FJ-38: restore TLS/SSH in libgit2 so AGit push works over HTTPS #46

Merged
David merged 1 commit from david/fix/agit-libgit2-tls-FJ-38 into main 2026-06-08 04:49:13 +02:00 AGit
Owner

Fixes FJ-38: `fj pr create -aA` failed against `https://` remotes with `there is no TLS stream available; class=Ssl (16)`.

Root cause

git2 0.21.0 changed its `default` feature set from `["ssh", "https"]` (0.20) to `[]`. The 0.20 -> 0.21 bump therefore silently built the vendored libgit2 with no TLS and no SSH transport. Every API-backed command kept working (fj's HTTP client links OpenSSL separately, which is why `ldd` looked healthy), but the AGit fetch/push path goes through libgit2 and died at the first https connection. Confirmed via `cargo tree -i libgit2-sys -e features` (only `default`, no `https`/`ssh`) and by the new test failing against the pre-fix graph.

Changes

  • `crates/fj/Cargo.toml`: enable `https` and `ssh` features on git2 explicitly, restoring 0.20 default parity, with a comment naming the trap. Cargo.lock picks up `libssh2-sys` and `openssl-probe`.
  • `crates/fj/tests/libgit2_features.rs`: integration test asserting `git2::Version::get().https()` and `.ssh()`, so a feature regression fails CI (`cargo test` in check.yml and the pre-commit hook) instead of failing the first user push. Verified red on the old graph, green on the new one.
  • `crates/fj/src/prs.rs`: `class=Ssl` fetch/push failures against an https remote now wrap the libgit2 error with an actionable hint ("rebuild fj with the git2 `https` feature enabled, or use an ssh:// remote").

Verification

This PR was itself opened with the fixed binary via `fj pr create --agit` over the https remote, which is acceptance criterion 1 exercised end to end. Note for other environments: libgit2 does not read `~/.netrc`, so the AGit path needs a git credential helper (or ssh remote); that auth gap is separate from the TLS fix and worth its own issue.

#FJ-38

fix(prs): restore TLS and SSH transports in libgit2 (AGit push)
All checks were successful
Check / fmt + clippy + build + tests (pull_request) Successful in 41s
Create release / Create release from merged PR (pull_request) Has been skipped
0d5700f7b1
git2 0.21 changed its default feature set from ["ssh", "https"] to empty, so the 0.20 -> 0.21 bump silently built libgit2 with no TLS or SSH stream and `fj pr create -aA` failed against https remotes with "there is no TLS stream available; class=Ssl (16)". Enable the `https` and `ssh` features explicitly on the git2 dependency.

Add an integration test asserting `git2::Version::get()` reports https and ssh support, so a feature regression fails CI instead of failing the first user push. Verified the test fails against the pre-fix dependency graph.

Map class=Ssl fetch/push failures against an https remote to an actionable error naming the rebuild (git2 `https` feature) instead of the raw libgit2 error class.

#FJ-38

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
David merged commit 361ce9cfde into main 2026-06-08 04:49:13 +02:00
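The `cargo tree -i libgit2-sys -e features` check named in the root-cause section, as an added example (not code from this PR or from fj): it scans that command's text output and reports which of the `https` and `ssh` features are absent on `libgit2-sys`. The two sample outputs are constructed with placeholder versions, and the `<crate> feature "<name>"` line shape is an assumption about the output format.

```rust
use std::collections::BTreeSet;

/// Transports the AGit path needs from libgit2 (feature names taken from the PR).
const REQUIRED: [&str; 2] = ["https", "ssh"];

/// Collect the features enabled on `krate` from `cargo tree -e features` text.
/// Assumed line shape: `<tree glyphs><krate> feature "<name>"`.
fn enabled_features(tree: &str, krate: &str) -> BTreeSet<String> {
    let needle = format!("{} feature \"", krate);
    let mut out = BTreeSet::new();
    for line in tree.lines() {
        // Strip the tree-drawing prefix so only the node text remains.
        let node = line.trim_start_matches(|c: char| !c.is_ascii_alphanumeric());
        if let Some(rest) = node.strip_prefix(needle.as_str()) {
            if let Some(end) = rest.find('"') {
                out.insert(rest[..end].to_string());
            }
        }
    }
    out
}

/// Required transports that the resolved dependency graph does not enable.
fn missing_transports(tree: &str) -> Vec<&'static str> {
    let have = enabled_features(tree, "libgit2-sys");
    REQUIRED.iter().copied().filter(|f| !have.contains(*f)).collect()
}

// Constructed sample outputs (placeholder versions), not captured from the project.
const PRE_FIX: &str = r#"libgit2-sys v0.0.0
└── libgit2-sys feature "default"
    └── git2 v0.21.0
        └── git2 feature "default"
"#;
const POST_FIX: &str = r#"libgit2-sys v0.0.0
├── libgit2-sys feature "default"
│   └── git2 v0.21.0
├── libgit2-sys feature "https"
│   └── git2 feature "https"
└── libgit2-sys feature "ssh"
    └── git2 feature "ssh"
"#;

fn main() {
    for (name, tree) in [("pre-fix", PRE_FIX), ("post-fix", POST_FIX)] {
        println!("{}: missing transports = {:?}", name, missing_transports(tree));
    }
}
```

Fed the real command output in CI, a non-empty result is the same signal as the PR's `git2::Version::get()` test, available before anything is compiled.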

Reference
pandoras-box/forgejo-cli!46