.bazelrc

@@ -366,7 +366,7 @@ build:release_windows --copt="-fstrict-aliasing"
 build:windows --cxxopt='/std:c++20' --host_cxxopt='/std:c++20'
 build:windows --copt='/D_CRT_USE_BUILTIN_OFFSETOF' --host_copt='/D_CRT_USE_BUILTIN_OFFSETOF'
 build:windows --copt='/DWIN32_LEAN_AND_MEAN' --host_copt='/DWIN32_LEAN_AND_MEAN'
-# The `/std:c++20` argument is unused during boringssl compilation and we don't
+# The `/std:c++20` argument is unused during BoringSSL compilation and we don't
 # want a warning when compiling each file.
 build:windows --copt='-Wno-unused-command-line-argument' --host_copt='-Wno-unused-command-line-argument'
 

.github/secret_scanning.yml

@@ -3,3 +3,28 @@ paths-ignore:
   - "src/workerd/api/node/crypto_dh-test.js"
   - "src/workerd/jsg/url-test-corpus-success.h"
   - "src/workerd/api/node/tests/crypto_x509-test.js"
+  - "src/workerd/api/node/tests/fixtures/dh_private.pem"
+  - "src/workerd/api/node/tests/fixtures/dsa_private_pkcs8.pem"
+  - "src/workerd/api/node/tests/fixtures/ed25519_private.pem"
+  - "src/workerd/api/node/tests/fixtures/rsa_private_encrypted.pem"
+  - "src/workerd/api/node/tests/fixtures/rsa_pss_private_2048_sha1_sha1_20.pem"
+  - "src/workerd/api/node/tests/fixtures/dsa_private_1025.pem"
+  - "src/workerd/api/node/tests/fixtures/ec_p256_private.pem"
+  - "src/workerd/api/node/tests/fixtures/ed448_private.pem"
+  - "src/workerd/api/node/tests/fixtures/rsa_private.pem"
+  - "src/workerd/api/node/tests/fixtures/rsa_pss_private_2048_sha256_sha256_16.pem"
+  - "src/workerd/api/node/tests/fixtures/dsa_private_encrypted_1025.pem"
+  - "src/workerd/api/node/tests/fixtures/ec_p384_private.pem"
+  - "src/workerd/api/node/tests/fixtures/rsa_private_2048.pem"
+  - "src/workerd/api/node/tests/fixtures/rsa_private_pkcs8_bad.pem"
+  - "src/workerd/api/node/tests/fixtures/rsa_pss_private_2048_sha512_sha256_20.pem"
+  - "src/workerd/api/node/tests/fixtures/dsa_private_encrypted.pem"
+  - "src/workerd/api/node/tests/fixtures/ec_p521_private.pem"
+  - "src/workerd/api/node/tests/fixtures/rsa_private_4096.pem"
+  - "src/workerd/api/node/tests/fixtures/rsa_private_pkcs8.pem"
+  - "src/workerd/api/node/tests/fixtures/x25519_private.pem"
+  - "src/workerd/api/node/tests/fixtures/dsa_private.pem"
+  - "src/workerd/api/node/tests/fixtures/ec_secp256k1_private.pem"
+  - "src/workerd/api/node/tests/fixtures/rsa_private_b.pem"
+  - "src/workerd/api/node/tests/fixtures/rsa_pss_private_2048.pem"
+  - "src/workerd/api/node/tests/fixtures/x448_private.pem"

.github/workflows/cla.yml

@@ -11,8 +11,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: "CLA Assistant"
-        if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
-        uses: contributor-assistant/github-action@v2.5.1
+        if: (github.event.issue.pull_request && (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA')) || github.event_name == 'pull_request_target'
+        uses: contributor-assistant/github-action@v2.6.1
         env:
           # CLA Action uses this in-built GitHub token to make the API calls for interacting with GitHub.
           # It is built into Github Actions and does not need to be manually specified in your secrets store.

