ci(crypto): add strict CI for standalone repository #2
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Crypto Strict CI | |
| on: | |
| push: | |
| branches: [main, master, dev] | |
| paths: | |
| - ".github/workflows/crypto-strict-ci.yml" | |
| - "CMakeLists.txt" | |
| - "cmake/**" | |
| - "include/**" | |
| - "src/**" | |
| - "tests/**" | |
| - "examples/**" | |
| - "README.md" | |
| - "LICENSE" | |
| - "cmd.md" | |
| - "vix.json" | |
| pull_request: | |
| branches: [main, master, dev] | |
| paths: | |
| - ".github/workflows/crypto-strict-ci.yml" | |
| - "CMakeLists.txt" | |
| - "cmake/**" | |
| - "include/**" | |
| - "src/**" | |
| - "tests/**" | |
| - "examples/**" | |
| - "README.md" | |
| - "LICENSE" | |
| - "cmd.md" | |
| - "vix.json" | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| env: | |
| DEPS: > | |
| build-essential | |
| cmake | |
| ninja-build | |
| clang | |
| llvm | |
| lld | |
| g++ | |
| cppcheck | |
| clang-tidy | |
| valgrind | |
| pkg-config | |
| git | |
| libssl-dev | |
| libspdlog-dev | |
| libfmt-dev | |
| BUILD_JOBS: 2 | |
| VIX_GIT_BRANCH: dev | |
| jobs: | |
| build-test-sanitized: | |
| name: Sanitized Build and Tests (${{ matrix.compiler }}, openssl=${{ matrix.openssl }}, utils=${{ matrix.utils_mode }}) | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| compiler: [clang, gcc] | |
| openssl: [ON, OFF] | |
| utils_mode: [present, absent] | |
| steps: | |
| - name: Checkout crypto repository | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Install dependencies | |
| run: | | |
| sudo apt-get update -y | |
| sudo apt-get install -y $DEPS | |
| - name: Fetch sibling utils | |
| if: matrix.utils_mode == 'present' | |
| run: | | |
| rm -rf ../utils | |
| git clone --depth 1 --branch "${VIX_GIT_BRANCH}" https://github.com/vixcpp/utils.git ../utils | |
| test -f ../utils/CMakeLists.txt || (echo "::error::../utils/CMakeLists.txt is missing"; exit 1) | |
| ls -la ../utils || true | |
| - name: Ensure utils is absent | |
| if: matrix.utils_mode == 'absent' | |
| run: | | |
| rm -rf ../utils | |
| echo "utils intentionally absent" | |
| - name: Select compiler | |
| run: | | |
| if [ "${{ matrix.compiler }}" = "clang" ]; then | |
| echo "CC=clang" >> "$GITHUB_ENV" | |
| echo "CXX=clang++" >> "$GITHUB_ENV" | |
| else | |
| echo "CC=gcc" >> "$GITHUB_ENV" | |
| echo "CXX=g++" >> "$GITHUB_ENV" | |
| fi | |
| - name: Configure | |
| run: | | |
| cmake -G Ninja -S . -B build-sanitize \ | |
| -DCMAKE_BUILD_TYPE=Debug \ | |
| -DCMAKE_EXPORT_COMPILE_COMMANDS=ON \ | |
| -DVIX_ENABLE_SANITIZERS=ON \ | |
| -DVIX_CRYPTO_BUILD_TESTS=ON \ | |
| -DVIX_CRYPTO_BUILD_EXAMPLES=ON \ | |
| -DVIX_CRYPTO_USE_OPENSSL=${{ matrix.openssl }} \ | |
| -DVIX_CRYPTO_FETCH_UTILS=OFF \ | |
| -DVIX_CRYPTO_FETCH_OPENSSL=OFF | |
| - name: Build | |
| run: | | |
| cmake --build build-sanitize -j"${BUILD_JOBS}" | |
| - name: Print executables | |
| run: | | |
| echo "---- executables ----" | |
| find build-sanitize -type f -executable | sort || true | |
| - name: Run ctest | |
| run: | | |
| set -e | |
| cd build-sanitize | |
| if ctest --output-on-failure --timeout 90; then | |
| echo "All discovered tests passed." | |
| else | |
| echo "::warning::Some tests failed or no tests were discovered." | |
