Squashed commit of the following:

commit 298973d9eab33705133b6cd8081de88de8a89284
Author: Ed Maste <emaste@FreeBSD.org>
Date:   Fri Jan 24 21:48:18 2025 -0500

    openssh: regen ssh_namespace.h

commit 3107488b7a1f5606dbd3f725bfe67b467dd83755
Author: Ed Maste <emaste@FreeBSD.org>
Date:   Fri Jan 24 21:45:42 2025 -0500

    openssh: run freebsd-configure.sh

commit 90fe2b07724036b43b0e8978ef892b3a07c7fabc
Author: Ed Maste <emaste@FreeBSD.org>
Date:   Fri Jan 24 16:25:59 2025 -0500

    openssh: Bump VersionAddendum date

commit 2dcb19e247b7caf46624ea234bd3576b63f3a0d1
Author: Ed Maste <emaste@FreeBSD.org>
Date:   Fri Jan 24 16:15:22 2025 -0500

    openssh: Remove rebase leftovers

commit 61d26e562c5d4adf29dcfce93e59cafbd1e7172b
Author: Ed Maste <emaste@FreeBSD.org>
Date:   Fri Jan 24 16:13:46 2025 -0500

    openssh: Break style(9) to match upstream

commit 7cf86867661ed675fad6b445f6bc91817b123b40
Merge: ca36371 126e0f4
Author: Ed Maste <emaste@FreeBSD.org>
Date:   Fri Jan 24 16:10:09 2025 -0500

    Merge commit '126e0f4f7dcb4ed8d46dc373a4d00e022c457db4' into openssh-9.9p1-update

commit ca36371
Author: Ahmad Khalifa <ahmadkhalifa570@gmail.com>
Date:   Mon Jan 6 03:52:06 2025 +0200

    checkstyle9.pl: Remove unneeded checks

    Both the bad email check and the signoff check are handled in the
    "checklist" github workflow now.

    Reviewed by:	emaste, imp
    Pull request:	freebsd#1570

    Signed-off-by: Ahmad Khalifa <ahmadkhalifa570@gmail.com>

commit a9a6a51
Author: Ahmad Khalifa <ahmadkhalifa570@gmail.com>
Date:   Sun Jan 5 07:01:07 2025 +0200

    github: Add new checklist workflow

    Add a new 'checklist' workflow that checks the commit messages on pull
    requests. Currently, the workflow creates a comment on the pull request
    if any of these conditions are hit:
      - Missing Signed-off-by
      - Malformed Signed-off-by
      - Bad email (i.e *noreply*)

    Reviewed by:	emaste, imp
    Pull request:	freebsd#1570

    Signed-off-by: Ahmad Khalifa <ahmadkhalifa570@gmail.com>

commit c814172
Author: CismonX <admin@cismon.net>
Date:   Fri Jan 3 18:52:34 2025 +0800

    open.2: update description for O_PATH

    - Add fstatfs(), fchdir(), fchroot(), extattr_*_fd(), cap_*_get(),
      cap_*_limit() to the list of syscalls that can take an O_PATH fd.
    - Remove readlinkat() from the list, since it is already discussed
      in the first few lines of the paragraph.  It was originally added
      to the list when readlinkat() adds support for non-dir fd with
      an empty relative path (as if with AT_EMPTY_PATH), however,
      such use case is also discussed in the next paragraph.
    - Add funlinkat() to the list, since it accepts an extra fd
      (of the file to be unlinked), which is worth extra mentioning.
    - Fix a syntax issue which causes a bogus space to be rendered
      before a closing parentheses.

    Signed-off-by: CismonX <admin@cismon.net>

    Reviewed by:	markj, jhb
    MFC after:	2 weeks
    Pull Request:	freebsd#1564

commit 813f244
Author: Chattrapat Sangmanee <aomsin27@hotmail.co.th>
Date:   Wed Oct 16 21:49:22 2024 +0700

    ps3disk.c: Rewrite ps3disk_transfer

    This function is bugged since the beginning, but it never hit because
    its variable doesn't allow.  However, since commit
    a77e1f0 it happen now.

    First, it assume that ds_len will always equal to real user requested
    size.  So it being used for sector count calculation.  This is no longer
    true, and will fail if attempt to read last few sectors.  Use
    bp->bio_length instead.

