curl/.github/workflows/macos.yml

# Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
#
# SPDX-License-Identifier: curl

name: macOS

'on':
  push:
    branches:
      - master
      - '*/ci'
    paths-ignore:
      - '**/*.md'
      - '.circleci/**'
      - 'appveyor.*'
      - 'packages/**'
      - 'plan9/**'
      - 'projects/**'
      - 'winbuild/**'
  pull_request:
    branches:
      - master
    paths-ignore:
      - '**/*.md'
      - '.circleci/**'
      - 'appveyor.*'
      - 'packages/**'
      - 'plan9/**'
      - 'projects/**'
      - 'winbuild/**'

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
  cancel-in-progress: true

permissions: {}

# Deprecated Apple APIs and the macos-version-min value required to avoid
# deprecation warnings with llvm/clang:
#
# - 10.7  Lion (2011)          - GSS
# - 10.8  Mountain Lion (2012) - CFURLCreateDataAndPropertiesFromResource (used by curl Secure Transport code)
# - 10.9  Maverick (2013)      - LDAP
# - 10.14 Mojave (2018)        - Secure Transport
#
# For Secure Transport, curl implements features that require a target
# newer than the 10.8 required by `CFURLCreateDataAndPropertiesFromResource`.
# In this case `-Wno-deprecated-declarations` still comes handy to pacify
# deprecation warnings, though the real solution would be to avoid calling
# that function.

env:
  LDFLAGS: -w  # suppress 'object file was built for newer macOS version than being linked' warnings
  MAKEFLAGS: -j 4

jobs:
  autotools:
    name: 'AM ${{ matrix.compiler }} ${{ matrix.name }}'
    runs-on: 'macos-latest'
    timeout-minutes: 60
    env:
      DEVELOPER_DIR: "/Applications/Xcode${{ matrix.xcode && format('_{0}', matrix.xcode) || '' }}.app/Contents/Developer"
      CC: ${{ matrix.compiler }}
      CFLAGS: '-mmacosx-version-min=${{ matrix.macos-version-min }}'
    strategy:
      fail-fast: false
      matrix:
        include:
          - name: '!ssl !debug brotli zstd'
            compiler: clang
            install: brotli zstd
            configure: --without-ssl --with-brotli --with-zstd
            macos-version-min: '10.9'
          - name: '!ssl !debug'
            compiler: gcc-12
            configure: --without-ssl
            macos-version-min: '10.9'
          - name: '!ssl'
            compiler: clang
            configure: --enable-debug --without-ssl
            macos-version-min: '10.9'
          - name: '!ssl libssh2 AppleIDN'
            compiler: clang
            configure: --enable-debug --with-libssh2=$(brew --prefix libssh2) --without-ssl --with-apple-idn
            macos-version-min: '10.9'
          - name: 'OpenSSL libssh c-ares'
            compiler: clang
            install: libssh
            configure: --enable-debug --with-libssh --with-openssl=$(brew --prefix openssl) --enable-ares
            macos-version-min: '10.9'
          - name: 'OpenSSL libssh'
            compiler: llvm@15
            install: libssh
            configure: --enable-debug --with-libssh --with-openssl=$(brew --prefix openssl)
            macos-version-min: '10.9'
          - name: '!ssl c-ares'
            compiler: clang
            configure: --enable-debug --enable-ares --without-ssl
            macos-version-min: '10.9'
          - name: '!ssl HTTP-only'
            compiler: clang
            configure: |
              --enable-debug \
              --disable-alt-svc --disable-dict --disable-file --disable-ftp --disable-gopher --disable-imap \
              --disable-ldap --disable-pop3 --disable-rtmp --disable-rtsp --disable-scp --disable-sftp \
              --disable-shared --disable-smb --disable-smtp --disable-telnet --disable-tftp --disable-unix-sockets \
              --without-brotli --without-gssapi --without-libidn2 --without-libpsl --without-librtmp --without-libssh2 \
              --without-nghttp2 --without-ntlm-auth --without-ssl --without-zlib --without-zstd

