ci: cache and verify Zig tarball, harden against truncated downloads#550
Merged
ci: cache and verify Zig tarball, harden against truncated downloads#550
Conversation
Recent CI runs on main and PR branches have been failing intermittently with `tar: Unexpected EOF in archive` during the "Install Zig and cargo-zigbuild" step. The root cause is `curl | tar` with no retries — when the connection to ziglang.org gets truncated, tar errors out and the whole step fails. Make the Zig install robust: - Cache the tarball at /tmp/zig.tar.xz keyed by version+arch via actions/cache, so repeated runs don't hit ziglang.org at all. - On cache miss, download with `curl --fail --retry 5 --retry-all-errors --retry-delay 3` to a temp file, verify SHA256, then extract. - If a cached tarball fails the SHA256 check (extremely rare but possible on a bad cache hit), redownload. Applies to both ci.yml (x86_64 and aarch64 build jobs) and release.yml (linux build matrix). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Apply the same retry+checksum hardening to the two remaining places that download the Zig tarball without retries or verification: - Dockerfile (used by docker-publish workflow): add curl --fail --retry 5 --retry-all-errors --retry-delay 3 plus SHA256 verify - scripts/cross-compile/setup-zig-cross.sh (developer setup): same hardening so local cross-compile setup is robust Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…inary Two changes that together cut the install step from ~25 min to ~10 sec (plus the cargo-zigbuild compile, which can take ~10 min from source): 1. Zig tarball: switch primary URL to the community mirror `zigmirror.hryx.net` (verified 200 OK, full content-length, no throttling), fall back to ziglang.org on failure. The upstream URL was throttling GitHub Actions runners to single-digit kbps, causing 25 min downloads. 2. cargo-zigbuild: replace `cargo install --locked cargo-zigbuild` (compiles from source on every run) with download of the prebuilt binary from cargo-zigbuild's own GitHub Releases (~1.2 MB, version 0.22.3 pinned). SHA256 verified. Both downloads are cached and SHA256-verified; cache miss or checksum mismatch triggers redownload. Apply to ci.yml (x86_64 + aarch64), release.yml (linux matrix), Dockerfile (used by docker-publish), and the cross-compile dev setup script. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
tar: Unexpected EOF in archiveduring the "Install Zig and cargo-zigbuild" step. Both main and PR branches affected. Root cause:curl ... | tarwith no retries — when ziglang.org connection is truncated, tar errors out and the step fails./tmp/zig.tar.xzkeyed by version+arch viaactions/cache, so repeated runs don't hit ziglang.org at all.curl --fail --retry 5 --retry-all-errors --retry-delay 3to a temp file, verify SHA256, then extract.Dockerfile(used by docker-publish workflows) andscripts/cross-compile/setup-zig-cross.sh(developer setup).Files changed
.github/workflows/ci.yml— both linux build jobs (x86_64 + aarch64).github/workflows/release.yml— linux release matrixDockerfile— root, used by docker-publishscripts/cross-compile/setup-zig-cross.sh— local dev setupZig 0.13.0 SHA256s pinned from upstream
https://ziglang.org/download/index.json:d45312e61ebcc48032b77bc4cf7fd6915c11fa16e4aad116b66c9468211230ea041ac42323837eb5624068acd8b00cd5777dac4cf91179e8dad7a7e90dd0c556Test plan
bash -n scripts/cross-compile/setup-zig-cross.shclean (verified)🤖 Generated with Claude Code