From af7c36eae323a0d6383f2e51b346d1b5e2ab67a5 Mon Sep 17 00:00:00 2001
From: Paul Holzinger <pholzing@redhat.com>
Date: Fri, 6 Feb 2026 17:29:49 +0100
Subject: [PATCH] make curl error on non success status codes

By default something like a 404 will not make curl exit with an error
code. This is problematic for obvious reasons and instead of the file
you want you may now have some 404 html text instead.

I noticed this in #28003 which well just build fine installers except
the binary downloaded by the installer Makefile simply did not exist.

So to address that add --fail to most curl commands.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
---
 .github/workflows/machine-os-pr.yml    | 4 ++--
 .github/workflows/release.yml          | 2 +-
 Makefile                               | 4 ++--
 contrib/cirrus/pr-should-include-tests | 2 +-
 contrib/cirrus/pr-should-link-jira     | 2 +-
 contrib/cirrus/setup_environment.sh    | 2 +-
 contrib/pkginstaller/Makefile          | 6 +++---
 winmake.ps1                            | 8 ++++----
 8 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/.github/workflows/machine-os-pr.yml b/.github/workflows/machine-os-pr.yml
index 41f99ccf61..3f3417adc9 100644
--- a/.github/workflows/machine-os-pr.yml
+++ b/.github/workflows/machine-os-pr.yml
@@ -29,7 +29,7 @@ jobs:
       - name: Get version
         id: getversion
         run: |
-          VERSION=$(curl "https://raw.githubusercontent.com/$PODMAN_REPO/$SHA/version/rawversion/version.go" | sed -n 's/^const RawVersion = \"\([0-9]\+\.[0-9]\+\.[0-9]\+\(-rc[0-9]\+\|-dev\)\?\)"$/\1/p')
+          VERSION=$(curl --fail "https://raw.githubusercontent.com/$PODMAN_REPO/$SHA/version/rawversion/version.go" | sed -n 's/^const RawVersion = \"\([0-9]\+\.[0-9]\+\.[0-9]\+\(-rc[0-9]\+\|-dev\)\?\)"$/\1/p')
           # ignore -dev version bumps unless on main
           if [[ -z "$VERSION" ]] ; then
             echo "::error:: Invalid version string"
@@ -48,7 +48,7 @@ jobs:
       - name: Check machine-os-branch
         if: steps.getversion.outputs.update == 'true'
         run: |
-          if ! curl -s "https://api.github.com/repos/$UPSTREAM_MACHINE_OS/branches" | jq -e --arg branch "${GITHUB_BASE_REF}" '.[] | select(.name==$branch)'; then
+          if ! curl --fail -s "https://api.github.com/repos/$UPSTREAM_MACHINE_OS/branches" | jq -e --arg branch "${GITHUB_BASE_REF}" '.[] | select(.name==$branch)'; then
             echo "::error:: Release branch does not exist."
             echo "::error:: Please push $branch to $UPSTREAM_MACHINE_OS, then re-run this task."
             exit 1
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 5a9d6657b9..4857b186d7 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -289,7 +289,7 @@ jobs:
           title="${title/rc/"RC"}"
         else
           # check if this version should not be marked latest
-          prevrelease=$(curl --retry 3 --silent -m 10 --connect-timeout 5 "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/latest")
+          prevrelease=$(curl --fail --retry 3 --silent -m 10 --connect-timeout 5 "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/latest")
           prevvers=$(echo "$prevrelease" | grep '"tag_name":' | sed -E 's/.*"([^"]+)".*/\1/' | sed -e "s/^v//")
           vers=${VERSION#"v"}
           echo "${prevvers},${vers}"
diff --git a/Makefile b/Makefile
index 96141a20ff..0c96f76efe 100644
--- a/Makefile
+++ b/Makefile
@@ -852,8 +852,8 @@ win-gvproxy-%: test/version/version
 	$(eval GVPROXY_FILENAME := $(if $(filter arm64,$(GOARCH)), gvproxy-windows-arm64.exe,gvproxy-windowsgui.exe))
 	$(eval SSHPROXY_FILENAME :=  $(if $(filter arm64,$(GOARCH)), win-sshproxy-arm64.exe, win-sshproxy.exe))
 	mkdir -p bin/windows/
-	curl -sSL -o bin/windows/gvproxy.exe --retry 5 https://github.com/containers/gvisor-tap-vsock/releases/download/$(GVPROXY_VERSION)/$(GVPROXY_FILENAME)
-	curl -sSL -o bin/windows/win-sshproxy.exe --retry 5 https://github.com/containers/gvisor-tap-vsock/releases/download/$(GVPROXY_VERSION)/$(SSHPROXY_FILENAME)
+	curl --fail -sSL -o bin/windows/gvproxy.exe --retry 5 https://github.com/containers/gvisor-tap-vsock/releases/download/$(GVPROXY_VERSION)/$(GVPROXY_FILENAME)
+	curl --fail -sSL -o bin/windows/win-sshproxy.exe --retry 5 https://github.com/containers/gvisor-tap-vsock/releases/download/$(GVPROXY_VERSION)/$(SSHPROXY_FILENAME)
 
