ci: introduce production-ready CI pipeline and remove legacy workflow

.clang-format

@@ -0,0 +1,4 @@
+BasedOnStyle: LLVM
+IndentWidth: 4
+ColumnLimit: 100
+UseTab: Never

.github/workflows/ci.yml

@@ -0,0 +1,228 @@
+name: CI
+
+on:
+  push:
+    branches:
+      - main
+      - master
+  pull_request:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ci-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  CCACHE_DIR: ${{ github.workspace }}/.ccache
+  DEFAULT_CFLAGS: >-
+    -Wall -Wextra -Werror -O2 -g
+    -fstack-protector-strong -D_FORTIFY_SOURCE=2
+  DEFAULT_VERIFY_CFLAGS: >-
+    -Wall -Wextra -Werror -O2
+    -fstack-protector-strong -D_FORTIFY_SOURCE=2
+  SANITIZER_CFLAGS: >-
+    -Wall -Wextra -Werror -O1 -g
+    -fsanitize=address,undefined -fno-omit-frame-pointer
+
+jobs:
+  lint:
+    name: Lint and static analysis
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Install linting tools
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y clang-format cppcheck
+
+      - name: Verify formatting with clang-format
+        shell: bash
+        run: |
+          mapfile -t files < <(find src tests -type f \( -name '*.c' -o -name '*.h' \) | sort)
+
+          if [ "${#files[@]}" -eq 0 ]; then
+            echo "No C source files found to format-check."
+            exit 0
+          fi
+
+          clang-format --version
+          clang-format \
+            --style=file \
+            --fallback-style=LLVM \
+            --dry-run \
+            --Werror \
+            "${files[@]}"
+
+      - name: Run cppcheck
+        shell: bash
+        run: |
+          cppcheck \
+            --std=c11 \
+            --language=c \
+            --enable=warning,style,performance,portability \
+            --error-exitcode=1 \
+            --inline-suppr \
+            --suppress=missingIncludeSystem \
+            src tests
+
+  build-test:
+    name: Build and test (${{ matrix.os }})
+    runs-on: ${{ matrix.os }}
+    needs: lint
+    timeout-minutes: 20
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            install_cmd: |
+              sudo apt-get update
+              sudo apt-get install -y gcc make ccache
+          - os: macos-latest
+            install_cmd: |
+              brew update
+              brew install gcc make ccache
+
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Install build dependencies
+        run: ${{ matrix.install_cmd }}
+
+      - name: Resolve toolchain
+        shell: bash
+        run: |
+          if [ "${{ runner.os }}" = "macOS" ]; then
+            CC_BIN="$(command -v gcc-14 || command -v gcc-13 || command -v gcc-12)"
+            MAKE_BIN="$(command -v gmake)"
+            BUILD_CFLAGS="-Wall -Wextra -Werror -O2 -g -fstack-protector-strong"
+            BUILD_VERIFY_CFLAGS="-Wall -Wextra -Werror -O2 -fstack-protector-strong"
+          else
+            CC_BIN="$(command -v gcc)"
+            MAKE_BIN="$(command -v make)"
+            BUILD_CFLAGS="${DEFAULT_CFLAGS}"
+            BUILD_VERIFY_CFLAGS="${DEFAULT_VERIFY_CFLAGS}"
+          fi
+
+          if [ -z "${CC_BIN}" ] || [ -z "${MAKE_BIN}" ]; then
+            echo "Failed to resolve compiler or make binary."
+            exit 1
+          fi
+
+          echo "CC_BIN=${CC_BIN}" >> "${GITHUB_ENV}"
+          echo "MAKE_BIN=${MAKE_BIN}" >> "${GITHUB_ENV}"
+          echo "BUILD_CFLAGS=${BUILD_CFLAGS}" >> "${GITHUB_ENV}"
+          echo "BUILD_VERIFY_CFLAGS=${BUILD_VERIFY_CFLAGS}" >> "${GITHUB_ENV}"
+
+      - name: Restore ccache
+        uses: actions/cache@v4
+        with:
+          path: ${{ env.CCACHE_DIR }}
+          key: ${{ runner.os }}-ccache-${{ hashFiles('Makefile', 'src/**/*.c', 'src/**/*.h', 'tests/**/*.c', 'tests/**/*.h') }}
+          restore-keys: |
+            ${{ runner.os }}-ccache-
+
+      - name: Configure ccache
+        shell: bash
+        run: |
+          ccache --max-size 250M
+          ccache --zero-stats
+
+      - name: Run verify, test, and check
+        shell: bash
+        run: |
+          "${MAKE_BIN}" clean
+          "${MAKE_BIN}" verify \
+            CC="ccache ${CC_BIN}" \
+            CFLAGS="${BUILD_CFLAGS}" \
+            VERIFY_CFLAGS="${BUILD_VERIFY_CFLAGS}"
+          "${MAKE_BIN}" test \
+            CC="ccache ${CC_BIN}" \
+            CFLAGS="${BUILD_CFLAGS}" \
+            VERIFY_CFLAGS="${BUILD_VERIFY_CFLAGS}"
+          "${MAKE_BIN}" check \
+            CC="ccache ${CC_BIN}" \
+            CFLAGS="${BUILD_CFLAGS}" \
+            VERIFY_CFLAGS="${BUILD_VERIFY_CFLAGS}"
+
+      - name: Show ccache statistics
+        if: always()
+        run: ccache --show-stats
+
+      - name: Upload compiled binaries
+        uses: actions/upload-artifact@v4
+        with:
+          name: binaries-${{ runner.os }}
+          if-no-files-found: error
+          retention-days: 14
+          path: |
+            vuln_buffer_overflow
+            safe_input_demo
+            stack_layout_demo
+            overflow_behavior_demo
+            control_flow_simulation
+            demo_runtime_checks
+
+  security:
+    name: Hardened and sanitizer checks
+    runs-on: ubuntu-latest
+    needs: lint
+    timeout-minutes: 20
+
+    env:
+      ASAN_OPTIONS: detect_leaks=1:halt_on_error=1:strict_string_checks=1
+      UBSAN_OPTIONS: print_stacktrace=1:halt_on_error=1
+
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Install security build dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y gcc make ccache
+
+      - name: Restore ccache
+        uses: actions/cache@v4
+        with:
+          path: ${{ env.CCACHE_DIR }}
+          key: security-ccache-${{ hashFiles('Makefile', 'src/**/*.c', 'src/**/*.h', 'tests/**/*.c', 'tests/**/*.h') }}
+          restore-keys: |
+            security-ccache-
+
+      - name: Configure ccache
+        shell: bash
+        run: |
+          ccache --max-size 250M
+          ccache --zero-stats
+
+      - name: Run hardened build and test
+        shell: bash
+        run: |
+          make clean
+          make check \
+            CC="ccache gcc" \
+            CFLAGS="${DEFAULT_CFLAGS}" \
+            VERIFY_CFLAGS="${DEFAULT_VERIFY_CFLAGS}"
+
+      - name: Run AddressSanitizer and UBSan checks
+        shell: bash
+        run: |
+          make clean
+          make check \
+            CC="ccache gcc" \
+            CFLAGS="${SANITIZER_CFLAGS}" \
+            VERIFY_CFLAGS="${SANITIZER_CFLAGS}"
+
+      - name: Show ccache statistics
+        if: always()
+        run: ccache --show-stats