.github/workflows/internal-build.yml

@@ -0,0 +1,35 @@
+name: Run internal build
+
+on:
+  pull_request:
+    paths-ignore:
+      - 'doc/**'
+
+concurrency:
+  # Cancel existing builds for the same PR.
+  # Otherwise, all other builds will be allowed to run through.
+  group: internal-build.yml-${{ github.event.pull_request.number || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  internal-build:
+    if: "${{! github.event.pull_request.head.repo.fork}}" # Don't run on forks
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          show-progress: false
+      - name: Run internal build
+        env:
+          CI_URL: ${{ secrets.CI_URL }}
+          CI_CLIENT_ID: ${{ secrets.CI_CF_ACCESS_CLIENT_ID }}
+          CI_CLIENT_SECRET: ${{ secrets.CI_CF_ACCESS_CLIENT_SECRET }}
+        run: |
+          python3 -u ./tools/cross/internal_build.py \
+            ${{github.event.pull_request.number}} \
+            ${{github.event.pull_request.head.sha}} \
+            ${{github.run_attempt}} \
+            "${{github.event.pull_request.head.ref}}" \
+            $CI_URL \
+            $CI_CLIENT_ID \
+            $CI_CLIENT_SECRET

.github/workflows/semgrep.yml

@@ -1,11 +1,6 @@
 
 on:
-  pull_request: {}
   workflow_dispatch: {}
-  push: 
-    branches:
-      - main
-      - master
   schedule:
     - cron: '0 0 * * *'
 name: Semgrep config

.ruff.toml

@@ -22,6 +22,7 @@ select = [
 ]
 ignore = [
   "E402",  # module import not at top of file
+  "E501", # line too long
   "PLR0912", # too many branches
   "PLR0915", # too many statements
   "PLR2004", # Magic value used in comparison

RELEASE.md

@@ -2,37 +2,10 @@
 
 The primary distribution channel for `workerd` right now is through `npm`. We use a (mostly) automatic CI setup to release and publish both `workerd` and `workers-types`.
 
-The release is a 3-step process:
-1. Cut release, wait for all binaries to be published (5 platforms total, can take few hours)
-2. Publish workerd
-3. Publish workers-types
-
 ## Versioning
 
 `workerd` and `workers-types` follow the same versioning system. The major version is currently `1` for `workerd` and `4` for `workers-types`. The minor version for both is the compatibility date specified in [supported-compatibility-date.txt](src/workerd/io/supported-compatibility-date.txt) (the latest compatibility date that the `workerd` release will support).
 
 ## Cutting Releases
 
-This is pretty simple, and completely automatic—every time the compatibility date in [supported-compatibility-date.txt](src/workerd/io/supported-compatibility-date.txt) changes, a new release is generated, along with the built binaries for `linux-64`, `darwin-64` and `windows-64`. This is governed by the [release.yml](.github/workflows/release.yml) GitHub Action. Binaries for `darwin-arm64` and `linux-arm64` are automatically built with internal runners. It may take a few hours for all binaries to appear on the release.
-
-When there is a build failure with the internal arm64 builders, those releases might not be automatically pushed to the release page. In this case, the binary can be built manually with the [build-releases.sh](build-releases.sh) script and uploaded to the release page. Note that this requires an Apple Silicon Mac. If only the Linux binary is missing, it can be built using [Dockerfile.release](Dockerfile.release) on arm64 Linux using the docker build command used in the build-releases script. Based on these limitations, building binaries manually is discouraged; fixing the CI configuration and restarting the release job should be preferred when possible.
-
-## Publishing `workerd`
-
-Once all binaries (5 platforms) have been automatically added to the release (few hours):
-
-- navigate to "Actions" github tab
-- pick "Publish to NPM" workflow
-- select the tag created for the release. (Ex v1.20240327.0 where the middle version is the new compat date)
-- *keep* patch 0 unless there was a problem with release and you need to publish a patch version (increment in that case).
-- if this is a pre-release, check "Is Prerelease" box. If it _is_ a prerelease, the published NPM version will be tagged with `beta`, and have a version number starting with `0.`. Otherwise, the published NPM version will be tagged `latest`, and have a version number starting with `1.`.
-
-## Publishing `workers-types`
-
-Once all binaries (5 platforms) have been automatically added to the release (few hours):
-
-- navigate to "Actions" github tab
-- pick "Publish types to NPM" workflow
-- select the tag created for the release. (Ex v1.20240327.0 where the middle version is the new compat date)
-- *keep* patch 0 unless there was a problem with release and you need to publish a patch version (increment in that case).
-- if this is a pre-release, check "Is Prerelease" box. If it _is_ a prerelease, the published NPM version will be tagged with `beta`, and have a version number starting with `0.`.  Otherwise, the published NPM version will be tagged `latest`, and have a version number starting with `4.`.
+This is pretty simple, and completely automatic—every time the compatibility date in [supported-compatibility-date.txt](src/workerd/io/supported-compatibility-date.txt) changes, a new release is generated, along with the built binaries for `linux-64`, `linux-arm64`, `darwin-64`, `darwin-arm64` and `windows-64`. The types will also be generated and published automatically. This is governed by the [release.yml](.github/workflows/release.yml) GitHub Action.