    Second, this being a loop is pointless because nsegs will never be > 1
    as specified at bus_dma_tag_create() call.  And all it doing is to
    repeat very same command again but with different ds_addr.  Since
    bio_driver2 tag ident pointer are being reused, the result will be
    discarded at ps3disk_intr().

    Signed-off-by: Chattrapat Sangmanee <aomsin27@hotmail.co.th>
    Reviewed by: imp,mav
    Pull Request: freebsd#1414

commit 3c61bbe
Author: Keve Müller <kevemueller@users.noreply.github.com>
Date:   Sun Oct 27 14:09:24 2024 +0100

    Update rc.initdiskless, fix error handling of remount_optional

    chkerr() ignores the exit code of a preceding mount command in case a
    file ```remount_optional``` exists.  The check is performed and a
    subshell is launched to log the informational message and return.  The
    return is executed in the context of the subshell, not the context of
    the chkerr() function, hence is a NOP.  The remount_optional check is
    hence ineffective.

    Change the code to if/then/fi, so the return is evaluated in the context
    of the chkerr function, to make the check effective.

    Reviewed by: imp, emaste
    Pull Request: freebsd#1497

commit d726bc2
Author: Franco Fichtner <franco@opnsense.org>
Date:   Thu Jan 23 12:27:09 2025 +0100

    bsdinstall: hook up help line and prompt for ZFS disk selection

    Previously we were passing the wrong variable names for the prompt and
    help line, so the intended action wasn't clear to the user.

    Reviewed by:	jhb, markj
    MFC after:	3 days
    See also:	opnsense/installer#22
    Pull Request:	freebsd#1579

commit dc27305
Author: FUKAUMI Naoki <naoki@radxa.com>
Date:   Thu Jan 23 10:43:59 2025 +0900

    ure(4): Add support for ELECOM EDC-QUA3C

    ELECOM EDC-QUA3C is a USB3.1 Gen1 Type-A/C 2.5GBASE-T network adapter.
    This also works as a cdce(4) device by:

    usbconfig -d X.Y set_config 1
      or
    usbconfig -d X.Y set_config 2

    Signed-off-by: FUKAUMI Naoki <naoki@radxa.com>

    MFC after:	2 weeks
    Pull Request:	freebsd#1578

commit 126e0f4
Author: Ed Maste <emaste@FreeBSD.org>
Date:   Fri Sep 20 05:24:23 2024 -0400

    Vendor import of OpenSSH 9.9p1

    Sponsored by:	The FreeBSD Foundation

commit d565364
Author: Ed Maste <emaste@FreeBSD.org>
Date:   Mon Jul 1 10:01:36 2024 -0400

    Vendor import of OpenSSH 9.8p1

crypto/openssh/.git_allowed_signers

@@ -1,4 +1,6 @@
 dtucker@dtucker.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKecyjh9aNmD4rb8WblA8v91JjRb0Cd2JtkzqxcggGeG
+dtucker@dtucker.net sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBDV81zWQ1+XVfWH5z4L4klDQ/z/6l2GLphfSTX/Rmq6kL5H8mkfzUlryxLlkN8cD9srtVJBAmwJWfJBNsCo958YAAAAEc3NoOg==
+
 djm@mindrot.org sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBLnJo3ZVDENYZGXm5uO9lU7b0iDFq5gHpTu1MaHPWTEfPdvw+AjFQQ/q5YizuMJkXGsMdYmblJEJZYHpm9IS7ZkAAAAEc3NoOg==
 djm@mindrot.org sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBJoAXBTQalfg+kC5wy1vE7HkIHtVnmV6AUuuIo9KQ1P+70juHwvsFKpsGaqQbrHJkTVgYDGVP02XHj8+Fb18yBIAAAAEc3NoOg==
 djm@mindrot.org sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBH+z1I48s6ydOhP5SJmI02zVCLf0K15B+UMHgoTIKVfUIv5oDoVX7e9f+7QiRmTeEOdZfQydiaVqsfi7qPSve+0AAAAEc3NoOg==

