[PR #542] [MERGED] Switch minreq TLS from webpki-roots to native certs (fixes #541) #556

Closed
opened 2026-03-02 04:13:57 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/git-ai-project/git-ai/pull/542
Author: @svarlamov
Created: 2/17/2026
Status: Merged
Merged: 2/17/2026
Merged by: @svarlamov

Base: main ← Head: devin/1771338878-rustls-native-certs


📝 Commits (3)

  • 528c9d2 Switch minreq TLS from webpki-roots to native certs (fixes #541)
  • 947b2a8 Fix cargo fmt in TLS test file
  • 4ee6336 Update rustls-native-certs to 0.8, remove flaky/env-dependent tests

📊 Changes

4 files changed (+146 additions, -10 deletions)

View changed files

📝 Cargo.lock (+66 -9)
📝 Cargo.toml (+2 -1)
📝 src/ci/gitlab.rs (+70 -0)
➕ tests/tls_native_certs.rs (+8 -0)

📄 Description

Switch minreq TLS to native OS certificate store (fixes #541)

Summary

Changes the minreq feature flag from https-rustls to https-rustls-probe so that TLS connections use the OS certificate store (rustls-native-certs) instead of the compiled-in Mozilla root CA bundle (webpki-roots). This allows users running self-hosted GitLab with custom/internal CA certificates to use git-ai ci gitlab by installing their CA into the system trust store.

The one-line Cargo.toml change affects all minreq HTTPS calls (GitLab CI API, main API client, Sentry, PostHog, JetBrains plugin downloads).

Also adds unit tests for the GitLab CI module (MR JSON deserialization, template YAML) and an integration test verifying the native cert store can be loaded.

Updates since last revision

  • Updated rustls-native-certs dev-dependency from 0.6 → 0.8 (latest)
  • Removed all tests that hit external URLs (gitlab.com, httpbin.org, etc.) — no more network-dependent tests
  • Removed env-var-manipulating #[serial] tests (the unsafe set_var/remove_var tests)
  • Remaining tests are all pure/deterministic: 4 deserialization/template unit tests + 1 local cert store loading test

Review & Testing Checklist for Human

  • Verify fallback in minimal containers: webpki-roots is fully removed from the dep tree. In stripped Docker images (e.g., FROM scratch or minimal Alpine without ca-certificates), the bundled Mozilla roots were silently making things work. With https-rustls-probe, if the OS cert store is empty, TLS connections will fail. Confirm this trade-off is acceptable for your user base.
  • Note: two versions of rustls-native-certs in lockfile: minreq internally pulls 0.6.3 (its own dependency); the dev-dep for tests is 0.8.3. This is harmless (test-only) but worth being aware of.
  • Recommended manual test: In a Docker container with a self-signed CA cert installed to the system store, run git-ai ci gitlab run against a self-hosted GitLab instance and confirm the UnknownIssuer error from #541 is resolved.

Notes

  • No test exercises a custom/self-signed CA end-to-end — the integration test only confirms the native cert store loads successfully. The actual fix is validated by the manual test above.
  • Requested by: @svarlamov
  • Link to Devin run: https://app.devin.ai/sessions/f44ce4708a064a9ea56868004e4789a2

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
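The first checklist item above (an empty OS trust store makes every minreq HTTPS call fail once https-rustls-probe replaces the bundled Mozilla roots) can be caught before an image ships. The preflight check below is an added example, not code from git-ai or this PR; the candidate bundle paths and the SSL_CERT_FILE / SSL_CERT_DIR overrides are assumptions about where a native-cert probe looks on Linux, not something the PR states.

```shell
#!/bin/sh
# Preflight: does this image expose a non-empty OS trust store for a
# rustls-native-certs style probe to find? Assumed candidate locations:
# the SSL_CERT_FILE / SSL_CERT_DIR overrides plus the usual Linux bundle
# paths. Adjust the list for your distro; it is not taken from git-ai.

# has_native_roots [PATH]
# Returns 0 if at least one PEM certificate is found, 1 otherwise.
# With an argument, only that file or directory is checked.
has_native_roots() {
    candidates="$1"
    if [ -z "$candidates" ]; then
        candidates="${SSL_CERT_FILE:-} ${SSL_CERT_DIR:-} \
/etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt \
/etc/ssl/ca-bundle.pem /etc/ssl/cert.pem /etc/ssl/certs"
    fi
    for c in $candidates; do
        [ -n "$c" ] || continue
        if [ -f "$c" ]; then
            grep -q 'BEGIN CERTIFICATE' "$c" 2>/dev/null && return 0
        elif [ -d "$c" ]; then
            # a directory counts if any regular file in it holds a PEM cert
            for f in "$c"/*; do
                [ -f "$f" ] && grep -q 'BEGIN CERTIFICATE' "$f" 2>/dev/null && return 0
            done
        fi
    done
    return 1
}

# count_pem_certs PATH
# Prints the number of PEM certificate blocks in a file or directory.
count_pem_certs() {
    n=0
    if [ -f "$1" ]; then
        n=$(grep -c 'BEGIN CERTIFICATE' "$1" 2>/dev/null) || n=0
    elif [ -d "$1" ]; then
        n=$(cat "$1"/* 2>/dev/null | grep -c 'BEGIN CERTIFICATE') || n=0
    fi
    echo "$n"
}

# Report only; wire the exit code into your image build if you want it fatal.
if has_native_roots; then
    echo "OS trust store: found ($(count_pem_certs /etc/ssl/certs) certs under /etc/ssl/certs)"
else
    echo "OS trust store: EMPTY - install ca-certificates (or your internal CA) or set SSL_CERT_FILE" >&2
fi
```

In a minimal Alpine image this prints the EMPTY line until the ca-certificates package (and any internal CA) is installed and update-ca-certificates has run, which is exactly the situation the checklist item describes.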