            macos-version-min: '10.15'  # Catalina (2019)
          - name: 'SecureTransport libssh2'
            compiler: clang
            configure: --enable-debug --with-secure-transport --with-libssh2=$(brew --prefix libssh2)
            macos-version-min: '10.8'
          - name: 'SecureTransport libssh2 10.12'
            compiler: clang
            configure: --enable-debug --with-secure-transport --with-libssh2=$(brew --prefix libssh2)
            macos-version-min: '10.12'  # for monotonic timers
            cflags: '-Wno-deprecated-declarations'
          - name: 'SecureTransport libssh2'
            compiler: gcc-12
            configure: --enable-debug --with-secure-transport --with-libssh2=$(brew --prefix libssh2)
            macos-version-min: '10.8'
          - name: 'LibreSSL +examples'
            compiler: clang
            install: libressl
            configure: --enable-debug --with-openssl=$(brew --prefix libressl)
            macos-version-min: '10.9'
          - name: 'OpenSSL'
            compiler: clang
            configure: --enable-debug --with-openssl=$(brew --prefix openssl)
            macos-version-min: '10.9'
          - name: 'OpenSSL event-based'
            compiler: clang
            configure: --enable-debug --with-openssl=$(brew --prefix openssl)
            macos-version-min: '10.9'
            tflags: -e
          - name: 'OpenSSL libssh2 !ldap 10.15'
            compiler: clang
            configure: --enable-debug --disable-ldap --with-openssl=$(brew --prefix openssl)
            macos-version-min: '10.15'
    steps:
      - name: 'brew install'
        # Run this command with retries because of spurious failures seen
        # while running the tests, for example
        # https://github.com/curl/curl/runs/4095721123?check_suite_focus=true
        run: |
          echo automake libtool pkg-config libpsl libssh2 nghttp2 stunnel ${{ matrix.install }} | xargs -Ix -n1 echo brew '"x"' > /tmp/Brewfile
          while [[ $? == 0 ]]; do for i in 1 2 3; do brew update && brew bundle install --no-lock --file /tmp/Brewfile && break 2 || { echo Error: wait to try again; sleep 10; } done; false Too many retries; done

      - name: 'brew unlink openssl'
        run: |
          if test -d $(brew --prefix)/include/openssl; then
            brew unlink openssl
          fi

      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4

      - name: 'toolchain versions'
        run: |
          [[ '${{ matrix.compiler }}' = 'llvm'* ]] && CC="$(brew --prefix ${{ matrix.compiler }})/bin/clang"
          [[ '${{ matrix.compiler }}' = 'gcc'* ]] && \
            grep -h -r -E -o '.+[0-9.]+\.sdk/' "$(dirname "$("${CC}" -print-libgcc-file-name)")/include-fixed" | sed -E 's/^\t+//g' | tr -d '"' | sort -u || true
          which "${CC}"; "${CC}" --version || true
          xcodebuild -version || true
          xcrun --sdk macosx --show-sdk-path 2>/dev/null || true
          xcrun --sdk macosx --show-sdk-version || true
          echo '::group::macros predefined'; "${CC}" -dM -E - < /dev/null | sort || true; echo '::endgroup::'
          echo '::group::brew packages installed'; ls -l "$(brew --prefix)/opt"; echo '::endgroup::'

      - name: 'autoreconf'
        run: autoreconf -fi

      - name: 'configure'
        run: |
          if [[ '${{ matrix.compiler }}' = 'llvm'* ]]; then
            CC="$(brew --prefix ${{ matrix.compiler }})/bin/clang"
            CC+=" --sysroot=$(xcrun --sdk macosx --show-sdk-path 2>/dev/null)"
            CC+=" --target=$(uname -m)-apple-darwin"
            options+=" --target=$(uname -m)-apple-darwin"
          fi
          CFLAGS+=' ${{ matrix.cflags }}'
          if [[ '${{ matrix.compiler }}' = 'gcc'* ]]; then
            libgccdir="$(dirname "$("${CC}" -print-libgcc-file-name)")"
            echo '::group::gcc include-fixed details'; find "${libgccdir}/include-fixed" | sort; echo '::endgroup::'
            for f in dispatch os AvailabilityInternal.h stdio.h; do
              if [ -r "${libgccdir}/include-fixed/${f}" ]; then
                echo "Zap gcc hack: '${libgccdir}/include-fixed/${f}'"
                mv "${libgccdir}/include-fixed/${f}" "${libgccdir}/include-fixed/${f}-BAK"
              fi
            done
          fi
          if [ '${{ matrix.compiler }}' != 'clang' ]; then
            options+=" --with-sysroot=$(xcrun --sdk macosx --show-sdk-path 2>/dev/null)"
            CFLAGS+=" --sysroot=$(xcrun --sdk macosx --show-sdk-path 2>/dev/null)"
          fi
          mkdir bld && cd bld && ../configure --enable-unity --enable-test-bundles --enable-warnings --enable-werror \
            --disable-dependency-tracking \
            --with-libpsl=$(brew --prefix libpsl) \
            ${{ matrix.configure }} ${options}

