diff --git a/.github/workflows/sanitizers.yml b/.github/workflows/sanitizers.yml
new file mode 100644
index 0000000..7ab4a1d
--- /dev/null
+++ b/.github/workflows/sanitizers.yml
@@ -0,0 +1,97 @@
+# *******************************************************************************
+# Copyright (c) 2026 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# SPDX-License-Identifier: Apache-2.0
+# *******************************************************************************
+
+name: Sanitizers (Reusable)
+
+on:
+ workflow_call:
+ inputs:
+ sanitizer_configs:
+ description: 'Comma-separated list of sanitizer configs (e.g., asan_ubsan_lsan,tsan)'
+ required: false
+ default: 'asan_ubsan_lsan,tsan'
+ type: string
+ test_targets:
+ description: 'Bazel test targets'
+ required: false
+ default: '//tests/...'
+ type: string
+ bazelisk_version:
+ description: 'Bazelisk version'
+ required: false
+ default: '1.26.0'
+ type: string
+ runner_label:
+ description: 'Runner label fallback'
+ required: false
+ default: 'ubuntu-latest'
+ type: string
+
+permissions:
+ contents: read
+
+jobs:
+ prepare-matrix:
+ name: Prepare Matrix
+ runs-on: ubuntu-latest
+ outputs:
+ configs: ${{ steps.parse.outputs.configs }}
+ steps:
+ - name: Parse configs
+ id: parse
+ run: |
+ CONFIGS='${{ inputs.sanitizer_configs }}'
+ CONFIGS=$(echo "$CONFIGS" | tr -d ' ' | tr ',' '\n' | jq -R . | jq -s .)
+ echo "configs=$CONFIGS" >> $GITHUB_OUTPUT
+
+ sanitizer-tests:
+ name: ${{ matrix.sanitizer_config }}
+ runs-on: ${{ vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || inputs.runner_label }}
+ needs: prepare-matrix
+ strategy:
+ fail-fast: false
+ matrix:
+ sanitizer_config: ${{ fromJson(needs.prepare-matrix.outputs.configs) }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4.2.2
+ with:
+ ref: ${{ github.head_ref || github.event.pull_request.head.ref || github.ref }}
+ repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
+
+ - name: Setup Bazel
+ uses: bazel-contrib/setup-bazel@0.18.0
+ with:
+ bazelisk-version: ${{ inputs.bazelisk_version }}
+ disk-cache: ${{ github.workflow }}
+ repository-cache: true
+ bazelisk-cache: true
+ cache-save: ${{ github.event_name == 'push' }}
+
+ - name: Run tests
+ run: |
+ bazel test \
+ --config=${{ matrix.sanitizer_config }} \
+ ${{ inputs.test_targets }} \
+ --test_output=errors \
+ --verbose_failures
+
+ - name: Upload logs
+ if: failure()
+ uses: actions/upload-artifact@v6
+ with:
+ name: testlogs-${{ matrix.sanitizer_config }}-${{ github.run_id }}
+ path: bazel-testlogs/**/test.log
+ if-no-files-found: warn
+ retention-days: 7
+
diff --git a/README.md b/README.md
index 23debfd..6ea2bc2 100644
--- a/README.md
+++ b/README.md
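Review bot: In sanitizers.yml the `Parse configs` and `Run tests` steps paste `${{ inputs.sanitizer_configs }}`, `${{ matrix.sanitizer_config }}` and `${{ inputs.test_targets }}` straight into the shell script text, so a caller-supplied value containing a quote or shell metacharacter is executed as script rather than treated as data; bind them through `env:` and reference the quoted variables instead. In the same step, `jq -s .` pretty-prints across several lines, which a single `echo "configs=..." >> $GITHUB_OUTPUT` probably cannot carry, so `jq -c` is the safer form. The `Checkout` step fetches the pull request's head repository and ref and `bazel test` then builds it, on whatever runner `vars.REPO_RUNNER_LABELS` names; a header comment should say the workflow is meant for `pull_request`/`push` callers and not `pull_request_target`, and `persist-credentials: false` on the checkout would keep the token out of the workspace. The three actions are referenced by tag; pinning each to a full commit SHA would remove the dependence on a movable tag.

```yaml
      - name: Parse configs
        id: parse
        env:
          SANITIZER_CONFIGS: ${{ inputs.sanitizer_configs }}
        run: |
          # The input arrives as data in the environment, never as script text.
          # jq -c keeps the JSON array on one line for GITHUB_OUTPUT.
          CONFIGS=$(printf '%s\n' "$SANITIZER_CONFIGS" | tr -d ' ' | tr ',' '\n' | jq -R . | jq -c -s .)
          echo "configs=$CONFIGS" >> "$GITHUB_OUTPUT"

# … unchanged: sanitizer-tests job header, Checkout, Setup Bazel …

      - name: Run tests
        env:
          SANITIZER_CONFIG: ${{ matrix.sanitizer_config }}
          TEST_TARGETS: ${{ inputs.test_targets }}
        run: |
          # Split the target list on whitespace without re-parsing it as shell.
          read -r -a targets <<< "$TEST_TARGETS"
          bazel test \
            --config="$SANITIZER_CONFIG" \
            "${targets[@]}" \
            --test_output=errors \
            --verbose_failures

# … unchanged: Upload logs …
```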
@@ -18,6 +18,7 @@ These workflows integrate with **Bazel** and provide a consistent way to run **d | **Formatting Check** | Verifies code formatting using Bazel-based tools | | **Copyright Check** | Ensures all source files have the required copyright headers | | **Required Approvals** | Enforces stricter CODEOWNERS rules for multi-team approvals | +| **Sanitizers** | Runs Google Sanitizers (ASan, TSan, UBSan, LSan) for C++ modules | | **QNX Build (Gated)** | Builds QNX Bazel targets with environment-gated secrets for forks | | **Documentation Verification** | Verifies documentation builds correctly and uploads results | | **CodeQL Scan** | Performs security and quality analysis using GitHub CodeQL | @@ -318,8 +319,37 @@ jobs: --- +### **11️⃣ Sanitizers Workflow** -### **11. QNX Build (Gated) Workflow** +**Usage Example** +```yaml +name: Sanitizers CI + +on: + pull_request: + push: + branches: + - main + +jobs: + sanitizers: + uses: eclipse-score/cicd-workflows/.github/workflows/sanitizers.yml@main + with: + sanitizer_configs: 'asan_ubsan_lsan,tsan' # optional + test_targets: '//tests/...' # optional +``` + +This workflow: +✅ Runs sanitizers (ASan, TSan, UBSan, LSan) +✅ Executes tests in parallel +✅ Uploads logs on failure + +> ℹ️ **Note:** Module must define configs in `quality/sanitizer/sanitizer.bazelrc` and import via `.bazelrc` + +--- + + +### **12. QNX Build (Gated) Workflow** Use this workflow when you need QNX secrets for forked PRs and want a manual approval gate via an environment. @@ -355,7 +385,7 @@ jobs: --- -### **12. Documentation Verification Workflow** +### **13. Documentation Verification Workflow** This workflow verifies that documentation builds correctly and can be used to validate documentation changes in pull requests. @@ -386,7 +416,7 @@ jobs: --- -### **13. CodeQL Security Scan Workflow** +### **14. CodeQL Security Scan Workflow** This workflow performs security and quality analysis using GitHub's CodeQL with MISRA C++ coding standards. 
@@ -422,7 +452,7 @@ jobs: --- -### **14. SCORE PR Checks Workflow** +### **15. SCORE PR Checks Workflow** This workflow enforces SCORE-specific standards, particularly Bazel module naming conventions. @@ -455,7 +485,7 @@ jobs: --- -### **15. Template Sync Workflow** +### **16. Template Sync Workflow** This workflow automatically synchronizes your repository with the latest changes from `eclipse-score/module_template`.