This document describes the modernized CI/CD pipeline for QtLucide, designed with security, performance, and reliability in mind.
Our CI/CD pipeline consists of several workflows that ensure code quality, security, and reliable releases:
- CI Workflow (
ci.yml) - Main continuous integration - Release Workflow (
release.yml) - Automated releases with modern practices - XMake Workflow (
xmake.yml) - Alternative build system testing - Security Workflow (
security.yml) - Comprehensive security scanning - Performance Workflow (
performance.yml) - Performance benchmarking and memory leak detection
Triggers: Push to main branches, pull requests, manual dispatch
Features:
- ✅ Modern Qt Versions: Tests with Qt 6.7.3 and 6.8.0
- ✅ Multi-Platform: Ubuntu 22.04, Windows 2022, macOS 13/14
- ✅ Security Hardening: Step Security Harden Runner
- ✅ Advanced Caching: Qt installation and build artifacts
- ✅ Code Coverage: LCOV coverage reporting with Codecov integration
- ✅ Code Quality: clang-format, cppcheck, clang-tidy
- ✅ Container Builds: Docker multi-arch builds with SBOM generation
- ✅ Parallel Builds: Optimized build performance
Matrix Strategy:
- Ubuntu 22.04 + Qt 6.8.0 + Release + Coverage
- Ubuntu 22.04 + Qt 6.7.3 + Debug
- Windows 2022 + Qt 6.8.0/6.7.3 + Release/Debug
- macOS 14/13 + Qt 6.8.0/6.7.3 + Release/DebugTriggers: Git tags (v*), manual dispatch
Modern Features:
- ✅ Modern Release Action: Uses
softprops/action-gh-release@v2 - ✅ Automated Changelog: Extracts from CHANGELOG.md
- ✅ Multi-Platform Builds: Linux, Windows, macOS
- ✅ Security: SBOM generation, build provenance attestation
- ✅ Code Signing: Windows code signing support (when certificates available)
- ✅ Checksums: SHA256 checksums for all artifacts
- ✅ Container Publishing: Multi-arch container images to GHCR
- ✅ Pre-release Detection: Automatic pre-release detection for alpha/beta/rc tags
Triggers: Push, pull requests, weekly schedule, manual dispatch
Security Tools:
- 🔒 CodeQL Analysis: GitHub's semantic code analysis
- 🔒 Dependency Review: Automated dependency vulnerability scanning
- 🔒 Trivy Scanner: Comprehensive vulnerability scanning
- 🔒 Semgrep: Static analysis security scanner
- 🔒 OSV Scanner: Open Source Vulnerability scanner
- 🔒 TruffleHog: Secret detection
- 🔒 SBOM Generation: Software Bill of Materials
- 🔒 OSSF Scorecard: Security posture assessment
Triggers: Push to main, pull requests, weekly schedule, manual dispatch
Performance Features:
- 📊 Google Benchmark: Comprehensive performance benchmarking
- 📊 Memory Profiling: Valgrind massif memory profiling
- 📊 Memory Leak Detection: Valgrind memcheck
- 📊 Performance Reports: HTML reports deployed to GitHub Pages
- 📊 PR Comments: Automatic performance results in pull requests
Triggers: Push, pull requests, manual dispatch
XMake Features:
- 🔨 Alternative Build System: Tests XMake alongside CMake
- 🔨 Build Comparison: Compares CMake vs XMake outputs
- 🔨 Installation Testing: Verifies package installation
- 🔨 Multi-Platform: Ubuntu, Windows, macOS support
- SBOM Generation: Software Bill of Materials for all builds
- Build Provenance: Cryptographic attestation of build integrity
- Dependency Scanning: Automated vulnerability detection
- Secret Detection: Prevents credential leaks
- Harden Runner: Network egress monitoring and restriction
- Minimal Permissions: Principle of least privilege for all workflows
- Security Scanning: Multiple security tools for comprehensive coverage
- Automated Benchmarks: Performance regression detection
- Memory Profiling: Memory usage analysis
- Leak Detection: Memory leak prevention
- Performance Reports: Visual performance tracking
- Parallel Builds: Optimized build times
- Smart Caching: Reduced CI execution time
- Artifact Management: Efficient artifact handling
- GitHub Actions: Weekly updates for workflow dependencies
- Python Dependencies: Weekly updates for build tools
- Docker Dependencies: Weekly updates for container images
- Grouped Updates: Batched minor/patch updates
- Multi-Platform Packages: Linux (tar.gz), Windows (zip), macOS (tar.gz)
- Container Images: Multi-arch Docker images (amd64, arm64)
- Debug Information: Build logs and debug artifacts on failure
- Retention Policies: Optimized storage with appropriate retention
- Checksums: SHA256 verification for all releases
- SBOM: Software Bill of Materials for transparency
- Signatures: Build provenance attestation
- Documentation: Automated changelog integration
- Formatting: clang-format enforcement
- Static Analysis: cppcheck and clang-tidy
- Security Analysis: Multiple security scanners
- Coverage: Code coverage reporting and tracking
- Unit Tests: Comprehensive test suite
- Integration Tests: Cross-platform compatibility
- Performance Tests: Regression prevention
- Memory Tests: Leak detection and profiling
CMAKE_BUILD_PARALLEL_LEVEL: 4 # Parallel build jobs
CTEST_PARALLEL_LEVEL: 4 # Parallel test execution
XMAKE_PARALLEL_JOBS: 4 # XMake parallel jobsGITHUB_TOKEN: Automatically providedCODECOV_TOKEN: For coverage reporting (optional)WINDOWS_CERTIFICATE: For Windows code signing (optional)WINDOWS_CERTIFICATE_PASSWORD: For Windows code signing (optional)
- Performance Reports: Automated performance tracking
- Documentation: API documentation deployment
- Coverage Reports: Code coverage visualization
- PR Comments: Automated performance and security feedback
- Security Alerts: Vulnerability notifications
- Build Status: Comprehensive build reporting
- Security First: Comprehensive security scanning and hardening
- Performance Monitoring: Continuous performance tracking
- Supply Chain Security: SBOM and provenance attestation
- Modern Tooling: Latest versions of all tools and actions
- Efficient Caching: Optimized build times
- Multi-Platform Support: Comprehensive platform coverage
- Automated Quality: Enforced code quality standards
- Transparent Reporting: Comprehensive reporting and feedback
- Updated Qt Versions: 6.5.0/6.6.0 → 6.7.3/6.8.0
- Modern Actions: Deprecated actions replaced with current versions
- Enhanced Security: Added comprehensive security scanning
- Performance Tracking: Added benchmarking and profiling
- Better Caching: Improved build performance
- Container Support: Added Docker builds and publishing
- Supply Chain Security: SBOM and attestation support
- Minimum Qt version now 6.7.3
- Some older OS versions no longer supported
- Additional security requirements for releases
This modernized CI/CD pipeline provides enterprise-grade security, performance monitoring, and reliability while maintaining compatibility with the existing QtLucide codebase.