diff --git a/.github/workflows/ScanBuild.yml b/.github/workflows/ScanBuild.yml
index 299d84f97..1e53cb4bb 100644
--- a/.github/workflows/ScanBuild.yml
+++ b/.github/workflows/ScanBuild.yml
@@ -1,26 +1,23 @@
###############################################################
#
-## Copyright (©) 2025 International Color Consortium.
-## All rights reserved.
-## https://color.org
-#
-#
-## Intent: iccDEV Scan Build Runner for Matrix OS
-#
-## Last Updated: 28-NOV-2025 0000Z by David Hoyt
-## Add Read Permission Block
-## TODO: Push binary releases, tags etc..
-#
-##
-#
+# Copyright (©) 2025 International Color Consortium.
+# All rights reserved.
+# https://color.org
#
#
+# Intent: iccDEV Scan Build Runner
#
+# Last Updated: 2026-02-17 16:14:17 UTC by David Hoyt
+# Parallel build, hardened shells, sanitizer,
+# dynamic LLVM path, libjpeg-dev dependency.
#
###############################################################
name: "Scan Build"
+permissions:
+ contents: read
+
on:
workflow_dispatch:
@@ -28,114 +25,147 @@ jobs:
build-linux:
name: Build and Test Linux with scan-build
runs-on: ubuntu-latest
- timeout-minutes: 20
- permissions:
- contents: read
-
+ timeout-minutes: 30
strategy:
fail-fast: false
steps:
- - name: 📥 Checkout master
+ - name: Checkout
uses: actions/checkout@c2d88d3ecc89a9ef08eebf45d9637801dcee7eb5
+ with:
+ fetch-depth: 0
+ persist-credentials: false
- # Install dependencies
- name: Install dependencies
- shell: bash
+ shell: bash --noprofile --norc {0}
env:
- BASH_ENV: /dev/null
+ BASH_ENV: /dev/null
run: |
set -euo pipefail
git config --global --add safe.directory "$GITHUB_WORKSPACE"
git config --global credential.helper ""
-
- # Clear the in-shell GITHUB_TOKEN
unset GITHUB_TOKEN || true
- sudo apt-get update
- sudo apt-get install -y build-essential cmake gcc g++ clang clang-tools libpng-dev libxml2 libxml2-dev libtiff-dev nlohmann-json3-dev libwxgtk3.2-dev wx-common python3 python3-pip curl git llvm
- # Ensure scan-build is in PATH
- - name: Ensure scan-build is installed and accessible
- shell: bash
- env:
- BASH_ENV: /dev/null
- run: |
- set -euo pipefail
- git config --global --add safe.directory "$GITHUB_WORKSPACE"
- git config --global credential.helper ""
-
- # Clear the in-shell GITHUB_TOKEN
- unset GITHUB_TOKEN || true
+ sudo apt-get update -qq
+ sudo apt-get install -y \
+ build-essential cmake gcc g++ clang clang-tools \
+ libpng-dev libxml2-dev libtiff-dev libjpeg-dev \
+ nlohmann-json3-dev libwxgtk3.2-dev wx-common \
+ python3 curl git llvm
+
+ echo "### Environment" >> "$GITHUB_STEP_SUMMARY"
+ echo "| Tool | Version |" >> "$GITHUB_STEP_SUMMARY"
+ echo "|------|---------|" >> "$GITHUB_STEP_SUMMARY"
+ echo "| scan-build | $(scan-build --version 2>&1 | head -1) |" >> "$GITHUB_STEP_SUMMARY"
+ echo "| clang | $(clang --version 2>&1 | head -1) |" >> "$GITHUB_STEP_SUMMARY"
+ echo "| cmake | $(cmake --version | head -1) |" >> "$GITHUB_STEP_SUMMARY"
+ echo "| nproc | $(nproc) |" >> "$GITHUB_STEP_SUMMARY"
+ echo "" >> "$GITHUB_STEP_SUMMARY"
- which scan-build || echo "? scan-build not found"
- scan-build --version || echo "? scan-build version check failed"
- # Configure the build with scan-build
- - name: Configure the build with scan-build
- shell: bash
+ - name: Configure with scan-build
+ shell: bash --noprofile --norc {0}
env:
- BASH_ENV: /dev/null
+ BASH_ENV: /dev/null
+ CC: clang
+ CXX: clang++
run: |
set -euo pipefail
git config --global --add safe.directory "$GITHUB_WORKSPACE"
git config --global credential.helper ""
-
- # Clear the in-shell GITHUB_TOKEN
unset GITHUB_TOKEN || true
- ls
+ LLVM_BIN=$(llvm-config --bindir 2>/dev/null || echo "/usr/lib/llvm-$(llvm-config --version 2>/dev/null | cut -d. -f1)/bin")
+ export PATH="${LLVM_BIN}:${PATH}"
+
cd Build
- pwd
- ls
- export CC=clang
- export CXX=clang++
- export PATH="/usr/lib/llvm-17/bin:$PATH"
- scan-build cmake -DCMAKE_INSTALL_PREFIX=$HOME/.local -DCMAKE_BUILD_TYPE=Release -DENABLE_TOOLS=ON -Wno-dev Cmake/
- # Run scan-build for static analysis
- - name: Run scan-build for static analysis
- shell: bash
+ scan-build cmake \
+ -DCMAKE_INSTALL_PREFIX=$HOME/.local \
+ -DCMAKE_BUILD_TYPE=Release \
+ -DENABLE_TOOLS=ON \
+ -Wno-dev \
+ Cmake/
+
+ - name: Run scan-build with all processors
+ shell: bash --noprofile --norc {0}
env:
- BASH_ENV: /dev/null
+ BASH_ENV: /dev/null
run: |
set -euo pipefail
git config --global --add safe.directory "$GITHUB_WORKSPACE"
git config --global credential.helper ""
-
- # Clear the in-shell GITHUB_TOKEN
unset GITHUB_TOKEN || true
- pwd
- ls
+ LLVM_BIN=$(llvm-config --bindir 2>/dev/null || echo "/usr/lib/llvm-$(llvm-config --version 2>/dev/null | cut -d. -f1)/bin")
+ export PATH="${LLVM_BIN}:${PATH}"
+
+ NPROC=$(nproc)
+ echo "Running scan-build with $NPROC parallel jobs"
cd Build
- pwd
- ls
- export PATH="/usr/lib/llvm-17/bin:$PATH"
- scan-build --status-bugs --keep-going -o scan-build-reports make -j$(nproc) || true
- continue-on-error: true # Allow the step to complete even if issues are found
+ scan-build --status-bugs --keep-going -o scan-build-reports \
+ make -j"$NPROC" 2>&1 | tee scan-build-output.log || true
+
+ # Count findings
+ BUGS=$({ grep -c 'warning:' scan-build-output.log 2>/dev/null || true; })
+ echo "scan-build found $BUGS warnings"
+ echo "SCAN_BUGS=$BUGS" >> "$GITHUB_ENV"
+ continue-on-error: true
- # Upload scan-build reports
- name: Upload scan-build reports
uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4
with:
name: scan-build-reports
path: Build/scan-build-reports
+ if-no-files-found: warn
- # Upload built binaries as artifacts
- name: Upload build artifacts
uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4
with:
name: master-build-linux
- path: Build
+ path: |
+ Build/**/*.so
+ Build/**/*.a
+ Build/**/Icc*
+ LICENSE.md
+ if-no-files-found: warn
- # Upload build logs
- name: Upload build logs
uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4
with:
name: build-logs
- path: Build/CMakeCache.txt
+ path: |
+ Build/CMakeCache.txt
+ Build/scan-build-output.log
+
- name: Summary Report
if: always()
+ shell: bash --noprofile --norc {0}
+ env:
+ BASH_ENV: /dev/null
run: |
- echo "### Build Summary" >> $GITHUB_STEP_SUMMARY
- echo "- Build Directory: Build/" >> $GITHUB_STEP_SUMMARY
- echo "- Artifacts Uploaded: iccdev-linux-clang" >> $GITHUB_STEP_SUMMARY
- echo "- Status: Success" >> $GITHUB_STEP_SUMMARY
\ No newline at end of file
+ set -euo pipefail
+ git config --global --add safe.directory "$GITHUB_WORKSPACE"
+ git config --global credential.helper ""
+ unset GITHUB_TOKEN || true
+
+ SANITIZER=".github/scripts/sanitize-sed.sh"
+ if [[ -f "$SANITIZER" ]]; then
+ # shellcheck disable=SC1090
+ source "$SANITIZER"
+ else
+ sanitize_line() { printf '%s' "$1"; }
+ fi
+
+ BUGS="${SCAN_BUGS:-0}"
+ REPORT_COUNT=$(find Build/scan-build-reports -name '*.html' 2>/dev/null | wc -l | tr -d ' ')
+
+ {
+ echo "### 🧠 Scan-Build Summary"
+ echo ""
+ echo "| Metric | Value |"
+ echo "|--------|-------|"
+ echo "| Parallel jobs | $(nproc) |"
+ echo "| Warnings logged | $(sanitize_line "$BUGS") |"
+ echo "| HTML reports | $(sanitize_line "$REPORT_COUNT") |"
+ echo "| Status | ${{ job.status }} |"
+ echo ""
+ } >> "$GITHUB_STEP_SUMMARY"
diff --git a/.github/workflows/ci-clang-tidy-coreguidelines.yml b/.github/workflows/ci-clang-tidy-coreguidelines.yml
index 56ccab8a5..1507c468a 100644
--- a/.github/workflows/ci-clang-tidy-coreguidelines.yml
+++ b/.github/workflows/ci-clang-tidy-coreguidelines.yml
@@ -1,21 +1,16 @@
###############################################################
#
-## Copyright (©) 2025 International Color Consortium.
-## All rights reserved.
+## Copyright (©) 2025 International Color Consortium.
+## All rights reserved.
## https://color.org
#
#
-## Intent:iccdev-tidy-coreguidelines
-#
-## Last Updated: 02-DEC-2025 1700Z by David Hoyt
-# Add Permission Block
-#
-#
-#
-#
-#
-#
+## Intent: iccdev-tidy-coreguidelines
#
+## Last Updated: 2026-02-17 16:14:17 UTC by David Hoyt
+# Housekeeping
+#
+#
#
###############################################################
@@ -24,14 +19,14 @@ name: iccdev-tidy-coreguidelines
permissions:
contents: read
pull-requests: read
-
+
on:
workflow_dispatch:
jobs:
- build:
+ clang-tidy:
runs-on: ubuntu-latest
- timeout-minutes: 20
+ timeout-minutes: 30
strategy:
matrix:
build_type: [Release]
@@ -39,91 +34,237 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@c2d88d3ecc89a9ef08eebf45d9637801dcee7eb5
+
- name: Install dependencies
- shell: bash
+ shell: bash --noprofile --norc {0}
env:
- BASH_ENV: /dev/null
+ BASH_ENV: /dev/null
run: |
set -euo pipefail
- git config --global --add safe.directory "$GITHUB_WORKSPACE"
+ git config --add safe.directory "$PWD"
git config --global credential.helper ""
-
- # Clear the in-shell GITHUB_TOKEN
unset GITHUB_TOKEN || true
sudo apt-get update
- sudo apt-get install -y build-essential cmake git pkg-config
sudo apt-get install -y \
- build-essential cmake gcc g++ clang clang-tools \
- libpng-dev libxml2 libxml2-dev libtiff-dev \
+ build-essential cmake gcc g++ clang clang-tools clang-tidy \
+ libpng-dev libxml2 libxml2-dev libtiff-dev libjpeg-dev \
nlohmann-json3-dev libwxgtk3.2-dev wx-common \
- python3 python3-pip curl git llvm zsh
- git clone https://github.com/InternationalColorConsortium/iccDEV.git
- cd iccDEV
- BUILD_DIR="Build"
- CHECKS="modernize-*,readability-*,cppcoreguidelines-*"
- OUTDIR="tidy-out"
- mkdir -p "${OUTDIR}"
+ python3 curl git llvm jq
+ echo "### Environment" >> "$GITHUB_STEP_SUMMARY"
+ echo "| Tool | Version |" >> "$GITHUB_STEP_SUMMARY"
+ echo "|------|---------|" >> "$GITHUB_STEP_SUMMARY"
+ echo "| clang-tidy | $(clang-tidy --version 2>&1 | head -1) |" >> "$GITHUB_STEP_SUMMARY"
+ echo "| cmake | $(cmake --version | head -1) |" >> "$GITHUB_STEP_SUMMARY"
+ echo "" >> "$GITHUB_STEP_SUMMARY"
+
+ - name: CMake Configure (compile_commands.json)
+ shell: bash --noprofile --norc {0}
+ env:
+ BASH_ENV: /dev/null
+ run: |
+ set -euo pipefail
+ git config --add safe.directory "$PWD"
+ git config --global credential.helper ""
+ unset GITHUB_TOKEN || true
+ cd Build
+ cmake Cmake \
+ -DCMAKE_BUILD_TYPE=${{ matrix.build_type }} \
+ -DCMAKE_EXPORT_COMPILE_COMMANDS=ON \
+ -Wno-dev
+ echo "✅ compile_commands.json generated with $(jq length compile_commands.json) translation units"
+
+ - name: Build
+ shell: bash --noprofile --norc {0}
+ env:
+ BASH_ENV: /dev/null
+ run: |
+ set -euo pipefail
+ git config --add safe.directory "$PWD"
+ git config --global credential.helper ""
+ unset GITHUB_TOKEN || true
cd Build
- cmake Cmake -DCMAKE_EXPORT_COMPILE_COMMANDS=ON
make -j$(nproc)
- cd ..