| test -f Testing/Temporary/LastTest.log && cat Testing/Temporary/LastTest.log || true | |
| exit 0 | |
| fi | |
| runtime-smoke: | |
| name: Runtime Smoke Checks | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout crypto repository | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Install dependencies | |
| run: | | |
| sudo apt-get update -y | |
| sudo apt-get install -y $DEPS | |
| - name: Fetch sibling utils | |
| run: | | |
| rm -rf ../utils | |
| git clone --depth 1 --branch "${VIX_GIT_BRANCH}" https://github.com/vixcpp/utils.git ../utils | |
| test -f ../utils/CMakeLists.txt || (echo "::error::../utils/CMakeLists.txt is missing"; exit 1) | |
| - name: Configure runtime build | |
| run: | | |
| cmake -G Ninja -S . -B build-runtime \ | |
| -DCMAKE_BUILD_TYPE=Debug \ | |
| -DVIX_ENABLE_SANITIZERS=OFF \ | |
| -DVIX_CRYPTO_BUILD_TESTS=OFF \ | |
| -DVIX_CRYPTO_BUILD_EXAMPLES=ON \ | |
| -DVIX_CRYPTO_USE_OPENSSL=ON \ | |
| -DVIX_CRYPTO_FETCH_UTILS=OFF \ | |
| -DVIX_CRYPTO_FETCH_OPENSSL=OFF | |
| - name: Build runtime artifacts | |
| run: | | |
| cmake --build build-runtime -j"${BUILD_JOBS}" | |
| - name: List candidate executables | |
| run: | | |
| echo "---- runtime candidates ----" | |
| find build-runtime -type f -executable | sort || true | |
| - name: Run smoke tests on executables | |
| shell: bash | |
| run: | | |
| set +e | |
| FAIL=0 | |
| mapfile -t CANDIDATES < <( | |
| find build-runtime -type f -executable | while read -r exe; do | |
| base="$(basename "$exe")" | |
| if [[ ! "$exe" =~ /CMakeFiles/ ]] && [[ ! "$base" =~ (cmake|ctest) ]]; then | |
| echo "$exe" | |
| fi | |
| done | sort -u | |
| ) | |
| if [ ${#CANDIDATES[@]} -eq 0 ]; then | |
| echo "No executable candidates found." | |
| exit 0 | |
| fi | |
| for exe in "${CANDIDATES[@]}"; do | |
| echo "==> Smoke run: $exe" | |
| timeout 5s "$exe" >/tmp/crypto_smoke.log 2>&1 | |
| STATUS=$? | |
| cat /tmp/crypto_smoke.log || true | |
| if [ $STATUS -ne 0 ] && [ $STATUS -ne 124 ]; then | |
| echo "::warning::Non-zero exit status from $exe (status=$STATUS)" | |
| FAIL=1 | |
| fi | |
| done | |
| if [ $FAIL -ne 0 ]; then | |
| echo "::warning::Some smoke runs reported issues." | |
| else | |
| echo "Smoke runs completed." | |
| fi | |
| exit 0 | |
| static-analysis: | |
| name: Static Analysis | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout crypto repository | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Install dependencies | |
| run: | | |
| sudo apt-get update -y | |
| sudo apt-get install -y $DEPS | |
| - name: Fetch sibling utils | |
| run: | | |
| rm -rf ../utils | |
| git clone --depth 1 --branch "${VIX_GIT_BRANCH}" https://github.com/vixcpp/utils.git ../utils || true | |
| - name: Configure for analysis | |
| run: | | |
| cmake -G Ninja -S . -B build-analyze \ | |
| -DCMAKE_BUILD_TYPE=Debug \ | |
| -DCMAKE_EXPORT_COMPILE_COMMANDS=ON \ | |
| -DVIX_ENABLE_SANITIZERS=OFF \ | |
| -DVIX_CRYPTO_BUILD_TESTS=ON \ | |
| -DVIX_CRYPTO_BUILD_EXAMPLES=ON \ | |
| -DVIX_CRYPTO_USE_OPENSSL=ON \ | |
| -DVIX_CRYPTO_FETCH_UTILS=OFF \ | |
| -DVIX_CRYPTO_FETCH_OPENSSL=OFF | |
| - name: Run clang-tidy on source files | |
| run: | | |
| set +e | |
