fix(ci): use rustls-native-roots for Windows CI build #8822
pkg.machengine.org redirects to pkg.hexops.org which broke TLS 1.2 support around 2026-03-27, causing native-tls (SChannel) to fail with SEC_E_ILLEGAL_MESSAGE on Windows. The release build already uses rustls-native-roots—this aligns the CI test build to match.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Note: Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.
Greptile Summary

This PR fixes a Windows CI failure caused by

Confidence Score: 5/5

Safe to merge — targeted, minimal changes that align the CI build with the existing release configuration. Both changes are correct and well-contained. The workflow change exactly mirrors what release builds already use, and the Cargo.toml fix is the standard pattern for opting out of a dependency's default TLS features. No logic, APIs, or user-facing behaviour are altered. The mise-shim crate has zero external dependencies so it is unaffected by the feature flag change. No P0 or P1 findings. No files require special attention.

Important Files Changed
Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    subgraph Before["Before (cargo build - default native-tls)"]
        A1[mise crate\nnative-tls feature] --> B1[reqwest/native-tls]
        A1 --> C1[vfox/native-tls]
        C1 --> D1[sigstore-verification\ndefault = native-tls ALWAYS]
        D1 -->|SChannel TLS 1.2| E1[pkg.hexops.org\nBROKEN TLS 1.2]
        E1 -->|SEC_E_ILLEGAL_MESSAGE| F1[CI Failure]
    end
    subgraph After["After (--no-default-features --features rustls-native-roots,...)"]
        A2[mise crate\nrustls-native-roots feature] --> B2[reqwest/rustls-tls-native-roots]
        A2 --> C2[vfox/rustls-native-roots]
        C2 --> D2[sigstore-verification\ndefault-features=false\n+ rustls-native-roots]
        D2 -->|rustls TLS 1.3| E2[pkg.hexops.org]
        E2 -->|200 OK| F2[CI Passes]
    end
```
Reviews (3): Last reviewed commit: "[autofix.ci] apply automated fixes"
Hyperfine Performance

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| `mise-2026.3.17 x -- echo` | 18.6 ± 0.5 | 17.7 | 22.0 | 1.00 |
| `mise x -- echo` | 19.2 ± 0.9 | 18.1 | 28.7 | 1.04 ± 0.06 |

mise env

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| `mise-2026.3.17 env` | 18.4 ± 0.7 | 17.4 | 23.4 | 1.00 |
| `mise env` | 18.6 ± 0.4 | 17.6 | 20.6 | 1.01 ± 0.04 |

mise hook-env

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| `mise-2026.3.17 hook-env` | 18.6 ± 0.4 | 17.8 | 21.1 | 1.00 |
| `mise hook-env` | 19.1 ± 0.5 | 18.1 | 21.7 | 1.02 ± 0.03 |

mise ls

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| `mise-2026.3.17 ls` | 19.3 ± 0.5 | 18.1 | 22.3 | 1.00 |
| `mise ls` | 19.7 ± 0.5 | 18.6 | 22.0 | 1.02 ± 0.04 |

xtasks/test/perf
| Command | mise-2026.3.17 | mise | Variance |
|---|---|---|---|
| install (cached) | 119ms | 119ms | +0% |
| ls (cached) | 69ms | 70ms | -1% |
| bin-paths (cached) | 69ms | 68ms | +1% |
| task-ls (cached) | 714ms | 726ms | -1% |
sigstore-verification was included with default features in vfox, which always enabled native-tls and reqwest/native-tls. This caused the rustls-native-roots feature flag to be ineffective—both TLS backends were compiled in, and reqwest defaults to native-tls when both are present. Now sigstore-verification uses default-features = false, with the TLS backend passed through from vfox's own feature flags.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
### 🚀 Features

- **(python)** add GitHub provenance verification for prebuilt binaries by @malept in [#8820](#8820)

### 🐛 Bug Fixes

- **(ci)** use rustls-native-roots for Windows CI build by @jdx in [#8822](#8822)
- **(go)** improve version fetching logic to support deeply nested sub-modules by @roele in [#8823](#8823)
- **(shim)** prevent infinite recursion when system shims dir is on PATH by @andrewthauer in [#8816](#8816)
- go backend missing supports_lockfile_url() override by @palootcenas-outreach in [#8790](#8790)
- strip shims from PATH in credential and template subprocesses by @antonioacg in [#8802](#8802)

### 📚 Documentation

- fix typo in shims documentation for fish by @roele in [#8798](#8798)

### 📦️ Dependency Updates

- update ghcr.io/jdx/mise:alpine docker digest to 3e6d001 by @renovate[bot] in [#8794](#8794)
- pin dependencies by @renovate[bot] in [#8793](#8793)

### 📦 Registry

- fix flutter version sorting by @roele in [#8818](#8818)
- add svgo (npm:svgo) by @3w36zj6 in [#8817](#8817)

### New Contributors

- @antonioacg made their first contribution in [#8802](#8802)
- @palootcenas-outreach made their first contribution in [#8790](#8790)

## 📦 Aqua Registry Updates

#### New Packages (3)

- [`RasKrebs/sonar`](https://github.com/RasKrebs/sonar)
- [`emacs-eask/cli`](https://github.com/emacs-eask/cli)
- [`superradcompany/microsandbox`](https://github.com/superradcompany/microsandbox)

#### Updated Packages (4)

- [`dimo414/bkt`](https://github.com/dimo414/bkt)
- [`lxc/incus`](https://github.com/lxc/incus)
- [`shinagawa-web/gomarklint`](https://github.com/shinagawa-web/gomarklint)
- [`updatecli/updatecli`](https://github.com/updatecli/updatecli)
Summary

- `build-windows` job from `native-tls` (default) to `rustls-native-roots`, matching what release builds already use (`scripts/build-tarball.ps1`)
- `windows-e2e` zig mach test failure caused by `pkg.hexops.org` breaking TLS 1.2 support around 2026-03-27 (`SEC_E_ILLEGAL_MESSAGE` / os error `-2146893018`)
- `rustls` handles TLS 1.3 negotiation correctly, while SChannel's native-tls fails on the broken TLS 1.2 handshake

Root cause

`pkg.machengine.org` 307-redirects to `pkg.hexops.org`, which broke its TLS 1.2 config. Confirmed locally:

`Could not create SSL/TLS secure channel`

Test plan

- `windows-e2e` CI job passes (zig mach test)
- `windows-unit` CI job still passes (unchanged, still uses default features)

🤖 Generated with Claude Code
Note

Medium Risk

Moderate risk because it changes TLS backend/feature composition for Windows builds and adjusts dependency feature flags, which could affect networking and signature verification behavior. Scope is limited to CI build configuration and `vfox` crate feature definitions.

Overview

Windows CI `build-windows` now builds `mise` with `--no-default-features` and explicitly enables `rustls-native-roots` (plus `vfox/vendored-lua` and `self_update`) instead of relying on default `native-tls`.

In `crates/vfox`, `sigstore-verification` is changed to `default-features = false` and its TLS-related features are explicitly tied into `native-tls`, `rustls`, and `rustls-native-roots` so the crate’s TLS backend stays consistent.

Written by Cursor Bugbot for commit 4d2866f. This will update automatically on new commits.
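
An added example (not part of the PR or the mise code base): a CI guard for the feature-unification problem described in the second commit message and the Bugbot overview, where both TLS backends ended up enabled despite `rustls-native-roots`. It reads the `packages` and `resolve` sections of `cargo metadata --format-version 1` output; the two graphs below are constructed samples with simplified package ids, and all function names are hypothetical.

```python
# Real input would be the parsed JSON from, for example:
#   cargo metadata --format-version 1 --no-default-features --features rustls-native-roots
# BEFORE/AFTER below are constructed stand-ins (ids simplified to crate names).

def tls_features(metadata):
    """Map crate name -> enabled TLS-related features in the resolved graph."""
    names = {p["id"]: p["name"] for p in metadata["packages"]}
    report = {}
    for node in metadata["resolve"]["nodes"]:
        hits = sorted(f for f in node["features"]
                      if f.startswith(("native-tls", "rustls")))
        if hits:
            report[names[node["id"]]] = hits
    return report

def mixed_backend_crates(metadata):
    """Crates where feature unification enabled both TLS families at once."""
    return sorted(
        crate for crate, feats in tls_features(metadata).items()
        if any(f.startswith("native-tls") for f in feats)
        and any(f.startswith("rustls") for f in feats))

def links_crate(metadata, crate="native-tls"):
    """True if `crate` appears as a package in the resolved graph."""
    names = {p["id"]: p["name"] for p in metadata["packages"]}
    return any(names[n["id"]] == crate for n in metadata["resolve"]["nodes"])

def _graph(nodes):
    """Build a minimal metadata dict from {crate: (features, deps)} (constructed)."""
    return {"packages": [{"id": c, "name": c} for c in nodes],
            "resolve": {"root": "mise", "nodes": [
                {"id": c, "features": f, "dependencies": d}
                for c, (f, d) in nodes.items()]}}

BEFORE = _graph({  # sigstore-verification keeps its defaults
    "mise": (["rustls-native-roots"], ["reqwest", "vfox"]),
    "vfox": (["rustls-native-roots"], ["reqwest", "sigstore-verification"]),
    "sigstore-verification": (["default", "native-tls"], ["reqwest"]),
    "reqwest": (["native-tls", "rustls-tls-native-roots"], ["native-tls"]),
    "native-tls": ([], []),
})
AFTER = _graph({  # default-features = false, backend passed through from vfox
    "mise": (["rustls-native-roots"], ["reqwest", "vfox"]),
    "vfox": (["rustls-native-roots"], ["reqwest", "sigstore-verification"]),
    "sigstore-verification": (["rustls-native-roots"], ["reqwest"]),
    "reqwest": (["rustls-tls-native-roots"], []),
})

if __name__ == "__main__":
    for label, graph in (("before", BEFORE), ("after", AFTER)):
        print(label, mixed_backend_crates(graph), links_crate(graph))
```

A build job can fail when `mixed_backend_crates` is non-empty or `links_crate` is true, which catches a dependency re-enabling `native-tls` through its defaults before it shows up as a handshake error.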