Update issue templates #58
| name: Security & Quality CI | |
| on: | |
| push: | |
| branches: [main, master] | |
| pull_request: | |
| branches: [main, master] | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| env: | |
| DEPS: > | |
| build-essential cmake ninja-build | |
| clang llvm lld | |
| g++ valgrind cppcheck | |
| libboost-all-dev nlohmann-json3-dev libspdlog-dev libfmt-dev | |
| jobs: | |
| build-asan-ubsan: | |
| name: Build + Tests (ASan/UBSan) | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| compiler: [clang, gcc] | |
| steps: | |
| - name: Checkout (with submodules) | |
| uses: actions/checkout@v4 | |
| with: | |
| submodules: recursive | |
| fetch-depth: 0 | |
| - name: Forcer les URLs de sous-modules en HTTPS (pas SSH) | |
| run: | | |
| git config --global url."https://github.com/".insteadOf "git@github.com:" | |
| git submodule sync --recursive | |
| - name: Initialiser les sous-modules (profondeur minimale ok) | |
| run: | | |
| git submodule update --init --recursive --depth 1 | |
| echo "---- submodule status ----" | |
| git submodule status --recursive || true | |
| echo "---- modules presence (ls) ----" | |
| ls -la modules || true | |
| ls -la modules/json || true | |
| ls -la modules/utils || true | |
| ls -la modules/core || true | |
| - name: Vérifier la présence des sous-modules | |
| run: | | |
| test -f modules/json/CMakeLists.txt || (echo "::error::modules/json manquant"; exit 1) | |
| test -f modules/utils/CMakeLists.txt || (echo "::error::modules/utils manquant"; exit 1) | |
| test -f modules/core/CMakeLists.txt || (echo "::error::modules/core manquant"; exit 1) | |
| echo "✅ Tous les sous-modules sont présents." | |
| - name: Install dependencies | |
| run: | | |
| sudo apt-get update -y | |
| sudo apt-get install -y $DEPS | |
| - name: Select compiler | |
| run: | | |
| if [ "${{ matrix.compiler }}" = "clang" ]; then | |
| echo "CC=clang" >> $GITHUB_ENV | |
| echo "CXX=clang++" >> $GITHUB_ENV | |
| else | |
| echo "CC=gcc" >> $GITHUB_ENV | |
| echo "CXX=g++" >> $GITHUB_ENV | |
| fi | |
| - name: Configure (Debug, Sanitizers ON) | |
| run: | | |
| cmake -G Ninja -S . -B build-sanitize \ | |
| -DCMAKE_BUILD_TYPE=Debug \ | |
| -DVIX_ENABLE_SANITIZERS=ON \ | |
| -DVIX_BUILD_EXAMPLES=ON \ | |
| -DVIX_BUILD_TESTS=ON \ | |
| -DVIX_ENABLE_INSTALL=OFF | |
| - name: Build | |
| run: cmake --build build-sanitize -j | |
| - name: Run unit tests (ctest) | |
| working-directory: build-sanitize | |
| run: | | |
| set -e | |
| if ctest --output-on-failure; then | |
| echo "✅ Tests passed." | |
| else | |
| echo "::warning::Some tests failed OR no tests discovered." | |
| test -f Testing/Temporary/LastTest.log && cat Testing/Temporary/LastTest.log || true | |
| exit 0 | |
| fi | |
| - name: Run example smoke tests | |
| shell: bash | |
| run: | | |
| set -e | |
| EXE_DIR="build-sanitize" | |
| ls -1 "$EXE_DIR" | grep -E '(_example$|^main$|crud|validation)' || true | |
| static-analysis: | |
| name: Static Analysis (clang-tidy + cppcheck) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout (with submodules) | |
| uses: actions/checkout@v4 | |
| with: | |
| submodules: recursive | |
| fetch-depth: 0 | |
| - name: Forcer les URLs de sous-modules en HTTPS (pas SSH) | |
| run: | | |
| git config --global url."https://github.com/".insteadOf "git@github.com:" | |
| git submodule sync --recursive | |
| - name: Initialiser les sous-modules (profondeur minimale ok) | |
| run: | | |
| git submodule update --init --recursive --depth 1 | |
| echo "---- submodule status ----" | |
| git submodule status --recursive || true | |
| echo "---- modules presence (ls) ----" | |
| ls -la modules || true | |
| ls -la modules/json || true | |
| ls -la modules/utils || true | |
| ls -la modules/core || true | |
| - name: Vérifier la présence des sous-modules | |
| run: | | |
| test -f modules/json/CMakeLists.txt || (echo "::error::modules/json manquant"; exit 1) | |
| test -f modules/utils/CMakeLists.txt || (echo "::error::modules/utils manquant"; exit 1) | |
| test -f modules/core/CMakeLists.txt || (echo "::error::modules/core manquant"; exit 1) | |
| echo "✅ Tous les sous-modules sont présents." | |
| - name: Install dependencies | |
| run: | | |
| sudo apt-get update -y | |
| sudo apt-get install -y $DEPS | |
| - name: Configure (export compile_commands.json) | |
| run: | | |
| cmake -G Ninja -S . -B build-analyze \ | |
| -DCMAKE_BUILD_TYPE=Debug \ | |
| -DCMAKE_EXPORT_COMPILE_COMMANDS=ON \ | |
| -DVIX_BUILD_EXAMPLES=ON \ | |
| -DVIX_BUILD_TESTS=OFF \ | |
| -DVIX_ENABLE_INSTALL=OFF | |
| - name: clang-tidy | |
| run: | | |
| set +e | |
| find modules examples -name '*.cpp' -print0 | xargs -0 -n1 -P2 clang-tidy -p build-analyze | |
| STATUS=$? | |
| if [ $STATUS -ne 0 ]; then | |
| echo "::warning::clang-tidy reported issues (status=$STATUS). Treating as non-fatal." | |
| else | |
| echo "✅ clang-tidy OK" | |
| fi | |
| exit 0 | |
| - name: cppcheck | |
| run: | | |
| set +e | |
| cppcheck --enable=all --std=c++20 --inconclusive --quiet modules/ examples/ | |
| STATUS=$? | |
| if [ $STATUS -ne 0 ]; then | |
| echo "::warning::cppcheck reported issues (status=$STATUS). Treating as non-fatal." | |
| else | |
| echo "✅ cppcheck OK" | |
| fi | |
| exit 0 | |
| valgrind: | |
| name: Valgrind (Leak Check) | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 30 | |
| steps: | |
| - name: Checkout (with submodules) | |
| uses: actions/checkout@v4 | |
| with: | |
| submodules: recursive | |
| fetch-depth: 0 | |
| - name: Forcer les URLs de sous-modules en HTTPS (pas SSH) | |
| run: | | |
| git config --global url."https://github.com/".insteadOf "git@github.com:" | |
| git submodule sync --recursive | |
| - name: Initialiser les sous-modules (profondeur minimale ok) | |
| run: | | |
| git submodule update --init --recursive --depth 1 | |
| echo "---- submodule status ----" | |
| git submodule status --recursive || true | |
| echo "---- modules presence (ls) ----" | |
| ls -la modules || true | |
| ls -la modules/json || true | |
| ls -la modules/utils || true | |
| ls -la modules/core || true | |
| - name: Vérifier la présence des sous-modules | |
| run: | | |
| test -f modules/json/CMakeLists.txt || (echo "::error::modules/json manquant"; exit 1) | |
| test -f modules/utils/CMakeLists.txt || (echo "::error::modules/utils manquant"; exit 1) | |
| test -f modules/core/CMakeLists.txt || (echo "::error::modules/core manquant"; exit 1) | |
| echo "✅ Tous les sous-modules sont présents." | |
| - name: Install dependencies | |
| run: | | |
| sudo apt-get update -y | |
| sudo apt-get install -y $DEPS | |
| - name: Configure (Release, Sanitizers OFF) | |
| run: | | |
| cmake -G Ninja -S . -B build-rel \ | |
| -DCMAKE_BUILD_TYPE=Release \ | |
| -DVIX_BUILD_EXAMPLES=ON \ | |
| -DVIX_BUILD_TESTS=OFF \ | |
| -DVIX_ENABLE_SANITIZERS=OFF \ | |
| -DVIX_ENABLE_INSTALL=OFF | |
| - name: Build | |
| run: cmake --build build-rel -j | |
| - name: Run valgrind on examples (best-effort) | |
| shell: bash | |
| run: | | |
| set -e | |
| cd build-rel | |
| CANDIDATES=$(ls -1 | grep -E '^(main|get_example|post_example|put_example|delete_example|json_builders_routes|env_time_port)$' || true) | |
| if [ -z "$CANDIDATES" ]; then | |
| echo "No example binaries found for valgrind." | |
| exit 0 | |
| fi | |
| FAIL=0 | |
| for exe in $CANDIDATES; do | |
| echo "==> Valgrind: $exe (5s timeout)" | |
| if ! timeout 5s valgrind --leak-check=full --show-leak-kinds=all --track-origins=yes ./$exe; then | |
| echo "::warning::Valgrind reported issues in $exe" | |
| FAIL=1 | |
| fi | |
| done | |
| if [ $FAIL -ne 0 ]; then | |
| echo "::warning::Valgrind found potential leaks (non-fatal)." | |
| exit 0 | |
| fi | |
| echo "✅ Valgrind checks completed." | |
| fuzz: | |
| name: Fuzz (optional) | |
| runs-on: ubuntu-latest | |
| if: ${{ always() }} | |
| steps: | |
| - name: Checkout (with submodules) | |
| uses: actions/checkout@v4 | |
| with: | |
| submodules: recursive | |
| fetch-depth: 0 | |
| - name: Forcer les URLs de sous-modules en HTTPS (pas SSH) | |
| run: | | |
| git config --global url."https://github.com/".insteadOf "git@github.com:" | |
| git submodule sync --recursive | |
| - name: Initialiser les sous-modules (profondeur minimale ok) | |
| run: | | |
| git submodule update --init --recursive --depth 1 | |
| echo "---- submodule status ----" | |
| git submodule status --recursive || true | |
| echo "---- modules presence (ls) ----" | |
| ls -la modules || true | |
| ls -la modules/json || true | |
| ls -la modules/utils || true | |
| ls -la modules/core || true | |
| - name: Vérifier la présence des sous-modules | |
| run: | | |
| test -f modules/json/CMakeLists.txt || (echo "::error::modules/json manquant"; exit 1) | |
| test -f modules/utils/CMakeLists.txt || (echo "::error::modules/utils manquant"; exit 1) | |
| test -f modules/core/CMakeLists.txt || (echo "::error::modules/core manquant"; exit 1) | |
| echo "✅ Tous les sous-modules sont présents." | |
| - name: Install Clang + LLVM (for libFuzzer) | |
| run: | | |
| sudo apt-get update -y | |
| sudo apt-get install -y clang llvm | |
| - name: Build fuzz target if present | |
| shell: bash | |
| run: | | |
| set -e | |
| if [ -f tests/fuzz_http.cpp ]; then | |
| echo "Fuzz target detected." | |
| clang++ -g -O1 -fsanitize=fuzzer,address,undefined \ | |
| -I modules -I include -std=c++20 \ | |
| -o fuzz_http tests/fuzz_http.cpp | |
| timeout 15s ./fuzz_http || true | |
| else | |
| echo "No fuzz target found (tests/fuzz_http.cpp). Skipping." | |
| fi | |
| summary: | |
| name: CI Summary | |
| needs: [build-asan-ubsan, static-analysis, valgrind, fuzz] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - run: echo "Security & Quality CI completed." |
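Review bot: The `Run unit tests (ctest)` step in `build-asan-ubsan` ends its failure branch with `exit 0`, so a failing test or an ASan/UBSan abort only emits a `::warning::` and the job stays green. Change that `exit 0` to `exit 1`; if an empty test suite needs to be told apart from a real failure, run `ctest --output-on-failure --no-tests=error`. The same swallow-the-result pattern recurs in the valgrind step, where `valgrind` runs without `--error-exitcode=1` and so returns the example's own status (a `timeout 5s` kill of a long-running server is reported as a finding while a real leak may not be), and in the fuzz step, where `timeout 15s ./fuzz_http || true` discards a crash; `./fuzz_http -max_total_time=15` without `|| true` would bound the run and keep the exit code. Separately, `actions/checkout@v4` is a mutable tag in all four jobs, and pinning it to a full commit SHA would stop an upstream tag move from changing what runs on `pull_request` builds.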