      - name: 'configure log'
        if: ${{ !cancelled() }}
        run: cat bld/config.log || true

      - name: 'curl_config.h'
        run: |
          echo '::group::raw'; cat bld/lib/curl_config.h || true; echo '::endgroup::'
          cat bld/lib/curl_config.h | grep -F '#define' | sort || true

      - name: 'build-cert'
        if: contains(matrix.configure, '--with-secure-transport')
        run: |
          make -C bld/tests/certs clean-certs
          make -C bld/tests/certs build-certs -j1

      - name: 'make'
        run: make -C bld V=1

      - name: 'curl version'
        run: bld/src/curl --disable --version

      - name: 'make tests'
        run: make -C bld V=1 -C tests

      - name: 'pip3 install'
        run: |
          python3 -m venv $HOME/venv
          source $HOME/venv/bin/activate
          python3 -m pip install impacket

      - name: 'run tests'
        timeout-minutes: 20
        run: |
          export TFLAGS='-j20 ${{ matrix.tflags }}'
          TFLAGS+=' ~2037 ~2041'  # flaky
          if [[ '${{ matrix.compiler }}' = 'gcc'* ]]; then
            TFLAGS+=' ~RTSP'  # 567 568 569 570 571 572 577 689 3100
            TFLAGS+=' ~1156 ~1539'  # HTTP Content-Range, Content-Length
            if [[ '${{ matrix.configure }}' = *'--with-secure-transport'* ]]; then
              TFLAGS+=' ~2100'  # 2100:'HTTP GET using DoH' https://github.com/curl/curl/actions/runs/9942146678/job/27462937524#step:15:5059
              TFLAGS+=' ~HTTP/2'  # 2400 2401 2402 2403 2404 2406, Secure Transport + nghttp2
            else
              TFLAGS+=' ~2402 ~2404'  # non-Secure Transport + nghttp2
            fi
          fi
          if [[ '${{ matrix.configure }}' = *'--with-secure-transport'* ]]; then
            TFLAGS+=' ~313'  # Secure Transport does not support crl file
            TFLAGS+=' ~1631 ~1632'  # Secure Transport is not able to shutdown ftp over https gracefully yet
          fi
          source $HOME/venv/bin/activate
          rm -f $HOME/.curlrc
          make -C bld V=1 test-ci

      - name: 'make examples'
        if: ${{ contains(matrix.build.name, '+examples') }}
        run: make -C bld V=1 examples