crypto/openssh/.git_allowed_signers.asc

@@ -1,16 +1,16 @@
 -----BEGIN PGP SIGNATURE-----
 
-iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmMMMiIACgkQKj9BTnNg
-YLpyGhAAhZ1RxmD62JnT0gnor1aD0inq1fGPRadaFvXH2OScPcxXMIZWx+otnyZ/
-H9s0bIti42dPHqurgh92KS2mDGVIW8Y8MvxFUr678+hdem1U7Xvjoo0uaveNhJhe
-GxuQDOvXKRmmfL2c6w3wnFChFA1o3K+JNshjCHhWz7u6+UmY0Q9yIxqbSi+vmEPP
-NfWPfGdu4h8r7q11UgTxRSUQkfZXMqpBtb367B9BLduGuKRFKEJNyi6WpjBrqy38
-BvEbAaL52KX8hEp3TKMjo38RbOK+veSoPV5zlLui0WlEwwasgljal3f4RkqCAJob
-hqpFJRogM5XNnA2e68TDTf3buJ3wRRjuK39/CusOJz5v4i6+VCdte+BET1Y4gD6y
-v8KV4pRyumcdbN3khFUkmaQsjo+fyQjWNrgOvv60J2xUWZdchn8lxHOxrfRVKnOi
-BD4bdks7tPQY/XsS5GNJIp21Ji9HGyBajjHo0BlesLodw7FEOf6YE18A3n9qzosR
-RliuP4Hs/Z4sCUuDTbpKtQiUVs40kBbkhEL8kS8FsXz3VO89hAWaUqNUYom8AkKv
-nfDjrZDBLXuVj1Mi8qNPXxqrB/1Cza2/W4U7SK4TlMFXfoXXWxxhefN5vIdMhAJB
-u9Mdz1pY9mowKbd0c0dR+3fauvjM133dzKuyeDHMqDa5JPyd59o=
-=kgnS
+iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmYHnZ8ACgkQKj9BTnNg
+YLquuQ/6A8E6P2jcgn3wmbbCTXP7kmxoh3nmw/e6PC8CEua1512oT3GHOKVD5cGK
+cgYRObpWvjOjg7L1HRABftq7a9M2zfsGnY/WNe3/fbetfkyY8hG8c31vA1ePIOt2
+AjBLCWFblH0CtyH/MssoQ19JCLtXK/GmekB1Q0JzyOog7w/0r3CKuUnZ0juCYR1R
+4FBePl5l3nFSZEcFEdptGlNGeuolS5XBCqB9Y91TCzkVkH5eXUUW+shgjNhWCEhT
+pZvkxfhsmOEnwNofyPdgKVfDBVkHmvuC67EU395mJVN4c2NZ8pOztb9hOt3xr980
+q44I4kT2NpaApCx1dWIGhMy/37LJ8heI0W1B+ofTA5n34/RU8UXH3SCkj2AK6Ao5
+H2u8vbmuWKUCiECmrw35EeKGmtuK/bWJzx3KBP7fx5J9S3mWUgT4W4xlWNN9RWoU
+sSvH1ppie5ARINVaAWl5k44fk60ahTf80DbQBIOZBmQn7myZZka+yGcQbAiZZ1Gc
+0l8+Nf5Ao1ckmuyY5o8FyWdsyDeK3+MqjPn5Rr1CqbKCn2VnqrVWbI33Eyu8c96U
+bxVgU5H1BDhNjJC8UrT3LFPvJMO8p3a0IJ3eHydjk2jVOhOdBZmA0yoqUTrhPpXq
+ymIHESjDJR8TDe4TCfb46o9oEC3cdbDwgnzPqdg0n+0uIsJLYiU=
+=gl+l
 -----END PGP SIGNATURE-----

crypto/openssh/.github/ci-status.md

@@ -6,10 +6,10 @@ master :
 [![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/openssh.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:openssh)
 [![Coverity Status](https://scan.coverity.com/projects/21341/badge.svg)](https://scan.coverity.com/projects/openssh-portable)
 
-9.4 :
-[![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg?branch=V_9_4)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:V_9_4)
-[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg?branch=V_9_4)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_9_4)
+9.8 :
+[![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg?branch=V_9_8)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:V_9_8)
+[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg?branch=V_9_8)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_9_8)
 
