From 395b8d9f8610ae9e91f8a734bb91a6f9df15b7f3 Mon Sep 17 00:00:00 2001 From: yawkat Date: Mon, 2 Mar 2026 17:54:54 +0100 Subject: [PATCH 1/3] Make Linux native flags architecture-safe in CI --- .github/workflows/build-all-and-publish.yml | 14 ++++++++++---- pom.xml | 2 +- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build-all-and-publish.yml b/.github/workflows/build-all-and-publish.yml index 59a69bf..195436f 100644 --- a/.github/workflows/build-all-and-publish.yml +++ b/.github/workflows/build-all-and-publish.yml @@ -17,7 +17,8 @@ jobs: name: Linux natives (${{ matrix.arch }}) runs-on: ubuntu-latest env: - NATIVE_BASE_CFLAGS: -O2 -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection + NATIVE_BASE_CFLAGS: -O2 -fno-omit-frame-pointer -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security + NATIVE_X86_EXTRA_CFLAGS: -mno-omit-leaf-frame-pointer -fcf-protection NATIVE_XXHASH_EXTRA_CFLAGS: -fno-tree-vectorize strategy: fail-fast: false @@ -26,26 +27,31 @@ jobs: - arch: amd64 cc: gcc arch_cflags: "" + arch_x86_cflags: "${{ env.NATIVE_X86_EXTRA_CFLAGS }}" ldflags: "" apt: "" - arch: i386 cc: gcc arch_cflags: "-m32" - ldflags: "" + arch_x86_cflags: "${{ env.NATIVE_X86_EXTRA_CFLAGS }}" + ldflags: "-m32" apt: "gcc-multilib libc6-dev-i386" - arch: aarch64 cc: aarch64-linux-gnu-gcc arch_cflags: "" + arch_x86_cflags: "" ldflags: "" apt: "gcc-aarch64-linux-gnu" - arch: ppc64le cc: powerpc64le-linux-gnu-gcc arch_cflags: "" + arch_x86_cflags: "" ldflags: "" apt: "gcc-powerpc64le-linux-gnu" - arch: s390x cc: s390x-linux-gnu-gcc arch_cflags: "" + arch_x86_cflags: "" ldflags: "" apt: "gcc-s390x-linux-gnu" @@ -79,8 +85,8 @@ jobs: ./mvnw -B -V -DskipTests \ -Darch.id=${{ matrix.arch }} \ -Dnative.cc=${{ matrix.cc }} \ - "-Dnative.cflags=${{ env.NATIVE_BASE_CFLAGS }} ${{ matrix.arch_cflags }}" \ - "-Dnative.xxhash.cflags=${{ env.NATIVE_BASE_CFLAGS }} ${{ matrix.arch_cflags }} ${{ env.NATIVE_XXHASH_EXTRA_CFLAGS }}" \ + "-Dnative.cflags=${{ env.NATIVE_BASE_CFLAGS }} ${{ matrix.arch_x86_cflags }} ${{ matrix.arch_cflags }}" \ + "-Dnative.xxhash.cflags=${{ env.NATIVE_BASE_CFLAGS }} ${{ matrix.arch_x86_cflags }} ${{ matrix.arch_cflags }} ${{ env.NATIVE_XXHASH_EXTRA_CFLAGS }}" \ "-Dnative.ldflags=${{ matrix.ldflags }}" \ package diff --git a/pom.xml b/pom.xml index 466dd71..8738871 100644 --- a/pom.xml +++ b/pom.xml @@ -389,7 +389,7 @@ - -O2 -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection + -O2 -fno-omit-frame-pointer -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security ${native.cflags} -fno-tree-vectorize From d0493b049e7af6f3b180898aeef97f1f7623c74f Mon Sep 17 00:00:00 2001 From: yawkat Date: Mon, 2 Mar 2026 18:04:20 +0100 Subject: [PATCH 2/3] Fix workflow matrix expressions for manual dispatch --- .github/workflows/build-all-and-publish.