rel: Finish v25.05

Author: vonericsen

.cirrus.yml

@@ -2,11 +2,12 @@
 task:
   name: FreeBSD
   env:
-    GITHUB_TOKEN: ENCRYPTED[!ee1c9f1da9e4736edb4f543b3d2431949b17e6a86877e95ca4323f677185f7fbaae52c6afeb8145f0735bad487291a27!]
+    GITHUB_TOKEN: ENCRYPTED[!9434dd6eb694444496d0049dd361ea798f7b4247c163cf9e90ba3367791f951b1209e803e52d1720a49a84ac48b2ed74!]
   freebsd_instance:
     matrix:
-      image_family: freebsd-14-1
-      image_family: freebsd-13-3
+      image_family: freebsd-14-2
+      image_family: freebsd-13-5
+      image_family: freebsd-13-4
   install_script: pkg install -y git meson
   submodules_script: git submodule update --init --recursive --progress
   release_script: |

.clang-format

@@ -0,0 +1,19 @@
+# Use the Microsoft coding style
+# This is the style our code already mostly followed-TJE
+BasedOnStyle: Microsoft
+
+# Additional Customizations
+PointerAlignment: Left
+AlignConsecutiveAssignments: true
+AlignConsecutiveDeclarations: true
+AlignTrailingComments: true
+AlignAfterOpenBracket: true
+BinPackParameters: false
+AllowAllParametersOfDeclarationOnNextLine: false
+AlignConsecutiveMacros: 'AcrossEmptyLines'
+BraceWrapping:
+  AfterControlStatement: true
+AllowShortBlocksOnASingleLine: Never
+AllowShortIfStatementsOnASingleLine: Never
+IndentPPDirectives: AfterHash
+BreakBeforeBraces: Allman

.clang-tidy

@@ -0,0 +1,38 @@
+Checks: 
+  '-*, 
+  modernize-*, 
+  cert-*, 
+  bugprone-*, 
+  -bugprone-easily-swappable-parameters, 
+  clang-analyzer-*, 
+  -clang-analyzer-deadcode.DeadStores, 
+  misc-*, 
+  -misc-no-recursion, 
+  -misc-unused-parameters, 
+  readability-non-const-parameter, 
+  readability-inconsistent-declaration-parameter-name, 
+  readability-redundant-control-flow, 
+  readability-duplicate-include, 
+  readability-avoid-const-params-in-decls, 
+  readability-function-cognitive-complexity'
+
+# Other available checks: 
+# clang-analyzer-*, performance-*, readability-*, misc-*
+
+# Disabled checks:
+# - bugprone-easily-swappable-parameters: 
+#   Warns a LOT. Sometimes on functions meant to look like standardized C11 annex k functions. 
+#   While overall useful, it's too noisy right now and may complicate API usability.
+# - clang-analyzer-deadcode.DeadStores: 
+#   Generates many warnings. Cleanup is needed, but focus on more pressing issues first.
+# - misc-no-recursion: 
+#   Recursion is useful in our code, so this check is not applicable.
+# - misc-unused-parameters: 
+#   Too many false positives.
+# - readability-*: 
+#   Currently generates too many warnings. Manually adding rules until we can address these issues later.
+
+WarningsAsErrors: ''
+HeaderFilterRegex: '.*'
+AnalyzeTemporaryDtors: false
+FormatStyle: 'file'

.github/dependabot.yml

@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: MPL-2.0
+version: 2
+updates:
+  - package-ecosystem: "gitsubmodule"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "github-actions"
+    directory: "/.github/workflows"
+    schedule:
+      interval: "weekly"

.github/workflows/flawfinder.yml

@@ -0,0 +1,38 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: flawfinder
+
+on:
+  push:
+    branches: [ "develop", "master", "release/*" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "develop" ]
+  schedule:
+    - cron: '39 23 * * 1'
+
+jobs:
+  flawfinder:
+    name: Flawfinder
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: flawfinder_scan
+        uses: david-a-wheeler/flawfinder@c57197cd6061453f10a496f30a732bc1905918d1
+        with:
+          arguments: '--sarif ./'
+          output: 'flawfinder_results.sarif'
+
+      - name: Upload analysis results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{github.workspace}}/flawfinder_results.sarif

.github/workflows/meson.yml

@@ -4,7 +4,7 @@ name: CI for meson build
 on:
   push:
     branches: [ develop, master, release/*, feature/*, hotfix/* ]
-    tags: [ v* ]
+    tags: [ v*, test-ci* ]
   pull_request:
     branches: [ develop ]
 
