SECURITY_CI #20
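name: Security & Quality CI

on:
  push:
    branches: [main, master]
  pull_request:
    branches: [main, master]
  workflow_dispatch:

# Least privilege for the workflow token: every job only needs to read the repository.
permissions:
  contents: read

env:
  # Adjust if you have other system dependencies
  DEPS: >
    build-essential cmake ninja-build
    clang llvm lld
    g++ valgrind cppcheck
    libboost-all-dev nlohmann-json3-dev libspdlog-dev

jobs:
  build-asan-ubsan:
    name: Build + Tests (ASan/UBSan)
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        compiler: [clang, gcc]
    steps:
      - name: Checkout
        # TODO(review): pin third-party actions (here and in the other jobs) to a full
        # commit SHA instead of a moving tag so the action code cannot change under us.
        uses: actions/checkout@v4

      - name: Install dependencies
        run: |
          sudo apt-get update -y
          sudo apt-get install -y $DEPS

      - name: Select compiler
        run: |
          if [ "${{ matrix.compiler }}" = "clang" ]; then
            echo "CC=clang" >> "$GITHUB_ENV"
            echo "CXX=clang++" >> "$GITHUB_ENV"
          else
            echo "CC=gcc" >> "$GITHUB_ENV"
            echo "CXX=g++" >> "$GITHUB_ENV"
          fi

      - name: Configure (Debug, Sanitizers ON)
        run: |
          cmake -G Ninja -S . -B build-sanitize \
            -DCMAKE_BUILD_TYPE=Debug \
            -DVIX_ENABLE_SANITIZERS=ON \
            -DVIX_BUILD_EXAMPLES=ON

      - name: Build
        run: cmake --build build-sanitize -j

      - name: Run unit tests (ctest)
        working-directory: build-sanitize
        # ctest returns 0 when it finds no tests at all; --no-tests=error turns that
        # case into a failure so the message below is accurate for both situations.
        run: ctest --output-on-failure --no-tests=error || (echo "::error::No tests found or some tests failed"; exit 1)

      - name: Run example smoke tests
        shell: bash
        run: |
          # Briefly start the example binaries under ASan/UBSan (without leaving them
          # listening). Exit 124 means the example was still running when the timeout
          # hit (a long-lived server example), which counts as a successful start.
          # Other non-zero exits are surfaced as warnings rather than failures, because
          # some examples print usage/help and exit non-zero when started without
          # arguments; a sanitizer report is still visible in the step log.
          set -e
          EXE_DIR="build-sanitize"
          CANDIDATES=$(ls -1 "$EXE_DIR" | grep -E '(_example$|^main$|crud|validation)' || true)
          if [ -z "$CANDIDATES" ]; then
            echo "No example binaries found for smoke tests."
            exit 0
          fi
          for exe in $CANDIDATES; do
            # The pattern may also match non-executables (e.g. directories); skip those.
            if [ ! -f "$EXE_DIR/$exe" ] || [ ! -x "$EXE_DIR/$exe" ]; then
              continue
            fi
            echo "==> Smoke: $exe (5s timeout)"
            set +e
            timeout 5s "$EXE_DIR/$exe"
            rc=$?
            set -e
            if [ "$rc" -ne 0 ] && [ "$rc" -ne 124 ]; then
              echo "::warning::$exe exited with status $rc during the smoke run"
            fi
          done

  static-analysis:
    name: Static Analysis (clang-tidy + cppcheck)
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Install dependencies
        run: |
          sudo apt-get update -y
          sudo apt-get install -y $DEPS

      - name: Configure (export compile_commands.json)
        run: |
          cmake -G Ninja -S . -B build-analyze \
            -DCMAKE_BUILD_TYPE=Debug \
            -DCMAKE_EXPORT_COMPILE_COMMANDS=ON \
            -DVIX_BUILD_EXAMPLES=ON

      - name: clang-tidy
        run: |
          # Analyse the sources (modules + examples). xargs exits non-zero when any
          # clang-tidy invocation fails, which triggers the fallback below.
          find modules examples -name '*.cpp' -print0 | xargs -0 -n1 -P2 \
            clang-tidy -p build-analyze || (echo "::error::clang-tidy reported issues"; exit 1)

      - name: cppcheck
        run: |
          # cppcheck exits 0 even when it reports findings unless --error-exitcode is
          # set, so without it the fallback below could never trigger.
          # missingIncludeSystem is suppressed because system headers are not part of
          # the analysed tree and would otherwise fail every run.
          cppcheck --enable=all --std=c++20 --inconclusive --quiet \
            --error-exitcode=1 --suppress=missingIncludeSystem modules/ examples/ || \
            (echo "::error::cppcheck reported issues"; exit 1)

  valgrind:
    name: Valgrind (Leak Check)
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Install dependencies
        run: |
          sudo apt-get update -y
          sudo apt-get install -y $DEPS

      - name: Configure (Release, Sanitizers OFF)
        run: |
          cmake -G Ninja -S . -B build-rel \
            -DCMAKE_BUILD_TYPE=Release \
            -DVIX_BUILD_EXAMPLES=ON

      - name: Build
        run: cmake --build build-rel -j

      - name: Run valgrind on examples (best-effort)
        shell: bash
        run: |
          set -e
          cd build-rel
          # Executables on which valgrind is relevant and short-running
          CANDIDATES=$(ls -1 | grep -E '^(main|get_example|post_example|put_example|delete_example|json_builders_routes|env_time_port)$' || true)
          if [ -z "$CANDIDATES" ]; then
            echo "No example binaries found for valgrind."
            exit 0
          fi
          for exe in $CANDIDATES; do
            echo "==> Valgrind: $exe (5s timeout)"
            # Short timeout so a server example cannot hang the job. `timeout` exits 124
            # when it had to kill the program; that is not a Valgrind finding, so it is
            # reported as "no verdict" instead of as a leak. Only Valgrind's own
            # --error-exitcode (or a crash of the example) fails the step.
            set +e
            timeout 5s valgrind --leak-check=full --error-exitcode=1 "./$exe"
            rc=$?
            set -e
            if [ "$rc" -eq 124 ]; then
              echo "::warning::$exe was still running after 5s; no leak verdict for this example"
            elif [ "$rc" -ne 0 ]; then
              echo "::error::Valgrind reported errors in $exe (exit $rc)"
              exit 1
            fi
          done

  fuzz:
    name: Fuzz (optional)
    runs-on: ubuntu-latest
    if: ${{ always() }}  # run the job anyway; it exits cleanly when there is no target
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Install Clang + LLVM (for libFuzzer)
        run: |
          sudo apt-get update -y
          sudo apt-get install -y clang llvm

      - name: Build fuzz target if present
        shell: bash
        run: |
          set -e
          if [ -f tests/fuzz_http.cpp ]; then
            echo "Fuzz target detected."
            clang++ -g -O1 -fsanitize=fuzzer,address,undefined \
              -I modules -I include -std=c++20 \
              -o fuzz_http tests/fuzz_http.cpp
            # Short smoke run. -max_total_time makes libFuzzer stop on its own with
            # exit 0, so any non-zero status is a real finding (crash, ASan/UBSan
            # report, OOM) and fails the step instead of being swallowed by `|| true`.
            ./fuzz_http -max_total_time=15
          else
            echo "No fuzz target found (tests/fuzz_http.cpp). Skipping."
          fi

  summary:
    name: CI Summary
    needs: [build-asan-ubsan, static-analysis, valgrind, fuzz]
    runs-on: ubuntu-latest
    steps:
      - run: echo "Security & Quality CI completed."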