From 677b8ed413eb2b6fdf4876b251a778ce45ba18f3 Mon Sep 17 00:00:00 2001
From: Rudi Floren
Date: Thu, 21 May 2026 14:52:56 +0200
Subject: [PATCH 1/2] feat(core): add reqwest-rustls-no-provider-tls feature

Adds a new opt-in Cargo feature `reqwest-rustls-no-provider-tls` that maps to `reqwest/rustls-no-provider`. This lets downstream users enable rustls without forcing `aws-lc-rs` as the crypto provider, so they can install their own (e.g. `ring`). The existing `reqwest-rustls-tls` feature and the default feature set are unchanged, so this is purely additive.

Part of: #7571
---
 core/Cargo.toml | 1 +
 core/core/Cargo.toml | 5 +++++
 2 files changed, 6 insertions(+)
diff --git a/core/Cargo.toml b/core/Cargo.toml
index 5f4d4723d265..aa25cd44121a 100644
--- a/core/Cargo.toml
+++ b/core/Cargo.toml
@@ -119,6 +119,7 @@ layers-tail-cut = ["dep:opendal-layer-tail-cut"]
 layers-throttle = ["dep:opendal-layer-throttle"]
 layers-timeout = ["dep:opendal-layer-timeout"]
 layers-tracing = ["dep:opendal-layer-tracing"]
+reqwest-rustls-no-provider-tls = ["opendal-core/reqwest-rustls-no-provider-tls"]
 reqwest-rustls-tls = ["opendal-core/reqwest-rustls-tls"]
 services-aliyun-drive = ["dep:opendal-service-aliyun-drive"]
 services-alluxio = ["dep:opendal-service-alluxio"]
diff --git a/core/core/Cargo.toml b/core/core/Cargo.toml
index a543974a6893..881bfcba99ba 100644
--- a/core/core/Cargo.toml
+++ b/core/core/Cargo.toml
@@ -42,6 +42,11 @@ default = ["reqwest-rustls-tls", "executors-tokio"]
 # Enable reqwest rustls tls support.
 reqwest-rustls-tls = ["reqwest/rustls"]
 
+# Enable reqwest rustls tls support without selecting a crypto provider.
+# The downstream binary is responsible for installing a `rustls`
+# `CryptoProvider` (e.g. `ring` or `aws-lc-rs`) before issuing requests.
+reqwest-rustls-no-provider-tls = ["reqwest/rustls-no-provider"]
+
 # Enable opendal's blocking support.
 blocking = ["internal-tokio-rt"]
 
From 763991d104760bc39a430d865ca1159f01d8d43b Mon Sep 17 00:00:00 2001
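Review bot: The comment added above `reqwest-rustls-no-provider-tls` in core/core/Cargo.toml does not say that the feature only keeps `aws-lc-rs` out when default features are switched off. `default` (shown in the hunk header) still lists `reqwest-rustls-tls`, and Cargo features are additive, so a dependent that simply adds the new feature ends up with both enabled and presumably still gets the provider that `reqwest/rustls` selects. I would extend the comment with `# Requires default-features = false: enabling this next to reqwest-rustls-tls still pulls in the default provider.` The same caveat applies to the pass-through feature added in core/Cargo.toml. It would also help to state what a caller sees when no `CryptoProvider` has been installed, since that failure surfaces at runtime rather than at build time; the exact behaviour is not visible from this patch.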
From: Rudi Floren
Date: Thu, 21 May 2026 15:45:30 +0200
Subject: [PATCH 2/2] ci(core): guard aws-lc-rs absence under reqwest-rustls-no-provider-tls

The new feature exists specifically to keep `aws-lc-rs` out of the rustls crypto-provider slot so downstream crates can install their own provider (`ring`, etc.). That guarantee is a property of the dependency tree, not the source, so it can silently regress as transitive deps shift. Adds a job to `ci_core.yml` that runs `cargo tree` against `opendal` with the `services-gcs` and `reqwest-rustls-no-provider-tls` enabled and asserts no `aws-lc-rs` node. `--edges normal,build` mirrors what `cargo build` actually compiles (library deps + build scripts) and excludes workspace-only dev-deps that would otherwise trip false alarms.
---
 .github/workflows/ci_core.yml | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
diff --git a/.github/workflows/ci_core.yml b/.github/workflows/ci_core.yml
index 2cd06aaca981..23f9d53f7d46 100644
--- a/.github/workflows/ci_core.yml
+++ b/.github/workflows/ci_core.yml
@@ -92,6 +92,29 @@ jobs:
 working-directory: core
 run: cargo +${OPENDAL_MSRV} clippy -- -D warnings
 
+ check_tls_features:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v6
+ - name: Setup Rust toolchain
+ uses: ./.github/actions/setup
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ - name: Assert aws-lc-rs is absent under reqwest-rustls-no-provider-tls
+ working-directory: core
+ run: |
+ set -euo pipefail
+ tree=$(cargo tree -p opendal \
+ --no-default-features \
+ --features services-gcs,reqwest-rustls-no-provider-tls \
+ --edges normal,build \
+ --prefix none)
+ if echo "$tree" | grep -E '^aws-lc-rs( |$)' ; then
+ echo "::error::aws-lc-rs is reachable from opendal with only reqwest-rustls-no-provider-tls enabled"
+ echo "$tree"
+ exit 1
+ fi
+
 build_default_features:
 runs-on: ${{ matrix.os }}
 strategy:
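Review bot: The `cargo tree` call in the new `check_tls_features` job resolves dependencies for the runner's host platform only, so an `aws-lc-rs` edge that is target-specific (pulled in only on another OS or architecture) would still pass this guard on `ubuntu-latest`. Adding `--target all` to the invocation makes the assertion cover every platform the crate can be built for, which is what the commit message promises. The guard also exercises a single feature combination (`services-gcs`), so a short comment in the step saying why that service was chosen would tell the next maintainer whether other services need the same check. Separately, the job hands `secrets.GITHUB_TOKEN` to the setup action but declares no `permissions:` of its own; if the workflow does not already restrict them at the top level (not visible in this hunk), `permissions:` with `contents: read` on the job is enough for a read-only check.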