WORKSPACE

@@ -80,6 +80,14 @@ http_archive(
     url = "https://github.com/nodejs/nbytes/archive/refs/tags/v0.1.1.tar.gz",
 )
 
+http_archive(
+    name = "ncrypto",
+    sha256 = "b438cf71b1c24036e388f191a348cdc76aca75310eabca0fef5d81d5032a5d20",
+    strip_prefix = "ncrypto-1.0.1",
+    type = "tgz",
+    url = "https://github.com/nodejs/ncrypto/archive/refs/tags/1.0.1.tar.gz",
+)
+
 http_archive(
     name = "pyodide",
     build_file = "//:build/BUILD.pyodide",
@@ -172,10 +180,10 @@ bind(
 # OK, now we can bring in tcmalloc itself.
 http_archive(
     name = "com_google_tcmalloc",
-    sha256 = "81f285cb337f445276f37c308cb90120f8ba4311d1be9daf3b93dccf4bfdba7d",
-    strip_prefix = "google-tcmalloc-69c409c",
+    integrity = "sha256-8joG3SxfLYqR2liUznBAcMkHKYMmUtsO1qGr505VBMY=",
+    strip_prefix = "google-tcmalloc-91765c1",
     type = "tgz",
-    url = "https://github.com/google/tcmalloc/tarball/69c409c344bdf894fc7aab83e2d9e280b009b2f3",
+    url = "https://github.com/google/tcmalloc/tarball/91765c11461a01579fcbdddf430a556b818818c4",
 )
 
 # ========================================================================================
@@ -222,6 +230,18 @@ load("@rules_rust//tools/rust_analyzer:deps.bzl", "rust_analyzer_dependencies")
 
 rust_analyzer_dependencies()
 
+# Protobuf
+load("@com_google_protobuf//:protobuf_deps.bzl", "protobuf_deps")
+
+protobuf_deps()
+
+# rules_shell
+load("@rules_shell//shell:repositories.bzl", "rules_shell_dependencies", "rules_shell_toolchains")
+
+rules_shell_dependencies()
+
+rules_shell_toolchains()
+
 # ========================================================================================
 # Node.js bootstrap
 #

build/deps/build_deps.jsonc

@@ -77,6 +77,20 @@
       "type": "crate",
       "build_file": "//deps/rust:BUILD.cxxbridge-cmd"
     },
+    {
+      "name": "rules_cc",
+      "type": "github_release",
+      "owner": "bazelbuild",
+      "repo": "rules_cc",
+      "file_regex": "^rules_cc-"
+    },
+    {
+      "name": "rules_shell",
+      "type": "github_release",
+      "owner": "bazelbuild",
+      "repo": "rules_shell",
+      "file_regex": "^rules_shell-"
+    },
     {
       "name": "aspect_rules_esbuild",
       "type": "github_release",

