chore(deps): update dependency https://github.com/serious-scaffold/ss-cpp to v1.6.14

.copier-answers.yml

@@ -1,4 +1,4 @@
-_commit: v1.6.12
+_commit: v1.6.14
 _src_path: https://github.com/serious-scaffold/ss-cpp
 author_email: msclock@126.com
 author_name: l.feng

.devcontainer/devcontainer.json

@@ -2,7 +2,7 @@
 // https://github.com/devcontainers/images/tree/main/src/base-ubuntu
 {
   "name": "cppfront-practice",
-  "image": "mcr.microsoft.com/devcontainers/base:ubuntu-22.04",
+  "image": "mcr.microsoft.com/devcontainers/base:ubuntu-24.04",
   "capAdd": [
     // Enable ptrace-based debugging for C++
     "SYS_PTRACE"

.github/workflows/cd.yml

@@ -19,7 +19,7 @@ env:
 jobs:
   pages:
     name: Deploy to GitHub Pages
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     if: ${{ github.ref_name == github.event.repository.default_branch || (github.event_name == 'release' && github.event.action == 'published') }}
     permissions:
       contents: write

.github/workflows/ci.yml

@@ -18,7 +18,7 @@ concurrency:
 
 jobs:
   pre-commit:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
@@ -34,7 +34,7 @@ jobs:
 
 
   check-on-linux:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     needs: [pre-commit]
     timeout-minutes: 15
     strategy:
@@ -119,7 +119,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        triplet: [x64-osx]
+        triplet: [arm64-osx]
         compiler: [gcc@13, llvm@17]
         std: [23]
         build_type: [Debug, RelWithDebInfo]
@@ -335,7 +335,7 @@ jobs:
         run: cmake --build --preset=default --target ccov-all
 
   check-sanitizers:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     needs: [pre-commit]
     timeout-minutes: 15
     strategy:
@@ -385,7 +385,7 @@ jobs:
         run: ctest --preset=default
 
   check-valgrind:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     needs: [pre-commit]
     timeout-minutes: 15
     strategy:
@@ -453,7 +453,7 @@ jobs:
           path: out/valgrind-results.tar.gz
 
   clang-tidy:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     needs: [pre-commit]
     timeout-minutes: 15
 
@@ -502,7 +502,7 @@ jobs:
 
 
   cppcheck:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     needs: [pre-commit]
     timeout-minutes: 15
 
@@ -551,7 +551,7 @@ jobs:
 
 
   check-docs:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     needs: [pre-commit]
     timeout-minutes: 15
 
@@ -597,7 +597,7 @@ jobs:
 
 
   codecov:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     needs: [pre-commit]
     timeout-minutes: 15
 
@@ -667,7 +667,7 @@ jobs:
       - clang-tidy
       - cppcheck
       - codecov
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 2
     permissions:
       pull-requests: write
@@ -679,5 +679,5 @@ jobs:
           jobs: ${{ toJSON(needs) }}
 
       - name: Approve pr if all jobs succeeded
-        if: contains(github.event.pull_request.labels.*.name, 'auto-approval')
+        if: contains(github.event.pull_request.labels.*.name, 'auto-approval') && contains(github.actor, '[bot]')
         uses: hmarr/auto-approve-action@v4

.github/workflows/codeql.yml

@@ -30,7 +30,7 @@ permissions:
 jobs:
   analyze:
     name: Analyze
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 15
     permissions:
       actions: read

.github/workflows/renovate.yml

@@ -2,7 +2,8 @@ name: Renovate
 
 on:
   schedule:
-    - cron: '*/15 0-3 * * 1'
+    # Match renovate schedule:earlyMondays and schedule:automergeMonthly
+    - cron: '*/15 0-3 * * *'
   workflow_dispatch:
 
 jobs:
@@ -20,7 +21,7 @@ jobs:
         RENOVATE_REPOSITORY_CACHE: enabled
       image: ghcr.io/renovatebot/renovate:39.42.4@sha256:c5d718e312cdacc0746e37f13c215ff498be28c51e50efd24c070ae29f5b636a
       options: --user root
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - run: env | sort
 

