Allow using system trusted store by PREK_NATIVE_TLS #959

Merged: j178 merged 6 commits into j178:master from st1971:feat/tls-trust on Oct 25, 2025

Conversation

st1971 (Contributor) commented Oct 24, 2025

Update the reqwest cargo import to add the feature rustls-tls-native-roots; this allows prek to work in an environment where additional system-level trusted certificates are required. The feature rustls-tls-native-roots respects the SSL_CERT_FILE env var.

Verified on macOS / Linux only.

update reqwest cargo import to add feature rustls-tls-native-roots

Signed-off-by: Steven Taylor <steven@taylormuff.co.uk>
codecov bot commented Oct 24, 2025

Codecov Report

❌ Patch coverage is 85.86957% with 13 lines in your changes missing coverage. Please review.
✅ Project coverage is 90.10%. Comparing base (c2f0468) to head (4e88411).
⚠️ Report is 3 commits behind head on master.

Files with missing lines Patch % Lines
src/languages/mod.rs 83.07% 11 Missing ⚠️
src/languages/python/uv.rs 90.90% 2 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master     #959      +/-   ##
==========================================
- Coverage   90.15%   90.10%   -0.06%     
==========================================
  Files          66       66              
  Lines       12244    12289      +45     
==========================================
+ Hits        11039    11073      +34     
- Misses       1205     1216      +11     


github-actions bot (Contributor) commented Oct 24, 2025

📦 Cargo Bloat Comparison

Binary size change: +0.62% (16.1 MiB → 16.2 MiB)


j178 added the "enhancement" label (New feature or request) on Oct 24, 2025

j178 (Owner) commented Oct 24, 2025

I noticed that in uv, you have to pass the --native-tls flag to enable native TLS roots, because "reading the native certificates can add hundreds of milliseconds to client initialization." For performance reasons, should we maybe make this opt-in too? Check out astral-sh/uv#2362

use native tls if environment variable SSL_CERT_FILE is populated and
the file exists or the environment variable PREK_NATIVE_TLS exists and
is set to true

Signed-off-by: Steven Taylor <steven@taylormuff.co.uk>
Signed-off-by: Steven Taylor <steven@taylormuff.co.uk>
st1971 (Contributor, Author) commented Oct 24, 2025

The PR that was highlighted is no longer used in uv; however, I looked at the uv code and have used a similar method to what is currently in use. If SSL_CERT_FILE is set to a file that exists or PREK_NATIVE_TLS is set to true, then the system TLS trust store will be used; if these are not set it will fall back to webpki-roots.

The change has dropped the test coverage level; however, to put some meaningful tests on this change we would need to update the environment table during testing, which would require making the tests single-threaded.
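The selection rule described in the comment above (SSL_CERT_FILE naming an existing file, or PREK_NATIVE_TLS set to true, selects the native store; otherwise webpki-roots), written as an added example that is not prek's own code. The env-var values and the file-existence probe are passed in rather than read inside the function, which is what lets it be unit-tested without mutating the process environment; the enum, function names and the trimmed, case-insensitive match on "true" are assumptions.

```rust
use std::path::Path;

/// Which root store the HTTP client should trust. Constructed for this example;
/// prek's own types are not shown on the page.
#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum TlsRoots {
    /// Platform trust store (rustls-tls-native-roots), which honours SSL_CERT_FILE.
    Native,
    /// Bundled Mozilla roots (webpki-roots), the default.
    Webpki,
}

/// Pure decision function: takes the already-read variable values and an
/// existence probe, so tests never touch the real environment table.
pub fn select_tls_roots(
    ssl_cert_file: Option<&str>,
    prek_native_tls: Option<&str>,
    exists: impl Fn(&Path) -> bool,
) -> TlsRoots {
    // PREK_NATIVE_TLS=true forces the native store. Trimming and ignoring case
    // is an assumption of this example, not something the PR text specifies.
    let forced = prek_native_tls
        .map(|v| v.trim().eq_ignore_ascii_case("true"))
        .unwrap_or(false);
    // SSL_CERT_FILE only counts when it names a file that actually exists; a
    // dangling path silently falls back to webpki-roots, so a misconfigured
    // corporate CA path will not be noticed here.
    let cert_file_ok = ssl_cert_file
        .map(|p| !p.is_empty() && exists(Path::new(p)))
        .unwrap_or(false);
    if forced || cert_file_ok {
        TlsRoots::Native
    } else {
        TlsRoots::Webpki
    }
}

/// Thin wrapper that reads the real environment; all the logic stays in the
/// testable function above.
pub fn select_tls_roots_from_env() -> TlsRoots {
    let ssl = std::env::var("SSL_CERT_FILE").ok();
    let native = std::env::var("PREK_NATIVE_TLS").ok();
    select_tls_roots(ssl.as_deref(), native.as_deref(), |p| p.is_file())
}
```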

j178 (Owner) commented Oct 24, 2025

put some meaningful tests on this change we would need to update the environment table during testing which would require making the test single threaded

Since we call prek in a subprocess during integration tests, I assume it's safe to use subprocess-specific environment variables here?

Could you also document the new environment variables in docs/configuration.md?

st1971 (Contributor, Author) commented Oct 25, 2025

Sorry, struggling a little with this. To be honest, this change should be covered using unit tests, as we should really be testing that the returned client can access an HTTPS endpoint when configured in different ways, which is only possible if the unit tests are single-threaded, as the mutation of the environment table is not safe. Could do some stuff with extra locks if the EnvVars type was in the same scope as the main binary code.

Testing this within integration tests, I am not really sure how to make this work; within the integration tests I cannot construct a reqwest client instance, so I would have to set up multiple language tests just to trigger downloads, which seems somewhat excessive.

What I could do is move the reqwest client creation and resource downloading code into a lib, in the same way EnvVars is; in this way it can be tested independently of the rest of the code.

Thoughts?

j178 changed the title from "Allow reqwest to use system tls" to "Allow using system trusted store by PREK_NATIVE_TLS" on Oct 25, 2025

j178 (Owner) commented Oct 25, 2025

I extracted the env var reading from get_reqwest_client, so now we can create a native TLS client without messing with the process env table. I also added a basic test just to make sure the native TLS client actually works.

And I took the opportunity to do a bit more refactoring by making the client a global shared instance - hope that makes sense.

st1971 (Contributor, Author) commented Oct 25, 2025

Nice, I had been messing about moving the client / download_and_extract to a lib, which also works well from a test perspective, but yours is cleaner. If you're happy with it then I am.

It's really hard to get reqwest to error even when you want it to!

j178 merged commit 7161581 into j178:master on Oct 25, 2025
21 checks passed
st1971 deleted the feat/tls-trust branch on October 26, 2025 07:17
j178 added a commit that referenced this pull request Oct 28, 2025
* Do not check for `script` subprocess status (#964)

* Update README

* Allow using system trusted store by `PREK_NATIVE_TLS` (#959)

* Fix compatibility with older luarocks (#967)

* support isolated hook environments for `language: deno`

- Implement Deno language handler with dependency isolation
- Support npm packages via `additional_dependencies`
- Add 8 tests covering basic usage, dependencies, and error cases
- example config showing deno fmt, lint, and npm eslint hook usage

* support Deno auto installation

Implement full-fledged Deno language support with automatic version management,
mirroring the installation patterns used for Node.js and Go.

- **installer.rs**: New DenoInstaller that downloads and installs Deno versions
  - Downloads from GitHub releases (https://github.com/denoland/deno/releases)
  - Searches installed versions in $PREK_HOME/tools/deno
  - Falls back to system Deno if version matches
  - Supports all platforms: Linux, macOS, Windows (x86_64, aarch64)
  - Uses file locking to prevent concurrent installations
  - Implements proper binary extraction and permission setup

- **version.rs**: New DenoVersion and DenoRequest types
  - Supports version specifications: exact (1.40.0), major (1), major.minor (1.40)
  - Supports semver ranges: ">= 1.40, < 1.50"
  - Handles "deno", "deno@version", "latest", "system" formats
  - Supports local path specifications
  - Comprehensive unit tests for version parsing

- **deno.rs**: Updated to use DenoInstaller
  - Removed manual system-only detection
  - Integrated with DenoInstaller for automatic downloads
  - Simplified installation flow
  - Proper health checks with version validation

* Update language support status (#970)

* Update language support status

* Tweak

* Fix DenoRequest parsing

* Generate cli reference

* Fail windows CI when an error occurred (#971)

* Fail windows CI when an error occurred

* Fix tests

* Use global client

* delete outdated test, deno auto-installs after 2nd commit

addresses #968 (comment)

* refactor(deno): symlink deno executable into hook bin dir and use PATH resolution

- Create bin/ directory in hook environment with symlinked deno executable
- Prepend bin/ to PATH during install and run, matching Node implementation
- Use entry.resolve() to find commands in PATH instead of manual replacement
- Enables shell scripts to call `deno` directly with correct isolated version
- add test verifying deno is available in PATH for shell scripts

addresses #968 (comment)

* refactor(deno): simplify install logic and add dependency caching

- Simplify find_script_to_cache() using functional approach
- Fix is_cacheable_script() to only match JS/TS files (prevents caching shell scripts)
- Add support for .mjs, .tsx, .jsx extensions
- Extract deno_bin variable to reduce duplication
- Consolidate PATH setup to single location
- Simplify deno.json creation logic
- Add deno cache call during install for offline hook execution

---------

Co-authored-by: Jo <10510431+j178@users.noreply.github.com>
Co-authored-by: Steven Taylor <steven@taylormuff.co.uk>
feliblo pushed a commit to feliblo/prek that referenced this pull request Oct 29, 2025