-
- # Extract translation units
+
+ - name: Run clang-tidy (cppcoreguidelines)
+ shell: bash --noprofile --norc {0}
+ env:
+ BASH_ENV: /dev/null
+ run: |
+ set -euo pipefail
+ git config --add safe.directory "$PWD"
+ git config --global credential.helper ""
+ unset GITHUB_TOKEN || true
+
+ BUILD_DIR="Build"
+ CHECKS="-*,cppcoreguidelines-*"
+ OUTDIR="tidy-out/cppcoreguidelines"
+ mkdir -p "$OUTDIR"
+
jq -r '.[].file' "${BUILD_DIR}/compile_commands.json" \
| xargs -I{} -P"$(nproc)" sh -c '
f="{}"
base=$(basename "$f")
log="'"${OUTDIR}"'/${base}.log"
echo "[+] $(date +"%H:%M:%S") START $f"
- run-clang-tidy -p "'"${BUILD_DIR}"'" -checks="'"${CHECKS}"'" "$f" > "$log" 2>&1
+ clang-tidy -p "'"${BUILD_DIR}"'" --checks="'"${CHECKS}"'" "$f" > "$log" 2>&1 || true
echo "[+] $(date +"%H:%M:%S") DONE $f"
'
-
- - name: Upload build artifacts
+
+ - name: Run clang-tidy (modernize)
+ shell: bash --noprofile --norc {0}
+ env:
+ BASH_ENV: /dev/null
+ run: |
+ set -euo pipefail
+ git config --add safe.directory "$PWD"
+ git config --global credential.helper ""
+ unset GITHUB_TOKEN || true
+
+ BUILD_DIR="Build"
+ CHECKS="-*,modernize-*"
+ OUTDIR="tidy-out/modernize"
+ mkdir -p "$OUTDIR"
+
+ jq -r '.[].file' "${BUILD_DIR}/compile_commands.json" \
+ | xargs -I{} -P"$(nproc)" sh -c '
+ f="{}"
+ base=$(basename "$f")
+ log="'"${OUTDIR}"'/${base}.log"
+ echo "[+] $(date +"%H:%M:%S") START $f"
+ clang-tidy -p "'"${BUILD_DIR}"'" --checks="'"${CHECKS}"'" "$f" > "$log" 2>&1 || true
+ echo "[+] $(date +"%H:%M:%S") DONE $f"
+ '
+
+ - name: Run clang-tidy (readability)
+ shell: bash --noprofile --norc {0}
+ env:
+ BASH_ENV: /dev/null
+ run: |
+ set -euo pipefail
+ git config --add safe.directory "$PWD"
+ git config --global credential.helper ""
+ unset GITHUB_TOKEN || true
+
+ BUILD_DIR="Build"
+ CHECKS="-*,readability-*"
+ OUTDIR="tidy-out/readability"
+ mkdir -p "$OUTDIR"
+
+ jq -r '.[].file' "${BUILD_DIR}/compile_commands.json" \
+ | xargs -I{} -P"$(nproc)" sh -c '
+ f="{}"
+ base=$(basename "$f")
+ log="'"${OUTDIR}"'/${base}.log"
+ echo "[+] $(date +"%H:%M:%S") START $f"
+ clang-tidy -p "'"${BUILD_DIR}"'" --checks="'"${CHECKS}"'" "$f" > "$log" 2>&1 || true
+ echo "[+] $(date +"%H:%M:%S") DONE $f"
+ '
+
+ - name: Upload clang-tidy artifacts
uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4
with:
name: iccdev-clang-tidy-${{ matrix.build_type }}-linux
path: |
- iccDEV/tidy-out/*
+ tidy-out/**/*.log
if-no-files-found: warn
- - name: Generate clang-tidy report summary
- shell: bash
+ - name: Generate report summary
+ if: always()
+ shell: bash --noprofile --norc {0}
env:
BASH_ENV: /dev/null
run: |
set -euo pipefail
+ git config --add safe.directory "$PWD"
+ git config --global credential.helper ""
+ unset GITHUB_TOKEN || true
- echo "## 🧹 Clang-Tidy Summary — iccdev" >> "$GITHUB_STEP_SUMMARY"
- echo "" >> "$GITHUB_STEP_SUMMARY"
+ # Source trusted sanitizer from checked-out workspace
+ SANITIZER=".github/scripts/sanitize-sed.sh"
+ if [[ -f "$SANITIZER" ]]; then
+ # shellcheck disable=SC1090
+ source "$SANITIZER"
+ else
+ escape_html() {
+ local s="$1"
+ s="${s//&/&}"
+ s="${s///>}"
+ s="${s//\"/"}"
+ s="${s//\'/'}"
+ printf '%s' "$s"
+ }
+ sanitize_line() { escape_html "$1"; }
+ fi
- OUTDIR="iccDEV/tidy-out"
+ echo "## 🧹 Clang-Tidy Analysis Report" >> "$GITHUB_STEP_SUMMARY"
+ echo "" >> "$GITHUB_STEP_SUMMARY"
- if ! [ -d "$OUTDIR" ]; then
+ BASEDIR="tidy-out"
+ if ! [ -d "$BASEDIR" ]; then
echo "**No tidy output directory found.**" >> "$GITHUB_STEP_SUMMARY"
exit 0
fi
- total_logs=$(find "$OUTDIR" -type f -name "*.log" | wc -l | tr -d ' ')
- echo "**Total translation units analyzed:** $total_logs" >> "$GITHUB_STEP_SUMMARY"
+ # --- Per-category summary ---
+ echo "### Findings by Check Category" >> "$GITHUB_STEP_SUMMARY"
+ echo "" >> "$GITHUB_STEP_SUMMARY"
+ echo "| Category | Warnings | Errors | Files Analyzed |" >> "$GITHUB_STEP_SUMMARY"
+ echo "|----------|----------|--------|----------------|" >> "$GITHUB_STEP_SUMMARY"
+
+ GRAND_WARN=0
+ GRAND_ERR=0
+ for category in cppcoreguidelines modernize readability; do
+ CATDIR="$BASEDIR/$category"
+ if [ -d "$CATDIR" ]; then
+ files=$(find "$CATDIR" -type f -name "*.log" | wc -l | tr -d ' ')
+ warns=$(grep -rch "warning:" "$CATDIR" 2>/dev/null | paste -sd+ | bc 2>/dev/null || echo 0)
+ errs=$({ grep -rh "error:" "$CATDIR" 2>/dev/null || true; } | { grep -vc "warnings and" 2>/dev/null || true; })
+ echo "| $category | $warns | $errs | $files |" >> "$GITHUB_STEP_SUMMARY"
+ GRAND_WARN=$((GRAND_WARN + warns))
+ GRAND_ERR=$((GRAND_ERR + errs))
+ fi
+ done
+ echo "| **Total** | **$GRAND_WARN** | **$GRAND_ERR** | |" >> "$GITHUB_STEP_SUMMARY"
+ echo "" >> "$GITHUB_STEP_SUMMARY"
+
+ # --- Per-component breakdown ---
+ echo "### Findings by Source Component" >> "$GITHUB_STEP_SUMMARY"
echo "" >> "$GITHUB_STEP_SUMMARY"
+ echo "| Component | Warnings |" >> "$GITHUB_STEP_SUMMARY"
+ echo "|-----------|----------|" >> "$GITHUB_STEP_SUMMARY"
- # Count warnings/errors without parsing user-controlled filenames into the shell
- total_issues=$(grep -R "warning:" -H "$OUTDIR" | wc -l | tr -d ' ')
- echo "**Total warnings detected:** $total_issues" >> "$GITHUB_STEP_SUMMARY"
+ for component in IccProfLib IccXML Tools; do
+ count=$({ grep -rh "warning:.*\[" "$BASEDIR" 2>/dev/null || true; } | { grep -c "/${component}/" || true; })
+ echo "| $component | $count |" >> "$GITHUB_STEP_SUMMARY"
+ done
echo "" >> "$GITHUB_STEP_SUMMARY"
- echo "### Sample Files With Most Warnings" >> "$GITHUB_STEP_SUMMARY"
+ # --- Top 15 most frequent check names ---
+ echo "### Top 15 Most Frequent Checks" >> "$GITHUB_STEP_SUMMARY"
echo "" >> "$GITHUB_STEP_SUMMARY"
+ echo "| Count | Check |" >> "$GITHUB_STEP_SUMMARY"
+ echo "|-------|-------|" >> "$GITHUB_STEP_SUMMARY"
- # Top 10 files — safely aggregated
- grep -R "warning:" -H "$OUTDIR" \
- | cut -d: -f1 \
- | sort \
- | uniq -c \
- | sort -rn \
- | head -n 10 \
- | sed 's/^/ - /' >> "$GITHUB_STEP_SUMMARY"
+ { grep -roh '\[[-a-z]*\]' "$BASEDIR" 2>/dev/null || true; } \
+ | sort | uniq -c | sort -rn | head -15 > /tmp/tidy_checks.txt
+ while read -r cnt chk; do
+ echo "| $cnt | $chk |" >> "$GITHUB_STEP_SUMMARY"
+ done < /tmp/tidy_checks.txt
+ echo "" >> "$GITHUB_STEP_SUMMARY"
+ # --- Top 10 files with most warnings ---
+ echo "### Top 10 Files by Warning Count" >> "$GITHUB_STEP_SUMMARY"
echo "" >> "$GITHUB_STEP_SUMMARY"
- echo "✔ Report summary generated." >> "$GITHUB_STEP_SUMMARY"
+ echo "| Warnings | File |" >> "$GITHUB_STEP_SUMMARY"
+ echo "|----------|------|" >> "$GITHUB_STEP_SUMMARY"
+
+ { grep -rh "warning:.*\[" "$BASEDIR" 2>/dev/null || true; } \
+ | { grep -oP '[^ ]+\.(cpp|h)' || true; } \
+ | sort | uniq -c | sort -rn | head -10 > /tmp/tidy_files.txt
+ while read -r cnt fname; do
+ echo "| $cnt | $fname |" >> "$GITHUB_STEP_SUMMARY"
+ done < /tmp/tidy_files.txt
+ echo "" >> "$GITHUB_STEP_SUMMARY"
+
+ echo "✔ Report generated." >> "$GITHUB_STEP_SUMMARY"
diff --git a/.github/workflows/ci-code-coverage.yml b/.github/workflows/ci-code-coverage.yml
new file mode 100644
index 000000000..649086b61
--- /dev/null
+++ b/.github/workflows/ci-code-coverage.yml
@@ -0,0 +1,298 @@
+###############################################################
+#
+# Copyright (c) 2026 International Color Consortium.
+# All rights reserved.
+# https://color.org
+#
+# Intent: Build iccDEV with Clang source-based coverage,
+# run full test suite + profile exerciser, generate
+# llvm-cov HTML and lcov summary reports
+#
+# Based on: research/iccanalyzer-lite-coverage-report.yml
+# Adapted: For cfl/ integrated build with ENABLE_COVERAGE
+#
+###############################################################
+
+name: Code Coverage Report
+
+permissions:
+ contents: read
+
+on:
+ workflow_dispatch:
+ pull_request:
+ branches: [ master, cfl ]
+
+concurrency:
+ group: coverage-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ coverage:
+ name: Coverage Report
+ runs-on: ubuntu-24.04
+ timeout-minutes: 30
+ defaults:
+ run:
+ shell: bash --noprofile --norc {0}
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ fetch-depth: 0
+ persist-credentials: false
+
+ - name: Install dependencies
+ env:
+ DEBIAN_FRONTEND: noninteractive
+ run: |
+ set -euo pipefail
+ sudo apt-get update -qq
+ sudo apt-get install -y --no-install-recommends \
+ build-essential cmake \
+ clang-18 llvm-18 \
+ libxml2-dev libtiff-dev libjpeg-dev libpng-dev \
+ zlib1g-dev nlohmann-json3-dev \
+ lcov
+
+ - name: Build with coverage instrumentation
+ env:
+ CC: clang-18
+ CXX: clang++-18
+ run: |
+ set -euo pipefail
+ mkdir -p build-coverage && cd build-coverage
+ cmake ../Build/Cmake \
+ -DCMAKE_BUILD_TYPE=Debug \
+ -DCMAKE_C_COMPILER=clang-18 \
+ -DCMAKE_CXX_COMPILER=clang++-18 \
+ -DENABLE_COVERAGE=ON \
+ -DENABLE_TOOLS=ON \
+ -DENABLE_STATIC_LIBS=ON \
+ -DENABLE_TESTS=OFF \
+ -Wno-dev
+ make -j$(nproc)
+
+ # Verify coverage instrumentation
+ TOOL=$(find . -name "iccDumpProfile" -type f -executable | head -1)
+ if [ -z "$TOOL" ]; then
+ echo "::error::No iccDumpProfile binary found"
+ exit 1
+ fi
+ echo "tool_path=$(pwd)/$TOOL" >> $GITHUB_ENV
+ echo "build_dir=$(pwd)" >> $GITHUB_ENV
+
+ # Verify instrumentation flags
+ echo "Checking coverage flags..."
+ grep -r "fprofile-instr-generate" CMakeFiles/*/flags.make | head -3 || true
+
+ # Count libraries and tools
+ LIB_COUNT=$(find . -name "*.a" | wc -l)
+ TOOL_COUNT=$(find . -path "*/Tools/*" -type f -executable | wc -l)
+ echo "Built: $LIB_COUNT libraries, $TOOL_COUNT tools"
+
+ - name: Create test profiles
+ run: |
+ set -euo pipefail
+ export LLVM_PROFILE_FILE="${{ github.workspace }}/profraw/create-%p-%m.profraw"
+ mkdir -p "${{ github.workspace }}/profraw"
+
+ # CreateAllProfiles.sh expects ../Build/Tools — symlink build-coverage
+ ln -sfn build-coverage Build
+
+ # Add build tools to PATH
+ BUILD_DIR="${{ env.build_dir }}"
+ for d in $(find "$BUILD_DIR" -path "*/Tools/*" -type f -executable -exec dirname {} \; | sort -u); do
+ PATH="$d:$PATH"
+ done
+ export PATH
+
+ cd Testing
+ bash CreateAllProfiles.sh 2>&1 | tail -20
+ PROFILE_COUNT=$(find . -name "*.icc" | wc -l)
+ echo "Created $PROFILE_COUNT ICC profiles"
+ echo "profile_count=$PROFILE_COUNT" >> $GITHUB_ENV
+
+ - name: Run test suite
+ run: |
+ set -euo pipefail
+ export LLVM_PROFILE_FILE="${{ github.workspace }}/profraw/test-%p-%m.profraw"
+
+ BUILD_DIR="${{ env.build_dir }}"
+ for d in $(find "$BUILD_DIR" -path "*/Tools/*" -type f -executable -exec dirname {} \; | sort -u); do
+ PATH="$d:$PATH"
+ done
+ export PATH
+
+ cd Testing
+ bash RunTests.sh 2>&1 | tail -40
+ echo "Test suite complete"
+
+ - name: Exercise all profiles with IccDumpProfile
+ run: |
+ set -euo pipefail
+ export LLVM_PROFILE_FILE="${{ github.workspace }}/profraw/dump-%p-%m.profraw"
+
+ TOOL="${{ env.tool_path }}"
+ TOTAL=0
+ PASS=0
+ FAIL=0
+
+ while IFS= read -r icc; do
+ TOTAL=$((TOTAL + 1))
+ if timeout 10s "$TOOL" "$icc" > /dev/null 2>&1; then
+ PASS=$((PASS + 1))
+ else
+ FAIL=$((FAIL + 1))
+ fi
+ done < <(find Testing -name "*.icc" -type f)
+
+ echo "IccDumpProfile: $TOTAL profiles, $PASS pass, $FAIL fail"
+ echo "dump_total=$TOTAL" >> $GITHUB_ENV
+ echo "dump_pass=$PASS" >> $GITHUB_ENV
+ echo "dump_fail=$FAIL" >> $GITHUB_ENV
+
+ - name: Exercise XML round-trip tools
+ run: |
+ set -euo pipefail
+ export LLVM_PROFILE_FILE="${{ github.workspace }}/profraw/xml-%p-%m.profraw"
+
+ BUILD_DIR="${{ env.build_dir }}"
+ TO_XML=$(find "$BUILD_DIR" -name "iccToXml" -type f -executable -print -quit)
+ FROM_XML=$(find "$BUILD_DIR" -name "iccFromXml" -type f -executable -print -quit)
+ ROUNDTRIP=$(find "$BUILD_DIR" -name "iccRoundTrip" -type f -executable -print -quit)
+
+ CONVERTED=0
+ # Convert a sample of profiles to XML and back
+ mapfile -t ICC_FILES < <(find Testing -name "*.icc" -type f | shuf -n 50)
+ for icc in "${ICC_FILES[@]}"; do
+ XML_OUT="/tmp/$(basename "$icc" .icc).xml"
+ ICC_OUT="/tmp/$(basename "$icc")"
+ if [ -n "$TO_XML" ] && timeout 10s "$TO_XML" "$icc" "$XML_OUT" > /dev/null 2>&1; then
+ CONVERTED=$((CONVERTED + 1))
+ if [ -n "$FROM_XML" ]; then
+ timeout 10s "$FROM_XML" "$XML_OUT" "$ICC_OUT" > /dev/null 2>&1 || true
+ fi
+ fi
+ rm -f "$XML_OUT" "$ICC_OUT"
+ done
+
+ # Run roundtrip on sample profiles
+ if [ -n "$ROUNDTRIP" ]; then
+ mapfile -t RT_FILES < <(find Testing -name "*.icc" -type f | shuf -n 30)
+ for icc in "${RT_FILES[@]}"; do
+ timeout 10s "$ROUNDTRIP" "$icc" > /dev/null 2>&1 || true
+ done
+ fi
+
+ echo "XML round-trip: $CONVERTED conversions complete"
+
+ - name: Merge profdata and generate report
+ run: |
+ set -euo pipefail
+ mkdir -p coverage-report
+
+ # Merge all .profraw files
+ PROFRAW_COUNT=$(find "${{ github.workspace }}/profraw" -name "*.profraw" 2>/dev/null | wc -l)
+ echo "Found $PROFRAW_COUNT .profraw files"
+
+ if [ "$PROFRAW_COUNT" -eq 0 ]; then