.github/workflows/semantic-release.yml

@@ -13,7 +13,7 @@ on:
 jobs:
   semantic-release:
     name: Semantic Release
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     if: github.event.workflow_run.conclusion == 'success' && github.repository == 'msclock/cppfront-practice'
     permissions:
       contents: write

.pre-commit-config.yaml

@@ -82,7 +82,7 @@ repos:
 
   # Clang format the codebase automatically
   - repo: https://github.com/pre-commit/mirrors-clang-format
-    rev: v18.1.8
+    rev: v19.1.4
     hooks:
       - id: clang-format
         types_or: [c++, c, cuda]

.renovaterc.json

@@ -11,19 +11,25 @@
   "platformAutomerge": true,
   "packageRules": [
     {
+      "automerge": true,
+      "addLabels": [
+        "auto-approval"
+      ],
+      "extends": [
+        "schedule:earlyMondays",
+        "schedule:automergeMonthly"
+      ],
       "matchUpdateTypes": [
         "minor",
         "patch",
         "pin",
         "digest"
-      ],
-      "automerge": true
+      ]
     },
     {
       "description": "Group renovate docker tag and pre-commit-hooks tag",
       "groupName": "renovate group",
       "addLabels": [
-        "auto-approval",
         "renovate"
       ],
       "matchDatasources": [
@@ -51,12 +57,12 @@
       ]
     },
     {
-      "description": "Update vcpkg.json builtin-baseline with git hash",
+      "description": "Update microsoft vcpkg baseline",
       "customType": "regex",
       "currentValueTemplate": "master",
       "datasourceTemplate": "git-refs",
       "depNameTemplate": "https://github.com/microsoft/vcpkg",
-      "depTypeTemplate": "vcpkg-builtin-baseline",
+      "depTypeTemplate": "vcpkg-baseline",
       "fileMatch": [
         "^vcpkg\\.json$"
       ],
@@ -65,11 +71,11 @@
       ]
     },
     {
-      "description": "Update registration baseline with git hash",
+      "description": "Update custom registry baseline",
       "customType": "regex",
       "currentValueTemplate": "master",
       "datasourceTemplate": "git-refs",
-      "depTypeTemplate": "registration-baseline",
+      "depTypeTemplate": "vcpkg-baseline",
       "fileMatch": [
         "^vcpkg\\.json$"
       ],

cmake/ConfigureCoverage.cmake

@@ -14,7 +14,6 @@ include_guard(GLOBAL)
 # cmake-format: off
 set(CODE_COVERAGE OFF CACHE BOOL "Enables code coverage.")
 set(CODE_COVERAGE_GCOVR_REPORT_FORMAT xml CACHE STRING "Sets the gcovr report format.")
-set(CODE_COVERAGE_LCOV_EXTRA_FLAGS "--ignore-errors=gcov" CACHE STRING "Extra flags to pass to lcov")
 
 include(cmake-modules/test/Coverage)
 
@@ -26,7 +25,7 @@ endif()
 
 # Exclude system directories from code coverage
 if(NOT CMAKE_HOST_SYSTEM_NAME MATCHES "Windows")
-  list(APPEND _excludes "/usr" "/opt")
+  list(APPEND _excludes "/usr")
 endif()
 
 add_code_coverage_all_targets(

cmake/ConfigureWarningsAndHardening.cmake

@@ -73,4 +73,48 @@ include(cmake-modules/build/CompilerFlags)
 # Hardening
 # ##############################################################################
 