build/deps/deps.jsonc

@@ -15,9 +15,9 @@
       "owner": "google",
       "repo": "boringssl",
       "branch": "master",
-      // boringssl may subtly break backwards compatibility and behave differently than the latest
+      // BoringSSL may subtly break backwards compatibility and behave differently than the latest
       // FIPS version, often by rejecting key values that it considers invalid/unsafe even though
-      // they are still accepted by boringssl. Update with caution and only after confirming this
+      // they are still accepted by BoringSSL. Update with caution and only after confirming this
       // is compatible with the downstream build.
       "freeze_commit": "6abe18402eb2a5e9b00158c6459646a948c53060"
     },

build/deps/gen/build_deps.bzl

@@ -23,10 +23,12 @@ load("@//build/deps:gen/dep_cxxbridge_cmd.bzl", "dep_cxxbridge_cmd")
 load("@//build/deps:gen/dep_ruff_darwin_arm64.bzl", "dep_ruff_darwin_arm64")
 load("@//build/deps:gen/dep_ruff_linux_amd64.bzl", "dep_ruff_linux_amd64")
 load("@//build/deps:gen/dep_ruff_linux_arm64.bzl", "dep_ruff_linux_arm64")
+load("@//build/deps:gen/dep_rules_cc.bzl", "dep_rules_cc")
 load("@//build/deps:gen/dep_rules_nodejs.bzl", "dep_rules_nodejs")
 load("@//build/deps:gen/dep_rules_pkg.bzl", "dep_rules_pkg")
 load("@//build/deps:gen/dep_rules_python.bzl", "dep_rules_python")
 load("@//build/deps:gen/dep_rules_rust.bzl", "dep_rules_rust")
+load("@//build/deps:gen/dep_rules_shell.bzl", "dep_rules_shell")
 load("@//build/deps:gen/dep_wpt.bzl", "dep_wpt")
 
 def deps_gen():
@@ -40,6 +42,8 @@ def deps_gen():
     dep_cargo_bazel_macos_arm64()
     dep_cargo_bazel_win_x64()
     dep_cxxbridge_cmd()
+    dep_rules_cc()
+    dep_rules_shell()
     dep_aspect_rules_esbuild()
     dep_rules_pkg()
     dep_rules_nodejs()

build/deps/gen/dep_ada_url.bzl

@@ -2,10 +2,10 @@
 
 load("@//:build/http.bzl", "http_archive")
 
-TAG_NAME = "v2.9.2"
-URL = "https://github.com/ada-url/ada/releases/download/v2.9.2/singleheader.zip"
+TAG_NAME = "v3.1.0"
+URL = "https://github.com/ada-url/ada/releases/download/v3.1.0/singleheader.zip"
 STRIP_PREFIX = ""
-SHA256 = "b2cce630590b490d79ea4f4460ba77efd5fb29c5a87a4e8cb7ebc4859bc4b564"
+SHA256 = "54de2c093a94ab0b6ffc3c16d01a89ef7cacbd743f08b5fa63fd06b8684efbd6"
 TYPE = "zip"
 
 def dep_ada_url():

build/deps/gen/dep_aspect_rules_js.bzl

@@ -2,10 +2,10 @@
 
 load("@//:build/http.bzl", "http_archive")
 
-TAG_NAME = "v2.1.2"
-URL = "https://github.com/aspect-build/rules_js/releases/download/v2.1.2/rules_js-v2.1.2.tar.gz"
-STRIP_PREFIX = "rules_js-2.1.2"
-SHA256 = "fbc34d815a0cc52183a1a26732fc0329e26774a51abbe0f26fc9fd2dab6133b4"
+TAG_NAME = "v2.1.3"
+URL = "https://github.com/aspect-build/rules_js/releases/download/v2.1.3/rules_js-v2.1.3.tar.gz"
+STRIP_PREFIX = "rules_js-2.1.3"
+SHA256 = "875b8d01af629dbf626eddc5cf239c9f0da20330f4d99ad956afc961096448dd"
 TYPE = "tgz"
 
 def dep_aspect_rules_js():

build/deps/gen/dep_aspect_rules_ts.bzl

@@ -2,10 +2,10 @@
 
 load("@//:build/http.bzl", "http_archive")
 
