build: add --enable-all-experimentals build flag

.github/CODEOWNERS

@@ -243,3 +243,11 @@
 # dev container
 /.devcontainer/* @nodejs/devcontainer
 /doc/contributing/using-devcontainer.md @nodejs/devcontainer
+
+# FFI
+/deps/libffi/ @nodejs/ffi
+/doc/api/ffi.md @nodejs/ffi
+/lib/ffi.js @nodejs/ffi
+/src/ffi/ @nodejs/ffi
+/src/node_ffi.* @nodejs/ffi
+/test/ffi/ @nodejs/ffi

.github/actions/build-shared/action.yml

@@ -0,0 +1,72 @@
+name: Build Node.js (shared libraries)
+description: >
+  Downloads the slim tarball built by the `build-tarball` job, extracts it,
+  installs Nix (+ cachix + sccache), then builds Node.js and runs the CI
+  test suite inside the pinned nix-shell.
+
+inputs:
+  system:
+    description: System label (e.g. x86_64-linux, aarch64-darwin).
+    required: true
+  extra-nix-args:
+    description: Additional arguments appended to the nix-shell invocation.
+    required: false
+    default: ''
+  cachix-auth-token:
+    description: Cachix auth token for nodejs.cachix.org.
+    required: false
+    default: ''
+
+runs:
+  using: composite
+  steps:
+    - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
+      if: ${{ github.event_name != 'workflow_dispatch' }}
+      with:
+        name: tarballs
+        path: tarballs
+
+    - name: Extract tarball
+      if: ${{ github.event_name != 'workflow_dispatch' }}
+      shell: bash
+      run: |
+        tar xzf tarballs/*.tar.gz -C "$RUNNER_TEMP"
+        echo "TAR_DIR=$RUNNER_TEMP/$(basename tarballs/*.tar.gz .tar.gz)" >> "$GITHUB_ENV"
+
+    - uses: cachix/install-nix-action@96951a368ba55167b55f1c916f7d416bac6505fe  # v31.10.3
+      with:
+        extra_nix_config: sandbox = true
+
+    - uses: cachix/cachix-action@1eb2ef646ac0255473d23a5907ad7b04ce94065c  # v17
+      with:
+        name: nodejs
+        authToken: ${{ inputs.cachix-auth-token }}
+
+    - name: Configure sccache
+      if: github.base_ref == 'main' || github.ref_name == 'main'
+      uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3  # v9.0.0
+      with:
+        script: |
+          core.exportVariable('SCCACHE_GHA_ENABLED', 'on');
+          core.exportVariable('ACTIONS_CACHE_SERVICE_V2', 'on');
+          core.exportVariable('ACTIONS_RESULTS_URL', process.env.ACTIONS_RESULTS_URL || '');
+          core.exportVariable('ACTIONS_RUNTIME_TOKEN', process.env.ACTIONS_RUNTIME_TOKEN || '');
+          core.exportVariable('NIX_SCCACHE', '(import <nixpkgs> {}).sccache');
+
+    - name: Build Node.js and run tests
+      shell: bash
+      run: |
+        nix-shell \
+          -I "nixpkgs=$TAR_DIR/tools/nix/pkgs.nix" \
+          --pure --keep TAR_DIR --keep FLAKY_TESTS \
+          --keep SCCACHE_GHA_ENABLED --keep ACTIONS_CACHE_SERVICE_V2 --keep ACTIONS_RESULTS_URL --keep ACTIONS_RUNTIME_TOKEN \
+          --arg loadJSBuiltinsDynamically false \
+          --arg useSeparateDerivationForV8 true \
+          --arg ccache "${NIX_SCCACHE:-null}" \
+          --arg devTools '[]' \
+          --arg benchmarkTools '[]' \
+          ${{ endsWith(inputs.system, '-darwin') && '--arg withAmaro false --arg withLief false --arg withSQLite false --arg withFFI false --arg extraConfigFlags ''["--without-inspector" "--without-node-options"]'' \' || '\' }}
+          ${{ inputs.extra-nix-args }} \
+          --run '
+              make -C "$TAR_DIR" run-ci -j4 V=1 TEST_CI_ARGS="-p actions --measure-flakiness 9 --skip-tests=$CI_SKIP_TESTS"
+          ' "$TAR_DIR/shell.nix"

