Windows wheels: init submodules in pre-build script with OpenSSL#18262
Windows wheels: init submodules in pre-build script with OpenSSL#18262manuelcandales merged 2 commits intomainfrom
Conversation
The previous fix (setting sslBackend in pre_build_script.sh) only applied to nested tokenizer submodules. The top-level submodule checkout still used schannel via the reusable workflow's `submodules: true`, causing SEC_E_ILLEGAL_MESSAGE errors when cloning from git.gitlab.arm.com. Move all submodule initialization into the pre-build script where we can control the SSL backend, and disable submodule checkout in the workflow.
🔗 Helpful Links🧪 See artifacts and rendered test results at hud.pytorch.org/pr/pytorch/executorch/18262
Note: Links to docs will display an error until the docs builds have been completed. ❌ 6 New Failures, 4 Cancelled Jobs, 3 Unrelated FailuresAs of commit 77989a2 with merge base 94e9ca6 ( NEW FAILURES - The following jobs have failed:
CANCELLED JOBS - The following jobs were cancelled. Please retry:
BROKEN TRUNK - The following jobs failed but were present on the merge base:👉 Rebase onto the `viable/strict` branch to avoid these failures
This comment was automatically generated by Dr. CI and updates every 15 minutes. |
meta-cla
bot
added
the
CLA Signed
manuelcandales
added
ciflow/binaries
ciflow/binaries/all
There was a problem hiding this comment.
Pull request overview
Updates the Windows wheel build workflow to avoid Git TLS failures on Windows (schannel SEC_E_ILLEGAL_MESSAGE) when initializing submodules hosted outside GitHub, by moving submodule initialization into the pre-build script where the SSL backend can be controlled.
Changes:
- Disable submodule checkout in the Windows wheels reusable workflow invocation.
- Initialize top-level submodules in
pre_build_script.sh, usinghttp.sslBackend=opensslon Windows. - Keep the existing tokenizers nested-submodule initialization workaround (path-length related), now after top-level init.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/build-wheels-windows.yml | Disables checkout-time submodules and documents that submodules are initialized in the pre-build script. |
| .ci/scripts/wheel/pre_build_script.sh | Adds top-level submodule init with OpenSSL on Windows; retains nested tokenizers submodule init. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
You can also share your feedback on Copilot code review. Take the survey.
manuelcandales
added
the
release notes: none
Move submodule initialization above the aarch64 sed workaround so the file it edits is guaranteed to exist even if the caller disables submodule checkout. Also remove the redundant UNAME_S assignment later in the script.
There was a problem hiding this comment.
Pull request overview
Adjusts the Windows wheel CI pipeline to avoid schannel-related TLS failures when cloning submodules from non-GitHub hosts by moving all submodule initialization into the pre-build script (where the SSL backend can be forced to OpenSSL).
Changes:
- Disable submodule checkout in the Windows wheels reusable workflow invocation.
- Initialize top-level submodules in
pre_build_script.sh, usinghttp.sslBackend=opensslon Windows. - Minor refactor/reordering in
pre_build_script.shto support the new initialization flow.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
.github/workflows/build-wheels-windows.yml |
Disables submodule checkout and documents that submodules are initialized in the pre-build script; adds a 120-minute timeout input. |
.ci/scripts/wheel/pre_build_script.sh |
Adds top-level submodule initialization (OpenSSL on Windows), keeps tokenizers’ nested submodule init, and reorders the aarch64 atomic workaround accordingly. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
You can also share your feedback on Copilot code review. Take the survey.
| popd | ||
|
|
||
| if [[ "$(uname -m)" == "aarch64" ]]; then | ||
| # On some Linux aarch64 systems, the "atomic" library is not found during linking. |
There was a problem hiding this comment.
what is this? Is this part of this PR or accidently inclusion?
There was a problem hiding this comment.
This was already here, I moved the submodule initialization above the aarch64 sed
digantdesai
left a comment
digantdesai
left a comment
There was a problem hiding this comment.
Stamping to unblock you.
manuelcandales
force-pushed
the
manuel/build-windows-wheels-fix-2
branch
from
8033f32 to
77989a2
Compare
|
@pytorchbot cherry-pick --onto release/1.2 -c critical |
) The previous fix (setting sslBackend in pre_build_script.sh) only applied to nested tokenizer submodules. The top-level submodule checkout still used schannel via the reusable workflow's `submodules: true`, causing SEC_E_ILLEGAL_MESSAGE errors when cloning from git.gitlab.arm.com. Move all submodule initialization into the pre-build script where we can control the SSL backend, and disable submodule checkout in the workflow. (cherry picked from commit 1cbc24c)
Cherry picking #18262The cherry pick PR is at #18378 and it is recommended to link a critical cherry pick PR with an issue. The following tracker issues are updated: Details for Dev Infra teamRaised by workflow job |
The previous fix (setting sslBackend in pre_build_script.sh) only applied to nested tokenizer submodules. The top-level submodule checkout still used schannel via the reusable workflow's
submodules: true, causing SEC_E_ILLEGAL_MESSAGE errors when cloning from git.gitlab.arm.com.Move all submodule initialization into the pre-build script where we can control the SSL backend, and disable submodule checkout in the workflow.