 .PHONY: rpm
 rpm:  ## Build rpm packages
diff --git a/contrib/cirrus/pr-should-include-tests b/contrib/cirrus/pr-should-include-tests
index a2374314c8..a8e905651f 100755
--- a/contrib/cirrus/pr-should-include-tests
+++ b/contrib/cirrus/pr-should-include-tests
@@ -70,7 +70,7 @@ query="{
 }\"
 }"
 
-result=$(curl -s -H "Authorization: bearer $CIRRUS_REPO_CLONE_TOKEN" -H "Accept: application/vnd.github.antiope-preview+json" -H "Content-Type: application/json" -X POST --data @- https://api.github.com/graphql <<<"$query")
+result=$(curl --fail -s -H "Authorization: bearer $CIRRUS_REPO_CLONE_TOKEN" -H "Accept: application/vnd.github.antiope-preview+json" -H "Content-Type: application/json" -X POST --data @- https://api.github.com/graphql <<<"$query")
 
 labels=$(jq -r '.data.repository.pullRequest.labels.nodes[].name' <<<"$result")
 
diff --git a/contrib/cirrus/pr-should-link-jira b/contrib/cirrus/pr-should-link-jira
index 1f4c7d08df..69f6c3c735 100755
--- a/contrib/cirrus/pr-should-link-jira
+++ b/contrib/cirrus/pr-should-link-jira
@@ -52,7 +52,7 @@ query="{
 }\"
 }"
 
-result=$(curl -s -H "Authorization: bearer $CIRRUS_REPO_CLONE_TOKEN" -H "Accept: application/vnd.github.antiope-preview+json" -H "Content-Type: application/json" -X POST --data @- https://api.github.com/graphql <<<"$query")
+result=$(curl --fail -s -H "Authorization: bearer $CIRRUS_REPO_CLONE_TOKEN" -H "Accept: application/vnd.github.antiope-preview+json" -H "Content-Type: application/json" -X POST --data @- https://api.github.com/graphql <<<"$query")
 
 labels=$(jq -r '.data.repository.pullRequest.labels.nodes[]?.name' <<<"$result")
 