src/control_flow_simulation.c

@@ -44,8 +44,7 @@ int run_control_flow_simulation(FILE *output) {
      * redirect execution unexpectedly. This demo only illustrates the idea
      * of control-flow redirection without exploit code.
      */
-    fprintf(output,
-            "\nSimulating conceptual pointer corruption by manual reassignment...\n");
+    fprintf(output, "\nSimulating conceptual pointer corruption by manual reassignment...\n");
     func_ptr = target_function;
 
     fprintf(output, "Calling through function pointer (after change):\n");
@@ -55,7 +54,5 @@ int run_control_flow_simulation(FILE *output) {
 }
 
 #ifndef DEMO_NO_MAIN
-int main(void) {
-    return run_control_flow_simulation(stdout);
-}
+int main(void) { return run_control_flow_simulation(stdout); }
 #endif

src/overflow_behavior_demo.c

@@ -4,10 +4,7 @@
 
 #include "demo_programs.h"
 
-enum {
-    OVERFLOW_DEMO_BUFFER_SIZE = 16,
-    OVERFLOW_DEMO_MAX_INPUT = 96
-};
+enum { OVERFLOW_DEMO_BUFFER_SIZE = 16, OVERFLOW_DEMO_MAX_INPUT = 96 };
 
 struct overflow_demo_layout {
     char buffer[OVERFLOW_DEMO_BUFFER_SIZE];
@@ -46,8 +43,7 @@ static void print_hex_bytes(FILE *output, const unsigned char *bytes, size_t byt
     fputc('\n', output);
 }
 