| find src tests examples -name '*.cpp' -print0 | xargs -0 -n1 -P2 clang-tidy -p build-analyze | |
| STATUS=$? | |
| if [ $STATUS -ne 0 ]; then | |
| echo "::warning::clang-tidy reported issues." | |
| else | |
| echo "clang-tidy completed successfully." | |
| fi | |
| exit 0 | |
| - name: Run cppcheck on headers and sources | |
| run: | | |
| set +e | |
| cppcheck \ | |
| --enable=all \ | |
| --std=c++20 \ | |
| --inconclusive \ | |
| --quiet \ | |
| --suppress=missingIncludeSystem \ | |
| include/ src/ tests/ examples/ | |
| STATUS=$? | |
| if [ $STATUS -ne 0 ]; then | |
| echo "::warning::cppcheck reported issues." | |
| else | |
| echo "cppcheck completed successfully." | |
| fi | |
| exit 0 | |
| valgrind: | |
| name: Valgrind Checks | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 30 | |
| steps: | |
| - name: Checkout crypto repository | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Install dependencies | |
| run: | | |
| sudo apt-get update -y | |
| sudo apt-get install -y $DEPS | |
| - name: Fetch sibling utils | |
| run: | | |
| rm -rf ../utils | |
| git clone --depth 1 --branch "${VIX_GIT_BRANCH}" https://github.com/vixcpp/utils.git ../utils || true | |
| - name: Configure valgrind build | |
| run: | | |
| cmake -G Ninja -S . -B build-valgrind \ | |
| -DCMAKE_BUILD_TYPE=Debug \ | |
| -DVIX_ENABLE_SANITIZERS=OFF \ | |
| -DVIX_CRYPTO_BUILD_TESTS=ON \ | |
| -DVIX_CRYPTO_BUILD_EXAMPLES=ON \ | |
| -DVIX_CRYPTO_USE_OPENSSL=ON \ | |
| -DVIX_CRYPTO_FETCH_UTILS=OFF \ | |
| -DVIX_CRYPTO_FETCH_OPENSSL=OFF | |
| - name: Build | |
| run: | | |
| cmake --build build-valgrind -j"${BUILD_JOBS}" | |
| - name: Run valgrind on executables | |
| shell: bash | |
| run: | | |
| set +e | |
| FAIL=0 | |
| mapfile -t BINS < <( | |
| find build-valgrind -type f -executable | while read -r exe; do | |
| base="$(basename "$exe")" | |
| if [[ ! "$exe" =~ /CMakeFiles/ ]] && [[ ! "$base" =~ (cmake|ctest) ]]; then | |
| echo "$exe" | |
| fi | |
| done | sort -u | |
| ) | |
| if [ ${#BINS[@]} -eq 0 ]; then | |
| echo "No candidate executables found for valgrind." | |
| exit 0 | |
| fi | |
| for exe in "${BINS[@]}"; do | |
| echo "==> Valgrind: $exe" | |
| timeout 20s valgrind \ | |
| --leak-check=full \ | |
| --show-leak-kinds=all \ | |
| --track-origins=yes \ | |
| "$exe" | |
| STATUS=$? | |
| if [ $STATUS -ne 0 ] && [ $STATUS -ne 124 ]; then | |
| echo "::warning::Valgrind reported issues for $exe" | |
| FAIL=1 | |
| fi | |
| done | |
| if [ $FAIL -ne 0 ]; then | |
| echo "::warning::Valgrind detected potential issues." | |
| else | |
| echo "Valgrind checks completed." | |
| fi | |
| exit 0 | |
| standalone-package-check: | |
| name: Standalone Package Export Check | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout crypto repository | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Install dependencies | |
| run: | | |
| sudo apt-get update -y | |
| sudo apt-get install -y $DEPS | |
| - name: Ensure utils is absent | |
| run: | | |
| rm -rf ../utils | |
| - name: Configure installable standalone build | |
| run: | | |
| cmake -G Ninja -S . -B build-install \ | |
| -DCMAKE_BUILD_TYPE=Release \ | |
| -DVIX_CRYPTO_BUILD_TESTS=OFF \ | |
| -DVIX_CRYPTO_BUILD_EXAMPLES=OFF \ | |
| -DVIX_CRYPTO_USE_OPENSSL=OFF \ | |