-TAG_NAME = "v3.4.0"
-URL = "https://github.com/aspect-build/rules_ts/releases/download/v3.4.0/rules_ts-v3.4.0.tar.gz"
-STRIP_PREFIX = "rules_ts-3.4.0"
-SHA256 = "013a10b2b457add73b081780e604778eb50a141709f9194298f97761acdcc169"
+TAG_NAME = "v3.5.0"
+URL = "https://github.com/aspect-build/rules_ts/releases/download/v3.5.0/rules_ts-v3.5.0.tar.gz"
+STRIP_PREFIX = "rules_ts-3.5.0"
+SHA256 = "4263532b2fb4d16f309d80e3597191a1cb2fb69c19e95d91711bd6b97874705e"
 TYPE = "tgz"
 
 def dep_aspect_rules_ts():

build/deps/gen/dep_buildifier_darwin_amd64.bzl

@@ -2,9 +2,9 @@
 
 load("@//:build/http.bzl", "http_file")
 
-TAG_NAME = "v8.0.1"
-URL = "https://github.com/bazelbuild/buildtools/releases/download/v8.0.1/buildifier-darwin-amd64"
-SHA256 = "802b013211dbcf91e3c0658ba33ecb3932ef5a6f6764a0b13efcec4e2df04c83"
+TAG_NAME = "v8.0.3"
+URL = "https://github.com/bazelbuild/buildtools/releases/download/v8.0.3/buildifier-darwin-amd64"
+SHA256 = "b7a3152cde0b3971b1107f2274afe778c5c154dcdf6c9c669a231e3c004f047e"
 
 def dep_buildifier_darwin_amd64():
     http_file(

build/deps/gen/dep_buildifier_darwin_arm64.bzl

@@ -2,9 +2,9 @@
 
 load("@//:build/http.bzl", "http_file")
 
-TAG_NAME = "v8.0.1"
-URL = "https://github.com/bazelbuild/buildtools/releases/download/v8.0.1/buildifier-darwin-arm64"
-SHA256 = "833e2afc331b9ad8f6b038ad3d69ceeaf97651900bf2a3a45f54f42cafe0bfd3"
+TAG_NAME = "v8.0.3"
+URL = "https://github.com/bazelbuild/buildtools/releases/download/v8.0.3/buildifier-darwin-arm64"
+SHA256 = "674c663f7b5cd03c002f8ca834a8c1c008ccb527a0a2a132d08a7a355883b22d"
 
 def dep_buildifier_darwin_arm64():
     http_file(

build/deps/gen/dep_buildifier_linux_amd64.bzl

@@ -2,9 +2,9 @@
 
 load("@//:build/http.bzl", "http_file")
 
-TAG_NAME = "v8.0.1"
-URL = "https://github.com/bazelbuild/buildtools/releases/download/v8.0.1/buildifier-linux-amd64"
-SHA256 = "1976053ed4decd6dd93170885b4387eddc76ec70dc2697b2e91a9af83269418a"
+TAG_NAME = "v8.0.3"
+URL = "https://github.com/bazelbuild/buildtools/releases/download/v8.0.3/buildifier-linux-amd64"
+SHA256 = "c969487c1af85e708576c8dfdd0bb4681eae58aad79e68ae48882c70871841b7"
 
 def dep_buildifier_linux_amd64():
     http_file(

build/deps/gen/dep_buildifier_linux_arm64.bzl

@@ -2,9 +2,9 @@
 
 load("@//:build/http.bzl", "http_file")
 