  cmake:
    name: 'CM ${{ matrix.compiler }} ${{ matrix.build.name }}'
    runs-on: 'macos-latest'
    timeout-minutes: 30
    env:
      DEVELOPER_DIR: "/Applications/Xcode${{ matrix.xcode && format('_{0}', matrix.xcode) || '' }}.app/Contents/Developer"
      CC: ${{ matrix.compiler }}
    strategy:
      fail-fast: false
      matrix:
        compiler: [clang, llvm@15, gcc-12]
        build:
          - name: 'OpenSSL ws gsasl AppleIDN'
            install: gsasl
            generate: -DOPENSSL_ROOT_DIR=$(brew --prefix openssl) -DCURL_USE_GSASL=ON -DUSE_APPLE_IDN=ON
            macos-version-min: '10.9'
          - name: 'OpenSSL +static libssh'
            install: libssh
            generate: -DOPENSSL_ROOT_DIR=$(brew --prefix openssl) -DBUILD_STATIC_LIBS=ON -DCURL_USE_LIBSSH2=OFF -DCURL_USE_LIBSSH=ON
            macos-version-min: '10.9'
          - name: 'SecureTransport ws debug'
            generate: -DCURL_USE_SECTRANSP=ON -DENABLE_DEBUG=ON
            macos-version-min: '10.8'
          - name: 'LibreSSL !ldap heimdal c-ares +examples'
            install: libressl heimdal
            generate: -DOPENSSL_ROOT_DIR=$(brew --prefix libressl) -DENABLE_ARES=ON -DCURL_USE_GSSAPI=ON -DGSS_ROOT_DIR=$(brew --prefix heimdal) -DCURL_DISABLE_LDAP=ON
            macos-version-min: '10.15'
          - name: 'wolfSSL !ldap brotli zstd'
            install: brotli wolfssl zstd
            generate: -DCURL_USE_WOLFSSL=ON -DCURL_BROTLI=ON -DCURL_ZSTD=ON -DCURL_DISABLE_LDAP=ON
            macos-version-min: '10.15'
          - name: 'GnuTLS !ldap krb5'
            install: gnutls nettle krb5
            generate: -DCURL_USE_GNUTLS=ON -DCURL_USE_OPENSSL=OFF -DCURL_USE_GSSAPI=ON -DGSS_ROOT_DIR=$(brew --prefix krb5) -DCURL_DISABLE_LDAP=ON
            macos-version-min: '10.15'
          - name: 'OpenSSL torture !FTP'
            generate: -DENABLE_DEBUG=ON -DBUILD_SHARED_LIBS=OFF -DENABLE_THREADED_RESOLVER=OFF -DOPENSSL_ROOT_DIR=$(brew --prefix openssl) -DCURL_BROTLI=ON -DCURL_ZSTD=ON
            tflags: -t --shallow=25 !FTP
            macos-version-min: '10.9'
            torture: true
          - name: 'OpenSSL torture FTP'
            generate: -DENABLE_DEBUG=ON -DBUILD_SHARED_LIBS=OFF -DENABLE_THREADED_RESOLVER=OFF -DOPENSSL_ROOT_DIR=$(brew --prefix openssl) -DCURL_BROTLI=ON -DCURL_ZSTD=ON
            tflags: -t --shallow=20 FTP
            macos-version-min: '10.9'
            torture: true
        exclude:
          - { compiler: llvm@15, build: { macos-version-min: '10.15' } }
          - { compiler: llvm@15, build: { macos-version-min: '10.9' } }
          - { compiler: gcc-12, build: { torture: true } }
    steps:
      - name: 'brew install'
        run: |
          echo ninja pkg-config libpsl libssh2 nghttp2 stunnel ${{ matrix.build.install }} | xargs -Ix -n1 echo brew '"x"' > /tmp/Brewfile
          while [[ $? == 0 ]]; do for i in 1 2 3; do brew update && brew bundle install --no-lock --file /tmp/Brewfile && break 2 || { echo Error: wait to try again; sleep 10; } done; false Too many retries; done

      - name: 'brew unlink openssl'
        run: |
          if test -d $(brew --prefix)/include/openssl; then
            brew unlink openssl
          fi

      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4

      - name: 'toolchain versions'
        run: |
          [[ '${{ matrix.compiler }}' = 'llvm'* ]] && CC="$(brew --prefix ${{ matrix.compiler }})/bin/clang"
          [[ '${{ matrix.compiler }}' = 'gcc'* ]] && \
            grep -h -r -E -o '.+[0-9.]+\.sdk/' "$(dirname "$("${CC}" -print-libgcc-file-name)")/include-fixed" | sed -E 's/^\t+//g' | tr -d '"' | sort -u || true
          which "${CC}"; "${CC}" --version || true
          xcodebuild -version || true
          xcrun --sdk macosx --show-sdk-path 2>/dev/null || true
          xcrun --sdk macosx --show-sdk-version || true
          echo '::group::macros predefined'; "${CC}" -dM -E - < /dev/null | sort || true; echo '::endgroup::'
          echo '::group::brew packages installed'; ls -l "$(brew --prefix)/opt"; echo '::endgroup::'

      - name: 'cmake configure'
        run: |
          if [[ '${{ matrix.compiler }}' = 'llvm'* ]]; then
            CC="$(brew --prefix ${{ matrix.compiler }})/bin/clang"
            CC+=" --sysroot=$(xcrun --sdk macosx --show-sdk-path 2>/dev/null)"
            CC+=" --target=$(uname -m)-apple-darwin"
          fi
          if [[ '${{ matrix.compiler }}' = 'gcc'* ]]; then
            libgccdir="$(dirname "$("${CC}" -print-libgcc-file-name)")"
            echo '::group::gcc include-fixed details'; find "${libgccdir}/include-fixed" | sort; echo '::endgroup::'
            for f in dispatch os AvailabilityInternal.h stdio.h; do
              if [ -r "${libgccdir}/include-fixed/${f}" ]; then
                echo "Zap gcc hack: '${libgccdir}/include-fixed/${f}'"
                mv "${libgccdir}/include-fixed/${f}" "${libgccdir}/include-fixed/${f}-BAK"
              fi
            done
          fi
          cmake -B bld -G Ninja -DCMAKE_UNITY_BUILD=ON -DCURL_TEST_BUNDLES=ON -DCURL_WERROR=ON \
            -DCMAKE_OSX_DEPLOYMENT_TARGET=${{ matrix.build.macos-version-min }} \
            "-DCMAKE_OSX_SYSROOT=$(xcrun --sdk macosx --show-sdk-path 2>/dev/null)" \
            "-DCMAKE_C_COMPILER_TARGET=$(uname -m | sed 's/arm64/aarch64/')-apple-darwin$(uname -r)" \
            ${{ matrix.build.generate }}

