build(deps): drop OpenSSL, move TLS stack to rustls

[art049]

Move the runner's HTTP/TLS stack entirely to rustls, removing openssl-sys and native-tls from the dependency tree.

Some users installing the runner on macOS hit errors about OpenSSL not being installed. The cause is that our HTTP stack pulled in native-tls, which links OpenSSL on Linux and complicates static (musl) and source builds. Moving to rustls eliminates the OpenSSL dependency on every platform — the same approach Astral's uv takes, and the direction reqwest itself is going (0.13 now defaults to rustls).

Changes:

• reqwest 0.12 → 0.13 with explicit rustls (dropped native-tls-vendored)
• reqwest-middleware 0.4 → 0.5, reqwest-retry 0.7 → 0.9 (required for reqwest 0.13)
• gql_client fork (CodSpeedHQ/gql-client-rs) bumped from reqwest 0.11/native-tls to 0.13/rustls, with the git rev repointed

Verification: cargo build, cargo test --no-run, and codspeed --version all pass. cargo tree -i openssl-sys and cargo tree -i native-tls both return no matches (Linux included). The only remaining openssl-named crate is openssl-probe, a cert-path env helper pulled by rustls that does not link OpenSSL.

Follow-up: the samply fork still pulls a second reqwest 0.12 (also rustls, no OpenSSL) — worth bumping later to unify on a single reqwest version.

Fixes COD-2857

[codspeed-hq]

Merging this PR will not alter performance

⚠️ Unknown Walltime execution environment detected

Using the Walltime instrument on standard Hosted Runners will lead to inconsistent data.

For the most accurate results, we recommend using CodSpeed Macro Runners: bare-metal machines fine-tuned for performance measurement consistency.

✅ 7 untouched benchmarks

---

_{Comparing cod-2857-drop-openssl-move-runner-tls-stack-to-rustls (9d735bb) with main (41f4db9)}

[greptile-apps]

Greptile Summary

This PR migrates the runner's HTTP/TLS stack from native-tls (which links OpenSSL) to rustls, resolving installation failures on macOS and enabling fully static musl builds. The upgrade also bumps reqwest from 0.12 to 0.13, reqwest-middleware 0.4→0.5, and reqwest-retry 0.7→0.9, and repoints the gql_client fork to a new rev that also uses reqwest 0.13/rustls.

• reqwest 0.13 is configured with default-features = false and explicit ["json", "stream", "rustls", "charset", "http2", "system-proxy"]; the rustls feature name is correct (renamed from rustls-tls in 0.13), and rustls-platform-verifier is correctly resolved in the lock file for native-cert validation.
• Dozens of previously-duplicated crates (OpenSSL, native-tls, older hyper/h2/http stacks) are removed; a second reqwest 0.12.28 remains in the lock (used by axoupdater, not the samply fork as the PR description states) and uses rustls with no OpenSSL linkage.
• All git dependencies (gql_client, linux-perf-data, samply) remain pinned to a rev, satisfying the repo's git-dep pinning rule.

Confidence Score: 5/5

Safe to merge. The TLS migration is self-contained to dependency declarations, all features are correctly specified for reqwest 0.13, and the build is verified to pass.

The change is purely a dependency upgrade with no application logic changes. Feature flags for reqwest 0.13 are correct (rustls is the renamed form of rustls-tls, charset/http2/system-proxy correctly re-enable defaults that were disabled by default-features = false). The lock file confirms openssl-sys and native-tls are fully removed. The one remaining reqwest 0.12 entry (axoupdater) also routes through rustls with no OpenSSL linkage.

No files require special attention.

Important Files Changed

Filename	Overview
Cargo.toml	Bumps reqwest to 0.13 with correct rustls feature flags, upgrades reqwest-middleware and reqwest-retry, and repoints gql_client git rev. Feature list correctly includes charset, http2, and system-proxy which are non-default in 0.13 when default-features is disabled.
Cargo.lock	Lock correctly removes openssl, openssl-sys, openssl-src, native-tls, tokio-native-tls, hyper 0.14, h2 0.3, http 0.2, and related old crates. One reqwest 0.12.28 entry remains (used by axoupdater), now also using only rustls with no OpenSSL linkage.

_{Reviews (1): Last reviewed commit: "build(deps): drop OpenSSL, move TLS stac..." | Re-trigger Greptile}