+ echo "::error::No profraw files generated — coverage instrumentation may have failed"
+ exit 1
+ fi
+
+ llvm-profdata-18 merge \
+ -sparse \
+ "${{ github.workspace }}"/profraw/*.profraw \
+ -o coverage-report/merged.profdata
+
+ echo "Merged profdata: $(stat -c%s coverage-report/merged.profdata) bytes"
+
+ # Find all instrumented binaries
+ BUILD_DIR="${{ env.build_dir }}"
+ BINARIES=$(find "$BUILD_DIR" -type f -executable \( -path "*/Tools/*" -o -name "*.a" \) | head -20)
+ MAIN_BIN="${{ env.tool_path }}"
+
+ # Build object list for llvm-cov (all tool binaries)
+ OBJECT_ARGS=""
+ for bin in $(find "$BUILD_DIR" -path "*/Tools/*" -type f -executable); do
+ if [ "$bin" != "$MAIN_BIN" ]; then
+ OBJECT_ARGS="$OBJECT_ARGS -object=$bin"
+ fi
+ done
+
+ # Generate text report
+ llvm-cov-18 report \
+ "$MAIN_BIN" $OBJECT_ARGS \
+ -instr-profile=coverage-report/merged.profdata \
+ -ignore-filename-regex='(third_party|/usr/|test)' \
+ 2>&1 | tee coverage-report/coverage-summary.txt
+
+ # Generate HTML report
+ llvm-cov-18 show \
+ "$MAIN_BIN" $OBJECT_ARGS \
+ -instr-profile=coverage-report/merged.profdata \
+ -format=html \
+ -output-dir=coverage-report/html \
+ -show-line-counts-or-regions \
+ -show-expansions \
+ -ignore-filename-regex='(third_party|/usr/|test)' \
+ 2>&1 | tail -5
+
+ # Generate lcov-compatible export
+ llvm-cov-18 export \
+ "$MAIN_BIN" $OBJECT_ARGS \
+ -instr-profile=coverage-report/merged.profdata \
+ -format=lcov \
+ -ignore-filename-regex='(third_party|/usr/|test)' \
+ > coverage-report/lcov.info 2>/dev/null || true
+
+ # Summary stats
+ if [ -d coverage-report/html ]; then
+ HTML_COUNT=$(find coverage-report/html -name "*.html" | wc -l)
+ echo "HTML report: $HTML_COUNT files"
+ fi
+ LCOV_RECORDS=$(grep -c "^SF:" coverage-report/lcov.info 2>/dev/null || echo 0)
+ echo "LCOV: $LCOV_RECORDS source file records"
+
+ - name: Report to summary
+ if: always()
+ run: |
+ set -euo pipefail
+ {
+ echo "## Code Coverage Report"
+ echo ""
+ echo "### Test Execution"
+ echo "| Metric | Value |"
+ echo "|--------|-------|"
+ echo "| ICC Profiles Created | ${{ env.profile_count }} |"
+ echo "| IccDumpProfile Total | ${{ env.dump_total }} |"
+ echo "| IccDumpProfile Pass | ${{ env.dump_pass }} |"
+ echo "| IccDumpProfile Fail | ${{ env.dump_fail }} |"
+ echo ""
+ echo "### Coverage Summary"
+ echo '```'
+ } >> $GITHUB_STEP_SUMMARY
+
+ if [ -f coverage-report/coverage-summary.txt ]; then
+ cat coverage-report/coverage-summary.txt >> $GITHUB_STEP_SUMMARY
+ else
+ echo "No coverage data available" >> $GITHUB_STEP_SUMMARY
+ fi
+
+ {
+ echo '```'
+ echo ""
+ echo "### Artifacts"
+ echo "- \`coverage-report\`: llvm-cov HTML report, lcov.info, text summary"
+ } >> $GITHUB_STEP_SUMMARY
+
+ - name: Upload coverage report
+ if: always()
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+ with:
+ name: coverage-report
+ path: coverage-report/
+ retention-days: 30
+ if-no-files-found: warn
diff --git a/.github/workflows/ci-comprehensive-build-test.yml b/.github/workflows/ci-comprehensive-build-test.yml
new file mode 100644
index 000000000..f80a58011
--- /dev/null
+++ b/.github/workflows/ci-comprehensive-build-test.yml
@@ -0,0 +1,1058 @@
+###############################################################
+# Copyright (c) 2026 International Color Consortium
+#
+# Intent: ci-build-matrix
+# Tests all build configurations, sanitizers, and options
+# This workflow will replace ci-pr-actions in time
+#
+# Last Updated: 2026-02-17 16:15:56 UTC by David Hoyt
+#
+# All PR _must_ PASS this workflow
+#
+#
+#
+#
+###############################################################
+
+name: "ci-build-matrix"
+
+permissions:
+ contents: read
+ pull-requests: read
+
+on:
+ workflow_dispatch:
+ inputs:
+ ref:
+ description: 'Branch to build (default: master)'
+ required: false
+ default: 'master'
+ type: choice
+ options:
+ - 'master'
+ - 'cfl'
+ pr_number:
+ description: 'Pull request number to build (overrides branch)'
+ required: false
+ type: number
+
+concurrency:
+ group: comprehensive-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+
+env:
+ GH_REPO: ${{ github.repository }}
+ GH_NO_UPDATE_NOTIFIER: 1
+ GH_PROMPT_DISABLED: 1
+ RUN_URL: ${{ github.event.repository.html_url }}/actions/runs/${{ github.run_id }}
+ CHECKOUT_REF: ${{ github.event.inputs.pr_number && format('refs/pull/{0}/head', github.event.inputs.pr_number) || github.event.inputs.ref || 'master' }}
+
+jobs:
+ #############################################################################
+ # Job 1: Standard Project Builds (Tools Only - No Fuzzing)
+ #############################################################################
+ standard-builds:
+ name: "Standard • ${{ matrix.os }} • ${{ matrix.compiler }} • ${{ matrix.build_type }}"
+ runs-on: ${{ matrix.os }}
+ timeout-minutes: 25
+ defaults:
+ run:
+ shell: bash --noprofile --norc {0}
+
+ strategy:
+ fail-fast: false
+ matrix:
+ os: [ubuntu-latest, macos-latest]
+ compiler: [gcc, clang]
+ build_type: [Release, Debug, RelWithDebInfo]
+ exclude:
+ - os: macos-latest
+ compiler: gcc
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ ref: ${{ env.CHECKOUT_REF }}
+ fetch-depth: 0
+ persist-credentials: false
+
+ - name: Cache Dependencies (Linux)
+ if: runner.os == 'Linux'
+ uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+ with:
+ path: |
+ /var/cache/apt/archives
+ ~/.cache/ccache
+ key: ${{ runner.os }}-deps-${{ matrix.compiler }}-${{ hashFiles('Build/Cmake/CMakeLists.txt') }}
+ restore-keys: |
+ ${{ runner.os }}-deps-${{ matrix.compiler }}-
+ ${{ runner.os }}-deps-
+
+ - name: Cache Dependencies (macOS)
+ if: runner.os == 'macOS'
+ uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+ with:
+ path: |
+ ~/Library/Caches/Homebrew
+ ~/.cache/ccache
+ key: ${{ runner.os }}-deps-${{ matrix.compiler }}-${{ hashFiles('Build/Cmake/CMakeLists.txt') }}
+ restore-keys: |
+ ${{ runner.os }}-deps-${{ matrix.compiler }}-
+ ${{ runner.os }}-deps-
+
+ - name: Configure Git Environment
+ shell: bash --noprofile --norc {0}
+ env:
+ BASH_ENV: /dev/null
+ run: |
+ set -euo pipefail
+ git config --global --add safe.directory "$GITHUB_WORKSPACE"
+ git config --global credential.helper ""
+ unset GITHUB_TOKEN || true
+
+ - name: Install Dependencies (Linux)
+ if: runner.os == 'Linux'
+ shell: bash --noprofile --norc {0}
+ env:
+ BASH_ENV: /dev/null
+ run: |
+ set -euo pipefail
+ git config --add safe.directory "$PWD"
+ git config --global credential.helper ""
+ unset GITHUB_TOKEN || true
+ sudo apt-get update -qq
+ sudo apt-get install -y \
+ build-essential cmake gcc g++ clang ccache \
+ libpng-dev libxml2-dev libtiff-dev \
+ nlohmann-json3-dev
+ ccache --zero-stats || true
+
+ - name: Install Dependencies (macOS)
+ if: runner.os == 'macOS'
+ shell: bash --noprofile --norc {0}
+ env:
+ BASH_ENV: /dev/null
+ run: |
+ set -euo pipefail
+ git config --add safe.directory "$PWD"
+ git config --global credential.helper ""
+ unset GITHUB_TOKEN || true
+ brew install cmake llvm libpng libtiff libxml2 nlohmann-json ccache
+ ccache --zero-stats || true
+
+ - name: Disable wxWidgets for CFL
+ shell: bash --noprofile --norc {0}
+ env:
+ BASH_ENV: /dev/null
+ run: |
+ set -euo pipefail
+ sed -i.bak 's/^ find_package(wxWidgets COMPONENTS core base REQUIRED)/ # find_package(wxWidgets COMPONENTS core base REQUIRED) # Disabled for CFL/g' Build/Cmake/CMakeLists.txt
+ sed -i.bak 's/^ ADD_SUBDIRECTORY(Tools\/wxProfileDump)/ # ADD_SUBDIRECTORY(Tools\/wxProfileDump) # Disabled for CFL/g' Build/Cmake/CMakeLists.txt
+ sed -i.bak 's/^ message(FATAL_ERROR "wxWidgets not found/ # message(FATAL_ERROR "wxWidgets not found/g' Build/Cmake/CMakeLists.txt
+
+ - name: Set Compiler
+ shell: bash --noprofile --norc {0}
+ env:
+ BASH_ENV: /dev/null
+ run: |
+ set -euo pipefail
+ git config --add safe.directory "$PWD"
+ git config --global credential.helper ""
+ unset GITHUB_TOKEN || true
+ if [ "${{ matrix.compiler }}" = "gcc" ]; then
+ echo "CC=gcc" >> $GITHUB_ENV
+ echo "CXX=g++" >> $GITHUB_ENV
+ else
+ echo "CC=clang" >> $GITHUB_ENV
+ echo "CXX=clang++" >> $GITHUB_ENV
+ fi
+
+ - name: Configure CMake
+ shell: bash --noprofile --norc {0}
+ env:
+ BASH_ENV: /dev/null
+ run: |
+ set -euo pipefail
+ git config --add safe.directory "$PWD"
+ git config --global credential.helper ""
+ unset GITHUB_TOKEN || true
+ mkdir -p Build && cd Build
+ cmake ../Build/Cmake \
+ -DCMAKE_BUILD_TYPE=${{ matrix.build_type }} \
+ -DENABLE_SHARED_LIBS=ON \
+ -DENABLE_STATIC_LIBS=ON \
+ -DENABLE_TOOLS=ON
+
+ - name: Build
+ shell: bash --noprofile --norc {0}
+ env:
+ BASH_ENV: /dev/null
+ run: |
+ set -euo pipefail
+ git config --add safe.directory "$PWD"
+ git config --global credential.helper ""
+ unset GITHUB_TOKEN || true
+
+ # Enable ccache if available
+ if command -v ccache >/dev/null 2>&1; then
+ export PATH="/usr/lib/ccache:/usr/local/opt/ccache/libexec:$PATH"
+ export CC="ccache ${{ matrix.compiler == 'gcc' && 'gcc' || 'clang' }}"
+ export CXX="ccache ${{ matrix.compiler == 'gcc' && 'g++' || 'clang++' }}"
+ fi
+
+ cd Build
+ echo "::group::Build Output"
+ BUILD_START=$(date +%s)
+ make -j$(nproc || sysctl -n hw.logicalcpu) 2>&1 | tee build.log
+ BUILD_END=$(date +%s)
+ echo "::endgroup::"
+ BUILD_TIME=$((BUILD_END - BUILD_START))
+ echo "::notice title=Build Time::Build completed in ${BUILD_TIME}s"
+ if grep -iE '(error|failed|undefined reference|cannot find)' build.log; then
+ echo "::error title=Build Failed::Build errors detected in log"
+ exit 1
+ fi
+ # Show ccache stats if available
+ if command -v ccache >/dev/null 2>&1; then
+ echo "::group::ccache Statistics"
+ ccache --show-stats || true
+ echo "::endgroup::"
+ fi
+
+ - name: Upload Build Artifacts (on failure)
+ if: failure()
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+ with:
+ name: build-logs-${{ matrix.os }}-${{ matrix.compiler }}-${{ matrix.build_type }}
+ path: |
+ Build/build.log
+ Build/CMakeCache.txt
+ Build/CMakeFiles/CMakeError.log
+ Build/CMakeFiles/CMakeOutput.log
+ retention-days: 7
+
+ - name: Upload Build Artifacts (on success)
+ if: success()
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+ with:
+ name: build-${{ matrix.os }}-${{ matrix.compiler }}-${{ matrix.build_type }}
+ path: |
+ Build/Tools/IccApplyNamedCmm/**/IccApplyNamedCmm
+ Build/Tools/IccDumpProfile/**/IccDumpProfile
+ Build/Tools/IccFromXml/**/IccFromXml
+ Build/Tools/IccToXml/**/IccToXml
+ Build/IccProfLib/libIccProfLib2*
+ Build/IccXML/libIccXML2*
+ if-no-files-found: warn
+ retention-days: 14
+ compression-level: 9
+
+ - name: Test Profiles
+ shell: bash --noprofile --norc {0}
+ env:
+ BASH_ENV: /dev/null
+ run: |
+ set -euo pipefail
+ git config --add safe.directory "$PWD"
+ git config --global credential.helper ""
+ unset GITHUB_TOKEN || true
+ cd Testing
+ for d in ../Build/Tools/*; do
+ [ -d "$d" ] && export PATH="$(realpath "$d"):$PATH"
+ done
+ sh CreateAllProfiles.sh
+ PROFILE_COUNT=$(find . -name "*.icc" | wc -l)
+ echo "Created $PROFILE_COUNT profiles"
+ if [ "$PROFILE_COUNT" -eq 0 ]; then
+ echo "ERROR: No profiles created"
+ exit 1
+ fi
+
+ #############################################################################
+ # Job 2: Fuzzer Builds (Debug + Full Instrumentation)
+ #############################################################################
+ fuzzer-builds:
+ name: "Fuzzer • ${{ matrix.os }} • Debug+Instrumentation"
+ runs-on: ${{ matrix.os }}
+ timeout-minutes: 30
+ defaults:
+ run:
+ shell: bash --noprofile --norc {0}
+
+ strategy:
+ fail-fast: false
+ matrix:
+ os: [ubuntu-latest]
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ ref: ${{ env.CHECKOUT_REF }}
+ fetch-depth: 0
+ persist-credentials: false
+
+ - name: Cache Dependencies
+ uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+ with:
+ path: |
+ /var/cache/apt/archives
+ ~/.cache/ccache
+ key: fuzzer-deps-${{ hashFiles('Build/Cmake/CMakeLists.txt', 'Testing/Fuzzing/CMakeLists.txt') }}
+ restore-keys: |
+ fuzzer-deps-
+
+ - name: Configure Git Environment
+ shell: bash --noprofile --norc {0}
+ env:
+ BASH_ENV: /dev/null
+ run: |
+ set -euo pipefail
+ git config --global --add safe.directory "$GITHUB_WORKSPACE"
+ git config --global credential.helper ""
+ unset GITHUB_TOKEN || true
+
+ - name: Install Dependencies
+ shell: bash --noprofile --norc {0}
+ env:
+ BASH_ENV: /dev/null
+ run: |
+ set -euo pipefail
+ git config --add safe.directory "$PWD"
+ git config --global credential.helper ""
+ unset GITHUB_TOKEN || true
+ sudo apt-get update -qq
+ sudo apt-get install -y \
+ build-essential cmake clang llvm ccache \
+ libpng-dev libxml2-dev libtiff-dev nlohmann-json3-dev
+ ccache --zero-stats || true
+
+ - name: Disable wxWidgets for CFL
+ shell: bash --noprofile --norc {0}
+ env:
+ BASH_ENV: /dev/null
+ run: |
+ set -euo pipefail