@@ -67,7 +67,7 @@ jobs:
             os: windows-latest,
             cc: "clang.exe",
             cxx: "clang++.exe",
-            meson_opts: "--native-file=./meson_crosscompile/Windows-Clang.txt",
+            meson_opts: "--native-file=./meson_crosscompile/Windows-Clang.txt -Db_pie=false",
             release_name: "win-x86_64-clang",
             release_extension: ".zip",
             archive_command: "7z a -tzip -mmt"
@@ -101,7 +101,8 @@ jobs:
             cross_compiler_arch: "x86_64",
             release_name: "linux-x86_64-portable",
             release_extension: ".tar.xz",
-            archive_command: "tar cvfJ"
+            archive_command: "tar cvfJ",
+            image: "vonericsen/muslcc@sha256:04b60fc27f45b69896855da46f5be09fa9816b00e9948bf86cc82e56b8ce4468"
           }
         - {
             name: "MUSL Cross Compile i686",
@@ -113,7 +114,8 @@ jobs:
             cross_compiler_arch: "i686",
             release_name: "linux-i686-portable",
             release_extension: ".tar.xz",
-            archive_command: "tar cvfJ"
+            archive_command: "tar cvfJ",
+            image: "vonericsen/muslcc@sha256:04b60fc27f45b69896855da46f5be09fa9816b00e9948bf86cc82e56b8ce4468"
           }
         - {
             name: "MUSL Cross Compile aarch64",
@@ -125,7 +127,8 @@ jobs:
             cross_compiler_arch: "aarch64",
             release_name: "linux-aarch64-portable",
             release_extension: ".tar.xz",
-            archive_command: "tar cvfJ"
+            archive_command: "tar cvfJ",
+            image: "vonericsen/muslcc@sha256:04b60fc27f45b69896855da46f5be09fa9816b00e9948bf86cc82e56b8ce4468"
           }
         - {
             name: "MUSL Cross Compile armv7l",
@@ -137,7 +140,8 @@ jobs:
             cross_compiler_arch: "armv7l",
             release_name: "linux-armv7l-portable",
             release_extension: ".tar.xz",
-            archive_command: "tar cvfJ"
+            archive_command: "tar cvfJ",
+            image: "vonericsen/muslcc@sha256:04b60fc27f45b69896855da46f5be09fa9816b00e9948bf86cc82e56b8ce4468"
           }
         - {
             name: "MUSL Cross Compile armv6",
@@ -149,7 +153,8 @@ jobs:
             cross_compiler_arch: "armv6",
             release_name: "linux-armv6-portable",
             release_extension: ".tar.xz",
-            archive_command: "tar cvfJ"
+            archive_command: "tar cvfJ",
+            image: "vonericsen/muslcc@sha256:04b60fc27f45b69896855da46f5be09fa9816b00e9948bf86cc82e56b8ce4468"
           }
         - {
             name: "MUSL Cross Compile armv5l",
@@ -161,7 +166,8 @@ jobs:
             cross_compiler_arch: "armv5l",
             release_name: "linux-armv5l-portable",
             release_extension: ".tar.xz",
-            archive_command: "tar cvfJ"
+            archive_command: "tar cvfJ",
+            image: "vonericsen/muslcc@sha256:04b60fc27f45b69896855da46f5be09fa9816b00e9948bf86cc82e56b8ce4468"
           }
         - {
             name: "MUSL Cross Compile powerpc64",
@@ -173,7 +179,8 @@ jobs:
             cross_compiler_arch: "powerpc64",
             release_name: "linux-powerpc64-portable",
             release_extension: ".tar.xz",
-            archive_command: "tar cvfJ"
+            archive_command: "tar cvfJ",
+            image: "vonericsen/muslcc@sha256:04b60fc27f45b69896855da46f5be09fa9816b00e9948bf86cc82e56b8ce4468"
           }
         - {
             name: "MUSL Cross Compile powerpc64le",
@@ -185,7 +192,8 @@ jobs:
             cross_compiler_arch: "powerpc64le",
             release_name: "linux-powerpc64le-portable",
             release_extension: ".tar.xz",
-            archive_command: "tar cvfJ"
+            archive_command: "tar cvfJ",
+            image: "vonericsen/muslcc@sha256:04b60fc27f45b69896855da46f5be09fa9816b00e9948bf86cc82e56b8ce4468"
           }
     outputs: #where hashes need to be stored for slsa provenance
       #NOTE: Only doing this for builds with "publish_release: true"
@@ -214,16 +222,39 @@ jobs:
       with:
         arch: ${{ matrix.config.arch }}
 
