From b0cca8e9f8971c1db9b20c6131dc10706e371767 Mon Sep 17 00:00:00 2001 From: Solar Designer Date: Tue, 11 Nov 2025 20:38:35 +0100 Subject: [PATCH 01/12] CI: Drop ubuntu-20.04 jobs Unfortunately, those older versions of gcc and clang are not in ubuntu-22.04 --- .github/workflows/ci.yml | 42 ---------------------------------------- 1 file changed, 42 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6f3973a..fb3abf7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -94,20 +94,6 @@ jobs: - name: build check run: ci/run-build-and-tests.sh - gcc8-x86_64: - runs-on: ubuntu-20.04 - env: - CC: gcc-8 - TARGET: x86_64 - steps: - - uses: actions/checkout@v6 - with: - fetch-depth: 0 - - name: install dependencies - run: ci/install-dependencies.sh - - name: build check - run: ci/run-build-and-tests.sh - clang18-x86_64: runs-on: ubuntu-24.04 env: @@ -233,31 +219,3 @@ jobs: run: ci/install-dependencies.sh - name: build check run: ci/run-build-and-tests.sh - - clang9-x86_64: - runs-on: ubuntu-20.04 - env: - CC: clang-9 - TARGET: x86_64 - steps: - - uses: actions/checkout@v6 - with: - fetch-depth: 0 - - name: install dependencies - run: ci/install-dependencies.sh - - name: build check - run: ci/run-build-and-tests.sh - - clang8-x86_64: - runs-on: ubuntu-20.04 - env: - CC: clang-8 - TARGET: x86_64 - steps: - - uses: actions/checkout@v6 - with: - fetch-depth: 0 - - name: install dependencies - run: ci/install-dependencies.sh - - name: build check - run: ci/run-build-and-tests.sh From 3cf6cc59a8e0be6a8aad173903e1f40299c70292 Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Sun, 15 Feb 2026 08:00:00 +0000 Subject: [PATCH 02/12] CI: fix gcc9 job Since the default gcc version in ubuntu-latest image is not gcc9, explicitly set the compiler for gcc9 job to gcc9. Fixes: 52edebb2047d ("github: switch most of ubuntu-20.04 jobs to ubuntu-latest") --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index fb3abf7..79fbe0b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -83,7 +83,7 @@ jobs: gcc9-x86_64: runs-on: ubuntu-latest env: - CC: gcc + CC: gcc-9 TARGET: x86_64 steps: - uses: actions/checkout@v6 From abe913fb53a4390a50b7d5731faa186a3c292cba Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Sun, 15 Feb 2026 08:00:00 +0000 Subject: [PATCH 03/12] CI: remove clang10 job Since the default clang version in ubuntu-latest image is not clang10, and none of availabe ubuntu images provide clang10, remove the clang10 job. Fixes: 52edebb2047d ("github: switch most of ubuntu-20.04 jobs to ubuntu-latest") --- .github/workflows/ci.yml | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 79fbe0b..5ca31cb 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -205,17 +205,3 @@ jobs: run: ci/install-dependencies.sh - name: build check run: ci/run-build-and-tests.sh - - clang10-x86_64: - runs-on: ubuntu-latest - env: - CC: clang - TARGET: x86_64 - steps: - - uses: actions/checkout@v6 - with: - fetch-depth: 0 - - name: install dependencies - run: ci/install-dependencies.sh - - name: build check - run: ci/run-build-and-tests.sh From e5bdc8dc495b5cf5fc593e8d9fe3d95b6090549b Mon Sep 17 00:00:00 2001 
From: "Dmitry V. Levin" Date: Sun, 15 Feb 2026 08:00:00 +0000 Subject: [PATCH 04/12] CI: Switch ubuntu-24.04 jobs to ubuntu-latest for consistency Given that ubuntu-latest points to ubuntu-24.04 for quite a while, the configuration when those jobs that use newer compiler versions are pinned to ubuntu-24.04 while other jobs already use ubuntu-latest, just creates inconsistency. When ubuntu-latest switches from ubuntu-24.04 to ubuntu-26.04, those of ubuntu-latest jobs for which the build image wouldn't provide the compiler would have to be pinned to ubuntu-24.04. --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5ca31cb..a3ce995 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -11,7 +11,7 @@ jobs: run: git diff-index --check --cached 4b825dc642cb6eb9a060e54bf8d69288fbee4904 gcc14-x86_64: - runs-on: ubuntu-24.04 + runs-on: ubuntu-latest env: CC: gcc-14 TARGET: x86_64 @@ -95,7 +95,7 @@ jobs: run: ci/run-build-and-tests.sh clang18-x86_64: - runs-on: ubuntu-24.04 + runs-on: ubuntu-latest env: CC: clang-18 TARGET: x86_64 @@ -109,7 +109,7 @@ jobs: run: ci/run-build-and-tests.sh clang17-x86_64: - runs-on: ubuntu-24.04 + runs-on: ubuntu-latest env: CC: clang-17 TARGET: x86_64 @@ -123,7 +123,7 @@ jobs: run: ci/run-build-and-tests.sh clang16-x86_64: - runs-on: ubuntu-24.04 + runs-on: ubuntu-latest env: CC: clang-16 TARGET: x86_64 From c23400645391c3ba3061bd0d8b98d155e1b071af Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Sun, 15 Feb 2026 08:00:00 +0000 Subject: [PATCH 05/12] CI: use matrix strategy to avoid code duplication --- .github/workflows/ci.yml | 209 +++++---------------------------------- 1 file changed, 23 insertions(+), 186 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a3ce995..bc8446e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -10,192 +10,29 @@ jobs: - name: check run: git diff-index --check --cached 4b825dc642cb6eb9a060e54bf8d69288fbee4904 - gcc14-x86_64: - runs-on: ubuntu-latest - env: - CC: gcc-14 - TARGET: x86_64 - steps: - - uses: actions/checkout@v6 - with: - fetch-depth: 0 - - name: install dependencies - run: ci/install-dependencies.sh - - name: build check - run: ci/run-build-and-tests.sh - - gcc13-x86_64: - runs-on: ubuntu-latest - env: - CC: gcc-13 - TARGET: x86_64 - steps: - - uses: actions/checkout@v6 - with: - fetch-depth: 0 - - name: install dependencies - run: ci/install-dependencies.sh - - name: build check - run: ci/run-build-and-tests.sh - - gcc12-x86_64: - runs-on: ubuntu-latest - env: - CC: gcc-12 - TARGET: x86_64 - steps: - - uses: actions/checkout@v6 - with: - fetch-depth: 0 - - name: install dependencies - run: ci/install-dependencies.sh - - name: build check - run: ci/run-build-and-tests.sh - - gcc11-x86_64: - runs-on: ubuntu-latest - env: - CC: gcc-11 - TARGET: x86_64 - steps: - - uses: actions/checkout@v6 - with: - fetch-depth: 0 - - name: install dependencies - run: ci/install-dependencies.sh - - name: build check - run: ci/run-build-and-tests.sh - - gcc10-x86_64: - runs-on: ubuntu-latest - env: - CC: gcc-10 - TARGET: x86_64 - steps: - - uses: actions/checkout@v6 - with: - fetch-depth: 0 - - name: install dependencies - run: ci/install-dependencies.sh - - name: build check - run: ci/run-build-and-tests.sh - - gcc9-x86_64: - runs-on: ubuntu-latest - env: - CC: gcc-9 - TARGET: x86_64 - steps: - - uses: actions/checkout@v6 - with: - fetch-depth: 0 - - name: install dependencies - run: ci/install-dependencies.sh - - name: build check - run: ci/run-build-and-tests.sh - - clang18-x86_64: - runs-on: ubuntu-latest - env: - CC: clang-18 - TARGET: x86_64 - steps: - - uses: actions/checkout@v6 - with: - fetch-depth: 0 - - name: install dependencies - run: ci/install-dependencies.sh - - name: build check - run: ci/run-build-and-tests.sh - - clang17-x86_64: - runs-on: 
ubuntu-latest - env: - CC: clang-17 - TARGET: x86_64 - steps: - - uses: actions/checkout@v6 - with: - fetch-depth: 0 - - name: install dependencies - run: ci/install-dependencies.sh - - name: build check - run: ci/run-build-and-tests.sh - - clang16-x86_64: - runs-on: ubuntu-latest - env: - CC: clang-16 - TARGET: x86_64 - steps: - - uses: actions/checkout@v6 - with: - fetch-depth: 0 - - name: install dependencies - run: ci/install-dependencies.sh - - name: build check - run: ci/run-build-and-tests.sh - - clang15-x86_64: - runs-on: ubuntu-latest - env: - CC: clang-15 - TARGET: x86_64 - steps: - - uses: actions/checkout@v6 - with: - fetch-depth: 0 - - name: install dependencies - run: ci/install-dependencies.sh - - name: build check - run: ci/run-build-and-tests.sh - - clang14-x86_64: - runs-on: ubuntu-latest - env: - CC: clang-14 - TARGET: x86_64 - steps: - - uses: actions/checkout@v6 - with: - fetch-depth: 0 - - name: install dependencies - run: ci/install-dependencies.sh - - name: build check - run: ci/run-build-and-tests.sh - - clang13-x86_64: - runs-on: ubuntu-22.04 - env: - CC: clang-13 - TARGET: x86_64 - steps: - - uses: actions/checkout@v6 - with: - fetch-depth: 0 - - name: install dependencies - run: ci/install-dependencies.sh - - name: build check - run: ci/run-build-and-tests.sh - - clang12-x86_64: - runs-on: ubuntu-22.04 - env: - CC: clang-12 - TARGET: x86_64 - steps: - - uses: actions/checkout@v6 - with: - fetch-depth: 0 - - name: install dependencies - run: ci/install-dependencies.sh - - name: build check - run: ci/run-build-and-tests.sh - - clang11-x86_64: - runs-on: ubuntu-22.04 - env: - CC: clang-11 + build-check: + runs-on: ${{ matrix.runs-on }} + strategy: + fail-fast: false + matrix: + include: + - { cc: gcc-14, runs-on: ubuntu-latest } + - { cc: gcc-13, runs-on: ubuntu-latest } + - { cc: gcc-12, runs-on: ubuntu-latest } + - { cc: gcc-11, runs-on: ubuntu-latest } + - { cc: gcc-10, runs-on: ubuntu-latest } + - { cc: gcc-9, runs-on: ubuntu-latest } + 
- { cc: clang-18, runs-on: ubuntu-latest } + - { cc: clang-17, runs-on: ubuntu-latest } + - { cc: clang-16, runs-on: ubuntu-latest } + - { cc: clang-15, runs-on: ubuntu-latest } + - { cc: clang-14, runs-on: ubuntu-latest } + - { cc: clang-13, runs-on: ubuntu-22.04 } + - { cc: clang-12, runs-on: ubuntu-22.04 } + - { cc: clang-11, runs-on: ubuntu-22.04 } + name: Build ${{ matrix.cc }}-${{ matrix.runs-on }} + env: + CC: ${{ matrix.cc }} TARGET: x86_64 steps: - uses: actions/checkout@v6 From ab8c3b542aad75e01ffc153657a27c58e79dc2e9 Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Sun, 15 Feb 2026 08:00:00 +0000 Subject: [PATCH 06/12] CI: add clang-19 jobs to the build matrix --- .github/workflows/ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index bc8446e..d20beba 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -22,6 +22,7 @@ jobs: - { cc: gcc-11, runs-on: ubuntu-latest } - { cc: gcc-10, runs-on: ubuntu-latest } - { cc: gcc-9, runs-on: ubuntu-latest } + - { cc: clang-19, runs-on: ubuntu-latest } - { cc: clang-18, runs-on: ubuntu-latest } - { cc: clang-17, runs-on: ubuntu-latest } - { cc: clang-16, runs-on: ubuntu-latest } From 233ab0f54c8dc9330a11b1ba783aaebb3547a253 Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Sun, 15 Feb 2026 08:00:00 +0000 Subject: [PATCH 07/12] CI: disable persisting credentials for actions/checkout Set `persist-credentials: false` for actions/checkout. By default, using `actions/checkout` causes a credential to be persisted on disk. Subsequent steps may accidentally publicly persist the credential, e.g. by including it in a publicly accessible artifact via actions/upload-artifact. However, even without this, persisting the credential on disk is non-ideal unless actually needed. Link: https://docs.zizmor.sh/audits/#artipacked --- .github/workflows/ci.yml | 3 +++ 1 file changed, 3 insertions(+) 
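Review bot: `runs-on: ${{ matrix.runs-on }}` and `env: CC: ${{ matrix.cc }}` expand unquoted into the runner selection and the build environment, which is safe only because every value comes from the static `include` list in this same hunk. That invariant is worth recording so a later change does not feed the matrix from `inputs` or `fromJSON(github.event…)` and turn both into expression-injection points: `# matrix values must stay static literals: they flow unquoted into runs-on and CC`. The job body continues outside the hunk (the `fetch-depth: 0` checkout and the two ci/*.sh steps are only partly visible), so nothing about those steps is reviewed here.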
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d20beba..d9e91b4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -7,6 +7,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v6 + with: + persist-credentials: false - name: check run: git diff-index --check --cached 4b825dc642cb6eb9a060e54bf8d69288fbee4904 @@ -39,6 +41,7 @@ jobs: - uses: actions/checkout@v6 with: fetch-depth: 0 + persist-credentials: false - name: install dependencies run: ci/install-dependencies.sh - name: build check From 6d3535614d7af4a4030e328278eaa921a87ddc6f Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Sun, 15 Feb 2026 08:00:00 +0000 Subject: [PATCH 08/12] CI: remove excessive permissions Set `permissions: {}` at the workflow level to prevent unnecessarily granting overly broad default permissions to jobs. Link: https://docs.zizmor.sh/audits/#excessive-permissions --- .github/workflows/ci.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d9e91b4..a0371b4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -2,6 +2,8 @@ name: CI on: [push, pull_request] +permissions: {} + jobs: whitespace-errors: runs-on: ubuntu-latest From 4b8d335d60b4d5494fc72829156e625252203a8c Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Sun, 15 Feb 2026 08:00:00 +0000 Subject: [PATCH 09/12] CI: set concurrency limits When a new CI run is started, any in-progress CI runs for the same PR, branch, or tag are cancelled. Link: https://docs.zizmor.sh/audits/#concurrency-limits --- .github/workflows/ci.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a0371b4..725440e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
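Review bot: `permissions: {}` at the workflow level leaves GITHUB_TOKEN with no scopes, and the hunk re-grants nothing at job level. On a public repository the two checkout steps still work because the contents are readable anonymously, but if this workflow is ever run in a private repository or private fork the checkouts would fail with a 403; in that case add `permissions:` / `  contents: read` on the two jobs that check out, and nothing more, since neither job pushes, uploads artifacts or comments. The ci/*.sh scripts run outside the hunk, so any token use inside them is not visible here.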
@@ -4,6 +4,10 @@ on: [push, pull_request] permissions: {} +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + jobs: whitespace-errors: runs-on: ubuntu-latest From c681d4a60a626aba3507e8955c5485ca9a691419 Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Sun, 15 Feb 2026 08:00:00 +0000 Subject: [PATCH 10/12] CI: add job names When "name:" is omitted, the workflow or action is rendered anonymously in the GitHub Actions UI, making it harder to understand which definition is running. Link: https://docs.zizmor.sh/audits/#anonymous-definition --- .github/workflows/ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 725440e..f33a657 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -10,6 +10,7 @@ concurrency: jobs: whitespace-errors: + name: Check for whitespace errors runs-on: ubuntu-latest steps: - uses: actions/checkout@v6 From 7b7fba57e1010d1926964710016773631ec17662 Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Sun, 15 Feb 2026 08:00:00 +0000 Subject: [PATCH 11/12] CI: pin latest versions by their commit hash This is a recommended security practice because commit hashes are immutable, which prevents tag renaming attacks. Dependabot can detect newer versions even if the current version is pinned to a specific commit hash. For GitHub Actions, it is common practice to append a version tag name as a comment text to the commit hash, and Dependabot automatically updates this comment when it bumps the commit hash. Link: https://docs.zizmor.sh/audits/#unpinned-uses --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f33a657..07518ac 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
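Review bot: `cancel-in-progress: true` with a group keyed on `github.ref` also cancels runs on the default branch and on tags, so two pushes to the main branch in quick succession leave the earlier commit with a cancelled rather than passed or failed status, which later bisecting or release checks have to re-run. Limiting cancellation to pull requests keeps the cost saving where it matters: `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`. The group expression itself is fine: push and pull_request events for the same branch land in different groups, which is presumably intended since the workflow triggers on both.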
@@ -13,7 +13,7 @@ jobs: name: Check for whitespace errors runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: check @@ -45,7 +45,7 @@ jobs: CC: ${{ matrix.cc }} TARGET: x86_64 steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 persist-credentials: false From 0b9529a38dd917777a764a0567e39c0743deed5a Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Sun, 15 Feb 2026 08:00:00 +0000 Subject: [PATCH 12/12] .github/dependabot.yml: set cooldown period By default, Dependabot does not perform any cooldown on dependency updates. In other words, a regularly scheduled Dependabot run may perform an update on a dependency that was just released moments before the run began. This presents both stability and supply-chain security risks. To mitigate these risks, explicitly set Dependabot cooldown period to 7 days. Link: https://docs.zizmor.sh/audits/#dependabot-cooldown --- .github/dependabot.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index bfe0902..f46cfb0 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -4,4 +4,6 @@ updates: directory: / schedule: interval: monthly + cooldown: + default-days: 7 open-pull-requests-limit: 2
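Review bot: The pin only delivers the stated guarantee if `de0fac2e4500dabe0009e67214ff5f5447ce83dd` really is the commit that v6.0.2 resolves to; GitHub never checks the `# v6.0.2` comment, so a mismatch here would go unnoticed. Verify it once against upstream before merging (`git ls-remote --tags https://github.com/actions/checkout v6.0.2`, using the peeled `^{}` entry if the tag is annotated), and keep zizmor's unpinned-uses and stale-action-refs audits running so later manual edits cannot drift from the comment. Dependabot will only maintain this pin if .github/dependabot.yml has a `package-ecosystem: github-actions` entry; the next patch edits that file but its ecosystem line is outside the hunk.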
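Review bot: `cooldown: default-days: 7` delays version updates only; if I recall the Dependabot documentation correctly, security updates are exempt from cooldown, so a freshly published release that also carries an advisory can still be proposed immediately — confirm that matches the threat model described in the message. The hunk does not show this entry's `package-ecosystem`, so it is not visible whether the cooldown covers the github-actions pins introduced in the previous patch or some other ecosystem; a short comment such as `# 7-day cooldown: skip releases younger than a week (version updates only)` above the new keys would make the intent explicit. With `interval: monthly`, a release that is more than 7 days old at the scheduled run is still picked up, which appears to be the intended behaviour.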