-9.3 :
-[![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg?branch=V_9_3)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:V_9_3)
-[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg?branch=V_9_3)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_9_3)
+9.7 :
+[![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg?branch=V_9_7)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:V_9_7)
+[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg?branch=V_9_7)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_9_7)

crypto/openssh/.github/configs

@@ -187,7 +187,7 @@ case "$config" in
 	LIBCRYPTOFLAGS="--without-openssl"
 	TEST_TARGET=t-exec
 	;;
-    valgrind-[1-5]|valgrind-unit)
+    valgrind-[1-4]|valgrind-unit)
 	# rlimit sandbox and FORTIFY_SOURCE confuse Valgrind.
 	CONFIGFLAGS="--without-sandbox --without-hardening"
 	CONFIGFLAGS="$CONFIGFLAGS --with-cppflags=-D_FORTIFY_SOURCE=0"
@@ -197,17 +197,17 @@ case "$config" in
 	# Valgrind slows things down enough that the agent timeout test
 	# won't reliably pass, and the unit tests run longer than allowed
 	# by github so split into separate tests.
-	tests2="integrity try-ciphers"
+	tests2="integrity try-ciphers rekey"
 	tests3="krl forward-control sshsig agent-restrict kextype sftp"
 	tests4="cert-userkey cert-hostkey kextype sftp-perm keygen-comment percent"
-	tests5="rekey"
 	case "$config" in
 	    valgrind-1)
 		# All tests except agent-timeout (which is flaky under valgrind),
 		# connection-timeout (which doesn't work since it's so slow)
 		# and hostbased (since valgrind won't let ssh exec keysign).
 		# Slow ones are run separately to increase parallelism.
 		SKIP_LTESTS="agent-timeout connection-timeout hostbased"
+		SKIP_LTESTS="$SKIP_LTESTS penalty-expire"
 		SKIP_LTESTS="$SKIP_LTESTS ${tests2} ${tests3} ${tests4} ${tests5}"
 		;;
 	    valgrind-2)
@@ -219,9 +219,6 @@ case "$config" in
 	    valgrind-4)
 		LTESTS="${tests4}"
 		;;
-	    valgrind-5)
-		LTESTS="${tests5}"
-		;;
 	    valgrind-unit)
 		TEST_TARGET="unit USE_VALGRIND=1"
 		;;
@@ -289,7 +286,7 @@ case "${TARGET_HOST}" in
 	    hostkey-agent key-options keyscan knownhosts-command login-timeout
 	    reconfigure reexec rekey scp scp-uri scp3 sftp sftp-badcmds
 	    sftp-batch sftp-cmds sftp-glob sftp-perm sftp-uri stderr-data
-	    transfer"
+	    transfer penalty penalty-expire"
 	SKIP_LTESTS="$(echo $T)"
 	TEST_TARGET=t-exec
 	SUDO=""

crypto/openssh/.github/run_test.sh

@@ -9,6 +9,7 @@ set -ex
 # If we want to test hostbased auth, set up the host for it.
 if [ ! -z "$SUDO" ] && [ ! -z "$TEST_SSH_HOSTBASED_AUTH" ]; then
     sshconf=/usr/local/etc
+    $SUDO mkdir -p "${sshconf}"
     hostname | $SUDO tee $sshconf/shosts.equiv >/dev/null
     echo "EnableSSHKeysign yes" | $SUDO tee $sshconf/ssh_config >/dev/null
     $SUDO mkdir -p $sshconf

crypto/openssh/.github/setup_ci.sh

@@ -14,7 +14,7 @@ case "$host" in
 	echo Removing extended ACLs so umask works as expected.
 	setfacl -b . regress
 	PACKAGES="$PACKAGES,autoconf,automake,cygwin-devel,gcc-core"
-	PACKAGES="$PACKAGES,make,openssl-devel,zlib-devel"
+	PACKAGES="$PACKAGES,make,openssl,libssl-devel,zlib-devel"
 	;;
 *-darwin*)
 	PACKAGER=brew

crypto/openssh/.github/workflows/c-cpp.yml

@@ -2,12 +2,13 @@ name: C/C++ CI
 
 on:
   push:
-    paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', '**/Makefile.in', 'configure.ac' ]
+    paths: [ '**.c', '**.h', '**.m4', '**.sh', '**/Makefile.in', 'configure.ac', '.github/configs', '.github/workflows/c-cpp.yaml' ]
   pull_request:
-    paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', '**/Makefile.in', 'configure.ac' ]
+    paths: [ '**.c', '**.h', '**.m4', '**.sh', '**/Makefile.in', 'configure.ac', '.github/configs', '.github/workflows/c-cpp.yaml' ]
 