+# Comment `-Wl,-z,nodlopen` for dlopen call
+if(NOT MSVC)
+  set(USE_HARDENING_FLAGS
+      -D_GLIBCXX_ASSERTIONS # Enable assertions
+      -U_FORTIFY_SOURCE # Disable stack protector
+      -D_FORTIFY_SOURCE=3 # Enable stack protector
+      -fstack-protector-strong # Enable stack protector
+      -fcf-protection # Control Flow Guard
+      -fstack-clash-protection # Control Flow Guard
+      -Wimplicit-fallthrough # Enabled in compiler flags by default
+      -fstrict-flex-arrays=3 # Enable strict array bounds
+      -Wformat # Enabled in compiler flags by default
+      -Wformat=2 # Enabled in compiler flags by default
+      # -Wl,-z,nodlopen # Restrict dlopen(3) calls to shared objects
+      -Wl,-z,noexecstack # Enable data execution prevention by marking stack
+      # memory as non-executable
+      -Wl,-z,relro # Mark relocation table entries resolved at load-time as
+      # read-only
+      -Wl,-z,now # Mark relocation table entries resolved at load-time as
+      # read-only. It impacts startup performance
+      "-fsanitize=undefined -fsanitize-minimal-runtime" # Enable minimal runtime
+      # undefined behavior sanitizer
+      -fno-delete-null-pointer-checks
+      -fno-strict-overflow
+      -fno-strict-aliasing
+      -ftrivial-auto-var-init=zero
+      -Wtrampolines # Enable trampolines(gcc only)
+      -mbranch-protection=standard # Enable indirect branches(aarch64 only)
+      CACHE STRING "Additional hardening compilation flags for GCC/Clang")
+
+  set(USE_HARDENING_LINKS
+      -fstack-protector-strong # Enable stack protector
+      "-fsanitize=undefined -fsanitize-minimal-runtime" # Enable minimal runtime
+      # undefined behavior sanitizer -Wl,-z,nodlopen # Restrict dlopen(3) calls
+      # to shared objects
+      -Wl,-z,noexecstack # Enable data execution prevention by marking stack
+      # memory as non-executable
+      -Wl,-z,relro # Mark relocation table entries resolved at load-time as
+      # read-only
+      -Wl,-z,now # Mark relocation table entries resolved at load-time as
+      # read-only. It impacts startup performance
+      CACHE STRING "Additional hardening linking flags for GCC/Clang")
+endif()
+
 include(cmake-modules/build/Hardening)

cmake/vcpkg/bootstrap/vcpkg_configure.cmake

@@ -52,6 +52,30 @@ macro(detect_vcpkg)
   endif()
 endmacro()
 
+# Add VCPKG_INSTALL_REPORT_FAILURE option to report vcpkg failure in detail
+function(_vcpkg_install_report_failure)
+  if(DEFINED ENV{CI} AND NOT "$ENV{CI}" STREQUAL "")
+    set(VCPKG_INSTALL_REPORT_FAILURE
+        ON
+        CACHE INTERNAL "Enable vcpkg install failure report in detail")
+  endif()
+  file(READ "$CACHE{_VCPKG_TOOLCHAIN_FILE}" _vcpkg_toolchain_content)
+  if(VCPKG_INSTALL_REPORT_FAILURE
+     AND NOT "${_vcpkg_toolchain_content}" MATCHES
+         [[VCPKG INSTALL REPORT FAILURE IN DETAIL]])
+    string(
+      REPLACE
+        [[message(STATUS "Running vcpkg install - failed")]]
+        [[message(STATUS "Running vcpkg install - failed")
+            file(READ "${CMAKE_CURRENT_BINARY_DIR}/vcpkg_installed/vcpkg/issue_body.md" issue_body_content)
+            message(STATUS "")
+            set(Z_NATIVE_VCPKG_MANIFEST_INSTALL_LOGFILE "${Z_NATIVE_VCPKG_MANIFEST_INSTALL_LOGFILE}\nVCPKG INSTALL REPORT FAILURE IN DETAIL: ${CMAKE_CURRENT_BINARY_DIR}/vcpkg_installed/vcpkg/issue_body.md\n${issue_body_content}\n")]]
+        _vcpkg_toolchain_content
+        "${_vcpkg_toolchain_content}")
+    file(WRITE "$CACHE{_VCPKG_TOOLCHAIN_FILE}" "${_vcpkg_toolchain_content}")
+  endif()
+endfunction()
+
 # bootstrap and configure vcpkg
 macro(vcpkg_configure)
   detect_vcpkg()
@@ -68,6 +92,9 @@ macro(vcpkg_configure)
   endif()
 