      - name: 'configure log'
        if: ${{ !cancelled() }}
        run: cat bld/CMakeFiles/CMakeConfigureLog.yaml 2>/dev/null || true

      - name: 'curl_config.h'
        run: |
          echo '::group::raw'; cat bld/lib/curl_config.h || true; echo '::endgroup::'
          cat bld/lib/curl_config.h | grep -F '#define' | sort || true

      - name: 'build-cert'
        if: contains(matrix.build.generate, '-DCURL_USE_SECTRANSP=ON')
        run: |
          ninja -C bld clean-certs
          ninja -C bld build-certs -j 1

      - name: 'cmake build'
        run: ninja -C bld --verbose

      - name: 'curl version'
        run: bld/src/curl --disable --version

      - name: 'cmake build tests'
        run: ninja -C bld testdeps

      - name: 'pip3 install'
        run: |
          python3 -m venv $HOME/venv
          source $HOME/venv/bin/activate
          python3 -m pip install impacket

      - name: 'cmake run tests'
        timeout-minutes: ${{ matrix.build.torture && 20 || 10 }}
        run: |
          export TFLAGS='-j20 ${{ matrix.build.tflags }}'
          if [ -z '${{ matrix.build.torture }}' ]; then
            TFLAGS+=' ~2037 ~2041'  # flaky
            if [[ '${{ matrix.compiler }}' = 'gcc'* ]]; then
              TFLAGS+=' ~RTSP'  # 567 568 569 570 571 572 577 689 3100
              TFLAGS+=' ~1156 ~1539'  # HTTP Content-Range, Content-Length
              if [[ '${{ matrix.build.generate }}' = *'-DCURL_USE_SECTRANSP=ON'* ]]; then
                TFLAGS+=' ~2100'  # 2100:'HTTP GET using DoH' https://github.com/curl/curl/actions/runs/9942146678/job/27462937524#step:15:5059
                TFLAGS+=' ~HTTP/2'  # 2400 2401 2402 2403 2404 2406, Secure Transport + nghttp2
              else
                TFLAGS+=' ~2402 ~2404'  # non-Secure Transport + nghttp2
              fi
            fi
            if [[ '${{ matrix.build.generate }}' = *'-DCURL_USE_SECTRANSP=ON'* ]]; then
              TFLAGS+=' ~313'  # Secure Transport does not support crl file
              TFLAGS+=' ~1631 ~1632'  # Secure Transport is not able to shutdown ftp over https gracefully yet
            fi
          fi
          source $HOME/venv/bin/activate
          rm -f $HOME/.curlrc
          ninja -C bld test-ci

      - name: 'cmake build examples'
        if: ${{ contains(matrix.name, '+examples') }}
        run: make -C bld VERBOSE=1