-static size_t simulate_unbounded_copy(struct overflow_demo_layout *layout,
-                                      const char *input) {
+static size_t simulate_unbounded_copy(struct overflow_demo_layout *layout, const char *input) {
     unsigned char *raw_bytes = (unsigned char *)layout;
     size_t input_len = strlen(input);
     size_t index = 0;
@@ -107,17 +103,20 @@ int run_overflow_behavior_demo(FILE *input, FILE *output) {
 
     memcpy(&x, layout.x_bytes, sizeof(x));
 
-    fprintf(output, "Input length: %lu\n", (unsigned long)input_len);
+    const unsigned long cap_ul = (unsigned long)(OVERFLOW_DEMO_BUFFER_SIZE - 1);
+    const unsigned long input_ul = (unsigned long)input_len;
+    const unsigned long past_ul = (unsigned long)bytes_past_buffer;
+    const unsigned long into_ul = (unsigned long)bytes_into_x;
+    const unsigned long x_size_ul = (unsigned long)sizeof(layout.x_bytes);
+
+    fprintf(output, "Input length: %lu\n", input_ul);
     if (input_len >= sizeof(layout.buffer)) {
         fprintf(output,
-                "WARNING: Input length (%lu) exceeds buffer capacity (%lu).\n",
-                (unsigned long)input_len,
-                (unsigned long)(sizeof(layout.buffer) - 1));
-        fprintf(output, "Simulated bytes written past buffer: %lu\n",
-                (unsigned long)bytes_past_buffer);
-        fprintf(output, "Bytes that reached adjacent int: %lu of %lu\n",
-                (unsigned long)bytes_into_x,
-                (unsigned long)sizeof(layout.x_bytes));
+                "WARNING: Input length (%lu) exceeds "
+                "buffer capacity (%lu).\n",
+                input_ul, cap_ul);
+        fprintf(output, "Simulated bytes written past buffer: %lu\n", past_ul);
+        fprintf(output, "Bytes that reached adjacent int: %lu of %lu\n", into_ul, x_size_ul);
         fprintf(output, "Adjacent int bytes after simulation: ");
         print_hex_bytes(output, layout.x_bytes, sizeof(layout.x_bytes));
     } else {
@@ -131,7 +130,5 @@ int run_overflow_behavior_demo(FILE *input, FILE *output) {
 }
 
 #ifndef DEMO_NO_MAIN
-int main(void) {
-    return run_overflow_behavior_demo(stdin, stdout);
-}
+int main(void) { return run_overflow_behavior_demo(stdin, stdout); }
 #endif

src/safe_input_demo.c

@@ -29,7 +29,5 @@ int run_safe_input_demo(FILE *input, FILE *output) {
 }
 
 #ifndef DEMO_NO_MAIN
-int main(void) {
-    return run_safe_input_demo(stdin, stdout);
-}
+int main(void) { return run_safe_input_demo(stdin, stdout); }
 #endif

src/stack_layout_demo.c

@@ -9,15 +9,15 @@
  * to help visualize how function-call memory is arranged.
  */
 static void print_stack_layout(FILE *output, int demo_id) {
-    char buffer[16];
+    const char buffer[16] = {0};
     int x = 10;
 
     /*
      * These addresses are typically in the current stack frame.
      * On many systems, the stack often grows downward
      * (from higher addresses toward lower addresses).
      */
-    fprintf(output, "Address of buffer: %p\n", (void *)buffer);
+    fprintf(output, "Address of buffer: %p\n", (const void *)buffer);
     fprintf(output, "Address of x: %p\n", (void *)&x);
     fprintf(output, "Address of parameter demo_id: %p\n", (void *)&demo_id);
 }
@@ -33,7 +33,5 @@ int run_stack_layout_demo(FILE *output) {
 }
 
 #ifndef DEMO_NO_MAIN
-int main(void) {
-    return run_stack_layout_demo(stdout);
-}
+int main(void) { return run_stack_layout_demo(stdout); }
 #endif

src/vuln_buffer_overflow.c

@@ -16,6 +16,7 @@ int run_vuln_buffer_overflow(FILE *input, FILE *output) {
     fprintf(output, "[vuln_buffer_overflow] Unsafe input demo\n");
     fprintf(output, "Enter a word: ");
 
+    /* cppcheck-suppress invalidscanf */
     if (fscanf(input, "%s", buffer) != 1) {
         fprintf(output, "Input error.\n");
         return 1;
@@ -26,7 +27,5 @@ int run_vuln_buffer_overflow(FILE *input, FILE *output) {
 }
 
 #ifndef DEMO_NO_MAIN
-int main(void) {
-    return run_vuln_buffer_overflow(stdin, stdout);
-}
+int main(void) { return run_vuln_buffer_overflow(stdin, stdout); }
 #endif