
Commit 22a5bc9

ci(security): split sanitizer and package export jobs in umbrella CI
1 parent edd0ec9 commit 22a5bc9

1 file changed

+94
-89
lines changed


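--- a/.github/workflows/SECURITY_CI.yml
+++ b/.github/workflows/SECURITY_CI.yml
@@ -69,18 +69,13 @@ env:
 
 jobs:
 build-test:
-name: Build and Tests (${{ matrix.compiler }}, examples=${{ matrix.examples }}, sanitizers=${{ matrix.sanitizers }})
+name: Build and Tests (${{ matrix.compiler }}, examples=${{ matrix.examples }})
 runs-on: ubuntu-latest
 strategy:
 fail-fast: false
 matrix:
 compiler: [clang, gcc]
 examples: [ON, OFF]
-sanitizers: [OFF]
-include:
-- compiler: clang
-examples: ON
-sanitizers: ON
 
 steps:
 - name: Checkout umbrella repository
@@ -119,7 +114,7 @@ jobs:
 -DCMAKE_EXPORT_COMPILE_COMMANDS=ON \
 -DVIX_BUILD_TESTS=ON \
 -DVIX_BUILD_EXAMPLES=${{ matrix.examples }} \
--DVIX_ENABLE_SANITIZERS=${{ matrix.sanitizers }} \
+-DVIX_ENABLE_SANITIZERS=OFF \
 -DVIX_ENABLE_WARNINGS=ON \
 -DVIX_ENABLE_LTO=OFF \
 -DVIX_ENABLE_INSTALL=ON \
@@ -152,15 +147,67 @@ jobs:
 
 - name: Run ctest
 run: |
-set -e
 cd build
-if ctest --output-on-failure --timeout 120; then
-echo "Umbrella tests passed."
-else
-echo "::warning::Some umbrella tests failed or no tests were discovered."
-test -f Testing/Temporary/LastTest.log && cat Testing/Temporary/LastTest.log || true
-exit 0
-fi
+ctest --output-on-failure --timeout 120
+
+sanitizers:
+name: Sanitizers (clang, examples=ON)
+runs-on: ubuntu-latest
+
+steps:
+- name: Checkout umbrella repository
+uses: actions/checkout@v4
+with:
+fetch-depth: 0
+submodules: recursive
+
+- name: Install dependencies
+run: |
+sudo apt-get update -y
+sudo apt-get install -y $DEPS
+
+- name: Select clang
+run: |
+echo "CC=clang" >> "$GITHUB_ENV"
+echo "CXX=clang++" >> "$GITHUB_ENV"
+
+- name: Configure sanitizer build
+run: |
+cmake -G Ninja -S . -B build-san \
+-DCMAKE_BUILD_TYPE=Debug \
+-DCMAKE_EXPORT_COMPILE_COMMANDS=ON \
+-DVIX_BUILD_TESTS=ON \
+-DVIX_BUILD_EXAMPLES=ON \
+-DVIX_ENABLE_SANITIZERS=ON \
+-DVIX_ENABLE_WARNINGS=ON \
+-DVIX_ENABLE_LTO=OFF \
+-DVIX_ENABLE_INSTALL=OFF \
+-DVIX_FORCE_FETCH_JSON=OFF \
+-DVIX_FETCH_DEPS=OFF \
+-DVIX_ENABLE_ASYNC=ON \
+-DVIX_ENABLE_CRYPTO=ON \
+-DVIX_ENABLE_TIME=ON \
+-DVIX_ENABLE_WEBRPC=ON \
+-DVIX_ENABLE_VALIDATION=ON \
+-DVIX_ENABLE_CACHE=ON \
+-DVIX_ENABLE_P2P=ON \
+-DVIX_ENABLE_P2P_HTTP=ON \
+-DVIX_ENABLE_DB=ON \
+-DVIX_DB_USE_MYSQL=ON \
+-DVIX_DB_USE_SQLITE=OFF \
+-DVIX_ENABLE_ORM=ON \
+-DVIX_ENABLE_MIDDLEWARE=ON \
+-DVIX_ENABLE_CLI=ON \
+-DVIX_ENABLE_WEBSOCKET=ON
+
+- name: Build sanitizer config
+run: |
+cmake --build build-san -j"${BUILD_JOBS}"
+
+- name: Run sanitizer tests
+run: |
+cd build-san
+ctest --output-on-failure --timeout 120
 
 runtime-smoke:
 name: Runtime Smoke and CLI Checks
@@ -187,7 +234,7 @@ jobs:
 -DVIX_ENABLE_SANITIZERS=OFF \
 -DVIX_ENABLE_WARNINGS=ON \
 -DVIX_ENABLE_LTO=OFF \
--DVIX_ENABLE_INSTALL=ON \
+-DVIX_ENABLE_INSTALL=OFF \
 -DVIX_FORCE_FETCH_JSON=OFF \
 -DVIX_FETCH_DEPS=OFF \
 -DVIX_ENABLE_ASYNC=ON \
@@ -225,33 +272,21 @@ jobs:
 - name: Run CLI smoke checks
 shell: bash
 run: |
-set +e
-FAIL=0
-
-echo "==> vix --help"
-timeout 10s "$VIX_BIN" --help >/tmp/vix_help.log 2>&1
-STATUS=$?
+set -e
+timeout 10s "$VIX_BIN" --help >/tmp/vix_help.log 2>&1 || STATUS=$?
 cat /tmp/vix_help.log || true
-if [ $STATUS -ne 0 ] && [ $STATUS -ne 124 ]; then
-echo "::warning::vix --help failed"
-FAIL=1
+if [ "${STATUS:-0}" -ne 0 ] && [ "${STATUS:-0}" -ne 124 ]; then
+echo "::error::vix --help failed"
+exit 1
 fi
 
-echo "==> vix --version"
-timeout 10s "$VIX_BIN" --version >/tmp/vix_version.log 2>&1
-STATUS=$?
+unset STATUS
+timeout 10s "$VIX_BIN" --version >/tmp/vix_version.log 2>&1 || STATUS=$?
 cat /tmp/vix_version.log || true
-if [ $STATUS -ne 0 ] && [ $STATUS -ne 124 ]; then
-echo "::warning::vix --version failed"
-FAIL=1
-fi
-
-if [ $FAIL -ne 0 ]; then
-echo "::warning::Runtime smoke checks reported issues."
-else
-echo "Runtime smoke checks completed."
+if [ "${STATUS:-0}" -ne 0 ] && [ "${STATUS:-0}" -ne 124 ]; then
+echo "::error::vix --version failed"
+exit 1
 fi
-exit 0
 
 static-analysis:
 name: Umbrella Static Analysis
@@ -274,7 +309,7 @@ jobs:
 cmake -G Ninja -S . -B build-analyze \
 -DCMAKE_BUILD_TYPE=Debug \
 -DCMAKE_EXPORT_COMPILE_COMMANDS=ON \
--DVIX_BUILD_TESTS=ON \
+-DVIX_BUILD_TESTS=OFF \
 -DVIX_BUILD_EXAMPLES=ON \
 -DVIX_ENABLE_SANITIZERS=OFF \
 -DVIX_ENABLE_WARNINGS=ON \
@@ -300,12 +335,6 @@ jobs:
 run: |
 set +e
 find modules tests examples -name '*.cpp' -print0 2>/dev/null | xargs -0 -r -n1 -P2 clang-tidy -p build-analyze
-STATUS=$?
-if [ $STATUS -ne 0 ]; then
-echo "::warning::clang-tidy reported issues."
-else
-echo "clang-tidy completed successfully."
-fi
 exit 0
 
 - name: Run cppcheck on umbrella tree
@@ -318,12 +347,6 @@ jobs:
 --quiet \
 --suppress=missingIncludeSystem \
 modules/ tests/ examples/
-STATUS=$?
-if [ $STATUS -ne 0 ]; then
-echo "::warning::cppcheck reported issues."
-else
-echo "cppcheck completed successfully."
-fi
 exit 0
 
 valgrind:
@@ -351,7 +374,8 @@ jobs:
 -DVIX_BUILD_EXAMPLES=OFF \
 -DVIX_ENABLE_SANITIZERS=OFF \
 -DVIX_ENABLE_WARNINGS=ON \
--DVIX_ENABLE_INSTALL=ON \
+-DVIX_ENABLE_LTO=OFF \
+-DVIX_ENABLE_INSTALL=OFF \
 -DVIX_FORCE_FETCH_JSON=OFF \
 -DVIX_FETCH_DEPS=OFF \
 -DVIX_ENABLE_ASYNC=ON \
@@ -387,28 +411,17 @@ jobs:
 - name: Run valgrind on CLI
 shell: bash
 run: |
-set +e
-FAIL=0
-
+set -e
 timeout 20s valgrind \
 --leak-check=full \
 --show-leak-kinds=all \
 --track-origins=yes \
-"$VIX_BIN" --help >/tmp/umbrella_valgrind.log 2>&1
-STATUS=$?
+"$VIX_BIN" --help >/tmp/umbrella_valgrind.log 2>&1 || STATUS=$?
 cat /tmp/umbrella_valgrind.log || true
-
-if [ $STATUS -ne 0 ] && [ $STATUS -ne 124 ]; then
-echo "::warning::Valgrind reported issues for umbrella CLI"
-FAIL=1
-fi
-
-if [ $FAIL -ne 0 ]; then
-echo "::warning::Valgrind detected potential issues."
-else
-echo "Valgrind checks completed."
+if [ "${STATUS:-0}" -ne 0 ] && [ "${STATUS:-0}" -ne 124 ]; then
+echo "::error::Valgrind reported issues for umbrella CLI"
+exit 1
 fi
-exit 0
 
 standalone-package-check:
 name: Umbrella Package Export Check
@@ -434,6 +447,7 @@ jobs:
 -DVIX_BUILD_EXAMPLES=OFF \
 -DVIX_ENABLE_SANITIZERS=OFF \
 -DVIX_ENABLE_WARNINGS=ON \
+-DVIX_ENABLE_LTO=OFF \
 -DVIX_ENABLE_INSTALL=ON \
 -DVIX_FORCE_FETCH_JSON=OFF \
 -DVIX_FETCH_DEPS=OFF \
@@ -447,6 +461,7 @@ jobs:
 -DVIX_ENABLE_P2P_HTTP=ON \
 -DVIX_ENABLE_DB=ON \
 -DVIX_DB_USE_MYSQL=ON \
+-DVIX_DB_USE_SQLITE=OFF \
 -DVIX_ENABLE_ORM=ON \
 -DVIX_ENABLE_MIDDLEWARE=ON \
 -DVIX_ENABLE_CLI=ON \
@@ -468,16 +483,8 @@ jobs:
 
 test -f .ci-install/lib/cmake/Vix/VixConfig.cmake || (echo "::error::VixConfig.cmake missing"; exit 1)
 test -f .ci-install/lib/cmake/Vix/VixConfigVersion.cmake || (echo "::error::VixConfigVersion.cmake missing"; exit 1)
-test -f .ci-install/include/vix/core/App.hpp || true
 test -f .ci-install/include/vix/json/Simple.hpp || (echo "::error::json headers missing"; exit 1)
 test -f .ci-install/include/vix/utils/Logger.hpp || (echo "::error::utils headers missing"; exit 1)
-test -f .ci-install/include/vix/webrpc/webrpc.hpp || true
-
-if [ -f .ci-install/bin/vix ]; then
-echo "CLI binary installed."
-else
-echo "::warning::No installed CLI binary found in install tree."
-fi
 
 - name: Consumer package check
 run: |
@@ -576,25 +583,23 @@ jobs:
 cmake --build build-full -j"${BUILD_JOBS}"
 
 summary:
-name: Umbrella Strict CI Summary
+name: SECURITY_CI Summary
 needs:
-[
-build-test,
-runtime-smoke,
-static-analysis,
-valgrind,
-standalone-package-check,
-config-coverage,
-]
+- build-test
+- sanitizers
+- runtime-smoke
+- static-analysis
+- valgrind
+- standalone-package-check
+- config-coverage
 runs-on: ubuntu-latest
 
 steps:
 - name: Print summary
 run: |
-echo "Umbrella strict CI completed."
-echo "This workflow validates:"
-echo "- umbrella build with clang and gcc"
-echo "- tests and examples"
+echo "SECURITY_CI completed."
+echo "- standard build and tests"
+echo "- dedicated sanitizer build without install/export"
 echo "- CLI runtime smoke"
 echo "- static analysis"
 echo "- valgrind"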
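Review bot: The new sanitizers job's "Run sanitizer tests" step (new lines 207–210) relies on `ctest` exiting non-zero, but UBSan only prints its reports and lets the process continue unless told otherwise, so if VIX_ENABLE_SANITIZERS turns on UBSan (not visible in this hunk) undefined-behaviour findings would still leave the job green. Setting the runtime option on that step, `env:` / `UBSAN_OPTIONS: halt_on_error=1:print_stacktrace=1`, turns a report into a test failure; ASan already halts on its first error by default, so it needs no equivalent. The same gap exists in the valgrind hunk: the now-strict `exit 1` only observes the CLI's own exit status, and valgrind keeps exit code 0 on memory errors unless `--error-exitcode=1` is added to its invocation. Both the smoke and valgrind steps also still treat a `timeout` exit of 124 as success, which the new hard-fail wording suggests was not intended.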