-TAG_NAME = "v8.0.1"
-URL = "https://github.com/bazelbuild/buildtools/releases/download/v8.0.1/buildifier-linux-arm64"
-SHA256 = "93078c57763493bdc2914ed340544500b8f3497341a62e90f00e9e184c4d9c2c"
+TAG_NAME = "v8.0.3"
+URL = "https://github.com/bazelbuild/buildtools/releases/download/v8.0.3/buildifier-linux-arm64"
+SHA256 = "bdd9b92e2c65d46affeecaefb54e68d34c272d1f4a8c5b54929a3e92ab78820a"
 
 def dep_buildifier_linux_arm64():
     http_file(

build/deps/gen/dep_buildifier_windows_amd64.bzl

@@ -2,9 +2,9 @@
 
 load("@//:build/http.bzl", "http_file")
 
-TAG_NAME = "v8.0.1"
-URL = "https://github.com/bazelbuild/buildtools/releases/download/v8.0.1/buildifier-windows-amd64.exe"
-SHA256 = "6edc9247e6d42d27fb67b9509bb795d159a12468faa89e9f290dcadc26571c31"
+TAG_NAME = "v8.0.3"
+URL = "https://github.com/bazelbuild/buildtools/releases/download/v8.0.3/buildifier-windows-amd64.exe"
+SHA256 = "63a242f57e253efe7b9573d739c08a3d0e628efd84015c8dad17d87b6429e443"
 
 def dep_buildifier_windows_amd64():
     http_file(

build/deps/gen/dep_capnp_cpp.bzl

@@ -2,11 +2,11 @@
 
 load("@//:build/http.bzl", "http_archive")
 
-URL = "https://github.com/capnproto/capnproto/tarball/f600d249496c55289fa07fd6a21cadeeb340edb9"
-STRIP_PREFIX = "capnproto-capnproto-f600d24/c++"
-SHA256 = "1d96cd31ad93eaf8194ba51d4a009a4f08332ad643740c4b49c081a515a27a60"
+URL = "https://github.com/capnproto/capnproto/tarball/3497c484729231105a08a5703b8b7297d090732d"
+STRIP_PREFIX = "capnproto-capnproto-3497c48/c++"
+SHA256 = "7056f4ebf3d3f3d73e56c6f75e7c6da05bc4b220e1997ca4384475ece942f448"
 TYPE = "tgz"
-COMMIT = "f600d249496c55289fa07fd6a21cadeeb340edb9"
+COMMIT = "3497c484729231105a08a5703b8b7297d090732d"
 
 def dep_capnp_cpp():
     http_archive(

build/deps/gen/dep_cargo_bazel_linux_arm64.bzl

@@ -2,9 +2,9 @@
 
 load("@//:build/http.bzl", "http_file")
 
-TAG_NAME = "0.56.0"
-URL = "https://github.com/bazelbuild/rules_rust/releases/download/0.56.0/cargo-bazel-aarch64-unknown-linux-gnu"
-SHA256 = "f3a35b137221d4627ba0ed62f775c4d3cbb45b6db839ae47f2ebfd48abe44a91"
+TAG_NAME = "0.57.1"
+URL = "https://github.com/bazelbuild/rules_rust/releases/download/0.57.1/cargo-bazel-aarch64-unknown-linux-gnu"
+SHA256 = "1d687a7e30ee16def6cf80a24c57a5b04fbe6ef44a730e27b6d73790d5b87671"
 
 def dep_cargo_bazel_linux_arm64():
     http_file(

build/deps/gen/dep_cargo_bazel_linux_x64.bzl

@@ -2,9 +2,9 @@
 
 load("@//:build/http.bzl", "http_file")
 
-TAG_NAME = "0.56.0"
-URL = "https://github.com/bazelbuild/rules_rust/releases/download/0.56.0/cargo-bazel-x86_64-unknown-linux-gnu"
-SHA256 = "53418ae5457040e84009f7c69b070e1f12f10a9a3a3ef4f5d0829c66e5438ba1"
+TAG_NAME = "0.57.1"
+URL = "https://github.com/bazelbuild/rules_rust/releases/download/0.57.1/cargo-bazel-x86_64-unknown-linux-gnu"
+SHA256 = "536e2ea4b030e38231f2012c63a87443f89c6860a7022ab4c928594b65a5cfa1"
 
 def dep_cargo_bazel_linux_x64():
     http_file(