feat(install): add proxy-aware HTTPS agent while downloading pre-built binaries #3694

Open
rohit-mondal-17 wants to merge 1 commit into Shopify:main from rohit-mondal-17:postInstallProxySupport

rohit-mondal-17 commented Feb 6, 2026

Summary

  • This PR updates packages/skia/scripts/install-skia.mjs to use a proxy-aware Agent for all HTTPS downloads performed during postinstall. Many enterprise environments sit behind an HTTP proxy (e.g., Squid), where HTTPS requires the client to open a tunnel via the CONNECT method. Node’s bare https.get() does not use a proxy unless an Agent is provided, so Skia’s prebuilt binary downloads from GitHub Releases fail in such networks. This change makes the downloader proxy-capable while remaining fully backward compatible for users with direct Internet access.

Background & Motivation

  • React Native Skia relies on a postinstall script to download prebuilt Skia binaries from GitHub Releases and place them under packages/skia/libs/*. If this step fails, consumers hit build errors for missing native libraries.
  • The current script performs raw HTTPS GET requests to GitHub assets. In corporate networks using an HTTP proxy (e.g., Squid), clients must create a CONNECT tunnel for HTTPS; otherwise, the connection is blocked and downloads fail. Environments that require TLS interception also supply a corporate CA via NODE_EXTRA_CA_CERTS. The script today doesn’t account for either case.

This PR solves the proxy routing problem (and keeps TLS validation intact). It does not change checksum verification, tar extraction, or the file layout.

What’s Changed (Implementation)

Proxy Agent (optional)

  • Dynamically imports https-proxy-agent if available in the consumer’s dependency graph.
  • If a proxy URL is present in standard env vars (HTTPS_PROXY, HTTP_PROXY, ALL_PROXY, case-insensitive), creates a single HttpsProxyAgent instance and reuses it for all requests (including redirect hops).
  • If the agent isn’t available or env vars are absent, behavior is unchanged (direct HTTPS).
  • We also add an HTTP client fallback for the rare case of HTTP redirects.
  • We keep TLS verification on; organizations that do SSL interception can continue to set NODE_EXTRA_CA_CERTS out of band. The rest of the installer (checksum, extraction, folder layout) is untouched.

Robust redirect handling

  • Resolves relative Location headers using new URL(location, currentUrl).
  • Reuses the same agent across redirects (critical for proxied routes).

Request guardrails

  • Adds a 30s request timeout to avoid indefinite hangs behind brittle proxies.
  • Sends a browser-like User-Agent string to avoid over-zealous egress filters in some corporate setups (non-functional optimization).

Security Considerations

  • TLS verification remains enabled. The script does not set rejectUnauthorized: false.
  • For TLS interception, orgs continue to supply a corporate root CA via NODE_EXTRA_CA_CERTS.
  • No credentials are logged.
  • No change to the authenticity guarantees (checksum verification still guards corruption/mismatch).

Test Plan (local & CI)

Open Internet (baseline)

yarn install (or npm install) should:

  • Run postinstall, download assets from GitHub Releases, verify checksums, extract libs, and complete successfully.
  • Re-run should skip downloads if libs + checksums match.
  • Confirm packages/skia/libs/android/* and libs/apple/* are populated as before.

Proxied Network (Squid or equivalent)

Export proxy env vars and (optionally) a corporate CA:

    export HTTPS_PROXY='http://<proxy-host>:<port>'
    export HTTP_PROXY=$HTTPS_PROXY
    export ALL_PROXY=$HTTPS_PROXY
    export NODE_EXTRA_CA_CERTS=/path/to/corporate-root-ca.pem

Ensure https-proxy-agent is present (consumer installs it; the script dynamically imports it).
yarn install should succeed; binaries download via CONNECT tunneling.

Redirect Handling

Manually test a URL with a known redirect (e.g., release asset short links) to verify relative/absolute Location headers are handled with the same agent.
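
Added example (not part of the pull request and not code from install-skia.mjs): a sketch of the proxy selection, credential-safe logging and redirect resolution the description talks about, with a downgrade flag so an https to http hop is visible to the caller. The helper names, the `MAX_REDIRECTS` cap and the `.example` hostnames are assumptions made for illustration.

```javascript
// Added illustration; helper names and MAX_REDIRECTS are assumptions,
// not identifiers from packages/skia/scripts/install-skia.mjs.
const PROXY_VARS = ["HTTPS_PROXY", "HTTP_PROXY", "ALL_PROXY"];
const MAX_REDIRECTS = 5; // assumed cap; the PR text does not state one

// First proxy URL found in env, checking upper- and lower-case names.
function pickProxyUrl(env) {
  for (const name of PROXY_VARS) {
    const value = env[name] || env[name.toLowerCase()];
    if (value) return value;
  }
  return null;
}

// Log-safe form of a proxy URL: userinfo is never echoed.
function redactProxy(proxyUrl) {
  const u = new URL(proxyUrl);
  const hadCreds = u.username !== "" || u.password !== "";
  return `${u.protocol}//${hadCreds ? "<redacted>@" : ""}${u.host}`;
}

// Resolve a Location header against the URL that produced it, bound the
// hop count, and report an https -> http downgrade to the caller.
function resolveRedirect(currentUrl, location, hops) {
  if (hops >= MAX_REDIRECTS) throw new Error("too many redirects");
  const current = new URL(currentUrl);
  const next = new URL(location, current);
  if (next.protocol !== "https:" && next.protocol !== "http:") {
    throw new Error(`unsupported redirect scheme: ${next.protocol}`);
  }
  return {
    url: next.href,
    downgraded: current.protocol === "https:" && next.protocol === "http:",
  };
}

// Constructed sample values (not taken from the PR).
const env = { https_proxy: "http://user:secret@proxy.example:3128" };
console.log(redactProxy(pickProxyUrl(env)));
console.log(resolveRedirect("https://downloads.example/v1/lib.tar.gz", "../cdn/lib.tar.gz", 0));
```

When `downgraded` is true the hop leaves TLS, so the integrity of that download rests on the checksum verification the description says is unchanged.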