.github/dependabot.yml

@@ -52,6 +52,8 @@ updates:
       semver-major-days: 5
       semver-minor-days: 5
       semver-patch-days: 5
+      exclude:
+        - '@node-core/doc-kit'
     commit-message:
       prefix: tools
     open-pull-requests-limit: 10

.github/workflows/auto-start-ci.yml

@@ -46,7 +46,7 @@ jobs:
     runs-on: ubuntu-slim
     steps:
       - name: Install Node.js
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f  # v6.3.0
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6.4.0
         with:
           node-version: ${{ env.NODE_VERSION }}
 

.github/workflows/commit-lint.yml

@@ -27,7 +27,7 @@ jobs:
           persist-credentials: false
       - run: git reset HEAD^2
       - name: Install Node.js
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f  # v6.3.0
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6.4.0
         with:
           node-version: ${{ env.NODE_VERSION }}
       - name: Validate commit message

.github/workflows/commit-queue.yml

@@ -69,7 +69,7 @@ jobs:
 
       # Install dependencies
       - name: Install Node.js
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f  # v6.3.0
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6.4.0
         with:
           node-version: ${{ env.NODE_VERSION }}
       - name: Install @node-core/utils

.github/workflows/create-release-proposal.yml

@@ -40,7 +40,7 @@ jobs:
 
       # Install dependencies
       - name: Install Node.js
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f  # v6.3.0
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6.4.0
         with:
           node-version: ${{ env.NODE_VERSION }}
 

.github/workflows/daily-wpt-fyi.yml

@@ -52,7 +52,7 @@ jobs:
         run: echo "NIGHTLY=$(curl -s https://nodejs.org/download/nightly/index.json | jq -r '[.[] | select(.files[] | contains("linux-arm64"))][0].version')" >> $GITHUB_ENV
       - name: Install Node.js
         id: setup-node
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f  # v6.3.0
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6.4.0
         with:
           node-version: ${{ env.NIGHTLY || matrix.node-version }}
           check-latest: true

.github/workflows/daily.yml

@@ -19,7 +19,7 @@ jobs:
         with:
           persist-credentials: false
       - name: Use Node.js ${{ env.NODE_VERSION }}
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f  # v6.3.0
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6.4.0
         with:
           node-version: ${{ env.NODE_VERSION }}
       - name: Environment Information

.github/workflows/doc.yml

@@ -28,7 +28,7 @@ jobs:
         with:
           persist-credentials: false
       - name: Use Node.js ${{ env.NODE_VERSION }}
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f  # v6.3.0
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6.4.0
         with:
           node-version: ${{ env.NODE_VERSION }}
       - name: Environment Information

.github/workflows/find-inactive-collaborators.yml

@@ -25,7 +25,7 @@ jobs:
           persist-credentials: false
 
       - name: Use Node.js ${{ env.NODE_VERSION }}
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f  # v6.3.0
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6.4.0
         with:
           node-version: ${{ env.NODE_VERSION }}
 

.github/workflows/find-inactive-tsc.yml

@@ -34,7 +34,7 @@ jobs:
           repository: nodejs/TSC
 
       - name: Use Node.js ${{ env.NODE_VERSION }}
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f  # v6.3.0
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6.4.0
         with:
           node-version: ${{ env.NODE_VERSION }}
 

.github/workflows/linters.yml

@@ -29,7 +29,7 @@ jobs:
         with:
           persist-credentials: false
       - name: Use Node.js ${{ env.NODE_VERSION }}
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f  # v6.3.0
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6.4.0
         with:
           node-version: ${{ env.NODE_VERSION }}
       - name: Environment Information
@@ -61,7 +61,7 @@ jobs:
           fetch-depth: 0
           persist-credentials: false
       - name: Use Node.js ${{ env.NODE_VERSION }}
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f  # v6.3.0
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6.4.0
         with:
           node-version: ${{ env.NODE_VERSION }}
       - name: Set up Python ${{ env.PYTHON_VERSION }}
@@ -99,7 +99,7 @@ jobs:
         with:
           persist-credentials: false
       - name: Use Node.js ${{ env.NODE_VERSION }}
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f  # v6.3.0
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6.4.0
         with:
           node-version: ${{ env.NODE_VERSION }}
       - name: Environment Information