  combinations:  # Test buildability with host OS, Xcode / SDK, compiler, target-OS, Secure Transport/not, built tool, combinations
    if: true  # Set to `true` to enable this test matrix. It runs quickly.
    name: "${{ matrix.build == 'cmake' && 'CM' || 'AM' }} ${{ matrix.compiler }} ${{ matrix.image }} ${{ matrix.xcode }} ${{ matrix.config }}"
    runs-on: ${{ matrix.image }}
    timeout-minutes: 10
    env:
      DEVELOPER_DIR: "/Applications/Xcode${{ matrix.xcode && format('_{0}', matrix.xcode) || '' }}.app/Contents/Developer"
      CC: ${{ matrix.compiler }}
    strategy:
      fail-fast: false
      matrix:
        config: [SecureTransport]  # also: OpenSSL
        compiler: [gcc-12, gcc-13, gcc-14, llvm@15, llvm@18, clang]
        # Xcode support matrix as of 2024-07, with default macOS SDK versions and OS names, years:
        # * = default Xcode on the runner.
        # macos-13: 14.1, 14.2, 14.3.1, 15.0.1, 15.1,*15.2
        # macos-14:                     15.0.1, 15.1, 15.2, 15.3,*15.4
        # macos-15:                                                    *16.0, 16.1
        # macOSSDK: 13.0, 13.1, 13.3,   14.0,   14.2, 14.2, 14.4, 14.5, 15.0, 15.1
        #           Ventura (2022)      Sonoma (2023)                   Sequoia (2024)
        # https://github.com/actions/runner-images/tree/main/images/macos
        # https://en.wikipedia.org/wiki/MacOS_version_history
        image: [macos-13, macos-14, macos-15]
        # Can skip these to reduce jobs:
        #   15.1 has the same default macOS SDK as 15.2 and identical test result.
        #   14.1, 15.4 not revealing new fallouts.
        #xcode: ['14.1', '14.2', '14.3.1', '15.0.1', '15.1', '15.2', '15.3', '15.4', '16.0', '16.1']  # all Xcode
        #xcode: ['14.1', '14.2', '14.3.1', '15.0.1'        , '15.2', '15.3', '15.4', '16.0', '16.1']  # all SDK
        #xcode: [        '14.2', '14.3.1', '15.0.1'        , '15.2', '15.3'        , '16.0'        ]  # coverage
        xcode: ['']  # default Xcodes
        macos-version-min: ['10.8']
        build: [autotools, cmake]
        exclude:
          # Combinations uncovered by runner images:
          - { image: macos-13, xcode: '15.3'   }
          - { image: macos-13, xcode: '15.4'   }
          - { image: macos-13, xcode: '16.0'   }
          - { image: macos-13, xcode: '16.1'   }
          - { image: macos-14, xcode: '14.1'   }
          - { image: macos-14, xcode: '14.2'   }
          - { image: macos-14, xcode: '14.3.1' }
          - { image: macos-14, xcode: '16.0'   }
          - { image: macos-14, xcode: '16.1'   }
          - { image: macos-15, xcode: '14.1'   }
          - { image: macos-15, xcode: '14.2'   }
          - { image: macos-15, xcode: '14.3.1' }
          - { image: macos-15, xcode: '15.0.1' }
          - { image: macos-15, xcode: '15.1'   }
          - { image: macos-15, xcode: '15.2'   }
          - { image: macos-15, xcode: '15.3'   }
          - { image: macos-15, xcode: '15.4'   }
          - { image: macos-13, compiler: 'llvm@18' }
          - { image: macos-14, compiler: 'llvm@18' }
          - { image: macos-15, compiler: 'llvm@15' }
          # Reduce build combinations, by dropping less interesting ones
          - { compiler: gcc-12, config: SecureTransport }
          - { compiler: gcc-13, build: cmake }
          - { compiler: gcc-13, image: macos-13 }
          - { compiler: gcc-14, config: SecureTransport }
    steps:
      - name: 'install autotools'
        if: ${{ matrix.build == 'autotools' }}
        run: |
          echo automake libtool | xargs -Ix -n1 echo brew '"x"' > /tmp/Brewfile
          while [[ $? == 0 ]]; do for i in 1 2 3; do brew update && brew bundle install --no-lock --file /tmp/Brewfile && break 2 || { echo Error: wait to try again; sleep 10; } done; false Too many retries; done

      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4

      - name: 'toolchain versions'
        run: |
          [[ '${{ matrix.compiler }}' = 'llvm'* ]] && CC="$(brew --prefix ${{ matrix.compiler }})/bin/clang"
          [[ '${{ matrix.compiler }}' = 'gcc'* ]] && \
            grep -h -r -E -o '.+[0-9.]+\.sdk/' "$(dirname "$("${CC}" -print-libgcc-file-name)")/include-fixed" | sed -E 's/^\t+//g' | tr -d '"' | sort -u || true
          which "${CC}"; "${CC}" --version || true
          xcodebuild -version || true
          xcrun --sdk macosx --show-sdk-path 2>/dev/null || true
          xcrun --sdk macosx --show-sdk-version || true
          echo '::group::macros predefined'; "${CC}" -dM -E - < /dev/null | sort || true; echo '::endgroup::'
          echo '::group::brew packages preinstalled'; ls -l "$(brew --prefix)/opt"; echo '::endgroup::'

      - name: 'autoreconf'
        if: ${{ matrix.build == 'autotools' }}
        run: autoreconf -fi

      - name: 'configure / ${{ matrix.build }}'
        run: |
          if [[ '${{ matrix.compiler }}' = 'llvm'* ]]; then
            CC="$(brew --prefix ${{ matrix.compiler }})/bin/clang"
            CC+=" --sysroot=$(xcrun --sdk macosx --show-sdk-path 2>/dev/null)"
            CC+=" --target=$(uname -m)-apple-darwin"
          fi

          # gcc ships with an `include-fixed` header set, which overrides SDK
          # headers with the intent of making them compatible with gcc. The
          # source for these headers is:
          #   https://github.com/gcc-mirror/gcc/tree/master/fixincludes
          # with extra Apple-specific patches applied from here for Homebrew:
          #   https://github.com/iains/gcc-12-branch
          #
          # They pass through a generator phase at build-time which seems to
          # pick the SDK installed on the build machine (maintained by the
          # Homebrew project in our case) and patches it according to a set
          # of rules in `inclhack.def`.
          #
          # Homebrew builds and ships different binaries for different macOS
          # versions and CPUs, built on machines using the same OS version as
          # the target one. Each of these machines have a particular version
          # of Apple CommandLineTools with a default SDK version installed with
          # them.
          #
          # Then this binary gets installed onto the end-user machine,
          # matching the OS version at the time of installation.
          #
          # The problem with this approach is that the SDK version picked up
          # at gcc build-time has a high chance of being or becoming out of
          # sync with actual SDK installed on the end-user machine. This
          # can happen after upgrading the OS, Xcode, selecting an SDK version
          # manually, or other reasons.
          #
          # When the SDK versions do not match, the gcc hacks, instead of
          # improving compatibility the SDK, are actively _breaking_
          # compatibility, in an unexpected, hard to diagnose way.
          #
          # The SDK version used for gcc-hacks is not advertised. We can
          # extract the major SDK version from the generated gcc-hack header
          # files, assuming someone knows what to look for and where.
          #
          # Basically it also means that the same `gcc-N` Homebrew package
          # behaves differently depending on the OS it was built on. Causing
          # an explosion of build combination. It may also mean that a minor
          # gcc version bump is built against a different SDK version, and due
          # to the extra patch for the hack applied by Homebrew, there may
          # be extra changes as well.
          #
          # For GHA runners, it means that the default Xcode + OS combo have
          # and SDK mismatch in 8 out of 12 combinations (66%). All fail to
          # build, plus one more with matching SDK. This is 9 in total (75%)
          # that fail to build out of the box. These are the 3 lucky default
          # combinations that worked to build curl:
          #   macos-14 + Xcode 15.0.1 + gcc-12, gcc-14
          #
          # Of all possible valid GHA runner, gcc, manually selected Xcode
          # combinations, 40% are broken.
          #
          # Compared to mainline llvm: llvm ships the same binaries regardless
          # of build-OS or environment, it contains no SDK-version-specific
          # hacks, and has no 3rd party patches. This still leaves some
          # occasional issues, but works much closer to expectations.
          #
          # Some of these hacks are helpful, in particular for fixing this
          # issue via math.h:
          #   /Applications/Xcode_14.3.1.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/usr/include/math.h:53:5: error: #error "Unsupported value of
          #      53 | #   error "Unsupported value of __FLT_EVAL_METHOD__."
          #
          # Errors seen in available CI combinations:
          #   error: two or more data types in declaration specifiers # fatal error: AvailabilityInternalLegacy.h: No such file or directory
          #     gcc-13 + macos-14 + Xcode 14.3.1
          #   error: two or more data types in declaration specifiers
          #     gcc-13 + macos-12 + Xcode 14.1, 14.2
          #     gcc-13 + Xcode 15.0.1, 15.1, 5.2
          #   error: expected ';' before 'extern'
          #     gcc-12, gcc-14 + macos-12 + Xcode 14.1, 14.2
          #   error: unknown type name 'dispatch_queue_t'
          #     gcc-12 + macos-13 + Xcode 15.0.1, 15.1, 15.2
          #   error: type defaults to 'int' in declaration of 'DISPATCH_DECL_FACTORY_CLASS_SWIFT' [-Wimplicit-int]
          #     gcc-14 macos-13 Xcode 15.0.1, 15.1, 15.2
          #   error: unknown type name 'FILE'
          #     Xcode 16.0
          #
          # Unbreak Homebrew gcc builds by moving problematic SDK header overlay
          # directories/files out of the way:
          if [[ '${{ matrix.compiler }}' = 'gcc'* ]]; then
            # E.g.:
            #   $(brew --prefix)/Cellar/gcc@11/11.4.0/lib/gcc/11/gcc/aarch64-apple-darwin23/11/include-fixed
            #   $(brew --prefix)/Cellar/gcc@11/11.4.0/lib/gcc/11/gcc/x86_64-apple-darwin21/11/include-fixed
            #   $(brew --prefix)/Cellar/gcc/14.1.0_1/lib/gcc/14/gcc/x86_64-apple-darwin21/14/include-fixed
            libgccdir="$(dirname "$("${CC}" -print-libgcc-file-name)")"
            echo '::group::gcc include-fixed details'; find "${libgccdir}/include-fixed" | sort; echo '::endgroup::'
            patch_out='dispatch os AvailabilityInternal.h'
            patch_out+=' stdio.h'  # for Xcode 16 error: unknown type name 'FILE'
            for f in ${patch_out}; do
              if [ -r "${libgccdir}/include-fixed/${f}" ]; then
                echo "Zap gcc hack: '${libgccdir}/include-fixed/${f}'"
                mv "${libgccdir}/include-fixed/${f}" "${libgccdir}/include-fixed/${f}-BAK"
              fi
            done
          fi