+ sed -i 's/^ find_package(wxWidgets COMPONENTS core base REQUIRED)/# find_package(wxWidgets COMPONENTS core base REQUIRED) # Disabled for CFL/g' Build/Cmake/CMakeLists.txt
+ sed -i 's/^ ADD_SUBDIRECTORY(Tools\/wxProfileDump)/# ADD_SUBDIRECTORY(Tools\/wxProfileDump) # Disabled for CFL/g' Build/Cmake/CMakeLists.txt
+ sed -i 's/^ message(FATAL_ERROR "wxWidgets not found/ # message(FATAL_ERROR "wxWidgets not found/g' Build/Cmake/CMakeLists.txt
+
+ - name: Configure Fuzzer Build
+ shell: bash --noprofile --norc {0}
+ env:
+ BASH_ENV: /dev/null
+ run: |
+ set -euo pipefail
+ git config --add safe.directory "$PWD"
+ git config --global credential.helper ""
+ unset GITHUB_TOKEN || true
+ mkdir -p Build-fuzzing && cd Build-fuzzing
+ CC=clang CXX=clang++ cmake ../Build/Cmake \
+ -DCMAKE_BUILD_TYPE=Debug \
+ -DENABLE_FUZZING=ON \
+ -DENABLE_STATIC_LIBS=ON \
+ -DENABLE_SHARED_LIBS=ON \
+ -DENABLE_TOOLS=OFF
+
+ - name: Build Fuzzers
+ shell: bash --noprofile --norc {0}
+ env:
+ BASH_ENV: /dev/null
+ run: |
+ set -euo pipefail
+ git config --add safe.directory "$PWD"
+ git config --global credential.helper ""
+ unset GITHUB_TOKEN || true
+ # Enable ccache
+ if command -v ccache >/dev/null 2>&1; then
+ export PATH="/usr/lib/ccache:$PATH"
+ export CC="ccache clang"
+ export CXX="ccache clang++"
+ fi
+ cd Build-fuzzing
+ echo "::group::Fuzzer Build Output"
+ BUILD_START=$(date +%s)
+ make -j$(nproc) 2>&1 | tee build-fuzzing.log
+ BUILD_END=$(date +%s)
+ echo "::endgroup::"
+ BUILD_TIME=$((BUILD_END - BUILD_START))
+ echo "::notice title=Fuzzer Build Time::Fuzzer build completed in ${BUILD_TIME}s"
+ if grep -iE '(error|failed|undefined reference|cannot find)' build-fuzzing.log; then
+ echo "::error title=Fuzzer Build Failed::Fuzzer build errors detected"
+ exit 1
+ fi
+ # Show ccache stats
+ if command -v ccache >/dev/null 2>&1; then
+ echo "::group::ccache Statistics"
+ ccache --show-stats || true
+ echo "::endgroup::"
+ fi
+
+ - name: Verify Fuzzer Build
+ shell: bash --noprofile --norc {0}
+ env:
+ BASH_ENV: /dev/null
+ run: |
+ set -euo pipefail
+ git config --add safe.directory "$PWD"
+ git config --global credential.helper ""
+ unset GITHUB_TOKEN || true
+ FUZZER_COUNT=$(ls Build-fuzzing/Testing/Fuzzing/icc_*_fuzzer 2>/dev/null | wc -l)
+ echo "::notice title=Fuzzer Count::Built $FUZZER_COUNT fuzzers"
+ # Note: Fuzzer count varies by platform and configuration
+ # Just verify at least 1 fuzzer was built
+ if [ "$FUZZER_COUNT" -lt 1 ]; then
+ echo "::error title=Fuzzer Verification Failed::Expected at least 1 fuzzer, got $FUZZER_COUNT"
+ exit 1
+ fi
+
+ - name: Upload Fuzzer Build Artifacts (on failure)
+ if: failure()
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+ with:
+ name: fuzzer-build-logs
+ path: |
+ Build-fuzzing/build-fuzzing.log
+ Build-fuzzing/CMakeCache.txt
+ Build-fuzzing/CMakeFiles/CMakeError.log
+ Build-fuzzing/CMakeFiles/CMakeOutput.log
+ Build-fuzzing/Testing/Fuzzing/*.log
+ retention-days: 7
+
+ - name: Upload Fuzzer Executables (on success)
+ if: success()
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+ with:
+ name: fuzzer-executables-debug-instrumentation
+ path: Build-fuzzing/Testing/Fuzzing/*_fuzzer
+ retention-days: 14
+ compression-level: 9
+
+ - name: Test Fuzzers
+ shell: bash --noprofile --norc {0}
+ env:
+ BASH_ENV: /dev/null
+ run: |
+ set -euo pipefail
+ git config --add safe.directory "$PWD"
+ git config --global credential.helper ""
+ unset GITHUB_TOKEN || true
+ cd Build-fuzzing/Testing/Fuzzing
+ # Verify all 14 fuzzers are built and executable
+ EXPECTED_FUZZERS="icc_apply_fuzzer icc_applynamedcmm_fuzzer icc_applyprofiles_fuzzer icc_calculator_fuzzer icc_dump_fuzzer icc_fromxml_fuzzer icc_io_fuzzer icc_link_fuzzer icc_multitag_fuzzer icc_profile_fuzzer icc_roundtrip_fuzzer icc_spectral_fuzzer icc_toxml_fuzzer icc_v5dspobs_fuzzer"
+ PASS=0
+ FAIL=0
+ for f in $EXPECTED_FUZZERS; do
+ if [ -x "$f" ]; then
+ PASS=$((PASS + 1))
+ echo "✓ $f"
+ else
+ FAIL=$((FAIL + 1))
+ echo "✗ $f (not found or not executable)"
+ fi
+ done
+ echo "::notice title=Fuzzer Build Verification::$PASS of 14 fuzzers built successfully"
+ if [ "$FAIL" -gt 0 ]; then
+ echo "::error title=Fuzzer Build Failed::$FAIL fuzzers missing or not executable"
+ exit 1
+ fi
+
+ #############################################################################
+ # Job 3: Sanitizer Builds (Individual Sanitizers)
+ #############################################################################
+ sanitizer-builds:
+ name: "Sanitizer • ${{ matrix.sanitizer }} • ${{ matrix.build_type }}"
+ runs-on: ubuntu-latest
+ timeout-minutes: 25
+ defaults:
+ run:
+ shell: bash --noprofile --norc {0}
+
+ strategy:
+ fail-fast: false
+ matrix:
+ build_type: [Debug, RelWithDebInfo]
+ sanitizer:
+ - asan
+ - ubsan
+ - asan-ubsan
+ exclude:
+ - sanitizer: asan-ubsan
+ build_type: RelWithDebInfo
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ ref: ${{ env.CHECKOUT_REF }}
+ fetch-depth: 0
+ persist-credentials: false
+
+ - name: Cache Dependencies
+ uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+ with:
+ path: |
+ /var/cache/apt/archives
+ ~/.cache/ccache
+ key: sanitizer-deps-${{ matrix.sanitizer }}-${{ hashFiles('Build/Cmake/CMakeLists.txt') }}
+ restore-keys: |
+ sanitizer-deps-${{ matrix.sanitizer }}-
+ sanitizer-deps-
+
+ - name: Configure Git Environment
+ shell: bash --noprofile --norc {0}
+ env:
+ BASH_ENV: /dev/null
+ run: |
+ set -euo pipefail
+ git config --global --add safe.directory "$GITHUB_WORKSPACE"
+ git config --global credential.helper ""
+ unset GITHUB_TOKEN || true
+
+ - name: Install Dependencies
+ shell: bash --noprofile --norc {0}
+ env:
+ BASH_ENV: /dev/null
+ run: |
+ set -euo pipefail
+ git config --add safe.directory "$PWD"
+ git config --global credential.helper ""
+ unset GITHUB_TOKEN || true
+ sudo apt-get update -qq
+ sudo apt-get install -y \
+ build-essential cmake clang llvm \
+ libpng-dev libxml2-dev libtiff-dev nlohmann-json3-dev
+
+ - name: Disable wxWidgets for CFL
+ shell: bash --noprofile --norc {0}
+ env:
+ BASH_ENV: /dev/null
+ run: |
+ set -euo pipefail
+ sed -i 's/^ find_package(wxWidgets COMPONENTS core base REQUIRED)/# find_package(wxWidgets COMPONENTS core base REQUIRED) # Disabled for CFL/g' Build/Cmake/CMakeLists.txt
+ sed -i 's/^ ADD_SUBDIRECTORY(Tools\/wxProfileDump)/# ADD_SUBDIRECTORY(Tools\/wxProfileDump) # Disabled for CFL/g' Build/Cmake/CMakeLists.txt
+ sed -i 's/^ message(FATAL_ERROR "wxWidgets not found/ # message(FATAL_ERROR "wxWidgets not found/g' Build/Cmake/CMakeLists.txt
+
+ - name: Configure with Sanitizer
+ shell: bash --noprofile --norc {0}
+ env:
+ BASH_ENV: /dev/null
+ run: |
+ set -euo pipefail
+ git config --add safe.directory "$PWD"
+ git config --global credential.helper ""
+ unset GITHUB_TOKEN || true
+ mkdir -p Build && cd Build
+ case "${{ matrix.sanitizer }}" in
+ asan)
+ OPTS="-DENABLE_ASAN=ON"
+ ;;
+ ubsan)
+ OPTS="-DENABLE_UBSAN=ON"
+ ;;
+ asan-ubsan)
+ OPTS="-DENABLE_ASAN=ON -DENABLE_UBSAN=ON"
+ ;;
+ esac
+ CC=clang CXX=clang++ cmake ../Build/Cmake \
+ -DCMAKE_BUILD_TYPE=${{ matrix.build_type }} \
+ $OPTS
+
+ - name: Build with Sanitizer
+ shell: bash --noprofile --norc {0}
+ env:
+ BASH_ENV: /dev/null
+ run: |
+ set -euo pipefail
+ git config --add safe.directory "$PWD"
+ git config --global credential.helper ""
+ unset GITHUB_TOKEN || true
+ cd Build
+ make -j$(nproc) 2>&1 | tee build.log
+ if grep -iE 'error:' build.log; then
+ echo "ERROR: Build failed"
+ exit 1
+ fi
+
+ - name: Test with Sanitizer
+ shell: bash --noprofile --norc {0}
+ env:
+ BASH_ENV: /dev/null
+ run: |
+ set -euo pipefail
+ git config --add safe.directory "$PWD"
+ git config --global credential.helper ""
+ unset GITHUB_TOKEN || true
+ cd Testing
+ for d in ../Build/Tools/*; do
+ [ -d "$d" ] && export PATH="$(realpath "$d"):$PATH"
+ done
+ timeout 300 sh CreateAllProfiles.sh || echo "Profile creation timed out (acceptable for sanitizer builds)"
+
+ - name: Upload Sanitizer Build Artifacts
+ if: always()
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+ with:
+ name: sanitizer-${{ matrix.sanitizer }}-${{ matrix.build_type }}
+ path: |
+ Build/Tools/IccApplyNamedCmm/IccApplyNamedCmm/IccApplyNamedCmm
+ Build/Tools/IccDumpProfile/IccDumpProfile/IccDumpProfile
+ Build/IccProfLib/libIccProfLib2*
+ Build/build.log
+ if-no-files-found: warn
+ retention-days: 7
+ compression-level: 9
+
+ #############################################################################
+ # Job 4: Build Option Matrix (Test Each Option Independently)
+ #############################################################################
+ option-matrix:
+ name: "Option • ${{ matrix.option_name }}"
+ runs-on: ubuntu-latest
+ timeout-minutes: 20
+ defaults:
+ run:
+ shell: bash --noprofile --norc {0}
+
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - option_name: "VERBOSE_CONFIG=ON"
+ cmake_opts: "-DVERBOSE_CONFIG=ON"
+ - option_name: "ENABLE_COVERAGE=ON"
+ cmake_opts: "-DENABLE_COVERAGE=ON"
+ - option_name: "ICC_ENABLE_ASSERTS=ON"
+ cmake_opts: "-DICC_ENABLE_ASSERTS=ON"
+ - option_name: "ICC_TRACE_NAN_ENABLED=ON"
+ cmake_opts: "-DICC_TRACE_NAN_ENABLED=ON"
+ - option_name: "SHARED_ONLY"
+ cmake_opts: "-DENABLE_SHARED_LIBS=ON -DENABLE_STATIC_LIBS=OFF"
+ - option_name: "STATIC_ONLY"
+ cmake_opts: "-DENABLE_SHARED_LIBS=OFF -DENABLE_STATIC_LIBS=ON"
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ ref: ${{ env.CHECKOUT_REF }}
+ fetch-depth: 0
+ persist-credentials: false
+
+ - name: Configure Git Environment
+ shell: bash --noprofile --norc {0}
+ env:
+ BASH_ENV: /dev/null
+ run: |
+ set -euo pipefail
+ git config --global --add safe.directory "$GITHUB_WORKSPACE"
+ git config --global credential.helper ""
+ unset GITHUB_TOKEN || true
+
+ - name: Install Dependencies
+ shell: bash --noprofile --norc {0}
+ env:
+ BASH_ENV: /dev/null
+ run: |
+ set -euo pipefail
+ git config --add safe.directory "$PWD"
+ git config --global credential.helper ""
+ unset GITHUB_TOKEN || true
+ sudo apt-get update -qq
+ sudo apt-get install -y \
+ build-essential cmake clang \
+ libpng-dev libxml2-dev libtiff-dev nlohmann-json3-dev
+
+ - name: Disable wxWidgets for CFL
+ shell: bash --noprofile --norc {0}
+ env:
+ BASH_ENV: /dev/null
+ run: |
+ set -euo pipefail
+ sed -i 's/^ find_package(wxWidgets COMPONENTS core base REQUIRED)/# find_package(wxWidgets COMPONENTS core base REQUIRED) # Disabled for CFL/g' Build/Cmake/CMakeLists.txt
+ sed -i 's/^ ADD_SUBDIRECTORY(Tools\/wxProfileDump)/# ADD_SUBDIRECTORY(Tools\/wxProfileDump) # Disabled for CFL/g' Build/Cmake/CMakeLists.txt
+ sed -i 's/^ message(FATAL_ERROR "wxWidgets not found/ # message(FATAL_ERROR "wxWidgets not found/g' Build/Cmake/CMakeLists.txt
+
+ - name: Configure with Option
+ shell: bash --noprofile --norc {0}
+ env:
+ BASH_ENV: /dev/null
+ run: |
+ set -euo pipefail
+ git config --add safe.directory "$PWD"
+ git config --global credential.helper ""
+ unset GITHUB_TOKEN || true
+ mkdir -p Build && cd Build
+ cmake Cmake/ \
+ -DCMAKE_BUILD_TYPE=Release \
+ ${{ matrix.cmake_opts }}
+
+ - name: Build
+ shell: bash --noprofile --norc {0}
+ env:
+ BASH_ENV: /dev/null
+ run: |
+ set -euo pipefail
+ git config --add safe.directory "$PWD"
+ git config --global credential.helper ""
+ unset GITHUB_TOKEN || true
+ cd Build
+ make -j$(nproc) 2>&1 | tee build.log
+ if grep -iE 'error:' build.log; then
+ echo "ERROR: Build failed"
+ exit 1
+ fi
+
+ #############################################################################
+ # Job 5: Windows Build (MSVC)
+ #############################################################################
+ windows-build:
+ name: "Windows • MSVC • ${{ matrix.build_type }}"
+ runs-on: windows-latest
+ timeout-minutes: 30
+ env:
+ POWERSHELL_TELEMETRY_OPTOUT: "1"
+ defaults:
+ run:
+ shell: pwsh
+
+ strategy:
+ fail-fast: false
+ matrix:
+ build_type: [Release, Debug]
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ ref: ${{ env.CHECKOUT_REF }}
+ fetch-depth: 0
+ persist-credentials: false
+
+ - name: Configure Git Environment
+ shell: pwsh
+ run: |
+ Set-StrictMode -Version Latest
+ $ErrorActionPreference = 'Stop'
+ $ProgressPreference = 'SilentlyContinue'
+ if (Test-Path env:GITHUB_TOKEN) { Remove-Item env:GITHUB_TOKEN -ErrorAction SilentlyContinue }
+ git config --global --add safe.directory "$env:GITHUB_WORKSPACE"
+ git config --global credential.helper ""
+
+ - name: Setup MSBuild
+ uses: microsoft/setup-msbuild@6fb02220983dee41ce7ae257b6f4d8f9bf5ed4ce # v2.0.0
+
+ - name: Install Dependencies
+ shell: pwsh
+ run: |
+ Set-StrictMode -Version Latest
+ $ErrorActionPreference = 'Stop'
+ $ProgressPreference = 'SilentlyContinue'
+ if (Test-Path Env:GITHUB_TOKEN) { Remove-Item Env:GITHUB_TOKEN -ErrorAction SilentlyContinue }
+ Write-Host "Fetching dependencies..."