 jobs:
   ci:
+    name: "${{ matrix.target }} ${{ matrix.config }}"
     if: github.repository != 'openssh/openssh-portable-selfhosted'
     strategy:
       fail-fast: false
@@ -16,9 +17,9 @@ jobs:
         target:
           - ubuntu-20.04
           - ubuntu-22.04
-          - macos-11
           - macos-12
           - macos-13
+          - macos-14
           - windows-2019
           - windows-2022
         config: [default]
@@ -31,7 +32,6 @@ jobs:
           - { target: ubuntu-20.04, config: valgrind-2 }
           - { target: ubuntu-20.04, config: valgrind-3 }
           - { target: ubuntu-20.04, config: valgrind-4 }
-          - { target: ubuntu-20.04, config: valgrind-5 }
           - { target: ubuntu-20.04, config: valgrind-unit }
           - { target: ubuntu-20.04, config: c89 }
           - { target: ubuntu-20.04, config: clang-6.0 }
@@ -62,8 +62,8 @@ jobs:
           - { target: ubuntu-latest, config: libressl-3.5.3 }
           - { target: ubuntu-latest, config: libressl-3.6.1 }
           - { target: ubuntu-latest, config: libressl-3.7.2 }
-          - { target: ubuntu-latest, config: libressl-3.8.3 }
-          - { target: ubuntu-latest, config: libressl-3.9.0 }
+          - { target: ubuntu-latest, config: libressl-3.8.4 }
+          - { target: ubuntu-latest, config: libressl-3.9.1 }
           - { target: ubuntu-latest, config: openssl-master }
           - { target: ubuntu-latest, config: openssl-noec }
           - { target: ubuntu-latest, config: openssl-1.1.1 }
@@ -74,9 +74,12 @@ jobs:
           - { target: ubuntu-latest, config: openssl-3.1.0 }
           - { target: ubuntu-latest, config: openssl-3.1.5 }
           - { target: ubuntu-latest, config: openssl-3.2.1 }
+          - { target: ubuntu-latest, config: openssl-3.3.0 }
           - { target: ubuntu-latest, config: openssl-1.1.1_stable }
           - { target: ubuntu-latest, config: openssl-3.0 }  # stable branch
+          - { target: ubuntu-latest, config: openssl-3.1 }  # stable branch
           - { target: ubuntu-latest, config: openssl-3.2 }  # stable branch
+          - { target: ubuntu-latest, config: openssl-3.3 }  # stable branch
           - { target: ubuntu-latest, config: putty-0.71 }
           - { target: ubuntu-latest, config: putty-0.72 }
           - { target: ubuntu-latest, config: putty-0.73 }
@@ -97,9 +100,9 @@ jobs:
           - { target: ubuntu-22.04, config: selinux }
           - { target: ubuntu-22.04, config: kitchensink }
           - { target: ubuntu-22.04, config: without-openssl }
-          - { target: macos-11, config: pam }
           - { target: macos-12, config: pam }
           - { target: macos-13, config: pam }
+          - { target: macos-14, config: pam }
     runs-on: ${{ matrix.target }}
     steps:
     - name: set cygwin git params

crypto/openssh/.github/workflows/cifuzz.yml

@@ -1,9 +1,9 @@
 name: CIFuzz
 on:
   push:
-    paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', '**/Makefile.in', 'configure.ac' ]
+    paths: [ '**.c', '**.h', '**.m4', '**.sh', '**/Makefile.in', 'configure.ac', '.github/configs', '.github/workflows/cifuzz.yml' ]
   pull_request:
-    paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', '**/Makefile.in', 'configure.ac' ]
+    paths: [ '**.c', '**.h', '**.m4', '**.sh', '**/Makefile.in', 'configure.ac', '.github/configs', '.github/workflows/cifuzz.yml' ]
 
 jobs:
   Fuzzing:

crypto/openssh/.github/workflows/selfhosted.yml

@@ -2,17 +2,25 @@ name: C/C++ CI self-hosted
 
 on:
   push:
-    paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', '**/Makefile.in', 'configure.ac' ]
+    paths: [ '**.c', '**.h', '**.m4', '**.sh', '**/Makefile.in', 'configure.ac', '.github/configs', '.github/workflows/selfhosted.yml' ]
 