.github/workflows/scorecard.yml

@@ -35,7 +35,7 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d  # v2.16.1
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40  # v2.19.0
         with:
           egress-policy: audit  # TODO: change to 'egress-policy: block' after couple of runs
 

.github/workflows/test-shared.yml

@@ -47,6 +47,7 @@ on:
       - vcbuild.bat
       - .**
       - '!.github/workflows/test-shared.yml'
+      - '!.github/actions/build-shared/**'
     types: [opened, synchronize, reopened, ready_for_review]
   push:
     branches:
@@ -97,6 +98,7 @@ on:
       - vcbuild.bat
       - .**
       - '!.github/workflows/test-shared.yml'
+      - '!.github/actions/build-shared/**'
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
@@ -144,59 +146,121 @@ jobs:
         include:
           - runner: ubuntu-24.04
             system: x86_64-linux
-          - runner: ubuntu-24.04-arm
-            system: aarch64-linux
+          # built separately in build-aarch64-linux-v8
+          # - runner: ubuntu-24.04-arm
+          #   system: aarch64-linux
           - runner: macos-15-intel
             system: x86_64-darwin
           - runner: macos-latest
             system: aarch64-darwin
     name: '${{ matrix.system }}: with shared libraries'
     runs-on: ${{ matrix.runner }}
     steps:
-      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         if: ${{ github.event_name != 'workflow_dispatch' }}
+        with:
+          persist-credentials: false
+          sparse-checkout: .github/actions
+      - uses: ./.github/actions/build-shared
+        if: ${{ github.event_name != 'workflow_dispatch' }}
+        with:
+          system: ${{ matrix.system }}
+          cachix-auth-token: ${{ secrets.CACHIX_AUTH_TOKEN }}
+
+  build-aarch64-linux-v8:
+    needs: build-tarball
+    runs-on: ubuntu-24.04-arm
+    name: 'aarch64-linux: Cache V8 build'
+    steps:
+      - name: Check if Cachix is available
+        id: cachix-check
+        run: echo 'IS_AVAILABLE=${{ secrets.CACHIX_AUTH_TOKEN && 'true' }}' >> "$GITHUB_OUTPUT"
+
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
+        if: ${{ steps.cachix-check.outputs.IS_AVAILABLE == 'true' }}
         with:
           name: tarballs
           path: tarballs
 
       - name: Extract tarball
-        if: ${{ github.event_name != 'workflow_dispatch' }}
+        if: ${{ steps.cachix-check.outputs.IS_AVAILABLE == 'true' }}
+        shell: bash
         run: |
           tar xzf tarballs/*.tar.gz -C "$RUNNER_TEMP"
           echo "TAR_DIR=$RUNNER_TEMP/$(basename tarballs/*.tar.gz .tar.gz)" >> "$GITHUB_ENV"
 
       - uses: cachix/install-nix-action@96951a368ba55167b55f1c916f7d416bac6505fe  # v31.10.3
+        if: ${{ steps.cachix-check.outputs.IS_AVAILABLE == 'true' }}
         with:
           extra_nix_config: sandbox = true
 
       - uses: cachix/cachix-action@1eb2ef646ac0255473d23a5907ad7b04ce94065c  # v17
+        if: ${{ steps.cachix-check.outputs.IS_AVAILABLE == 'true' }}
         with:
           name: nodejs
           authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
 