| -DVIX_CRYPTO_FETCH_UTILS=OFF \ | |
| -DVIX_CRYPTO_FETCH_OPENSSL=OFF \ | |
| -DCMAKE_INSTALL_PREFIX="${PWD}/.ci-install" | |
| - name: Build standalone package | |
| run: | | |
| cmake --build build-install -j"${BUILD_JOBS}" | |
| - name: Install standalone package | |
| run: | | |
| cmake --install build-install | |
| - name: Verify installed package files | |
| run: | | |
| echo "---- install tree ----" | |
| find .ci-install -maxdepth 6 -type f | sort || true | |
| test -f .ci-install/include/vix/crypto/crypto.hpp || (echo "::error::crypto headers not found"; exit 1) | |
| config-coverage: | |
| name: Configuration Coverage | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout crypto repository | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Install dependencies | |
| run: | | |
| sudo apt-get update -y | |
| sudo apt-get install -y $DEPS | |
| - name: Fetch sibling utils | |
| run: | | |
| rm -rf ../utils | |
| git clone --depth 1 --branch "${VIX_GIT_BRANCH}" https://github.com/vixcpp/utils.git ../utils || true | |
| - name: Configure release mode without OpenSSL | |
| run: | | |
| cmake -G Ninja -S . -B build-release-min \ | |
| -DCMAKE_BUILD_TYPE=Release \ | |
| -DVIX_ENABLE_SANITIZERS=OFF \ | |
| -DVIX_CRYPTO_BUILD_TESTS=OFF \ | |
| -DVIX_CRYPTO_BUILD_EXAMPLES=OFF \ | |
| -DVIX_CRYPTO_USE_OPENSSL=OFF \ | |
| -DVIX_CRYPTO_FETCH_UTILS=OFF \ | |
| -DVIX_CRYPTO_FETCH_OPENSSL=OFF | |
| - name: Build release mode without OpenSSL | |
| run: | | |
| cmake --build build-release-min -j"${BUILD_JOBS}" | |
| - name: Configure release mode with OpenSSL | |
| run: | | |
| cmake -G Ninja -S . -B build-release-openssl \ | |
| -DCMAKE_BUILD_TYPE=Release \ | |
| -DVIX_ENABLE_SANITIZERS=OFF \ | |
| -DVIX_CRYPTO_BUILD_TESTS=OFF \ | |
| -DVIX_CRYPTO_BUILD_EXAMPLES=OFF \ | |
| -DVIX_CRYPTO_USE_OPENSSL=ON \ | |
| -DVIX_CRYPTO_FETCH_UTILS=OFF \ | |
| -DVIX_CRYPTO_FETCH_OPENSSL=OFF | |
| - name: Build release mode with OpenSSL | |
| run: | | |
| cmake --build build-release-openssl -j"${BUILD_JOBS}" | |
| - name: Configure release mode without utils | |
| run: | | |
| rm -rf ../utils | |
| cmake -G Ninja -S . -B build-release-no-utils \ | |
| -DCMAKE_BUILD_TYPE=Release \ | |
| -DVIX_ENABLE_SANITIZERS=OFF \ | |
| -DVIX_CRYPTO_BUILD_TESTS=OFF \ | |
| -DVIX_CRYPTO_BUILD_EXAMPLES=OFF \ | |
| -DVIX_CRYPTO_USE_OPENSSL=ON \ | |
| -DVIX_CRYPTO_FETCH_UTILS=OFF \ | |
| -DVIX_CRYPTO_FETCH_OPENSSL=OFF | |
| - name: Build release mode without utils | |
| run: | | |
| cmake --build build-release-no-utils -j"${BUILD_JOBS}" | |
| summary: | |
| name: Crypto Strict CI Summary | |
| needs: | |
| [ | |
| build-test-sanitized, | |
| runtime-smoke, | |
| static-analysis, | |
| valgrind, | |
| standalone-package-check, | |
| config-coverage, | |
| ] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Print summary | |
| run: | | |
| echo "Crypto strict CI completed." | |
| echo "This workflow validates:" | |
| echo "- sanitized builds" | |
| echo "- unit tests" | |
| echo "- examples" | |
| echo "- OpenSSL ON/OFF modes" | |
| echo "- utils present/absent modes" | |
| echo "- runtime smoke checks" | |
| echo "- static analysis" | |
| echo "- valgrind" | |
| echo "- standalone package export" |