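--- a/.github/workflows/advanced-ci-matrix.yml
+++ b/.github/workflows/advanced-ci-matrix.yml
@@ -0,0 +1,391 @@
+---
+name: Advanced CI Matrix Build
+
+on:
+push:
+branches: [main, 'copilot/**', 'feature/**', 'dev/**']
+pull_request:
+branches: [main]
+schedule:
+# Run nightly builds at 2 AM UTC
+- cron: '0 2 * * *'
+workflow_dispatch:
+inputs:
+build_targets:
+description: 'Build targets (all, android, desktop, embedded)'
+required: true
+default: 'all'
+type: choice
+options:
+- all
+- android
+- desktop
+- embedded
+run_tests:
+description: 'Run full test suite'
+required: false
+default: true
+type: boolean
+
+env:
+CARGO_TERM_COLOR: always
+DEBIAN_FRONTEND: noninteractive
+
+jobs:
+detect-changes:
+runs-on: ubuntu-latest
+outputs:
+core-changed: ${{ steps.changes.outputs.core }}
+android-changed: ${{ steps.changes.outputs.android }}
+scripts-changed: ${{ steps.changes.outputs.scripts }}
+docs-changed: ${{ steps.changes.outputs.docs }}
+workflows-changed: ${{ steps.changes.outputs.workflows }}
+steps:
+- uses: actions/checkout@v4
+- uses: dorny/paths-filter@v3
+id: changes
+with:
+filters: |
+core:
+- 'src/**'
+- 'meson.build'
+- 'meson_options.txt'
+- 'units/**'
+android:
+- 'android/**'
+- 'scripts/android_**'
+scripts:
+- 'scripts/**'
+docs:
+- 'docs/**'
+- '*.md'
+workflows:
+- '.github/**'
+
+matrix-build:
+needs: detect-changes
+if: >
+needs.detect-changes.outputs.core-changed == 'true' ||
+github.event_name == 'schedule' ||
+github.event_name == 'workflow_dispatch'
+runs-on: ${{ matrix.os }}
+timeout-minutes: 60
+
+strategy:
+fail-fast: false
+matrix:
+include:
+# Desktop Linux builds
+- os: ubuntu-22.04
+arch: x86_64
+target: desktop
+cc: gcc
+build_type: release
+- os: ubuntu-22.04
+arch: x86_64
+target: desktop
+cc: clang
+build_type: debug
+
+# ARM64/aarch64 builds
+- os: ubuntu-22.04
+arch: aarch64
+target: embedded
+cc: gcc
+build_type: release
+- os: ubuntu-22.04
+arch: aarch64
+target: android
+cc: clang
+build_type: release
+# macOS builds for cross-platform validation
+- os: macos-14
+arch: arm64
+target: embedded
+cc: clang
+build_type: release
+
+env:
+CC: ${{ matrix.cc }}
+ARCH: ${{ matrix.arch }}
+BUILD_TYPE: ${{ matrix.build_type }}
+TARGET: ${{ matrix.target }}
+
+steps:
+- name: Checkout Repository
+uses: actions/checkout@v4
+with:
+fetch-depth: 0
+
+- name: Setup Build Environment
+run: |
+case "${{ matrix.os }}" in
+ubuntu-*)
+sudo apt update
+sudo apt install -y \
+gperf pkg-config ninja-build \
+libblkid-dev libudev-dev libmount-dev \
+libkmod-dev libcap-dev libdbus-1-dev \
+libacl1-dev libpam0g-dev libaudit-dev \
+libgcrypt20-dev libssl-dev libcryptsetup-dev \
+libgnutls28-dev libpwquality-dev \
+python3-pip python3-jinja2 python3-lxml
+
+# Install aarch64 cross-compilation tools if needed
+if [ "${{ matrix.arch }}" = "aarch64" ]; then
+sudo apt install -y gcc-aarch64-linux-gnu
+export CC=aarch64-linux-gnu-gcc
+fi
+;;
+macos-*)
+brew install meson ninja pkg-config gperf
+;;
+esac
+
+- name: Setup Python Dependencies
+run: |
+pip3 install -r .github/workflows/requirements.txt
+
+- name: Configure Cross-Compilation
+if: matrix.arch == 'aarch64'
+run: |
+cat > cross-aarch64.txt << EOF
+[binaries]
+c = 'aarch64-linux-gnu-gcc'
+cpp = 'aarch64-linux-gnu-g++'
+ar = 'aarch64-linux-gnu-ar'
+strip = 'aarch64-linux-gnu-strip'
+pkgconfig = 'pkg-config'
+
+[host_machine]
+system = 'linux'
+cpu_family = 'aarch64'
+cpu = 'aarch64'
+endian = 'little'
+EOF
+
+- name: Setup Build Configuration
+run: |
+MESON_ARGS="-Dmode=release"
+
+case "${{ matrix.target }}" in
+android)
+MESON_ARGS="$MESON_ARGS -Dandroid=true -Dportable=true"
+;;
+embedded)
+MESON_ARGS="$MESON_ARGS -Dportable=true -Dsplit-bin=true"
+;;
+desktop)
+MESON_ARGS="$MESON_ARGS -Ddesktop=true"
+;;
+esac
+
+if [ "${{ matrix.build_type }}" = "debug" ]; then
+MESON_ARGS="$MESON_ARGS -Dmode=developer"
+MESON_ARGS="$MESON_ARGS -Db_sanitize=address,undefined"
+fi
+
+echo "MESON_ARGS=$MESON_ARGS" >> $GITHUB_ENV
+
+- name: Configure Build
+run: |
+CROSS_FILE=""
+if [ "${{ matrix.arch }}" = "aarch64" ]; then
+CROSS_FILE="--cross-file cross-aarch64.txt"
+fi
+
+meson setup build $CROSS_FILE $MESON_ARGS
+
+- name: Build
+run: |
+meson compile -C build -j $(nproc)
+
+- name: Run Tests
+if: >
+github.event.inputs.run_tests != 'false' &&
+matrix.arch == 'x86_64'
+run: |
+meson test -C build --print-errorlogs
+
+- name: Package Build Artifacts
+run: |
+mkdir -p artifacts/${{ matrix.target }}-${{ matrix.arch }}
+
+# Copy binaries and libraries
+find build -name "*.so*" -o -name "systemd*" -type f -executable | \
+while read file; do
+cp "$file" artifacts/${{ matrix.target }}-${{ matrix.arch }}/
+done
+
+# Create manifest
+cat > artifacts/${{ matrix.target }}-${{ matrix.arch }}/build-manifest.json << EOF
+{
+"target": "${{ matrix.target }}",
+"arch": "${{ matrix.arch }}",
+"build_type": "${{ matrix.build_type }}",
+"compiler": "${{ matrix.cc }}",
+"commit": "${{ github.sha }}",
+"timestamp": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
+"os": "${{ matrix.os }}"
+}
+EOF
+
+- name: Upload Build Artifacts
+uses: actions/upload-artifact@v4
+with:
+name: build-${{ matrix.target }}-${{ matrix.arch }}-${{ matrix.cc }}
+path: artifacts/
+retention-days: 30
+
+android-build:
+needs: detect-changes
+if: >
+needs.detect-changes.outputs.android-changed == 'true' ||
+github.event.inputs.build_targets == 'android' ||
+github.event.inputs.build_targets == 'all'
+runs-on: ubuntu-latest
+timeout-minutes: 45
+
+strategy:
+matrix:
+api-level: [24, 28, 31, 34]
+abi: [arm64-v8a, armeabi-v7a]
+
+steps:
+- name: Checkout Repository
+uses: actions/checkout@v4
+
+- name: Setup JDK 17
+uses: actions/setup-java@v4
+with:
+java-version: '17'
+distribution: 'temurin'
+
+- name: Setup Android SDK
+uses: android-actions/setup-android@v3
+with:
+api-level: ${{ matrix.api-level }}
+
+- name: Create Android Project
+run: |
+# Create Android project structure if it doesn't exist
+mkdir -p android/app/src/main/java/com/spiralgang/filesystemds
+mkdir -p android/app/src/main/res/{layout,values}
+
+# Run the Android APK agent setup
+if [ -f scripts/android_apk_agent.sh ]; then
+chmod +x scripts/android_apk_agent.sh
+scripts/android_apk_agent.sh setup-project
+fi
+
+- name: Cache Gradle Dependencies
+uses: actions/cache@v3
+with:
+path: |
+~/.gradle/caches
+~/.gradle/wrapper
+android/.gradle
+key: >
+${{ runner.os }}-gradle-${{
+hashFiles('android/**/*.gradle*')
+}}
+
+- name: Build APK
+run: |
+cd android
+if [ ! -f gradlew ]; then
+gradle wrapper
+chmod +x gradlew
+fi
+./gradlew assembleDebug
+
+- name: Upload APK
+uses: actions/upload-artifact@v4
+with:
+name: apk-api${{ matrix.api-level }}-${{ matrix.abi }}
+path: android/app/build/outputs/apk/debug/*.apk
+
+security-scan:
+runs-on: ubuntu-latest
+needs: detect-changes
+if: >
+needs.detect-changes.outputs.core-changed == 'true' ||
+needs.detect-changes.outputs.scripts-changed == 'true'
+
+steps:
+- uses: actions/checkout@v4
+with:
+fetch-depth: 0
+
+- name: Run Trivy Security Scan
+uses: aquasecurity/trivy-action@master
+with:
+scan-type: 'fs'
+scan-ref: '.'
+format: 'sarif'
+output: 'trivy-results.sarif'
+
+- name: Upload Trivy Results
+uses: github/codeql-action/upload-sarif@v3
+with:
+sarif_file: 'trivy-results.sarif'
+
+- name: Run Semgrep Security Scan
+uses: semgrep/semgrep-action@v1
+with:
+config: auto
+
+performance-test:
+runs-on: ubuntu-latest
+needs: matrix-build
+if: >
+github.event_name == 'schedule' ||
+github.event.inputs.run_tests == 'true'
+
+steps:
+- uses: actions/checkout@v4
+
+- name: Download Build Artifacts
+uses: actions/download-artifact@v4
+with:
+pattern: build-*
+merge-multiple: true
+
+- name: Run Performance Benchmarks
+run: |
+# Run basic performance tests
+if [ -f scripts/test_suite.sh ]; then
+chmod +x scripts/test_suite.sh
+timeout 300 scripts/test_suite.sh performance || \
+echo "Performance tests completed with warnings"
+fi
+
+- name: Upload Performance Results
+uses: actions/upload-artifact@v4
+with:
+name: performance-results
+path: |
+**/performance-*.log
+**/benchmark-*.json
+
+notification:
+runs-on: ubuntu-latest
+needs: [matrix-build, android-build, security-scan]
+if: always()
+
+steps:
+- name: Build Status Summary
+run: |
+echo "## πŸ—οΈ Build Summary" >> $GITHUB_STEP_SUMMARY
+echo "| Job | Status |" >> $GITHUB_STEP_SUMMARY
+echo "|-----|--------|" >> $GITHUB_STEP_SUMMARY
+echo "| Matrix Build | ${{ needs.matrix-build.result }} |" >> $GITHUB_STEP_SUMMARY
+echo "| Android Build | ${{ needs.android-build.result }} |" >> $GITHUB_STEP_SUMMARY
+echo "| Security Scan | ${{ needs.security-scan.result }} |" >> $GITHUB_STEP_SUMMARY
+
+if [ "${{ needs.matrix-build.result }}" = "success" ] && \
+[ "${{ needs.android-build.result }}" = "success" ]; then
+echo "βœ… All builds completed successfully!" >> $GITHUB_STEP_SUMMARY
+else
+echo "❌ Some builds failed. Check individual job logs." >> $GITHUB_STEP_SUMMARY
+fi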
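Review bot: The Trivy step in the security-scan job runs `aquasecurity/trivy-action@master`, a mutable branch ref, so any commit that lands on that branch executes in this repository's CI with the job's token; the other third-party actions (`dorny/paths-filter@v3`, `android-actions/setup-android@v3`, `semgrep/semgrep-action@v1`) are on movable tags as well. Pin each to a full commit SHA with the release noted in a trailing comment, e.g. `uses: aquasecurity/trivy-action@<FULL_COMMIT_SHA>  # <release tag>`. The workflow also declares no `permissions:` key, so every job inherits the repository's default token scope; a top-level `permissions: {contents: read}` with `security-events: write` granted only on security-scan (which `upload-sarif` needs) would keep it least-privilege. Separately, the success check in the notification job reads only the matrix-build and android-build results, so a failed security-scan still produces the "All builds completed successfully" line; adding `needs.security-scan.result` to that condition would stop a scan failure from being reported as green.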