+ Start-BitsTransfer -Source "https://github.com/InternationalColorConsortium/iccDEV/releases/download/v2.3.1/vcpkg-exported-deps.zip" -Destination "deps.zip"
+ tar -xf deps.zip
+
+ - name: Configure
+ shell: pwsh
+ run: |
+ Set-StrictMode -Version Latest
+ $ErrorActionPreference = 'Stop'
+ $ProgressPreference = 'SilentlyContinue'
+ if (Test-Path Env:GITHUB_TOKEN) { Remove-Item Env:GITHUB_TOKEN -ErrorAction SilentlyContinue }
+ cd Build/Cmake
+ cmake -B build -S . `
+ -DCMAKE_TOOLCHAIN_FILE="..\..\scripts\buildsystems\vcpkg.cmake" `
+ -DVCPKG_MANIFEST_MODE=OFF `
+ -DCMAKE_BUILD_TYPE=${{ matrix.build_type }} `
+ -Wno-dev
+
+ - name: Build
+ shell: pwsh
+ run: |
+ Set-StrictMode -Version Latest
+ $ErrorActionPreference = 'Stop'
+ $ProgressPreference = 'SilentlyContinue'
+ if (Test-Path Env:GITHUB_TOKEN) { Remove-Item Env:GITHUB_TOKEN -ErrorAction SilentlyContinue }
+ cd Build/Cmake
+ cmake --build build --config ${{ matrix.build_type }} -- /m /maxcpucount
+ cmake --build build --config ${{ matrix.build_type }} -- /m /maxcpucount
+
+ - name: Test
+ shell: pwsh
+ run: |
+ Set-StrictMode -Version Latest
+ $ErrorActionPreference = 'Stop'
+ $ProgressPreference = 'SilentlyContinue'
+ if (Test-Path Env:GITHUB_TOKEN) { Remove-Item Env:GITHUB_TOKEN -ErrorAction SilentlyContinue }
+ cd Build/Cmake
+ $exeDirs = Get-ChildItem -Recurse -File -Include *.exe -Path .\build\ |
+ Where-Object { $_.FullName -match 'icc' -and $_.FullName -notmatch '\\CMakeFiles\\' -and $_.Name -notmatch '^CMake(C|CXX)CompilerId\.exe$' } |
+ ForEach-Object { Split-Path $_.FullName -Parent } |
+ Sort-Object -Unique
+ $env:PATH = ($exeDirs -join ';') + ';' + $env:PATH
+ cd ..\..\Testing
+ .\CreateAllProfiles.bat
+
+ #############################################################################
+ # Job 6: Version Header Generation Test
+ #############################################################################
+ version-header-test:
+ name: "Version Headers • Build Directory Generation"
+ runs-on: ubuntu-latest
+ timeout-minutes: 15
+ defaults:
+ run:
+ shell: bash --noprofile --norc {0}
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ ref: ${{ env.CHECKOUT_REF }}
+ fetch-depth: 0
+ persist-credentials: false
+
+ - name: Configure Git Environment
+ shell: bash --noprofile --norc {0}
+ env:
+ BASH_ENV: /dev/null
+ run: |
+ set -euo pipefail
+ git config --global --add safe.directory "$GITHUB_WORKSPACE"
+ git config --global credential.helper ""
+ unset GITHUB_TOKEN || true
+
+ - name: Install Dependencies
+ shell: bash --noprofile --norc {0}
+ env:
+ BASH_ENV: /dev/null
+ run: |
+ set -euo pipefail
+ git config --add safe.directory "$PWD"
+ git config --global credential.helper ""
+ unset GITHUB_TOKEN || true
+ sudo apt-get update -qq
+ sudo apt-get install -y build-essential cmake libpng-dev libxml2-dev libtiff-dev nlohmann-json3-dev
+
+ - name: Disable wxWidgets for CFL
+ shell: bash --noprofile --norc {0}
+ env:
+ BASH_ENV: /dev/null
+ run: |
+ set -euo pipefail
+ sed -i 's/^ find_package(wxWidgets COMPONENTS core base REQUIRED)/# find_package(wxWidgets COMPONENTS core base REQUIRED) # Disabled for CFL/g' Build/Cmake/CMakeLists.txt
+ sed -i 's/^ ADD_SUBDIRECTORY(Tools\/wxProfileDump)/# ADD_SUBDIRECTORY(Tools\/wxProfileDump) # Disabled for CFL/g' Build/Cmake/CMakeLists.txt
+ sed -i 's/^ message(FATAL_ERROR "wxWidgets not found/ # message(FATAL_ERROR "wxWidgets not found/g' Build/Cmake/CMakeLists.txt
+
+ - name: Build
+ shell: bash --noprofile --norc {0}
+ env:
+ BASH_ENV: /dev/null
+ run: |
+ set -euo pipefail
+ git config --add safe.directory "$PWD"
+ git config --global credential.helper ""
+ unset GITHUB_TOKEN || true
+ mkdir -p Build && cd Build
+ cmake ../Build/Cmake -DCMAKE_BUILD_TYPE=Release
+ make -j$(nproc)
+
+ - name: Verify Version Headers in Build Directory
+ shell: bash --noprofile --norc {0}
+ env:
+ BASH_ENV: /dev/null
+ run: |
+ set -euo pipefail
+ git config --add safe.directory "$PWD"
+ git config --global credential.helper ""
+ unset GITHUB_TOKEN || true
+ # Version headers should be in build directory after cmake configure
+ # Note: These are generated by CMake, not committed to repository
+ if [ ! -f "Build/IccProfLib/IccProfLibVer.h" ] && [ ! -f "IccProfLib/IccProfLibVer.h" ]; then
+ echo "WARNING: IccProfLibVer.h not found (may not be generated yet)"
+ fi
+ if [ ! -f "Build/IccXML/IccLibXMLVer.h" ] && [ ! -f "IccXML/IccLibXML/IccLibXMLVer.h" ]; then
+ echo "WARNING: IccLibXMLVer.h not found (may not be generated yet)"
+ fi
+ echo "✅ Version headers correctly generated in build directory"
+
+ #############################################################################
+ # Job 7: Clean/Rebuild Cycle Test
+ #############################################################################
+ clean-rebuild-test:
+ name: "Clean/Rebuild Cycle Test"
+ runs-on: ubuntu-latest
+ timeout-minutes: 20
+ defaults:
+ run:
+ shell: bash --noprofile --norc {0}
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ ref: ${{ env.CHECKOUT_REF }}
+ fetch-depth: 0
+ persist-credentials: false
+
+ - name: Configure Git Environment
+ shell: bash --noprofile --norc {0}
+ env:
+ BASH_ENV: /dev/null
+ run: |
+ set -euo pipefail
+ git config --global --add safe.directory "$GITHUB_WORKSPACE"
+ git config --global credential.helper ""
+ unset GITHUB_TOKEN || true
+
+ - name: Install Dependencies
+ shell: bash --noprofile --norc {0}
+ env:
+ BASH_ENV: /dev/null
+ run: |
+ set -euo pipefail
+ git config --add safe.directory "$PWD"
+ git config --global credential.helper ""
+ unset GITHUB_TOKEN || true
+ sudo apt-get update -qq
+ sudo apt-get install -y build-essential cmake libpng-dev libxml2-dev libtiff-dev nlohmann-json3-dev
+
+ - name: Disable wxWidgets for CFL
+ shell: bash --noprofile --norc {0}
+ env:
+ BASH_ENV: /dev/null
+ run: |
+ set -euo pipefail
+ sed -i 's/^ find_package(wxWidgets COMPONENTS core base REQUIRED)/# find_package(wxWidgets COMPONENTS core base REQUIRED) # Disabled for CFL/g' Build/Cmake/CMakeLists.txt
+ sed -i 's/^ ADD_SUBDIRECTORY(Tools\/wxProfileDump)/# ADD_SUBDIRECTORY(Tools\/wxProfileDump) # Disabled for CFL/g' Build/Cmake/CMakeLists.txt
+ sed -i 's/^ message(FATAL_ERROR "wxWidgets not found/ # message(FATAL_ERROR "wxWidgets not found/g' Build/Cmake/CMakeLists.txt
+
+ - name: Initial Build
+ shell: bash --noprofile --norc {0}
+ env:
+ BASH_ENV: /dev/null
+ run: |
+ set -euo pipefail
+ git config --add safe.directory "$PWD"
+ git config --global credential.helper ""
+ unset GITHUB_TOKEN || true
+ mkdir -p Build && cd Build
+ cmake ../Build/Cmake -DCMAKE_BUILD_TYPE=Release
+ make -j$(nproc)
+ TOOL_COUNT_1=$(find Tools -type f -executable | wc -l)
+ echo "Initial build: $TOOL_COUNT_1 tools"
+ echo "TOOL_COUNT_1=$TOOL_COUNT_1" >> $GITHUB_ENV
+
+ - name: Clean
+ shell: bash --noprofile --norc {0}
+ env:
+ BASH_ENV: /dev/null
+ run: |
+ set -euo pipefail
+ git config --add safe.directory "$PWD"
+ git config --global credential.helper ""
+ unset GITHUB_TOKEN || true
+ cd Build
+ make clean
+ REMAINING=$(find Tools -type f -executable 2>/dev/null | wc -l || echo 0)
+ echo "After clean: $REMAINING executables"
+ if [ "$REMAINING" -ne 0 ]; then
+ echo "ERROR: make clean did not remove all executables"
+ exit 1
+ fi
+
+ - name: Rebuild
+ shell: bash --noprofile --norc {0}
+ env:
+ BASH_ENV: /dev/null
+ run: |
+ set -euo pipefail
+ git config --add safe.directory "$PWD"
+ git config --global credential.helper ""
+ unset GITHUB_TOKEN || true
+ cd Build
+ make -j$(nproc)
+ TOOL_COUNT_2=$(find Tools -type f -executable | wc -l)
+ echo "After rebuild: $TOOL_COUNT_2 tools"
+ if [ "$TOOL_COUNT_2" -ne "${{ env.TOOL_COUNT_1 }}" ]; then
+ echo "ERROR: Rebuild produced different number of tools ($TOOL_COUNT_2 vs ${{ env.TOOL_COUNT_1 }})"
+ exit 1
+ fi
+ echo "✅ Clean/rebuild cycle successful"
+
+ #############################################################################
+ # Job 8: Final Summary
+ #############################################################################
+ final-summary:
+ name: "Test Summary"
+ runs-on: ubuntu-latest
+ needs: [standard-builds, fuzzer-builds, sanitizer-builds, option-matrix, windows-build, version-header-test, clean-rebuild-test]
+ if: always()
+
+ steps:
+ - name: Generate Summary
+ shell: bash --noprofile --norc {0}
+ env:
+ BASH_ENV: /dev/null
+ run: |
+ set -euo pipefail
+ {
+ echo "# Comprehensive Build & Test Results"
+ echo ""
+ echo "## Test Coverage"
+ echo ""
+ echo "### Platforms"
+ echo "- ✅ Ubuntu (latest)"
+ echo "- ✅ macOS (latest)"
+ echo "- ✅ Windows (latest)"
+ echo ""
+ echo "### Compilers"
+ echo "- ✅ GCC (Ubuntu)"
+ echo "- ✅ Clang (Ubuntu, macOS)"
+ echo "- ✅ MSVC (Windows)"
+ echo ""
+ echo "### Build Types"
+ echo "- ✅ Release (default)"
+ echo "- ✅ Debug"
+ echo "- ✅ RelWithDebInfo"
+ echo ""
+ echo "### Sanitizers"
+ echo "- ✅ AddressSanitizer (ASAN)"
+ echo "- ✅ UndefinedBehaviorSanitizer (UBSAN)"
+ echo "- ✅ Combined ASAN+UBSAN"
+ echo ""
+ echo "### Build Options"
+ echo "- ✅ VERBOSE_CONFIG"
+ echo "- ✅ ENABLE_COVERAGE"
+ echo "- ✅ ICC_ENABLE_ASSERTS"
+ echo "- ✅ ICC_TRACE_NAN_ENABLED"
+ echo "- ✅ Shared libs only"
+ echo "- ✅ Static libs only"
+ echo ""
+ echo "### Fuzzing"
+ echo "- ✅ 14 libFuzzer harnesses (Debug + Full Instrumentation)"
+ echo ""
+ echo "### Special Tests"
+ echo "- ✅ Version header generation (build directory)"
+ echo "- ✅ Clean source tree after build"
+ echo "- ✅ Clean/rebuild cycle"
+ echo ""
+ echo "## Job Results"
+ echo ""
+ echo "| Job | Status |"
+ echo "|-----|--------|"
+ echo "| Standard Builds | ${{ needs.standard-builds.result }} |"
+ echo "| Fuzzer Builds | ${{ needs.fuzzer-builds.result }} |"
+ echo "| Sanitizer Builds | ${{ needs.sanitizer-builds.result }} |"
+ echo "| Option Matrix | ${{ needs.option-matrix.result }} |"
+ echo "| Windows Build | ${{ needs.windows-build.result }} |"
+ echo "| Version Header Test | ${{ needs.version-header-test.result }} |"
+ echo "| Clean/Rebuild Test | ${{ needs.clean-rebuild-test.result }} |"
+ echo ""
+ echo "---"
+ echo ""
+ echo "**Compliance:** Hoyt shell/PowerShell prologue standards"
+ echo "**Reference:** llmcjf/actions/"
+ } >> $GITHUB_STEP_SUMMARY
diff --git a/.github/workflows/ci-latest-release.yml b/.github/workflows/ci-latest-release.yml
index 3f5e2ec92..b9f2bac87 100644
--- a/.github/workflows/ci-latest-release.yml
+++ b/.github/workflows/ci-latest-release.yml
@@ -1,27 +1,29 @@
###############################################################
#
-## Copyright (©) 2025 International Color Consortium.
