fix: Link freebl3 when building for Gecko

[larseggert]

And add a Firefox vendoring CI workflow.

[github-actions]

The maybe_link_freebl3() extraction is a clean refactor that correctly centralizes the freebl3 linking logic and fills the gap in the setup_for_gecko path. Version bump to 0.12.2 is appropriate for this fix.

The new Firefox vendoring workflow is a solid CI addition — it catches integration issues early by exercising the actual Gecko vendoring flow. The concurrency, permissions, and persist-credentials: false settings are all consistent with the existing CI workflows.

One architectural concern flagged inline: when MOZ_FOLD_LIBS is true, the gecko link-search paths may not cover where freebl3 lives, so the blapi feature could fail to link in that configuration. Worth verifying against the actual Gecko build layout.

[Copilot]

Pull request overview

This PR updates nss-rs to correctly link freebl3 when the blapi feature is enabled in Gecko builds, and introduces a GitHub Actions workflow intended to validate vendoring into Firefox/Gecko.

Changes:

• Bump crate version to 0.12.2.
• Update build.rs to emit a freebl3 link directive when blapi is enabled (including in gecko builds).
• Add a Vendor into Firefox CI workflow that attempts to vendor the local checkout into a Gecko checkout.

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated 1 comment.

File	Description
Cargo.toml	Bumps nss-rs version to 0.12.2.
Cargo.lock	Updates lock entry for nss-rs to 0.12.2.
build.rs	Adds a shared helper to conditionally link freebl3 when blapi is enabled, including for Gecko builds.
.github/workflows/firefox.yml	Adds a workflow to test vendoring nss-rs into Gecko/Firefox.

Comments suppressed due to low confidence (2)

.github/workflows/firefox.yml:95

• The ./mach vendor rust ... | tee vendor.log pipeline is used as the condition of an if, but without set -o pipefail the exit status will be that of tee, so vendoring failures can be incorrectly treated as success and the job will exit 0. Ensure the workflow propagates the ./mach exit status (e.g., enable pipefail or explicitly check the pipeline status).

          if ./mach vendor rust --ignore-modified 2>&1 | tee vendor.log; then
            echo "Vendoring succeeded"
            exit 0
          fi

.github/workflows/firefox.yml:78

• cargo update without arguments updates the entire Gecko dependency graph, which can cause this vendoring check to fail for reasons unrelated to nss-rs (e.g., new upstream versions or additional vet requirements). Consider limiting the update to nss-rs (or regenerating the lockfile in a way that only reflects the local patch) so this workflow stays focused on validating the vendoring of this PR.

          cargo update

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

The maybe_link_freebl3() extraction is clean and correct—it centralizes the three call sites (dynamic, pkg-config, gecko) into a single function. The key fix in setup_for_gecko correctly adds both the freebl3 link directive and the dist/bin search path for the fold_libs case, where freebl3 is not folded into nss3. The non-fold_libs path already includes dist/bin unconditionally, so no additional search path is needed there.

The vendoring workflow is well-structured: pinned action SHAs, persist-credentials: false, minimal contents: read permissions, and sensible concurrency settings consistent with the existing CI. One architectural consideration: this runs on every pull_request, and the Firefox shallow clone is still non-trivial. If CI cost becomes a concern, restricting to merge_group + workflow_dispatch would keep the safety net while reducing per-PR overhead.

Version bump to 0.12.2 is appropriate for a build-script-only fix.

[github-actions]

The build.rs changes are correct and well-structured. maybe_link_freebl3() cleanly centralizes the three call sites. The gecko fix properly addresses both aspects of the problem: emitting the freebl3 link directive (via maybe_link_freebl3()) and adding the dist/bin search path when MOZ_FOLD_LIBS is active (where freebl3 is not folded into nss3 and the existing security/ search path wouldn't cover it). The non-fold_libs path already includes dist/bin unconditionally, so no additional search path is needed there.

The vendoring workflow is consistent with the existing CI conventions (pinned action SHAs, persist-credentials: false, contents: read permissions, concurrency settings). The switch from Python-based Cargo.lock manipulation to cargo update in the latest revision is a good simplification—it sidesteps the regex fragility issues raised in earlier review comments.

One architectural note on the cargo update approach: since it re-resolves the entire Gecko dependency graph, unrelated upstream version bumps could cause non-vet vendoring failures, which the error-handling logic (lines 102–116) doesn't recover from. This is a known tradeoff (the inline comment on lines 74–76 explains the cargo limitation), but it's worth keeping in mind if this job becomes flaky on merge_group. The existing inline review comments on robustness (assert guard for the regex match, empty FAILING_CRATES handling, timeout-minutes) are all still applicable and would improve reliability.

Version bump to 0.12.2 is appropriate for a build-script-only fix.