diff --git a/contrib/cirrus/setup_environment.sh b/contrib/cirrus/setup_environment.sh
index 9d67774da8..45719c9eb1 100755
--- a/contrib/cirrus/setup_environment.sh
+++ b/contrib/cirrus/setup_environment.sh
@@ -360,7 +360,7 @@ case "$TEST_FLAVOR" in
         ;;
     compose_v2)
         showrun dnf -y remove docker-compose
-        showrun curl -SL https://github.com/docker/compose/releases/download/v2.32.3/docker-compose-linux-x86_64 -o /usr/local/bin/docker-compose
+        showrun curl --fail -SL https://github.com/docker/compose/releases/download/v2.32.3/docker-compose-linux-x86_64 -o /usr/local/bin/docker-compose
         showrun chmod +x /usr/local/bin/docker-compose
         ;& # Continue with next item
     apiv2)
diff --git a/contrib/pkginstaller/Makefile b/contrib/pkginstaller/Makefile
index f02115536b..f4214cc989 100644
--- a/contrib/pkginstaller/Makefile
+++ b/contrib/pkginstaller/Makefile
@@ -25,15 +25,15 @@ podman_version:
 
 $(TMP_BIN)/gvproxy:
 	mkdir -p $(TMP_BIN)
-	cd $(TMP_BIN) && curl -sLo gvproxy $(GVPROXY_RELEASE_URL)
+	cd $(TMP_BIN) && curl --fail -sLo gvproxy $(GVPROXY_RELEASE_URL)
 
 $(TMP_BIN)/vfkit:
 	mkdir -p $(TMP_BIN)
-	cd $(TMP_BIN) && curl -sLo vfkit $(VFKIT_RELEASE_URL)
+	cd $(TMP_BIN) && curl --fail -sLo vfkit $(VFKIT_RELEASE_URL)
 
 $(TMP_BIN)/krunkit.tgz:
 	mkdir -p $(TMP_BIN)
-	cd $(TMP_BIN) && curl -sLo krunkit.tgz $(KRUNKIT_RELEASE_URL)
+	cd $(TMP_BIN) && curl --fail -sLo krunkit.tgz $(KRUNKIT_RELEASE_URL)
 
 packagedir: podman_version package_root Distribution welcome.html
 	mkdir -p $(PACKAGE_DIR)
diff --git a/winmake.ps1 b/winmake.ps1
index 63eac5f8c5..b199a78cbf 100644
--- a/winmake.ps1
+++ b/winmake.ps1
@@ -106,12 +106,12 @@ function Win-SSHProxy {
     }
     Write-Host "Downloading gvproxy version $version"
     if ($architecture -eq 'amd64') {
-        curl.exe -sSL -o './bin/windows/gvproxy.exe' --retry 5 "https://github.com/containers/gvisor-tap-vsock/releases/download/$Version/gvproxy-windowsgui.exe"
-        curl.exe -sSL -o './bin/windows/win-sshproxy.exe' --retry 5 "https://github.com/containers/gvisor-tap-vsock/releases/download/$Version/win-sshproxy.exe"
+        curl.exe --fail -sSL -o './bin/windows/gvproxy.exe' --retry 5 "https://github.com/containers/gvisor-tap-vsock/releases/download/$Version/gvproxy-windowsgui.exe"
+        curl.exe --fail -sSL -o './bin/windows/win-sshproxy.exe' --retry 5 "https://github.com/containers/gvisor-tap-vsock/releases/download/$Version/win-sshproxy.exe"
     }
     else {
-        curl.exe -sSL -o './bin/windows/gvproxy.exe' --retry 5 "https://github.com/containers/gvisor-tap-vsock/releases/download/$Version/gvproxy-windows-arm64.exe"
-        curl.exe -sSL -o './bin/windows/win-sshproxy.exe' --retry 5 "https://github.com/containers/gvisor-tap-vsock/releases/download/$Version/win-sshproxy-arm64.exe"
+        curl.exe --fail -sSL -o './bin/windows/gvproxy.exe' --retry 5 "https://github.com/containers/gvisor-tap-vsock/releases/download/$Version/gvproxy-windows-arm64.exe"
+        curl.exe --fail -sSL -o './bin/windows/win-sshproxy.exe' --retry 5 "https://github.com/containers/gvisor-tap-vsock/releases/download/$Version/win-sshproxy-arm64.exe"
     }
 }