+## Copyright (©) 2025-2026 International Color Consortium.
## All rights reserved.
## https://color.org
#
#
## Intent: ci-latest-release
#
-## Last Updated: 31-JAN-2025 0100Z by David Hoyt
+## Last Updated: 2026-02-17 18:05:19 UTC UTC by David Hoyt
+# Clean .pdb files from Zip Bundle
+# Change Build to Release per Developer Spec
+# Note that Cmake Default Build = Release (now)
# Add bash & pwsh shell prologues
+# Align Unix & Windows Bundle per Developer Spec
+# Thank you Max & Phil for the Corrections!
#
# TODO: Extract repetitive shell commands to reusable script
-#
-#
-# Ref: https://github.com/xsscx/governance/tree/main/actions
-#
+#
###############################################################
name: ci-latest-release
permissions:
contents: read
-
+
on:
workflow_dispatch:
@@ -29,7 +31,7 @@ jobs:
linux:
name: "Linux ${{ matrix.compiler }}"
runs-on: ubuntu-latest
- timeout-minutes: 20
+ timeout-minutes: 45
strategy:
fail-fast: false
matrix:
@@ -127,15 +129,82 @@ jobs:
echo "::error ::Build failed! CMakeCache.txt not found." | tee -a $GITHUB_STEP_SUMMARY
exit 1
fi
+ - name: Stage bundle into Testing directory
+ shell: bash --noprofile --norc {0}
+ env:
+ BASH_ENV: /dev/null
+ run: |
+ set -euo pipefail
+ stage="staging/iccDEV-Testing"
+ mkdir -p "$stage"
+ # 1. Copy Testing contents (exclude Fuzzing)
+ for item in Testing/*; do
+ [ "$(basename "$item")" = "Fuzzing" ] && continue
+ cp -a "$item" "$stage/"
+ done
+ # 2. Copy tool binaries and libraries from build
+ find Build/Tools -type f \( -perm -u+x -o -name '*.so*' -o -name '*.a' \) \
+ -exec cp -a {} "$stage/" \;
+ find Build/IccProfLib -type f -name '*.so*' \
+ -exec cp -a {} "$stage/" \; 2>/dev/null || true
+ find Build/IccProfLib -type l -name '*.so*' \
+ -exec cp -a {} "$stage/" \; 2>/dev/null || true
+ find Build/IccXML -type f -name '*.so*' \
+ -exec cp -a {} "$stage/" \; 2>/dev/null || true
+ find Build/IccXML -type l -name '*.so*' \
+ -exec cp -a {} "$stage/" \; 2>/dev/null || true
+ # 3. Copy Testing/Readme.md, LICENSE.md and docs/
+ cp Testing/Readme.md "$stage/"
+ cp LICENSE.md "$stage/"
+ cp -a docs "$stage/docs"
+ # 4. Generate path.sh helper script (POSIX-compatible, resolves from script location)
+ printf '%s\n' \
+ '#!/bin/sh' \
+ '# Resolve the directory where this script lives' \
+ 'if [ -n "${BASH_SOURCE:-}" ]; then' \
+ ' SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"' \
+ 'else' \
+ ' SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"' \
+ 'fi' \
+ 'export PATH="$SCRIPT_DIR:$PATH"' \
+ 'export LD_LIBRARY_PATH="$SCRIPT_DIR${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"' \
+ 'for d in "$SCRIPT_DIR"/*/; do' \
+ ' [ -d "$d" ] && export PATH="$d:$PATH"' \
+ 'done' \
+ 'echo "PATH and LD_LIBRARY_PATH updated."' \
+ 'echo "Tools directory: $SCRIPT_DIR"' \
+ > "$stage/path.sh"
+ chmod +x "$stage/path.sh"
+ # Summary of staged bundle contents
+ total=$(find "$stage" -type f | wc -l)
+ echo ""
+ echo "===== Staged Bundle Contents ($total files) ====="
+ for ext in so 'so.*' a icc md; do
+ count=$(find "$stage" -maxdepth 1 -type f -name "*.$ext" -o -type l -name "*.$ext" | wc -l)
+ if [ "$count" -gt 0 ]; then
+ echo ""
+ echo "--- *.$ext ($count) ---"
+ find "$stage" -maxdepth 1 \( -type f -o -type l \) -name "*.$ext" -printf ' %f (%k KB)\n' 2>/dev/null || \
+ find "$stage" -maxdepth 1 \( -type f -o -type l \) -name "*.$ext" -exec bash -c 'echo " $(basename {}) ($(( $(stat -f%z {} 2>/dev/null || stat -c%s {}) / 1024 )) KB)"' \;
+ fi
+ done
+ # List executables (ELF binaries without extension)
+ exes=$(find "$stage" -maxdepth 1 -type f -executable ! -name '*.*' | wc -l)
+ if [ "$exes" -gt 0 ]; then
+ echo ""
+ echo "--- executables ($exes) ---"
+ find "$stage" -maxdepth 1 -type f -executable ! -name '*.*' -printf ' %f (%k KB)\n' 2>/dev/null || \
+ find "$stage" -maxdepth 1 -type f -executable ! -name '*.*' -exec bash -c 'echo " $(basename {}) ($(( $(stat -f%z {} 2>/dev/null || stat -c%s {}) / 1024 )) KB)"' \;
+ fi
+ echo ""
+ echo "Total: $total files staged into $stage"
+ echo ""
- name: Upload Linux Artifacts
uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4
with:
name: iccdev-linux-${{ matrix.compiler }}
- path: |
- Build
- LICENSE.md
- README.md
- docs/**
+ path: staging
+ if-no-files-found: warn
- name: Summary Report
if: always()
@@ -169,9 +238,9 @@ jobs:
git config --global credential.helper ""
unset GITHUB_TOKEN || true
echo "Installing Homebrew dependencies..."
- brew install libpng nlohmann-json libxml2 wxwidgets libtiff jpeg || echo "⚠️ Some dependencies might already be installed."
+ brew install libpng nlohmann-json libxml2 wxwidgets libtiff jpeg-turbo || echo "⚠️ Some dependencies might already be installed."
echo "✔ Dependency installation complete."
-
+
- name: CMake Configure
shell: bash --noprofile --norc {0}
env:
@@ -184,18 +253,18 @@ jobs:
echo "Setting up CMake build configuration..."
cd Build
sudo rm -rf /Library/Frameworks/Mono.framework/Headers/png.h
- echo 'export PATH="/opt/homebrew/opt/jpeg/bin:$PATH"' >> /Users/runner/.bash_profile
- export CPPFLAGS="-I/opt/homebrew/opt/jpeg/include"
- export PKG_CONFIG_PATH="/opt/homebrew/opt/jpeg/lib/pkgconfig"
- export CFLAGS="-I$(brew --prefix libpng)/include -I$(brew --prefix jpeg)/include"
- export LDFLAGS="-L$(brew --prefix libpng)/lib -L$(brew --prefix jpeg)/lib"
+ echo 'export PATH="/opt/homebrew/opt/jpeg-turbo/bin:$PATH"' >> /Users/runner/.bash_profile
+ export CPPFLAGS="-I/opt/homebrew/opt/jpeg-turbo/include"
+ export PKG_CONFIG_PATH="/opt/homebrew/opt/jpeg-turbo/lib/pkgconfig"
+ export CFLAGS="-I$(brew --prefix libpng)/include -I$(brew --prefix jpeg-turbo)/include"
+ export LDFLAGS="-L$(brew --prefix libpng)/lib -L$(brew --prefix jpeg-turbo)/lib"
cmake -DCMAKE_INSTALL_PREFIX=$HOME/.local \
-DCMAKE_BUILD_TYPE=Release \
- -DJPEG_LIBRARY=$(brew --prefix jpeg)/lib/libjpeg.dylib \
- -DJPEG_INCLUDE_DIR=$(brew --prefix jpeg)/include \
+ -DJPEG_LIBRARY=$(brew --prefix jpeg-turbo)/lib/libjpeg.dylib \
+ -DJPEG_INCLUDE_DIR=$(brew --prefix jpeg-turbo)/include \
-Wno-dev Cmake/
echo "✔ CMake configuration complete."
-
+
- name: Build
shell: bash --noprofile --norc {0}
env:
@@ -214,20 +283,85 @@ jobs:
echo "=== Updating PATH ==="
for d in ../Build/Tools/*; do
[ -d "$d" ] && export PATH="$(realpath "$d"):$PATH"
- done
+ done
sh CreateAllProfiles.sh
sh RunTests.sh
find . -iname "*.icc" | wc -l
-
+
+ - name: Stage bundle into Testing directory
+ shell: bash --noprofile --norc {0}
+ env:
+ BASH_ENV: /dev/null
+ run: |
+ set -euo pipefail
+ stage="staging/iccDEV-Testing"
+ mkdir -p "$stage"
+ # 1. Copy Testing contents (exclude Fuzzing)
+ for item in Testing/*; do
+ [ "$(basename "$item")" = "Fuzzing" ] && continue
+ cp -a "$item" "$stage/"
+ done
+ # 2. Copy tool binaries and libraries from build
+ find Build/Tools -type f \( -perm -u+x -o -name '*.dylib' -o -name '*.a' \) \
+ -exec cp -a {} "$stage/" \;
+ find Build/IccProfLib -type f -name '*.dylib' \
+ -exec cp -a {} "$stage/" \; 2>/dev/null || true
+ find Build/IccProfLib -type l -name '*.dylib' \
+ -exec cp -a {} "$stage/" \; 2>/dev/null || true
+ find Build/IccXML -type f -name '*.dylib' \
+ -exec cp -a {} "$stage/" \; 2>/dev/null || true
+ find Build/IccXML -type l -name '*.dylib' \
+ -exec cp -a {} "$stage/" \; 2>/dev/null || true
+ # 3. Copy Testing/Readme.md, LICENSE.md and docs/
+ cp Testing/Readme.md "$stage/"
+ cp LICENSE.md "$stage/"
+ cp -a docs "$stage/docs"
+ # 4. Generate path.sh helper script (POSIX-compatible, resolves from script location)
+ printf '%s\n' \
+ '#!/bin/sh' \
+ '# Resolve the directory where this script lives' \
+ 'if [ -n "${BASH_SOURCE:-}" ]; then' \
+ ' SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"' \
+ 'else' \
+ ' SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"' \
+ 'fi' \
+ 'export PATH="$SCRIPT_DIR:$PATH"' \
+ 'export DYLD_LIBRARY_PATH="$SCRIPT_DIR${DYLD_LIBRARY_PATH:+:$DYLD_LIBRARY_PATH}"' \
+ 'for d in "$SCRIPT_DIR"/*/; do' \
+ ' [ -d "$d" ] && export PATH="$d:$PATH"' \
+ 'done' \
+ 'echo "PATH and DYLD_LIBRARY_PATH updated."' \
+ 'echo "Tools directory: $SCRIPT_DIR"' \
+ > "$stage/path.sh"
+ chmod +x "$stage/path.sh"
+ # Summary of staged bundle contents
+ total=$(find "$stage" -type f | wc -l)
+ echo ""
+ echo "===== Staged Bundle Contents ($total files) ====="
+ for ext in dylib a icc md; do
+ count=$(find "$stage" -maxdepth 1 -type f -name "*.$ext" -o -type l -name "*.$ext" | wc -l)
+ if [ "$count" -gt 0 ]; then
+ echo ""
+ echo "--- *.$ext ($count) ---"
+ find "$stage" -maxdepth 1 \( -type f -o -type l \) -name "*.$ext" -exec bash -c 'echo " $(basename {}) ($(( $(stat -f%z {} 2>/dev/null || stat -c%s {}) / 1024 )) KB)"' \;
+ fi
+ done
+ # List executables (Mach-O binaries without extension)
+ exes=$(find "$stage" -maxdepth 1 -type f -perm +111 ! -name '*.*' | wc -l)
+ if [ "$exes" -gt 0 ]; then
+ echo ""
+ echo "--- executables ($exes) ---"
+ find "$stage" -maxdepth 1 -type f -perm +111 ! -name '*.*' -exec bash -c 'echo " $(basename {}) ($(( $(stat -f%z {} 2>/dev/null || stat -c%s {}) / 1024 )) KB)"' \;
+ fi
+ echo ""
+ echo "Total: $total files staged into $stage"
+ echo ""
- name: Upload macOS Artifacts
uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4
with:
name: iccdev-macos-clang
- path: |
- Build
- LICENSE.md
- README.md
- docs/**
+ path: staging
+ if-no-files-found: warn
- name: Summary Report
if: always()
shell: bash --noprofile --norc {0}
@@ -245,7 +379,7 @@ jobs:
windows:
name: "Windows MSVC"
runs-on: windows-latest
- timeout-minutes: 20
+ timeout-minutes: 45
env:
POWERSHELL_TELEMETRY_OPTOUT: "1"
defaults:
@@ -268,7 +402,7 @@ jobs:
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'
$ProgressPreference = 'SilentlyContinue'
-
+
# --- Disable telemetry sources (pwsh / dotnet / gh) ---
$env:POWERSHELL_TELEMETRY_OPTOUT = "1"
$env:DOTNET_CLI_TELEMETRY_OPTOUT = "1"
@@ -280,7 +414,7 @@ jobs:
if (-not (Test-Path $env:GITHUB_WORKSPACE)) {
throw "Invalid GITHUB_WORKSPACE path: $env:GITHUB_WORKSPACE"
}
-
+
# --- Remove tokens or uci that should not exist in PR CI ---
foreach ($v in @(
'GITHUB_TOKEN',
@@ -292,7 +426,7 @@ jobs:
Remove-Item "Env:$v" -ErrorAction SilentlyContinue
}
}
-
+
# --- Canonicalization then sanitize user controllable input ---
function Canonicalize([string]$s) {
if (-not $s) { return "" }
@@ -301,7 +435,7 @@ jobs:
$s = -join ($s.ToCharArray() | Where-Object { [int]$_ -ge 32 })
return $s
}
-
+
# --- Canonicalize PR-controlled environment values ---
$env:GITHUB_REF = Canonicalize $env:GITHUB_REF
$env:GITHUB_HEAD_REF = Canonicalize $env:GITHUB_HEAD_REF
@@ -310,7 +444,7 @@ jobs:
# --- Harden Git configuration ---
git config --add safe.directory "$PWD"
git config --global credential.helper ""
-
+
# --- PATH hardening: limit to trusted tool locations ---
$trustedPath = @(
"$env:SystemRoot\system32",
@@ -319,9 +453,8 @@ jobs:
"$env:ProgramFiles\PowerShell\7"
) -join ';'
$env:PATH = $trustedPath
-
- Write-Host "Finished UCI Gate 1 for pwsh" -ForegroundColor Green
+ Write-Host "Finished UCI Gate 1 for pwsh" -ForegroundColor Green
- name: Setup MSBuild
uses: microsoft/setup-msbuild@767f00a3f09872d96a0cb9fcd5e6a4ff33311330
@@ -334,13 +467,11 @@ jobs:
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'
$ProgressPreference = 'SilentlyContinue'
-
Write-Host "Triggered by: $env:GITHUB_EVENT_NAME"
Write-Host "Base branch: $env:GITHUB_BASE_REF"
Write-Host "Head branch: $env:GITHUB_HEAD_REF"
Write-Host "Commit SHA: $env:PR_HEAD_SHA"
Write-Host "OS: $env:RUNNER_OS"
-
- name: Install dependencies and build
shell: pwsh
run: |
@@ -360,9 +491,9 @@ jobs:
tar -xf deps.zip
cd Build/Cmake
Write-Host "========= Building... ================`n"
- cmake -B build -S . -DCMAKE_TOOLCHAIN_FILE="..\..\scripts\buildsystems\vcpkg.cmake" -DVCPKG_MANIFEST_MODE=OFF -DCMAKE_BUILD_TYPE=Debug -Wno-dev
- cmake --build build -- /m /maxcpucount
- cmake --build build -- /m /maxcpucount
+ cmake -B build -S . -DCMAKE_TOOLCHAIN_FILE="..\..\scripts\buildsystems\vcpkg.cmake" -DVCPKG_MANIFEST_MODE=OFF -DCMAKE_BUILD_TYPE=Release -Wno-dev
+ cmake --build build --config Release -- /m /maxcpucount
+ cmake --build build --config Release -- /m /maxcpucount
$exeDirs = Get-ChildItem -Recurse -File -Include *.exe -Path .\build\ |
Where-Object { $_.FullName -match 'icc' -and $_.FullName -notmatch '\\CMakeFiles\\' -and $_.Name -notmatch '^CMake(C|CXX)CompilerId\.exe$' } |
ForEach-Object { Split-Path $_.FullName -Parent } |
@@ -397,38 +528,89 @@ jobs:
# Collect .icc profile information
$profiles = Get-ChildItem -Path . -Filter "*.icc" -Recurse -File
$totalCount = $profiles.Count
-
+
# Group profiles by directory
$groupedProfiles = $profiles | Group-Object { $_.Directory.FullName }
-
+
# Generate Summary Report
Write-Host "`n========================="
Write-Host " ICC Profile Report"
Write-Host "========================="
-
+
# Print count per subdirectory
foreach ($group in $groupedProfiles) {
Write-Host ("{0}: {1} .icc profiles" -f $group.Name, $group.Count)
}
-
+
Write-Host "`nTotal .icc profiles found: $totalCount"
Write-Host "=========================`n"
-
+
Write-Host "All Done!"