-      - name: Configure sccache
-        if: github.base_ref == 'main' || github.ref_name == 'main'
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd  # v8.0.0
+      - name: Build V8 derivation
+        if: ${{ steps.cachix-check.outputs.IS_AVAILABLE == 'true' }}
+        run: |
+          nix-build "$(
+            nix-instantiate -E "builtins.filter (p: p.pname == ''v8'') (import $TAR_DIR/shell.nix { useSeparateDerivationForV8=true; }).buildInputs"
+          )"
+
+  # Builds the matrix for `build-openssl` from tools/nix/openssl-matrix.json.
+  # Output shape:
+  # [{ "version": "3.6.1", "attr": "openssl_3_6", "continue-on-error": false }, ...]
+  collect-openssl-versions:
+    if: github.event.pull_request.draft == false
+    runs-on: ubuntu-slim
+    outputs:
+      matrix: ${{ steps.query.outputs.matrix }}
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
-          script: |
-            core.exportVariable('SCCACHE_GHA_ENABLED', 'on');
-            core.exportVariable('ACTIONS_CACHE_SERVICE_V2', 'on');
-            core.exportVariable('ACTIONS_RESULTS_URL', process.env.ACTIONS_RESULTS_URL || '');
-            core.exportVariable('ACTIONS_RUNTIME_TOKEN', process.env.ACTIONS_RUNTIME_TOKEN || '');
-            core.exportVariable('NIX_SCCACHE', '(import <nixpkgs> {}).sccache');
-
-      - name: Build Node.js and run tests
+          persist-credentials: false
+          sparse-checkout: tools/nix/openssl-matrix.json
+          sparse-checkout-cone-mode: false
+      - id: query
         run: |
-          nix-shell \
-            -I "nixpkgs=$TAR_DIR/tools/nix/pkgs.nix" \
-            --pure --keep TAR_DIR --keep FLAKY_TESTS \
-            --keep SCCACHE_GHA_ENABLED --keep ACTIONS_CACHE_SERVICE_V2 --keep ACTIONS_RESULTS_URL --keep ACTIONS_RUNTIME_TOKEN \
-            --arg loadJSBuiltinsDynamically false \
-            --arg useSeparateDerivationForV8 true \
-            --arg ccache "${NIX_SCCACHE:-null}" \
-            --arg devTools '[]' \
-            --arg benchmarkTools '[]' \
-            ${{ endsWith(matrix.system, '-darwin') && '--arg withAmaro false --arg withLief false --arg withSQLite false --arg withFFI false --arg extraConfigFlags ''["--without-inspector" "--without-node-options"]'' \' || '\' }}
-            --run '
-                make -C "$TAR_DIR" run-ci -j4 V=1 TEST_CI_ARGS="-p actions --measure-flakiness 9 --skip-tests=$CI_SKIP_TESTS"
-            ' "$TAR_DIR/shell.nix"
+          {
+            echo 'matrix<<EOF'
+            cat tools/nix/openssl-matrix.json
+            echo 'EOF'
+          } >> "$GITHUB_OUTPUT"
+
+  # Builds and tests Node.js with shared libraries against every supported
+  # OpenSSL release version available in the repo-pinned nixpkgs. The default
+  # shared `openssl` from tools/nix/sharedLibDeps.nix is overridden per matrix
+  # entry, while all other shared libs remain at their defaults. Only runs on
+  # a single runner/system (aarch64-linux) to keep the matrix to a minimum.
+  build-openssl:
+    needs:
+      - build-aarch64-linux-v8
+      - collect-openssl-versions
+    strategy:
+      fail-fast: false
+      matrix:
+        openssl: ${{ fromJSON(needs.collect-openssl-versions.outputs.matrix) }}
+    name: 'aarch64-linux: with shared ${{ matrix.openssl.attr }} (${{ matrix.openssl.version }})'
+    runs-on: ubuntu-24.04-arm
+    continue-on-error: ${{ matrix.openssl['continue-on-error'] }}
+    env:
+      OPENSSL_ATTR: ${{ matrix.openssl.attr }}
+      OPENSSL_VERSION: ${{ matrix.openssl.version }}
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
+          sparse-checkout: .github/actions
+      - uses: ./.github/actions/build-shared
+        with:
+          system: aarch64-linux
+          cachix-auth-token: ${{ secrets.CACHIX_AUTH_TOKEN }}
+          # Override just the `openssl` attr of the default shared-lib set with
+          # the matrix-selected nixpkgs attribute (e.g. `openssl_3_6`). All
+          # other shared libs (brotli, cares, libuv, …) keep their defaults.
+          # `permittedInsecurePackages` whitelists just the matrix-selected
+          # release (e.g. `openssl-1.1.1w`) so EOL-with-extended-support
+          # cycles evaluate without relaxing nixpkgs' meta check globally.
+          extra-nix-args: --arg sharedLibDeps "(import $TAR_DIR/tools/nix/sharedLibDeps.nix {}) // { openssl = (import $TAR_DIR/tools/nix/pkgs.nix { config.permittedInsecurePackages = [ \"openssl-$OPENSSL_VERSION\" ]; }).$OPENSSL_ATTR; }"