-    - name: Setup for MUSL Cross Compilation
-      if: startsWith(matrix.config.name, 'MUSL Cross Compile')
-      run: |
-        sudo ./meson_crosscompile/install-muslcc.sh -a ${{ matrix.config.cross_compiler_arch }}
-
     - name: Get latest LLVM version
       if: startsWith(matrix.config.name, 'Windows Clang')
       run: |
         $headers = @{ Authorization = 'Bearer ${{ secrets.GITHUB_TOKEN }}' }
-        echo "LLVM_RELID=$((Invoke-WebRequest -Headers $headers 'https://api.github.com/repos/llvm/llvm-project/releases/latest').Content | ConvertFrom-Json | Select-Object -ExpandProperty id)" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
+        $latestRelease = Invoke-WebRequest -Headers $headers 'https://api.github.com/repos/llvm/llvm-project/releases/latest'
+        $releaseData = $latestRelease.Content | ConvertFrom-Json
+        $assets = $releaseData.assets | Where-Object { $_.name -like "*win64.exe" }
+        
+        if ($assets) {
+          $downloadUrl = $assets.browser_download_url
+          echo "LLVM_RELID=$($releaseData.id)" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
+          echo "LLVM_DOWNLOAD_URL=$downloadUrl" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
+        } else {
+          Write-Host "No current Windows build available for the latest release. Searching for previous releases..."
+          $releases = Invoke-WebRequest -Headers $headers 'https://api.github.com/repos/llvm/llvm-project/releases'
+          $found = $false
+          
+          foreach ($release in $releases.Content | ConvertFrom-Json) {
+            $assets = $release.assets | Where-Object { $_.name -like "*win64.exe" }
+            if ($assets) {
+              $downloadUrl = $assets.browser_download_url
+              echo "LLVM_RELID=$($release.id)" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
+              echo "LLVM_DOWNLOAD_URL=$downloadUrl" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
+              $found = $true
+              break
+            }
+          }
+          
+          if (-not $found) {
+            Write-Host "No Windows build available for any recent releases."
+            exit 0
+          }
+        }
 
     - name: Restore LLVM from cache
       if: startsWith(matrix.config.name, 'Windows Clang')
@@ -251,7 +282,15 @@ jobs:
         echo "DESTDIR=${DESTDIR}" >> $GITHUB_ENV
       shell: bash
 
-    - name: Configuring and compiling with meson
+    - name: Install Meson and Ninja and Build (MUSL container)
+      if: matrix.config.image != ''
+      run: |
+        meson setup build -Dprefix=/ -Dmandir=/man -Dbindir=/ ${{ matrix.config.meson_opts }} --buildtype=release
+        meson install -C build
+
+
+    - name: Install Meson and Ninja and Build (Github runners)
+      if: matrix.config.image == ''
       env:
         CC: ${{ matrix.config.cc }}
         CXX: ${{ matrix.config.cxx }}
@@ -260,14 +299,6 @@ jobs:
         meson setup build -Dprefix=/ -Dmandir=/man -Dbindir=/ ${{ matrix.config.meson_opts }} --buildtype=release
         meson install -C build
 
-    - name: Packing release
-      env:
-        ARCHIVE_EXT: ${{ matrix.config.release_extension }}
-      run: |
-        cd build
-        ${{ matrix.config.archive_command }} "${DESTDIR}${ARCHIVE_EXT}" $DESTDIR
-      shell: bash
-
     # add `GOBIN` to the `PATH` otherwise nfpm in next step can't be found
     - uses: actions/setup-go@v5
       if: ${{ matrix.config.create_package }}
@@ -290,6 +321,41 @@ jobs:
         nfpm package -f ../../nfpm.yaml -p rpm -t ..
       shell: bash
 
+    - name: Set ownership of executables to root:root
+      if: ${{ matrix.config.os != 'windows-latest' }}
+      run: |
+        if [[ -z "${{ matrix.config.image }}" ]]; then
+          sudo chown -R root:root build
+        else
+          chown -R root:root build
+        fi
+
+    - name: Packing release
+      env:
+        ARCHIVE_EXT: ${{ matrix.config.release_extension }}
+      run: |
+        cd build
+        if [[ "${{ matrix.config.os }}" != "windows-latest" ]]; then
+          if [[ -z "${{ matrix.config.image }}" ]]; then
+            sudo ${{ matrix.config.archive_command }} "${DESTDIR}${ARCHIVE_EXT}" $DESTDIR
+          else
+            ${{ matrix.config.archive_command }} "${DESTDIR}${ARCHIVE_EXT}" $DESTDIR
+          fi
+        else
+          ${{ matrix.config.archive_command }} "${DESTDIR}${ARCHIVE_EXT}" $DESTDIR
+        fi
+      shell: bash
+
+    - name: Set ownership of tar archive to root:root
+      if: ${{ matrix.config.os != 'windows-latest' }}
+      run: |
+        if [[ -z "${{ matrix.config.image }}" ]]; then
+          sudo chown root:root build/"${DESTDIR}${ARCHIVE_EXT}"
+        else
+          chown root:root build/"${DESTDIR}${ARCHIVE_EXT}"
+        fi
+      
+
     - name: Generate Hashes
       if: ${{ matrix.config.publish_release }}
       shell: bash
@@ -314,7 +380,7 @@ jobs:
           build/*.rpm
 
     - name: Publish release
-      if: ${{ startsWith(github.ref, 'refs/tags/v') && matrix.config.publish_release }}
+      if: ${{ (startsWith(github.ref, 'refs/tags/v') || startsWith(github.ref, 'refs/tags/test-ci')) && matrix.config.publish_release }}
       uses: softprops/action-gh-release@v2
       with:
         files: |
@@ -344,7 +410,7 @@ jobs:
       actions: read # To read the workflow path.
       id-token: write # To sign the provenance.
       contents: write # To add assets to a release.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
     with:
       base64-subjects: "${{ needs.combine_hashes.outputs.hashes }}"
       upload-assets: true # Optional: Upload to a new release