mozilla · larseggert · May 20, 2026 · May 20, 2026
@@ -0,0 +1,116 @@
+name: Vendor into Firefox
+
+on:
+  pull_request:
+  merge_group:
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+defaults:
+  run:
+    shell: bash
+
+env:
+  CARGO_TERM_COLOR: always
+
+jobs:
+  vendor:
+    name: Vendor into Gecko
+    runs-on: ubuntu-24.04
+
+    steps:
+      - name: Check out nss-rs
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          path: nss-rs
+          persist-credentials: false
+
+      - name: Check out Gecko
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          repository: mozilla-firefox/firefox
+          path: firefox
+          ref: main
+          fetch-depth: 1
+          persist-credentials: false
+
+      - name: Vendor nss-rs into Gecko
+        working-directory: firefox
+        run: |
+          {
+            echo "mk_add_options MOZ_OBJDIR=../obj-firefox"
+            echo "ac_add_options --enable-application=browser"
+            echo "ac_add_options --disable-tests"
+            echo "ac_add_options --enable-release"
+          } > mozconfig
+
+          version=$(cargo metadata --manifest-path ../nss-rs/Cargo.toml --format-version 1 --no-deps \
+            | jq -r '.packages[] | select(.name == "nss-rs") | .version')
+
+          # Redirect the nss-rs patch to our local checkout.
+          # The section may or may not exist in Gecko's Cargo.toml.
+          python3 - <<'PYEOF'
+          import re, pathlib
+
+          p = pathlib.Path('Cargo.toml')
+          text = p.read_text()
+          hdr = '[patch."https://github.com/mozilla/nss-rs"]'
+          new = 'nss-rs = { path = "../nss-rs" }'
+          if hdr not in text:
+              text += f'\n{hdr}\n'
+          m = re.search(re.escape(hdr) + r'\n((?:(?!\[).*\n)*)', text)
+          body, n = re.subn(r'(?m)^nss-rs\s*=.*', new, m.group(1))
+          if not n:
+              body = new + '\n' + body
+          p.write_text(text[:m.start(1)] + body + text[m.end(1):])
+          PYEOF
+
+          # Full re-resolve: a targeted `cargo update nss-rs` would keep the
+          # stale v0.9.0 lock entry (path-dep entries carry no source field,
+          # so cargo can't match the old entry to the changed [patch] path).
+          cargo update
+
+          {
+            echo "[[audits.nss-rs]]"
+            echo 'who = "CI"'
+            echo 'criteria = "safe-to-deploy"'
+            echo "version = \"$version\""
+            echo 'notes = "Placeholder created by CI."'
+            echo ""
+          } >> supply-chain/audits.toml
+
+          # Hide .git to prevent mach from running git operations
+          mv .git .git.bak
+          trap 'mv .git.bak .git' EXIT
+
+          if ./mach vendor rust --ignore-modified 2>&1 | tee vendor.log; then
+            echo "Vendoring succeeded"
+            exit 0
+          fi
+
+          if [ ! -s vendor.log ]; then
+            echo "::error::Vendoring failed with no output"
+            exit 1
+          fi
+
+          if grep -qE "Vet error|Missing audit for" vendor.log; then
+            FAILING_CRATES=$(grep -oE '[a-zA-Z_][a-zA-Z0-9_-]*:[0-9]+\.[0-9]+' vendor.log \
+              | cut -d: -f1 | sort -u) || true
+            if echo "$FAILING_CRATES" | grep -qxF "nss-rs"; then
+              echo "::error::Vet failure for nss-rs"
+              cat vendor.log
+              exit 1
+            fi
+            echo "::warning::Vet failures are unrelated to nss-rs, forcing"
+            ./mach vendor rust --ignore-modified --force
+          else
+            echo "::error::Vendoring failed for non-vet reasons:"
+            cat vendor.log
+            exit 1
+          fi
@@ -99,7 +99,7 @@ verbose_file_reads = "warn"
 
 [package]
 name = "nss-rs"
-version = "0.12.1"
+version = "0.12.2"
 authors = ["Martin Thomson <mt@lowentropy.net>", "Andy Leiserson <aleiserson@mozilla.com>", "John M. Schanck <jschanck@mozilla.com>", "Benjamin Beurdouche <beurdouche@mozilla.com>", "Anna Weine <anna.weine@mozilla.com>"]
 categories = ["network-programming", "web-programming"]
 keywords = ["nss", "crypto", "mozilla", "firefox"]

@@ -229,6 +229,10 @@ fn dynamic_link() {
     for lib in dynamic_libs {
         println!("cargo:rustc-link-lib=dylib={lib}");
     }
+    maybe_link_freebl3();
+}
+
+fn maybe_link_freebl3() {
     if env::var("CARGO_FEATURE_BLAPI").is_ok() {
         println!("cargo:rustc-link-lib=dylib=freebl3");
     }
@@ -445,8 +449,8 @@ fn pkg_config() -> Result<Vec<String>, Box<dyn Error>> {
             "blapi feature requires {freebl_lib} in the pkg-config \
              library paths. Set NSS_DIR to a standalone NSS source build."
         );
-        println!("cargo:rustc-link-lib=dylib=freebl3");
     }
+    maybe_link_freebl3();
 
     Ok(flags)
 }
@@ -510,11 +514,20 @@ fn setup_for_gecko() -> Vec<String> {
         println!("cargo:rustc-link-lib=dylib={}", lib);
     }
 
+    maybe_link_freebl3();
+
     if fold_libs {
         println!(
             "cargo:rustc-link-search=native={}",
             TOPOBJDIR.join("security").to_str().unwrap()
         );
+        if env::var("CARGO_FEATURE_BLAPI").is_ok() {
+            // freebl3 is not folded into nss3; it lives in dist/bin.
+            println!(
+                "cargo:rustc-link-search=native={}",
+                TOPOBJDIR.join("dist").join("bin").to_str().unwrap()
+            );
+        }
     } else {
         println!(
             "cargo:rustc-link-search=native={}",