jserv added a commit that referenced this pull request on May 4, 2026
- check-format.sh: stale comment said v20 while the check was already
v22; align the comment with the enforced version.
- check-newline.sh: `file --mime-encoding "$f"` includes the path in
its output, so a text file whose name contained "binary" got skipped
by the `grep -qv binary` filter. Use `-b` (brief) and string-compare
against the encoding directly.
- check-security.sh: `grep -vE ... | grep -q ...` under `pipefail`
can silently drop real findings: when the matcher exits early, the
upstream filter receives SIGPIPE and the pipeline status flips to
non-zero. Switch to process substitution so the matcher's exit
status is the only thing the `if` sees.
Drop the `# ---- foo ----` comment separators from the workflow file.
Issues identified by cubic.dev (https://cubic.dev) on PR #1.
GitHub-hosted macOS arm64 runners run under a virtualization layer that
withholds Hypervisor.framework: hv_vm_create returns HV_UNSUPPORTED
(0xfae9400f), so test-hello / make check / test-multi-vcpu cannot run
there. Reduce the macos-15 job to 'make elfuse' plus an entitlement-
embedding check, and drop the cross-toolchains that only fed the now-
removed runtime tests. Runtime validation needs a self-hosted Apple
Silicon runner.
The macOS job runs as 3 parallel jobs (Build, clang-tidy, scan-build),
all independent of the Linux Lint job, so wall-clock CI time is bounded
by the longest single job rather than the sum of sequential steps.
- build-macos : 'make elfuse' + entitlement check + artifact upload
(binutils only, fastest job, primary green/red signal)
- tidy-macos : clang-tidy via 'make lint' (advisory; .clang-tidy has
WarningsAsErrors='' so findings are logged but do not
gate the job). Builds only the generated headers, not
the full binary, since clang-tidy doesn't need it.
- scan-macos : LLVM scan-build via the Make target, with the HTML
report uploaded as an artifact for triage.
Cache keys are now derived from the package-list env vars (LINT_PKGS,
BREW_PKGS) instead of hashFiles('main.yml'), so unrelated workflow
edits no longer invalidate the cache.
Lint job on ubuntu-24.04 runs newline, clang-format-22 (from apt.llvm.org noble-22, key scoped via signed-by), banned-API/secrets, shellcheck, and cppcheck. Build/test job on macos-15 (Apple Silicon) installs binutils ahead of `make elfuse` because the shim build invokes objcopy, then pulls the bare-metal aarch64-elf-gcc and pinned messense/macos-cross-toolchains tap for the cross-compiled unit tests, and runs make check plus the multi-vCPU HVF validation.

Summary by cubic

Set up GitHub Actions CI with a Linux lint suite and three parallel macOS Apple Silicon jobs for build, `clang-tidy`, and LLVM `scan-build`. Adds caching, PR-run cancellation, and keeps all lint sub-checks running to surface all findings; small source and CI fixes included.

New Features

- ubuntu-24.04: newline check, `clang-format-22`, banned API/secret scan, `shellcheck` for `.ci/`, `cppcheck`, and syscall dispatch table validation.
- `make elfuse` + HVF entitlement + artifact), `clang-tidy` via `make lint` (advisory), and LLVM `scan-build` with report upload; runtime tests are skipped on hosted runners.
- `LINT_PKGS`/`BREW_PKGS`.

Bug Fixes

- `clang-format-22`, fix newline check with `file -b --mime-encoding`, and use process substitution in the security scan to avoid SIGPIPE under `pipefail`.
- `scan-build` install check by using `test -x` and `clang --version` instead of piping `--help` to `head`.
- `strrchr` by moving it after null checks in `runtime_set_process_title`, and add a `cppcheck` suppression in `termios_copy_cc_to_linux` for a false positive.

Written for commit 88de778. Summary will update on new commits.
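
The `check-security.sh` failure mode described in the commit message and in the cubic summary above, reproduced as an added example (not code from the PR). The filter pattern, banned-API pattern, function names and sample file are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added illustration; names, patterns and sample data are constructed here.
set -o pipefail

SKIP='^[[:space:]]*//'   # hypothetical filter: ignore comment-only lines
BANNED='strcpy('         # hypothetical banned-API pattern

# Constructed input: a real finding on line 2, then ~7 MB of clean lines so
# the filter is still writing after the matcher has found its hit and exited.
BIG=$(mktemp)
trap 'rm -f "$BIG"' EXIT
{
    printf '// strcpy( in a comment is skipped\n'
    printf 'strcpy(dst, src);\n'
    awk 'BEGIN { for (i = 0; i < 200000; i++) print "memcpy(dst, src, n); /* " i " */" }'
} > "$BIG"

# Before: `grep -q` exits on the first hit, the filter then fails writing to
# the closed pipe, and pipefail turns that into a failed pipeline.
scan_piped() {
    grep -vE "$SKIP" "$1" 2>/dev/null | grep -q "$BANNED"
}

# After: only the matcher's exit status reaches the caller; the filter runs
# in a process substitution, whose status bash does not fold in.
scan_procsub() {
    grep -q "$BANNED" < <(grep -vE "$SKIP" "$1" 2>/dev/null)
}

# Mirrors an `if <scan>; then report` gate in a CI check.
verdict() {
    if "$1" "$2"; then echo "finding"; else echo "clean"; fi
}

echo "piped:   $(verdict scan_piped "$BIG")"
echo "procsub: $(verdict scan_procsub "$BIG")"
```

On an input small enough for the filter to finish writing before the matcher exits, the piped form still reports the finding, which is why the miss goes unnoticed until the scanned tree grows.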