   _vcpkg_chainload_toolchain()
+
+  _vcpkg_install_report_failure()
+
   message(STATUS "vcpkg_toolchain_file:$CACHE{_VCPKG_TOOLCHAIN_FILE}")
   include("$CACHE{_VCPKG_TOOLCHAIN_FILE}")
 endmacro()

cmake/vcpkg/bootstrap/vcpkg_load_triplet.cmake

@@ -46,7 +46,7 @@ function(_vcpkg_detect_host_triplet)
       if(_detect_osx_arch_count EQUAL "0")
         message(
           WARNING
-            "Unable to determine target architecture. "
+            "Unable to determine target architecture from ${CMAKE_OSX_ARCHITECTURES}. "
             "Consider providing a value for the CMAKE_OSX_ARCHITECTURES cache variable. "
             "Continuing without vcpkg.")
         set(VCPKG_TOOLCHAIN ON)
@@ -57,7 +57,8 @@ function(_vcpkg_detect_host_triplet)
       if(_detect_osx_arch_count GREATER "1")
         message(
           WARNING
-            "Detected more than one target architecture. Using the first one.")
+            "Detected more than one target architecture from ${CMAKE_OSX_ARCHITECTURES}. Using the first one."
+        )
       endif()
       list(GET CMAKE_OSX_ARCHITECTURES "0" _detect_osx_target_arch)
       if(_detect_osx_target_arch STREQUAL "arm64")
@@ -75,7 +76,7 @@ function(_vcpkg_detect_host_triplet)
       else()
         message(
           WARNING
-            "Unable to determine target architecture, continuing without vcpkg."
+            "Unable to determine target architecture from ${CMAKE_OSX_ARCHITECTURES}, continuing without vcpkg."
         )
         set(VCPKG_TOOLCHAIN ON)
         cmake_policy(POP)
@@ -96,6 +97,8 @@ function(_vcpkg_detect_host_triplet)
         OR CMAKE_HOST_SYSTEM_PROCESSOR STREQUAL "AMD64"
         OR CMAKE_HOST_SYSTEM_PROCESSOR STREQUAL "amd64")
         set(_detect_target_triplet_arch x64)
+      elseif(CMAKE_HOST_SYSTEM_PROCESSOR MATCHES "^i.86$")
+        set(_detect_target_triplet_arch x86)
       elseif(CMAKE_HOST_SYSTEM_PROCESSOR STREQUAL "s390x")
         set(_detect_target_triplet_arch s390x)
       elseif(CMAKE_HOST_SYSTEM_PROCESSOR STREQUAL "ppc64le")
@@ -115,7 +118,7 @@ function(_vcpkg_detect_host_triplet)
       else()
         message(
           WARNING
-            "Unable to determine target architecture, continuing without vcpkg."
+            "Unable to determine target architecture from ${CMAKE_HOST_SYSTEM_PROCESSOR}, continuing without vcpkg."
         )
         set(VCPKG_TOOLCHAIN ON)
         cmake_policy(POP)
@@ -166,6 +169,12 @@ function(_vcpkg_detect_host_triplet)
 
   if(NOT _detect_target_triplet_arch STREQUAL ""
      AND NOT _detect_target_triplet_plat STREQUAL "")
+    set(VCPKG_DETECT_TRIPLET_ARCH
+        ${_detect_target_triplet_arch}
+        PARENT_SCOPE)
+    set(VCPKG_DETECT_TRIPLET_PLAT
+        ${_detect_target_triplet_plat}
+        PARENT_SCOPE)
     set(VCPKG_HOST_TRIPLET
         "${_detect_target_triplet_arch}-${_detect_target_triplet_plat}"
         PARENT_SCOPE)