devkdas · devkdas · Nov 1, 2025 · Oct 17, 2025 · Oct 15, 2025 · Oct 17, 2025
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -8,6 +8,12 @@ updates:
     directory: '/'
     schedule:
       interval: 'monthly'
+    cooldown:
+      default-days: 7
+    groups:
+      actions-deps:
+        patterns:
+          - '*'
     commit-message:
       prefix: 'GHA:'
 
@@ -17,5 +23,14 @@ updates:
       - '/tests'
     schedule:
       interval: 'monthly'
+    cooldown:
+      default-days: 7
+      semver-major-days: 15
+      semver-minor-days: 7
+      semver-patch-days: 3
+    groups:
+      actions-deps:
+        patterns:
+          - '*'
     commit-message:
       prefix: 'GHA:'
diff --git a/.github/labeler.yml b/.github/labeler.yml
@@ -162,9 +162,9 @@ cryptography:
               docs/libcurl/opts/CURLOPT_EGDSOCKET*,\
               lib/*sha256*,\
               lib/*sha512*,\
-              lib/curl_des.*,\
               lib/curl_hmac.*,\
               lib/curl_md?.*,\
+              lib/curl_ntlm_core.*,\
               lib/md?.*,\
               lib/rand.*\
               }"
@@ -451,6 +451,7 @@ TLS:
   - all:
       - changed-files:
           - any-glob-to-all-files: "{\
+              CMake/FindGnuTLS.cmake,\
               CMake/FindMbedTLS.cmake,\
               CMake/FindWolfSSL.cmake,\
               CMake/FindRustls.cmake,\

diff --git a/.github/scripts/badwords.txt b/.github/scripts/badwords.txt
@@ -46,6 +46,7 @@ there's:there is
 \. But: Rewrite it somehow?
 \. So : Rewrite without "so" ?
  dir :directory
+sub-director:subdirector
 can't:cannot
 that's:that is
 web page:webpage

diff --git a/.github/scripts/requirements-docs.txt b/.github/scripts/requirements-docs.txt
@@ -2,4 +2,4 @@
 #
 # SPDX-License-Identifier: curl
 
-pyspelling==2.11
+pyspelling==2.12
diff --git a/.github/scripts/requirements.txt b/.github/scripts/requirements.txt
@@ -5,5 +5,5 @@
 cmakelang==0.6.13
 codespell==2.4.1
 pytype==2024.10.11
-reuse==6.1.2
-ruff==0.14.0
+reuse==6.2.0
+ruff==0.14.1
diff --git a/.github/scripts/spacecheck.pl b/.github/scripts/spacecheck.pl
@@ -42,10 +42,6 @@
     "\\.(bat|sln)\$",
 );
 
-my @space_at_eol = (
-    "^tests/data/test",
-);
-
 my @non_ascii_allowed = (
     '\xC3\xB6',  # UTF-8 for https://codepoints.net/U+00F6 LATIN SMALL LETTER O WITH DIAERESIS
 );
@@ -129,8 +125,7 @@ sub eol_detect {
         push @err, "content: must use LF EOL for this file type";
     }
 
-    if(!fn_match($filename, @space_at_eol) &&
-       $content =~ /[ \t]\n/) {
+    if($content =~ /[ \t]\n/) {
         my $line;
         for my $l (split(/\n/, $content)) {
             $line++;

diff --git a/.github/workflows/checksrc.yml b/.github/workflows/checksrc.yml
@@ -27,6 +27,10 @@ name: 'Source'
       - 'plan9/**'
       - 'tests/data/**'
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
+  cancel-in-progress: true
+
 permissions: {}
 
 jobs:
@@ -49,7 +53,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - name: 'install'
+      - name: 'install prereqs'
         run: |
           python3 -m venv ~/venv
           ~/venv/bin/pip --disable-pip-version-check --no-input --no-cache-dir install --progress-bar off --prefer-binary \
@@ -131,7 +135,7 @@ jobs:
           GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
         run: |
           eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
-          zizmor --pedantic .github/workflows/*.yml
+          zizmor --pedantic .github/workflows/*.yml .github/dependabot.yml
 
       - name: 'shellcheck CI'
         run: |

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -32,7 +32,8 @@ name: 'CodeQL'
     - cron: '0 0 * * 4'
 
 concurrency:
-  group: ${{ github.workflow }}
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
+  cancel-in-progress: true
 
 permissions: {}
 

diff --git a/.github/workflows/configure-vs-cmake.yml b/.github/workflows/configure-vs-cmake.yml
@@ -30,6 +30,10 @@ name: 'configure-vs-cmake'
       - '.github/scripts/cmp-config.pl'
       - '.github/workflows/configure-vs-cmake.yml'
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
+  cancel-in-progress: true
+
 permissions: {}
 
 jobs:

diff --git a/.github/workflows/curl-for-win.yml b/.github/workflows/curl-for-win.yml
@@ -63,12 +63,39 @@ jobs:
           export CW_GCCSUFFIX='-12'
           sudo podman image trust set --type reject default
           sudo podman image trust set --type accept docker.io/library
-          time podman pull "${DOCKER_IMAGE_STABLE}"
+          time podman pull "${OCI_IMAGE_DEBIAN_STABLE}"
           podman images --digests
           time podman run --volume "$(pwd):$(pwd)" --workdir "$(pwd)" \
             --env-file <(env | grep -a -E \
               '^(CW_|GITHUB_)') \
-            "${DOCKER_IMAGE_STABLE}" \
+            "${OCI_IMAGE_DEBIAN_STABLE}" \
+            sh -c ./_ci-linux-debian.sh
+
+  linux-glibc-gcc-minimal:  # use gcc to minimize installed packages
+    name: 'Linux gcc glibc minimal'
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+          path: 'curl'
+          fetch-depth: 8
+      - name: 'build'
+        run: |
+          git clone --depth 1 https://github.com/curl/curl-for-win
+          mv curl-for-win/* .
+          export CW_CONFIG='-main-werror-unitybatch-prefill-zero-osnotls-osnoidn-nohttp-nocurltool-linux-x64-gcc'
+          export CW_REVISION="${GITHUB_SHA}"
+          . ./_versions.sh
+          sudo podman image trust set --type reject default
+          sudo podman image trust set --type accept docker.io/library
+          time podman pull "${OCI_IMAGE_DEBIAN}"
+          podman images --digests
+          time podman run --volume "$(pwd):$(pwd)" --workdir "$(pwd)" \
+            --env-file <(env | grep -a -E \
+              '^(CW_|GITHUB_)') \
+            "${OCI_IMAGE_DEBIAN}" \
             sh -c ./_ci-linux-debian.sh
 
   linux-musl-llvm:
@@ -90,12 +117,12 @@ jobs:
           . ./_versions.sh
           sudo podman image trust set --type reject default
           sudo podman image trust set --type accept docker.io/library
-          time podman pull "${DOCKER_IMAGE}"
+          time podman pull "${OCI_IMAGE_DEBIAN}"
           podman images --digests
           time podman run --volume "$(pwd):$(pwd)" --workdir "$(pwd)" \
             --env-file <(env | grep -a -E \
               '^(CW_|GITHUB_)') \
-            "${DOCKER_IMAGE}" \
+            "${OCI_IMAGE_DEBIAN}" \
             sh -c ./_ci-linux-debian.sh
 
   mac-clang:
@@ -137,16 +164,16 @@ jobs:
           . ./_versions.sh
           sudo podman image trust set --type reject default
           sudo podman image trust set --type accept docker.io/library
-          time podman pull "${DOCKER_IMAGE}"
+          time podman pull "${OCI_IMAGE_DEBIAN}"
           podman images --digests
           time podman run --volume "$(pwd):$(pwd)" --workdir "$(pwd)" \
             --env-file <(env | grep -a -E \
               '^(CW_|GITHUB_)') \
-            "${DOCKER_IMAGE}" \
+            "${OCI_IMAGE_DEBIAN}" \
             sh -c ./_ci-linux-debian.sh
 
-  win-gcc-libssh-zlibold-x64:
-    name: 'Windows gcc libssh zlib-classic (x64)'
+  win-gcc-zlibold-x64:
+    name: 'Windows gcc zlib-classic (x64)'
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
@@ -159,15 +186,15 @@ jobs:
         run: |
           git clone --depth 1 https://github.com/curl/curl-for-win
           mv curl-for-win/* .
-          export CW_CONFIG='-main-werror-unitybatch-win-x64-gcc-libssh1-zlibold'
+          export CW_CONFIG='-main-werror-unitybatch-win-x64-gcc-zlibold'
           export CW_REVISION="${GITHUB_SHA}"
           . ./_versions.sh
           sudo podman image trust set --type reject default
           sudo podman image trust set --type accept docker.io/library
-          time podman pull "${DOCKER_IMAGE}"
+          time podman pull "${OCI_IMAGE_DEBIAN}"
           podman images --digests
           time podman run --volume "$(pwd):$(pwd)" --workdir "$(pwd)" \
             --env-file <(env | grep -a -E \
               '^(CW_|GITHUB_)') \
-            "${DOCKER_IMAGE}" \
+            "${OCI_IMAGE_DEBIAN}" \
             sh -c ./_ci-linux-debian.sh
diff --git a/.github/workflows/distcheck.yml b/.github/workflows/distcheck.yml
@@ -49,7 +49,7 @@ jobs:
       - name: 'maketgz'
         run: SOURCE_DATE_EPOCH=1711526400 ./scripts/maketgz 99.98.97
 
-      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: 'release-tgz'
           path: 'curl-99.98.97.tar.gz'
@@ -75,7 +75,7 @@ jobs:
     timeout-minutes: 10
     needs: maketgz-and-verify-in-tree
     steps:
-      - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
           name: 'release-tgz'
 
@@ -99,7 +99,7 @@ jobs:
     timeout-minutes: 10
     needs: maketgz-and-verify-in-tree
     steps:
-      - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
           name: 'release-tgz'
 
@@ -125,7 +125,7 @@ jobs:
     timeout-minutes: 10
     needs: maketgz-and-verify-in-tree
     steps:
-      - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
           name: 'release-tgz'
 
@@ -149,7 +149,7 @@ jobs:
     timeout-minutes: 10
     needs: maketgz-and-verify-in-tree
     steps:
-      - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
           name: 'release-tgz'
 
@@ -170,7 +170,7 @@ jobs:
     timeout-minutes: 5
     needs: maketgz-and-verify-in-tree
     steps:
-      - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
           name: 'release-tgz'
 
@@ -192,7 +192,7 @@ jobs:
     timeout-minutes: 5
     needs: maketgz-and-verify-in-tree
     steps:
-      - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
           name: 'release-tgz'
 
@@ -218,7 +218,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
           name: 'release-tgz'
 

diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml
@@ -35,6 +35,11 @@ name: 'Fuzzer'
       - 'projects/**'
       - 'tests/data/**'
 
+concurrency:
+  # Hard-coded workflow name to avoid colliding with curl-fuzzer's group
+  group: curl-fuzz-${{ github.event.pull_request.number || github.sha }}
+  cancel-in-progress: true
+
 permissions: {}
 
 jobs: