Skip to content

Fix CI: harden OpenSSL download and move it before MSBuild#18

Merged
mzagozda merged 2 commits intomainfrom
copilot/fix-github-actions-job-failure
Mar 27, 2026
Merged

Fix CI: harden OpenSSL download and move it before MSBuild#18
mzagozda merged 2 commits intomainfrom
copilot/fix-github-actions-job-failure

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Mar 27, 2026
edited
Loading

The build job was failing after a successful MSBuild because the Download OpenSSL Libraries step ran after the build and used a bare Invoke-WebRequest with no validation — if the URL returned HTML (redirect/rate-limit/404), Expand-Archive would silently consume the HTML and exit 1, printing raw GitHub HTML/CSS/JSON to the log.

Changes

Step reorder

  • Moved Download OpenSSL Libraries to run before Build Solution, so libs are available during the link phase.

Hardened download logic

  • shell: pwsh + $ErrorActionPreference = 'Stop' — any cmdlet failure immediately aborts the step.
  • -MaximumRedirection 10 -PassThru — follows redirects and captures the HTTP response for inspection.
  • Prints HTTP status code, Content-Type header, and downloaded file size on every run for diagnostics.
  • Validates ZIP magic bytes (PK / 0x50 0x4B) before extraction; on mismatch, prints the first bytes and first 20 lines of the file and throws an actionable error:
$bytes = Get-Content -Path $opensslZip -Encoding Byte -TotalCount 2
if ($bytes[0] -ne 0x50 -or $bytes[1] -ne 0x4B) {
  Write-Host "First bytes: $('{0:X2} {1:X2}' -f $bytes[0], $bytes[1])"
  Write-Host "File head (as text):"
  Get-Content -Path $opensslZip -TotalCount 20 | ForEach-Object { $_ }
  throw "OpenSSL download is not a ZIP (likely received HTML). URL may have changed or requires different source."
}
  • Uses $env:RUNNER_TEMP as the download location instead of the workspace root.
Original prompt

Fix failing GitHub Actions job in workflow .github/workflows/build-installer.yml (run 23660136284, job 68927890948 at ref a331a8c).

Observed behavior:

  • MSBuild reports Build succeeded. 0 Error(s).
  • Job fails immediately after with exit code 1 while printing raw GitHub HTML/CSS/JSON into the logs (suggesting a download step received HTML rather than a ZIP artifact).

Root cause candidate:

  • The workflow downloads OpenSSL via Invoke-WebRequest from a GitHub raw/master URL and then extracts it. If the URL redirects/404s/rate-limits, the downloaded file can be HTML and subsequent steps fail.

Required changes:

  1. Update .github/workflows/build-installer.yml to make the OpenSSL download step robust:

    • Use shell: pwsh.
    • Set $ErrorActionPreference = 'Stop'.
    • Use Invoke-WebRequest with -MaximumRedirection 10 and -PassThru to capture status.
    • Print HTTP status code, content-type header, and downloaded file size.
    • Validate the downloaded file is a ZIP by checking the first two bytes are PK (0x50 0x4B). If not, print a short file head and fail with a clear error.
    • Extract to utils as before.

  2. Reorder steps so the OpenSSL download occurs before the MSBuild step (since build/link may depend on the libs).

  3. Keep the rest of the workflow behavior intact.

Acceptance criteria:

  • Workflow no longer fails due to HTML being extracted as ZIP.
  • If the OpenSSL URL is invalid, the job fails with an explicit, actionable error message that includes status/content-type and confirms the artifact was not a ZIP.

Files to change:

  • .github/workflows/build-installer.yml

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: Please find a solution for this failing job. Use the logs, job definition, and any referenced files where the failure occurred. Keep your response focused on the solution and include code suggestions when appropriate.

Assistant: The build itself is not failing—MSBuild reports “Build succeeded. 0 Error(s)”—but the job fails immediately afterward with exit code 1 while printing what looks like raw GitHub HTML/CSS/JSON into the logs (e.g. :root { --tab-size-preference: 4; } ... {"locale":"en","featureFlags":...}). That pattern almost always means a later step is trying to download or parse something and is instead receiving an HTML page (often a redirect/auth page/404) and then the script treats it as an error.

In your workflow (.github/workflows/build-installer.yml at ref a331a8cb47203cebd4d639c649b7e473ee29803c), the most likely culprit is the “Download OpenSSL Libraries” step (lines 35–40), because it fetches a URL from GitHub and then unzips it:

  • Invoke-WebRequest -Uri "https://github.com/IndySockets/OpenSSL-Binaries/raw/master/Archive/openssl-1.0.2u-x64_86-win64.zip" -OutFile openssl.zip
  • Expand-Archive -Path openssl.zip -DestinationPath "utils" -Force

If that URL returns HTML (rate limiting, moved file, blocked TLS/cipher mismatch, etc.), Expand-Archive (or a later consumer) will fail and the step ends with exit code 1.

Fix (recommended): download from a stable “release asset” URL + validate it’s really a ZIP

Replace the “Download OpenSSL Libraries” step with a more robust version that:

  1. uses a stable direct URL (or at least follows redirects explicitly),
  2. fails fast if the content isn’t a ZIP,
  3. prints HTTP status/content-type for debugging.

Example replacement:

- name: Download OpenSSL Libraries
  shell: pwsh
  run: |
    $ErrorActionPreference = "Stop"

    $opensslZip = Join-Path $env:RUNNER_TEMP "openssl.zip"
    $uri = "https://github.com/IndySockets/OpenSSL-Binaries/raw/master/Archive/openssl-1.0.2u-x64_86-win64.zip"

    # Download
    $resp = Invoke-WebRequest -Uri $uri -OutFile $opensslZip -MaximumRedirection 10 -PassThru
    Write-Host "HTTP status: $($resp.StatusCode)"
    Write-Host "Content-Type: $($resp.Headers.'Content-Type')"
    Write-Host "Downloaded bytes: $((Get-Item $opensslZip).Length)"

    # Validate: ZIP files start with 'PK' (0x50 0x4B)
    $bytes = Get-Content -Path $opensslZip -Encoding Byte -TotalCount 2
    if ($bytes[0] -ne 0x50 -or $bytes[1] -ne 0x4B) {
      Write-Host "First bytes: $('{0:X2} {1:X2}' -f $bytes[0], $bytes[1])"
      Write-Host "File head (as text):"
      Get-Content -Path $opensslZip -TotalCount 20 | ForEach-Object { $_ }
      throw "OpenSSL download is not a ZIP (likely received HTML). URL may have changed or requires different source."
    }

    Expand-Archive -Path $opensslZip -DestinationPath "utils" -Force

If the URL is no longer valid, switch to a maintained OpenSSL binary source (preferred: a tagged release asset you control or a known vendor URL). The key is: don’t rely on a mutable raw master path.

Fix (also important): do the OpenSSL download before building if the build consumes it

Right now, you build first (step “Bu...

This pull request was created from Copilot chat.

📍 Connect Copilot coding agent with Jira, Azure Boards or Linear to delegate work to Copilot in one click without leaving your project management tool.

@mzagozda mzagozda marked this pull request as ready for review March 27, 2026 21:22
Copilot AI changed the title [WIP] Fix failing GitHub Actions job in workflow build-installer.yml Fix CI: harden OpenSSL download and move it before MSBuild Mar 27, 2026
Copilot AI requested a review from mzagozda March 27, 2026 21:23
@mzagozda mzagozda merged commit a2a3a63 into main Mar 27, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mzagozda mzagozda Awaiting requested review from mzagozda

Assignees

@mzagozda mzagozda

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mzagozda