From 3ee4162866a3d94070177e5368a8f885a0049656 Mon Sep 17 00:00:00 2001
From: Andrii Tsok <andrii@tsok.org>
Date: Sun, 19 Apr 2026 16:50:55 +0000
Subject: [PATCH] fix(env-setup): connectivity smoke tolerates 4xx from
 anti-bot gates
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The Rust diagnostics probe was running
`curl -fsS -o /dev/null --max-time 5` against three hosts. The `-f`
flag makes curl exit non-zero on HTTP 4xx, so when github.com's /
(or crates.io's /) returns 403 to anonymous curl under anti-bot
rules, the step exits 22 and flags a yellow X in the job summary —
noise, because the point of a connectivity probe is to prove
DNS + TCP + TLS, not that the endpoint serves anonymous GETs.

Changes:
- Drop `-f` and tolerate non-transport curl errors via `|| echo ERR`
  so any HTTP response counts as reachable. A real outage shows up
  as `--max-time` timeout with code "000" or "ERR".
- Swap the probed paths to endpoints that reliably return 200 to
  anonymous callers:
  - crates.io/ → index.crates.io/config.json (sparse-index config)
  - static.rust-lang.org/ → .../dist/channel-rust-stable.toml
  - github.com/ → api.github.com/zen

The step already has `continue-on-error: true`, so this was cosmetic
— but the yellow X on every CI run was misleading.
---
 actions/environment-setup/action.yml | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/actions/environment-setup/action.yml b/actions/environment-setup/action.yml
index ba27b3c..fba4980 100644
--- a/actions/environment-setup/action.yml
+++ b/actions/environment-setup/action.yml
@@ -390,9 +390,19 @@ runs:
         # -o /dev/null: throw away body, only report status
         # --write-out: print status code
         # --max-time: hard 5s cap
-        # -f (fail on non-2xx) so a 403 surfaces as a real error at step level.
-        for host in https://crates.io/ https://static.rust-lang.org/ https://github.com/; do
-          CODE=$(curl -fsS -o /dev/null --max-time 5 -w "%{http_code}" "$host")
+        # NOTE: we do NOT pass `-f` — the point of this probe is to
+        # confirm DNS + TCP + TLS work, not to assert the endpoint
+        # returns 2xx to anonymous traffic. Some of these hosts
+        # (github.com/, crates.io/) return 403/429 to unauthenticated
+        # curl under anti-bot rules; that still proves connectivity.
+        # A real network break surfaces as `--max-time` timeout or a
+        # non-zero curl exit code for transport errors, which we let
+        # through without `-f`.
+        for host in \
+            https://index.crates.io/config.json \
+            https://static.rust-lang.org/dist/channel-rust-stable.toml \
+            https://api.github.com/zen; do
+          CODE=$(curl -sS -o /dev/null --max-time 5 -w "%{http_code}" "$host" || echo "ERR")
           echo "  $host → HTTP $CODE"
         done
         if [[ -f Cargo.toml ]]; then