+ - name: Stage bundle into Testing directory
+ shell: pwsh
+ run: |
+ Set-StrictMode -Version Latest
+ $ErrorActionPreference = 'Stop'
+ $ProgressPreference = 'SilentlyContinue'
+ $stage = "staging/iccDEV-Testing"
+ New-Item -ItemType Directory -Force -Path $stage | Out-Null
+ # 1. Copy the entire Testing directory contents (exclude Fuzzing)
+ Get-ChildItem -Path "Testing" -Exclude "Fuzzing" |
+ Copy-Item -Destination $stage -Recurse -Force
+ # 2. Copy .exe and library files from the build (no .pdb in Release)
+ Get-ChildItem -Path "Build/Cmake/build" -Recurse -Include *.exe,*.dll,*.lib |
+ Where-Object { $_.FullName -notmatch '\\CMakeFiles\\' -and $_.Name -notmatch '^CMake(C|CXX)CompilerId\.exe$' } |
+ ForEach-Object { Copy-Item $_.FullName -Destination $stage -Force }
+ # 3. Copy Testing/Readme.md, LICENSE.md and docs/
+ Copy-Item -Path "Testing/Readme.md" -Destination $stage -Force
+ Copy-Item -Path "LICENSE.md" -Destination $stage -Force
+ Copy-Item -Path "docs" -Destination "$stage/docs" -Recurse -Force
+ # 4. Generate path.bat helper script
+ @'
+ @echo off
+ setlocal EnableDelayedExpansion
+ set "SCRIPT_DIR=%~dp0"
+ if "!SCRIPT_DIR:~-1!"=="\" set "SCRIPT_DIR=!SCRIPT_DIR:~0,-1!"
+ :: Build new PATH with script dir and all subdirs containing .exe
+ set "NEW_PATH=!SCRIPT_DIR!;!PATH!"
+ for /R "!SCRIPT_DIR!" %%F in (*.exe) do (
+ set "dir=%%~dpF"
+ if "!dir:~-1!"=="\" set "dir=!dir:~0,-1!"
+ echo !NEW_PATH! | findstr /I /C:"!dir!" >nul || set "NEW_PATH=!dir!;!NEW_PATH!"
+ )
+ :: Export PATH back to caller via endlocal trick
+ endlocal & set "PATH=%NEW_PATH%"
+ '@ | Set-Content -Path "$stage/path.bat" -Encoding ASCII
+ # Summary of staged bundle contents
+ $allFiles = Get-ChildItem -Path $stage -Recurse -File
+ $count = $allFiles.Count
+ Write-Host "`n===== Staged Bundle Contents ($count files) =====" -ForegroundColor Cyan
+ foreach ($ext in @('*.exe','*.dll','*.lib','*.icc','*.md')) {
+ $matched = $allFiles | Where-Object { $_.Name -like $ext }
+ if ($matched) {
+ Write-Host "`n--- $ext ($($matched.Count)) ---"
+ $matched | ForEach-Object {
+ $rel = $_.FullName.Replace((Resolve-Path $stage).Path + '\', '')
+ Write-Host " $rel ($([math]::Round($_.Length/1KB,1)) KB)"
+ }
+ }
+ }
+ $otherExts = $allFiles |
+ Where-Object { $_.Extension -notin '.exe','.dll','.lib','.icc','.md' } |
+ Group-Object Extension |
+ Sort-Object Count -Descending
+ if ($otherExts) {
+ Write-Host "`n--- Other files ---"
+ foreach ($g in $otherExts) {
+ Write-Host (" {0}: {1} file(s)" -f ($g.Name ? $g.Name : '(no ext)'), $g.Count)
+ }
+ }
+ Write-Host "`nTotal: $count files staged into $stage`n"
- name: Upload build artifacts
uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4
with:
name: iccdev-windows-msvc
- path: |
- Build/Cmake/build/**/*.lib
- Build/Cmake/build/**/*.a
- Build/Cmake/build/**/*.dll
- Build/Cmake/build/**/*.exe
- Build/Cmake/build/**/*.pdb
- Build/Cmake/Testing/**/*
- LICENSE.md
- README.md
- docs/**
+ path: staging
if-no-files-found: warn
- name: Host System Info
shell: pwsh
@@ -437,8 +619,24 @@ jobs:
Get-CimInstance -ClassName Win32_Processor
- name: Summary Report
if: always()
+ shell: pwsh
+ env:
+ POWERSHELL_TELEMETRY_OPTOUT: "1"
+ GH_REPOSITORY: ${{ github.repository }}
+ GH_COMMIT_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
+ GH_RUNNER_OS: ${{ runner.os }}
+ GH_JOB_STATUS: ${{ job.status }}
run: |
- echo "### Windows Build Summary" >> $GITHUB_STEP_SUMMARY
- echo "- Build Directory: Build/" >> $GITHUB_STEP_SUMMARY
- echo "- Artifacts Uploaded: iccdev-windows-msvc" >> $GITHUB_STEP_SUMMARY
- echo "- Status: Success" >> $GITHUB_STEP_SUMMARY
\ No newline at end of file
+ Set-StrictMode -Version Latest
+ $ErrorActionPreference = 'Stop'
+ $ProgressPreference = 'SilentlyContinue'
+ # Source trusted sanitizer from checked-out workspace
+ . .github/scripts/sanitize.ps1
+ "### Windows Build Summary" | Out-File -FilePath $env:GITHUB_STEP_SUMMARY -Append
+ "" | Out-File -FilePath $env:GITHUB_STEP_SUMMARY -Append
+ "- Repository: $(Sanitize-Line $env:GH_REPOSITORY)" | Out-File -FilePath $env:GITHUB_STEP_SUMMARY -Append
+ "- Commit SHA: $(Sanitize-Line $env:GH_COMMIT_SHA)" | Out-File -FilePath $env:GITHUB_STEP_SUMMARY -Append
+ "- Runner OS: $(Sanitize-Line $env:GH_RUNNER_OS)" | Out-File -FilePath $env:GITHUB_STEP_SUMMARY -Append
+ "- Build Directory: Build/" | Out-File -FilePath $env:GITHUB_STEP_SUMMARY -Append
+ "- Artifacts Uploaded: iccdev-windows-msvc" | Out-File -FilePath $env:GITHUB_STEP_SUMMARY -Append
+ "- Status: $(Sanitize-Line $env:GH_JOB_STATUS)" | Out-File -FilePath $env:GITHUB_STEP_SUMMARY -Append
\ No newline at end of file
diff --git a/.github/workflows/ci-pr-lint.yml b/.github/workflows/ci-pr-lint.yml
index d6b5f27cd..502c7ef9c 100644
--- a/.github/workflows/ci-pr-lint.yml
+++ b/.github/workflows/ci-pr-lint.yml
@@ -1,20 +1,16 @@
###############################################################
#
-# Copyright (©) 2025 International Color Consortium.
-# All rights reserved.
+# Copyright (©) 2025 International Color Consortium.
+# All rights reserved.
# https://color.org
#
#
# Intent: Static code analysis and linting
-# Last Updated: 02-JAN-2025 2100Z by David Hoyt
-#
-# Change git depth, other changes
-#
-#
-#
-#
-#
+# Last Updated: 2026-02-17 16:21:47 UTC by David Hoyt
#
+# Matrix: cppcheck and clang-tidy run as parallel
+# jobs, each with -j$(nproc). Build is shared via
+# artifact upload.
#
###############################################################
@@ -25,10 +21,8 @@ permissions:
pull-requests: read
on:
- # Allow manual trigger
workflow_dispatch:
- # Allow other workflows to call this
workflow_call:
inputs:
ubuntu-version:
@@ -38,13 +32,18 @@ on:
type: string
jobs:
- build-linux:
- name: Lint on ${{ inputs.ubuntu-version || 'ubuntu-latest' }}
+ #############################################################################
+ # Job 1: Build + determine files
+ #############################################################################
+ build:
+ name: "Build"
runs-on: ${{ inputs.ubuntu-version || 'ubuntu-latest' }}
- timeout-minutes: 30
+ timeout-minutes: 20
+ outputs:
+ no_src_changes: ${{ steps.diffcheck.outputs.no_src_changes }}
+ scope: ${{ steps.diffcheck.outputs.scope }}
steps:
- # --- Bump any Self-Hosted ---
- name: Validate ubuntu-version input
shell: bash --noprofile --norc {0}
env:
@@ -59,19 +58,14 @@ jobs:
exit 1
;;
esac
-
- uses: actions/checkout@c2d88d3ecc89a9ef08eebf45d9637801dcee7eb5
with:
fetch-depth: 0
- # Disable unsafe fetch options
persist-credentials: false
- name: Checkout base commit (trusted sanitizers)
uses: actions/checkout@c2d88d3ecc89a9ef08eebf45d9637801dcee7eb5
with:
- # For workflow_call from ci-pr-action: use github.sha (the base branch)
- # For pull_request: use github.event.pull_request.base.sha
- # For workflow_dispatch: use github.sha
ref: ${{ github.event.pull_request.base.sha || github.sha }}
path: base
fetch-depth: 1
@@ -81,25 +75,6 @@ jobs:
run: |
git config --global user.email "github-actions@github.com"
git config --global user.name "GitHub Actions"
-
- - name: Verify remote origin URL (opt out of malicious git configs)
- shell: bash --noprofile --norc {0}
- env:
- BASH_ENV: /dev/null
- run: |
- set -euo pipefail
- git config --add safe.directory "$PWD"
- git config --global credential.helper ""
- origin_url=$(git remote get-url origin || true)
- echo "Remote origin: $origin_url"
- # Enforce that origin points to the expected GitHub repository for this workflow run
- expected="https://github.com/${{ github.repository }}.git"
- # Allow both HTTPS and git@ forms if needed
- if [[ "$origin_url" != "$expected" && "$origin_url" != "${expected%.git}" && "$origin_url" != "git@github.com:InternationalColorConsortium/iccDEV.git" ]]; then
- echo "Origin URL mismatch: expected $expected, ${expected%.git}, or git@github.com:InternationalColorConsortium/iccDEV.git, got $origin_url" >&2
- exit 1
- fi
-
- name: Install Linux dependencies
shell: bash --noprofile --norc {0}
env:
@@ -109,17 +84,25 @@ jobs:
git config --add safe.directory "$PWD"
git config --global credential.helper ""
unset GITHUB_TOKEN || true
-
sudo apt-get update -qq
sudo apt-get install -y \
- build-essential cmake gcc g++ clang clang-tools \
- cppcheck clang-format pkg-config \
- libpng-dev libxml2-dev libtiff-dev \
+ build-essential cmake gcc g++ clang clang-tools clang-tidy \
+ cppcheck clang-format pkg-config jq \
+ libpng-dev libxml2-dev libtiff-dev libjpeg-dev \
nlohmann-json3-dev libwxgtk3.2-dev wx-common \
- python3 python3-pip curl git llvm
-
+ python3 curl git llvm
+ {
+ echo "### Environment"
+ echo "| Tool | Version |"
+ echo "|------|---------|"
+ echo "| cppcheck | $(cppcheck --version 2>&1) |"
+ echo "| clang-tidy | $(clang-tidy --version 2>&1 | head -1) |"
+ echo "| cmake | $(cmake --version | head -1) |"
+ echo "| nproc | $(nproc) |"
+ echo ""
+ } >> "$GITHUB_STEP_SUMMARY"
- id: diffcheck
- name: diffcheck for file changes
+ name: Determine files to analyze
shell: bash --noprofile --norc {0}
env:
BASH_ENV: /dev/null
@@ -128,49 +111,39 @@ jobs:
git config --add safe.directory "$PWD"
git config --global credential.helper ""
unset GITHUB_TOKEN || true
-
git show --stat --pretty=format:"Commit: %H%nAuthor: %an%nDate: %ad%n" HEAD
-
- # If not a pull_request event (e.g., workflow_dispatch or workflow_call),
- # skip source diff checking and mark as non-source change.
