From 6017e783b74a6b632adec51b8a286dea4f74ac1d Mon Sep 17 00:00:00 2001
From: "Toby C. Cornish" <tcornish@gmail.com>
Date: Sat, 27 Jun 2026 20:26:47 -0500
Subject: [PATCH] ci: pin Iris-Codec AVIF to brew libavif to dodge gitiles 503
 flake

The IFE conformance gate installs Iris-Codec from source (its pyproject
hardcodes IRIS_BUILD_DEPENDENCIES=ON). Its AVIF dependency ExternalProject-
clones libavif and FetchContent-pulls libaom from aomedia.googlesource.com,
whose gitiles "+archive" tarball endpoint intermittently returns HTTP 503
under load, reddening the whole macOS job before the validator runs (hit on
two consecutive main runs).

cmake/avif.cmake only triggers that ExternalProject when AVIF_LIBRARY or
AVIF_INCLUDE is unset. Point both at the brew libavif already installed by
the cgo-deps step so the clone/fetch is skipped; all other Iris-Codec deps
still build vendored. Verified locally that the override suppresses the
gitiles libaom fetch (build proceeds past AVIF with no aomedia/libavif.git
network access).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 .github/workflows/ci.yml | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e894d77..85f6614 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -140,8 +140,22 @@ jobs:
       # is Homebrew-managed (PEP 668 externally-managed-environment) and rejects
       # bare pip install without the flag. No venv needed for a single-package CI
       # install; --quiet suppresses the pip progress bar noise.
+      # Iris-Codec builds its dependencies from source (its pyproject hardcodes
+      # IRIS_BUILD_DEPENDENCIES=ON). Its AVIF dependency ExternalProject-clones
+      # libavif and FetchContent-pulls libaom from aomedia.googlesource.com, whose
+      # gitiles "+archive" on-the-fly tarball endpoint intermittently returns HTTP
+      # 503 under load and reds the entire job before the validator even runs. Point
+      # AVIF_LIBRARY/AVIF_INCLUDE at the brew libavif already installed above so
+      # cmake/avif.cmake skips that ExternalProject — it only clones when either var
+      # is unset (lines guard `if (NOT AVIF_LIBRARY OR NOT AVIF_INCLUDE)`). Every
+      # other Iris-Codec dependency still builds vendored exactly as before.
       - name: Install Iris-Codec (IFE validator)
-        run: python3 -m pip install --quiet --break-system-packages 'Iris-Codec==2025.3.1'
+        run: |
+          AVIF_PREFIX="$(brew --prefix libavif)"
+          python3 -m pip install --quiet --break-system-packages \
+            --config-settings=cmake.define.AVIF_LIBRARY="$AVIF_PREFIX/lib/libavif.dylib" \
+            --config-settings=cmake.define.AVIF_INCLUDE="$AVIF_PREFIX/include" \
+            'Iris-Codec==2025.3.1'
       - name: IFE conformance (Iris-Codec validator)
         env:
           WSI_TOOLS_TESTDIR: ${{ github.workspace }}/sample_files