 jobs:
   selfhosted:
+    name: "${{ matrix.target }} ${{ matrix.config }}"
     if: github.repository == 'openssh/openssh-portable-selfhosted'
     runs-on: ${{ matrix.host }}
     timeout-minutes: 600
     env:
+      DEBUG_ACTIONS: false
       HOST: ${{ matrix.host }}
       TARGET_HOST: ${{ matrix.target }}
       TARGET_CONFIG: ${{ matrix.config }}
+      TARGET_DOMAIN: ${{ startsWith(matrix.host, 'libvirt') && format('{0}-{1}-{2}', matrix.target, matrix.config, github.run_id) || matrix.target }}
+      EPHEMERAL: ${{ startsWith(matrix.host, 'libvirt') }}
+      PERSISTENT: ${{ startsWith(matrix.host, 'persist') }}
+      REMOTE: ${{ startsWith(matrix.host, 'remote') }}
+      VM: ${{ startsWith(matrix.host, 'libvirt') || startsWith(matrix.host, 'persist') }}
+      SSHFS: ${{ startsWith(matrix.host, 'libvirt') || startsWith(matrix.host, 'persist') || startsWith(matrix.host, 'remote') }}
     strategy:
       fail-fast: false
       # We use a matrix in two parts: firstly all of the VMs are tested with the
@@ -44,6 +52,7 @@ jobs:
           - obsd74
           - obsdsnap
           - obsdsnap-i386
+          - omnios
           - openindiana
           - ubuntu-2204
         config:
@@ -67,41 +76,55 @@ jobs:
           - { target: dfly58, config: pam, host: libvirt }
           - { target: dfly60, config: pam, host: libvirt }
           - { target: dfly62, config: pam, host: libvirt }
+          - { target: dfly64, config: pam, host: libvirt }
           - { target: fbsd10, config: pam, host: libvirt }
           - { target: fbsd12, config: pam, host: libvirt }
           - { target: fbsd13, config: pam, host: libvirt }
           - { target: fbsd14, config: pam, host: libvirt }
           - { target: nbsd8,  config: pam, host: libvirt }
           - { target: nbsd9,  config: pam, host: libvirt }
           - { target: nbsd10, config: pam, host: libvirt }
+          - { target: omnios, config: pam, host: libvirt }
+          # ARM64 VMs
+          - { target: obsd-arm64, config: default, host: libvirt-arm64 }
           # VMs with persistent disks that have their own runner.
-          - { target: win10, config: default, host: win10 }
-          - { target: win10, config: cygwin-release, host: win10 }
-          # Physical hosts, with either native runners or remote via ssh.
+          - { target: win10, config: default,        host: persist-win10 }
+          - { target: win10, config: cygwin-release, host: persist-win10 }
+          # Physical hosts with native runners.
           - { target: ARM, config: default, host: ARM }
           - { target: ARM64, config: default, host: ARM64 }
           - { target: ARM64, config: pam, host: ARM64 }
-          - { target: debian-riscv64, config: default, host: debian-riscv64 }
-          - { target: obsd-arm64, config: default, host: obsd-arm64 }
-          - { target: openwrt-mips, config: default, host: openwrt-mips }
-          - { target: openwrt-mipsel, config: default, host: openwrt-mipsel }
+          # Physical hosts with remote runners.
+          - { target: debian-riscv64, config: default, host: remote-debian-riscv64 }
+
+          - { target: openwrt-mips, config: default, host: remote-openwrt-mips }
+          - { target: openwrt-mipsel, config: default, host: remote-openwrt-mipsel }
     steps:
+    - name: unmount stale workspace
+      if: env.SSHFS == 'true'
+      run: fusermount -u ${GITHUB_WORKSPACE} || true
+      working-directory: ${{ runner.temp }}
     - name: shutdown VM if running
+      if: env.VM == 'true'
       run: vmshutdown
-      working-directory: ${{ runner.temp }}
     - uses: actions/checkout@main
     - name: autoreconf
       run: autoreconf
     - name: startup VM
+      if: env.VM == 'true'
       run: vmstartup
       working-directory: ${{ runner.temp }}
+    - name: copy and mount workspace
+      if: env.SSHFS == 'true'
+      run: sshfs_mount
+      working-directory: ${{ runner.temp }}
     - name: configure
       run: vmrun ./.github/configure.sh ${{ matrix.config }}
-    - name: save config
-      uses: actions/upload-artifact@main
-      with:
-        name: ${{ matrix.target }}-${{ matrix.config }}-config
-        path: config.h
+#    - name: save config
+#      uses: actions/upload-artifact@main
+#      with:
+#        name: ${{ matrix.target }}-${{ matrix.config }}-config
+#        path: config.h
     - name: make clean
       run: vmrun make clean
     - name: make
@@ -120,7 +143,10 @@ jobs:
           regress/*.log
           regress/log/*
           regress/valgrind-out/
+    - name: unmount workspace
+      if: always() && env.SSHFS == 'true'
+      run: fusermount -u ${GITHUB_WORKSPACE} || true
+      working-directory: ${{ runner.temp }}
     - name: shutdown VM
-      if: always()
+      if: always() && env.VM == 'true'
       run: vmshutdown
-      working-directory: ${{ runner.temp }}