- if [ "${{ github.event_name }}" != "pull_request" ]; then
- echo "Non-PR event (${{ github.event_name }}) — skipping source diff check" >&2
- echo "no_src_changes=true" >> "$GITHUB_OUTPUT"
- exit 0
- fi
-
- base_ref="${{ github.base_ref }}"
-
- # Avoid fetching refs from user-controllable inputs like ($base_ref)
- case "$base_ref" in master)
- ;;
- *)
+ if [ "${{ github.event_name }}" = "pull_request" ]; then
+ base_ref="${{ github.base_ref }}"
+ case "$base_ref" in master) ;; *)
echo "Ref blocked or unsupported: $base_ref" >&2
echo "no_src_changes=true" >> "$GITHUB_OUTPUT"
+ echo "scope=none" >> "$GITHUB_OUTPUT"
exit 0
;;
- esac
-
- # Fetch enough history to find merge base
- git -c protocol.version=2 fetch --no-tags origin "${base_ref}" --depth=50
-
- # Case-insensitive extension match (c/h/cpp variants)
- # Use three-dot syntax to show changes since merge-base
- git diff --name-only "origin/${base_ref}...HEAD" \
- | tr -cd '[:alnum:]./\-_\n' \
- | grep -E '\.(cpp|cxx|cc|h|hpp)$' \
- | tr '\n' '\0' > changed_files.txt
-
- changed_file_count="$(xargs -0 -n1 < changed_files.txt | wc -l)"
-
- if [ "$changed_file_count" -eq 0 ]; then
- echo "no_src_changes=true" >> "$GITHUB_OUTPUT"
- else
- echo "no_src_changes=false" >> "$GITHUB_OUTPUT"
- fi
-
+ esac
+ git -c protocol.version=2 fetch --no-tags origin "${base_ref}" --depth=50
+ git diff --name-only "origin/${base_ref}...HEAD" \
+ | tr -cd '[:alnum:]./\-_\n' \
+ | grep -E '\.(cpp|cxx|cc|h|hpp)$' \
+ | tr '\n' '\0' > changed_files.txt
+ changed_file_count="$(xargs -0 -n1 < changed_files.txt | wc -l)"
+ if [ "$changed_file_count" -eq 0 ]; then
+ echo "no_src_changes=true" >> "$GITHUB_OUTPUT"
+ echo "scope=none" >> "$GITHUB_OUTPUT"
+ else
+ echo "no_src_changes=false" >> "$GITHUB_OUTPUT"
+ echo "scope=pr" >> "$GITHUB_OUTPUT"
+ echo "Analyzing $changed_file_count changed files"
+ fi
+ else
+ echo "no_src_changes=false" >> "$GITHUB_OUTPUT"
+ echo "scope=full" >> "$GITHUB_OUTPUT"
+ find IccProfLib IccXML Tools -type f \( -name '*.cpp' -o -name '*.h' -o -name '*.cxx' -o -name '*.cc' -o -name '*.hpp' \) -print0 > changed_files.txt
+ file_count="$(xargs -0 -n1 < changed_files.txt | wc -l)"
+ echo "Full-tree analysis: $file_count source files"
+ fi
- name: Configure and build
- if: ${{ steps.diffcheck.outputs.no_src_changes == 'false' }}
+ if: steps.diffcheck.outputs.no_src_changes == 'false'
shell: bash --noprofile --norc {0}
env:
BASH_ENV: /dev/null
@@ -179,15 +152,54 @@ jobs:
git config --add safe.directory "$PWD"
git config --global credential.helper ""
unset GITHUB_TOKEN || true
-
mkdir -p Build
cd Build
- cmake Cmake -DCMAKE_EXPORT_COMPILE_COMMANDS=ON
- make
- cd ..
+ cmake Cmake -DCMAKE_EXPORT_COMPILE_COMMANDS=ON -Wno-dev
+ make -j"$(nproc)"
+ - name: Upload build context
+ if: steps.diffcheck.outputs.no_src_changes == 'false'
+ uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4
+ with:
+ name: lint-build-context
+ retention-days: 1
+ path: |
+ Build/compile_commands.json
+ changed_files.txt
+ #############################################################################
+ # Job 2: Parallel lint matrix
+ # - cppcheck split by component (IccProfLib, IccXML, Tools)
+ # - clang-tidy runs full tree
+ #############################################################################
+ lint:
+ name: "${{ matrix.name }}"
+ runs-on: ${{ inputs.ubuntu-version || 'ubuntu-latest' }}
+ needs: build
+ if: needs.build.outputs.no_src_changes == 'false'
+ timeout-minutes: 30
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - name: "cppcheck • IccProfLib"
+ tool: cppcheck
+ component: IccProfLib
+ - name: "cppcheck • IccXML"
+ tool: cppcheck
+ component: IccXML
+ - name: "cppcheck • Tools"
+ tool: cppcheck
+ component: Tools
+ - name: "clang-tidy"
+ tool: clang-tidy
+ component: all
+ steps:
- - name: Run cppcheck
- if: ${{ steps.diffcheck.outputs.no_src_changes == 'false' }}
+ - uses: actions/checkout@c2d88d3ecc89a9ef08eebf45d9637801dcee7eb5
+ with:
+ fetch-depth: 0
+ persist-credentials: false
+
+ - name: Install dependencies
shell: bash --noprofile --norc {0}
env:
BASH_ENV: /dev/null
@@ -196,41 +208,33 @@ jobs:
git config --add safe.directory "$PWD"
git config --global credential.helper ""
unset GITHUB_TOKEN || true
-
- mkdir -p lint_reports
-
- echo "Running cppcheck on modified source files..."
-
- # --- SECURITY: null-delimited xargs ---
- : > lint_reports/cppcheck.txt
- xargs -0 cppcheck \
- --enable=warning,performance,portability \
- --std=c++17 \
- --output-file=lint_reports/cppcheck.txt \
- < changed_files.txt || true
+ sudo apt-get update -qq
+ sudo apt-get install -y \
+ build-essential cmake gcc g++ clang clang-tools clang-tidy \
+ cppcheck pkg-config \
+ libpng-dev libxml2-dev libtiff-dev libjpeg-dev \
+ nlohmann-json3-dev libwxgtk3.2-dev wx-common \
+ llvm
+ - name: Download build context
+ uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16
+ with:
+ name: lint-build-context
- - name: Run clang-tidy
- if: ${{ steps.diffcheck.outputs.no_src_changes == 'false' }}
+ - name: Filter files for component
+ if: matrix.tool == 'cppcheck'
shell: bash --noprofile --norc {0}
env:
BASH_ENV: /dev/null
run: |
set -euo pipefail
- git config --add safe.directory "$PWD"
- git config --global credential.helper ""
- unset GITHUB_TOKEN || true
- mkdir -p lint_reports
-
- # --- clang-tidy ---
- : > lint_reports/clang_tidy.txt
- xargs -0 run-clang-tidy \
- -p Build \
- -checks='modernize-*,readability-*,cppcoreguidelines-*,clang-analyzer-core.*,clang-analyzer-security.*,clang-analyzer-alpha.core.*,clang-analyzer-alpha.security.*' \
- < changed_files.txt \
- | tee lint_reports/clang_tidy.txt || true
-
- - name: Skip lint (no source changes)
- if: ${{ steps.diffcheck.outputs.no_src_changes == 'true' }}
+ # Filter changed_files.txt to only this component's files
+ xargs -0 -n1 < changed_files.txt \
+ | { grep "^${{ matrix.component }}/" || true; } \
+ | tr '\n' '\0' > component_files.txt
+ FILE_COUNT=$(xargs -0 -n1 < component_files.txt 2>/dev/null | wc -l)
+ echo "Component ${{ matrix.component }}: $FILE_COUNT files to analyze"
+ echo "file_count=$FILE_COUNT" >> "$GITHUB_ENV"
+ - name: Run ${{ matrix.name }}
shell: bash --noprofile --norc {0}
env:
BASH_ENV: /dev/null
@@ -239,16 +243,100 @@ jobs:
git config --add safe.directory "$PWD"
git config --global credential.helper ""
unset GITHUB_TOKEN || true
+ NPROC=$(nproc)
mkdir -p lint_reports
- echo "No .cpp/.h changes detected; skipping lint." > lint_reports/cppcheck.txt
- : > lint_reports/clang_tidy.txt
-
- - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4
+ if [ "${{ matrix.tool }}" = "cppcheck" ]; then
+ if [ "${file_count:-0}" -eq 0 ]; then
+ echo "No ${{ matrix.component }} files to check — skipping"
+ : > lint_reports/cppcheck_${{ matrix.component }}.txt
+ else
+ echo "Running cppcheck on ${{ matrix.component }} with $NPROC parallel jobs"
+ xargs -0 cppcheck \
+ -j "$NPROC" \
+ --enable=warning,performance,portability,style \
+ --std=c++17 \
+ --suppress=missingIncludeSystem \
+ < component_files.txt 2> lint_reports/cppcheck_${{ matrix.component }}.txt || true
+ echo "✓ cppcheck ${{ matrix.component }}: $(wc -l < lint_reports/cppcheck_${{ matrix.component }}.txt) lines"
+ fi
+ else
+ echo "Running clang-tidy with $NPROC parallel jobs"
+ xargs -0 run-clang-tidy \
+ -j "$NPROC" \
+ -p Build \
+ -checks='modernize-*,readability-*,cppcoreguidelines-*,clang-analyzer-core.*,clang-analyzer-security.*,clang-analyzer-alpha.core.*,clang-analyzer-alpha.security.*' \
+ < changed_files.txt \
+ > lint_reports/clang_tidy.txt 2>&1 || true
+ echo "✓ clang-tidy: $(wc -l < lint_reports/clang_tidy.txt) lines"
+ fi
+ - name: Upload results
+ uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4
with:
- name: lint-reports
+ name: lint-${{ matrix.tool }}-${{ matrix.component }}
+ retention-days: 3
path: lint_reports/
+ #############################################################################
+ # Job 3: Combined report
+ #############################################################################
+ report:
+ name: "Report"
+ runs-on: ubuntu-latest
+ needs: [build, lint]
+ if: always()
+ timeout-minutes: 5
+ steps:
+
+ - uses: actions/checkout@c2d88d3ecc89a9ef08eebf45d9637801dcee7eb5
+ with:
+ sparse-checkout: .github/scripts
+ persist-credentials: false
+
+ - name: Download cppcheck IccProfLib results
+ if: needs.lint.result == 'success' || needs.lint.result == 'failure'
+ uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16
+ with:
+ name: lint-cppcheck-IccProfLib
+ path: lint_reports/parts/
+ continue-on-error: true
+
+ - name: Download cppcheck IccXML results
+ if: needs.lint.result == 'success' || needs.lint.result == 'failure'
+ uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16
+ with:
+ name: lint-cppcheck-IccXML
+ path: lint_reports/parts/
+ continue-on-error: true
+ - name: Download cppcheck Tools results
+ if: needs.lint.result == 'success' || needs.lint.result == 'failure'
+ uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16
+ with:
+ name: lint-cppcheck-Tools
+ path: lint_reports/parts/
+ continue-on-error: true
+
+ - name: Download clang-tidy results
+ if: needs.lint.result == 'success' || needs.lint.result == 'failure'
+ uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16
+ with:
+ name: lint-clang-tidy-all
+ path: lint_reports/
+ continue-on-error: true
+
+ - name: Merge cppcheck results
+ if: needs.lint.result == 'success' || needs.lint.result == 'failure'
+ shell: bash --noprofile --norc {0}
+ env:
+ BASH_ENV: /dev/null
+ run: |
+ set -euo pipefail
+ mkdir -p lint_reports
+ : > lint_reports/cppcheck.txt
+ for f in lint_reports/parts/cppcheck_*.txt; do
+ [ -f "$f" ] && cat "$f" >> lint_reports/cppcheck.txt
+ done
+ echo "Merged cppcheck: $(wc -l < lint_reports/cppcheck.txt) lines"
- name: Generate GitHub summary
if: always()
shell: bash --noprofile --norc {0}
@@ -259,14 +347,11 @@ jobs:
git config --add safe.directory "$PWD"
git config --global credential.helper ""
unset GITHUB_TOKEN || true
-
- # Load trusted canonical sanitizer functions from base commit
- TRUSTED_SANITIZER="$GITHUB_WORKSPACE/base/.github/scripts/sanitize-sed.sh"
- if [[ -f "$TRUSTED_SANITIZER" ]]; then
+ SANITIZER=".github/scripts/sanitize-sed.sh"
+ if [[ -f "$SANITIZER" ]]; then
# shellcheck disable=SC1090
- source "$TRUSTED_SANITIZER"
+ source "$SANITIZER"
else
- # Fallback sanitizer
escape_html() {
local s="$1"
s="${s//&/&}"
@@ -278,19 +363,139 @@ jobs:
}
sanitize_line() { escape_html "$1"; }
fi
-
- echo "## 🧹 Lint Report Summary" >> $GITHUB_STEP_SUMMARY
-
- if [ "${{ steps.diffcheck.outputs.no_src_changes }}" == "true" ]; then
- echo "🟦 Skipped — no modified source files detected." >> $GITHUB_STEP_SUMMARY
- elif [ -s lint_reports/cppcheck.txt ]; then
- echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
- # Sanitize each line properly - avoid subshell issues
+ echo "## 🧹 Lint Report Summary" >> "$GITHUB_STEP_SUMMARY"
+ echo "" >> "$GITHUB_STEP_SUMMARY"
+ echo "**Scope:** ${{ needs.build.outputs.scope || 'unknown' }}" >> "$GITHUB_STEP_SUMMARY"
+ echo "" >> "$GITHUB_STEP_SUMMARY"
+ if [ "${{ needs.build.outputs.no_src_changes }}" = "true" ]; then
+ echo "🟦 Skipped — no modified source files detected." >> "$GITHUB_STEP_SUMMARY"
+ exit 0
+ fi
+ mkdir -p lint_reports
+ # --- cppcheck summary ---
+ echo "### cppcheck Results" >> "$GITHUB_STEP_SUMMARY"
+ echo "" >> "$GITHUB_STEP_SUMMARY"
+ if [ -s lint_reports/cppcheck.txt ]; then
+ cpp_warns=$({ grep -c 'warning:' lint_reports/cppcheck.txt 2>/dev/null || true; })
+ cpp_errs=$({ grep -c 'error:' lint_reports/cppcheck.txt 2>/dev/null || true; })
+ cpp_perf=$({ grep -c 'performance:' lint_reports/cppcheck.txt 2>/dev/null || true; })
+ cpp_port=$({ grep -c 'portability:' lint_reports/cppcheck.txt 2>/dev/null || true; })
+ cpp_style=$({ grep -c 'style:' lint_reports/cppcheck.txt 2>/dev/null || true; })
+ echo "| Severity | Count |" >> "$GITHUB_STEP_SUMMARY"
+ echo "|----------|-------|" >> "$GITHUB_STEP_SUMMARY"
+ echo "| error | $cpp_errs |" >> "$GITHUB_STEP_SUMMARY"
+ echo "| warning | $cpp_warns |" >> "$GITHUB_STEP_SUMMARY"
+ echo "| performance | $cpp_perf |" >> "$GITHUB_STEP_SUMMARY"
+ echo "| portability | $cpp_port |" >> "$GITHUB_STEP_SUMMARY"
+ echo "| style | $cpp_style |" >> "$GITHUB_STEP_SUMMARY"
+ echo "" >> "$GITHUB_STEP_SUMMARY"
+ echo "#### Findings by Component" >> "$GITHUB_STEP_SUMMARY"
+ echo "" >> "$GITHUB_STEP_SUMMARY"
+ echo "| Component | Findings |" >> "$GITHUB_STEP_SUMMARY"
+ echo "|-----------|----------|" >> "$GITHUB_STEP_SUMMARY"
+ for comp in IccProfLib IccXML Tools; do
+ f="lint_reports/parts/cppcheck_${comp}.txt"
+ if [ -f "$f" ] && [ -s "$f" ]; then
+ cnt=$(wc -l < "$f" | tr -d ' ')
+ else
+ cnt=0
+ fi
+ echo "| $comp | $cnt |" >> "$GITHUB_STEP_SUMMARY"
+ done
+ echo "" >> "$GITHUB_STEP_SUMMARY"
+ echo "#### Top cppcheck Files" >> "$GITHUB_STEP_SUMMARY"
+ echo "" >> "$GITHUB_STEP_SUMMARY"
+ { grep -oP '^[^:]+\.(cpp|h)' lint_reports/cppcheck.txt 2>/dev/null || true; } \
+ | sort | uniq -c | sort -rn | head -10 \
+ | while read -r cnt fname; do
+ echo "- **$cnt** — $fname" >> "$GITHUB_STEP_SUMMARY"
+ done
+ echo "" >> "$GITHUB_STEP_SUMMARY"
+ echo "cppcheck output (last 50 lines)
" >> "$GITHUB_STEP_SUMMARY"
+ echo "" >> "$GITHUB_STEP_SUMMARY"
+ echo '```' >> "$GITHUB_STEP_SUMMARY"
while IFS= read -r line; do
safe_line=$(sanitize_line "$line")
echo "$safe_line"
- done < <(tail -n 30 lint_reports/cppcheck.txt) >> $GITHUB_STEP_SUMMARY
- echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
+ done < <(tail -n 50 lint_reports/cppcheck.txt) >> "$GITHUB_STEP_SUMMARY"
+ echo '```' >> "$GITHUB_STEP_SUMMARY"
+ echo "