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-all-and-publish.yml b/.github/workflows/build-all-and-publish.yml index 195436f..d00dbf4 100644 --- a/.github/workflows/build-all-and-publish.yml +++ b/.github/workflows/build-all-and-publish.yml @@ -27,13 +27,13 @@ jobs: - arch: amd64 cc: gcc arch_cflags: "" - arch_x86_cflags: "${{ env.NATIVE_X86_EXTRA_CFLAGS }}" + arch_x86_cflags: "-mno-omit-leaf-frame-pointer -fcf-protection" ldflags: "" apt: "" - arch: i386 cc: gcc arch_cflags: "-m32" - arch_x86_cflags: "${{ env.NATIVE_X86_EXTRA_CFLAGS }}" + arch_x86_cflags: "-mno-omit-leaf-frame-pointer -fcf-protection" ldflags: "-m32" apt: "gcc-multilib libc6-dev-i386" - arch: aarch64 From 007861d20f92cdca434b1d5ef07f0b4596782145 Mon Sep 17 00:00:00 2001 From: yawkat Date: Mon, 2 Mar 2026 18:14:14 +0100 Subject: [PATCH 3/3] Merge x86 flags into arch-specific workflow cflags --- .github/workflows/build-all-and-publish.yml | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) diff --git a/.github/workflows/build-all-and-publish.yml b/.github/workflows/build-all-and-publish.yml index d00dbf4..ccd5618 100644 --- a/.github/workflows/build-all-and-publish.yml +++ b/.github/workflows/build-all-and-publish.yml @@ -18,7 +18,6 @@ jobs: runs-on: ubuntu-latest env: NATIVE_BASE_CFLAGS: -O2 -fno-omit-frame-pointer -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security - NATIVE_X86_EXTRA_CFLAGS: -mno-omit-leaf-frame-pointer -fcf-protection NATIVE_XXHASH_EXTRA_CFLAGS: -fno-tree-vectorize strategy: fail-fast: false @@ -26,32 +25,27 @@ jobs: include: - arch: amd64 cc: gcc - arch_cflags: "" - arch_x86_cflags: "-mno-omit-leaf-frame-pointer -fcf-protection" + arch_cflags: "-mno-omit-leaf-frame-pointer -fcf-protection" ldflags: "" apt: "" - arch: i386 cc: gcc - arch_cflags: "-m32" - arch_x86_cflags: "-mno-omit-leaf-frame-pointer -fcf-protection" + arch_cflags: "-mno-omit-leaf-frame-pointer -fcf-protection -m32" ldflags: "-m32" apt: "gcc-multilib libc6-dev-i386" - arch: aarch64 cc: aarch64-linux-gnu-gcc arch_cflags: "" - arch_x86_cflags: "" ldflags: "" apt: "gcc-aarch64-linux-gnu" - arch: ppc64le cc: powerpc64le-linux-gnu-gcc arch_cflags: "" - arch_x86_cflags: "" ldflags: "" apt: "gcc-powerpc64le-linux-gnu" - arch: s390x cc: s390x-linux-gnu-gcc arch_cflags: "" - arch_x86_cflags: "" ldflags: "" apt: "gcc-s390x-linux-gnu" @@ -82,11 +76,11 @@ jobs: - name: Build (mvn package) run: | - ./mvnw -B -V -DskipTests \ + ./mvnw -B -V -DskipTests \ -Darch.id=${{ matrix.arch }} \ -Dnative.cc=${{ matrix.cc }} \ - "-Dnative.cflags=${{ env.NATIVE_BASE_CFLAGS }} ${{ matrix.arch_x86_cflags }} ${{ matrix.arch_cflags }}" \ - "-Dnative.xxhash.cflags=${{ env.NATIVE_BASE_CFLAGS }} ${{ matrix.arch_x86_cflags }} ${{ matrix.arch_cflags }} ${{ env.NATIVE_XXHASH_EXTRA_CFLAGS }}" \ + "-Dnative.cflags=${{ env.NATIVE_BASE_CFLAGS }} ${{ matrix.arch_cflags }}" \ + "-Dnative.xxhash.cflags=${{ env.NATIVE_BASE_CFLAGS }} ${{ matrix.arch_cflags }} ${{ env.NATIVE_XXHASH_EXTRA_CFLAGS }}" \ "-Dnative.ldflags=${{ matrix.ldflags }}" \ package