crypto/openssh/.github/workflows/upstream.yml

@@ -3,37 +3,47 @@ name: Upstream self-hosted
 on:
   push:
     branches: [ master ]
-    paths: [ '**.c', '**.h', '.github/**' ]
+    paths: [ '**.c', '**.h', '**.sh', '.github/configs', '.github/workflows/upstream.yml' ]
 
 jobs:
   selfhosted:
+    name: "upstream ${{ matrix.target }} ${{ matrix.config }}"
     if: github.repository == 'openssh/openssh-portable-selfhosted'
     runs-on: 'libvirt'
     env:
+      DEBUG_ACTIONS: true
+      EPHEMERAL: true
       HOST: 'libvirt'
       TARGET_HOST: ${{ matrix.target }}
       TARGET_CONFIG: ${{ matrix.config }}
+      TARGET_DOMAIN: ${{ format('{0}-{1}-{2}', matrix.target, matrix.config, github.run_id) || matrix.target }}
     strategy:
       fail-fast: false
       matrix:
         target: [ obsdsnap, obsdsnap-i386 ]
         config: [ default, without-openssl, ubsan ]
     steps:
+    - name: unmount stale workspace
+      run: fusermount -u ${GITHUB_WORKSPACE} || true
+      working-directory: ${{ runner.temp }}
     - name: shutdown VM if running
       run: vmshutdown
       working-directory: ${{ runner.temp }}
     - uses: actions/checkout@main
     - name: startup VM
       run: vmstartup
       working-directory: ${{ runner.temp }}
+    - name: copy and mount workspace
+      run: sshfs_mount
+      working-directory: ${{ runner.temp }}
     - name: update source
       run: vmrun "cd /usr/src && cvs up -dPA usr.bin/ssh regress/usr.bin/ssh"
     - name: make clean
       run: vmrun "cd /usr/src/usr.bin/ssh && make obj && make clean && cd /usr/src/regress/usr.bin/ssh && make obj && make clean && sudo chmod -R g-w /usr/src /usr/obj"
     - name: make
       run: vmrun "cd /usr/src/usr.bin/ssh && case ${{ matrix.config }} in without-openssl) make OPENSSL=no;; ubsan) make DEBUG='-fsanitize-minimal-runtime -fsanitize=undefined';; *) make; esac"
     - name: make install
-      run: vmrun "cd /usr/src/usr.bin/ssh && sudo make install"
+      run: vmrun "cd /usr/src/usr.bin/ssh && sudo make install && sudo /etc/rc.d/sshd -f restart"
     - name: make tests`
       run: vmrun "cd /usr/src/regress/usr.bin/ssh && case ${{ matrix.config }} in without-openssl) make OPENSSL=no;; ubsan) make DEBUG='-fsanitize-minimal-runtime -fsanitize=undefined';; *) make; esac"
       env:
@@ -47,6 +57,10 @@ jobs:
         path: |
           /usr/obj/regress/usr.bin/ssh/obj/*.log
           /usr/obj/regress/usr.bin/ssh/obj/log/*
+    - name: unmount workspace
+      if: always()
+      run: fusermount -u ${GITHUB_WORKSPACE} || true
+      working-directory: ${{ runner.temp }}
     - name: shutdown VM
       if: always()
       run: vmshutdown