          if [ '${{ matrix.build }}' = 'autotools' ]; then
            export CFLAGS
            if [[ '${{ matrix.compiler }}' = 'llvm'* ]]; then
              options+=" --target=$(uname -m)-apple-darwin"
            fi
            if [ '${{ matrix.compiler }}' != 'clang' ]; then
              options+=" --with-sysroot=$(xcrun --sdk macosx --show-sdk-path 2>/dev/null)"
              CFLAGS+=" --sysroot=$(xcrun --sdk macosx --show-sdk-path 2>/dev/null)"
            fi
            [ '${{ matrix.config }}' = 'OpenSSL' ]         && options+=" --with-openssl=$(brew --prefix openssl)"
            [ '${{ matrix.config }}' = 'SecureTransport' ] && options+=' --with-secure-transport'
            CFLAGS+=' -mmacosx-version-min=${{ matrix.macos-version-min }}'
            # would pick up nghttp2, libidn2, but libssh2 is disabled by default
            mkdir bld && cd bld && ../configure --enable-unity --enable-test-bundles --enable-warnings --enable-werror \
              --disable-dependency-tracking \
              --disable-docs --disable-manual \
              --without-nghttp2 --without-libidn2 \
              --without-libpsl \
              ${options}
          else
            [ '${{ matrix.config }}' = 'OpenSSL' ]         && options+=' -DCURL_USE_OPENSSL=ON'
            [ '${{ matrix.config }}' = 'SecureTransport' ] && options+=' -DCURL_USE_SECTRANSP=ON'
            # would pick up nghttp2, libidn2, and libssh2
            cmake -B bld -DCMAKE_UNITY_BUILD=ON -DCURL_TEST_BUNDLES=ON -DCURL_WERROR=ON \
              -DCMAKE_OSX_DEPLOYMENT_TARGET=${{ matrix.macos-version-min }} \
              "-DCMAKE_OSX_SYSROOT=$(xcrun --sdk macosx --show-sdk-path 2>/dev/null)" \
              "-DCMAKE_C_COMPILER_TARGET=$(uname -m | sed 's/arm64/aarch64/')-apple-darwin$(uname -r)" \
              "-DCMAKE_IGNORE_PREFIX_PATH=$(brew --prefix)" \
              -DBUILD_LIBCURL_DOCS=OFF -DBUILD_MISC_DOCS=OFF -DENABLE_CURL_MANUAL=OFF \
              -DUSE_NGHTTP2=OFF -DUSE_LIBIDN2=OFF \
              -DCURL_USE_LIBPSL=OFF -DCURL_USE_LIBSSH2=OFF \
              ${options}
          fi

      - name: 'configure log'
        if: ${{ !cancelled() }}
        run: cat bld/config.log bld/CMakeFiles/CMakeConfigureLog.yaml 2>/dev/null || true

      - name: 'curl_config.h'
        run: |
          echo '::group::raw'; cat bld/lib/curl_config.h || true; echo '::endgroup::'
          cat bld/lib/curl_config.h | grep -F '#define' | sort || true

      - name: 'build / ${{ matrix.build }}'
        run: make -C bld V=1 VERBOSE=1

      - name: 'curl version'
        run: bld/src/curl --disable --version