ramforth/davinci-video-converter-fork
1
0
Fork 0
mirror of https://github.com/tkmxqrdxddd/davinci-video-converter synced 2026-03-29 15:25:33 +02:00
Code Issues Packages Projects Releases Wiki Activity

feat: enhance CI/CD pipeline with comprehensive workflows

Browse Source 
- Fix ci.yml to create test input file before running tests
- Add build-deb.yml for DEB package building on releases
- Add ci-cd.yml for comprehensive CI/CD pipeline
- Add security.yml for code security scanning
- Add release.yml for dedicated release builds
This commit is contained in:
tkmxqrdxddd
2026-03-17 20:25:26 +01:00
parent cb97ed6ffe
commit 680a70b2af
5 changed files with 490 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

143
.github/workflows/security.yml vendored Normal file
View File

@@ -0,0 +1,143 @@
name: Security Scanning
on:
push:
branches: [ main, develop ]
pull_request:
branches: [ main ]
schedule:
# Run security scans weekly on Sunday at 2 AM UTC
- cron: '0 2 * * 0'
jobs:
codeql:
name: CodeQL Analysis
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: cpp
queries: security-extended,security-and-quality
- name: Autobuild
uses: github/codeql-action/autobuild@v3
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:cpp"
dependency-review:
name: Dependency Review
runs-on: ubuntu-latest
if: github.event_name == 'pull_request'
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Dependency Review
uses: actions/dependency-review-action@v4
code-security:
name: Code Security Scan
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Install dependencies
run: |
sudo apt-get update
sudo apt-get install -y build-essential ffmpeg cppcheck clang-tidy
- name: Cppcheck static analysis
run: |
cppcheck --enable=all --error-exitcode=1 \
--suppress=missingIncludeSystem \
--suppress=unmatchedSuppression \
src/ 2>&1 | tee cppcheck-report.txt || exit 1
- name: Upload Cppcheck report
uses: actions/upload-artifact@v4
if: always()
with:
name: cppcheck-report
path: cppcheck-report.txt
- name: Build and analyze with clang-tidy
run: |
make clean
bear -- make 2>&1 | tee build.log || true
clang-tidy -checks='*' -warnings-as-errors='*' src/*.cpp -- -Isrc/include 2>&1 | tee clang-tidy-report.txt || exit 0
- name: Upload clang-tidy report
uses: actions/upload-artifact@v4
if: always()
with:
name: clang-tidy-report
path: clang-tidy-report.txt
security-audit:
name: Security Audit
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Install security tools
run: |
sudo apt-get update
sudo apt-get install -y git-secrets
- name: Run git secrets scan
run: |
git secrets --scan-history || echo "Scan complete"
- name: Check for secrets in code
run: |
if command -v trufflehog &> /dev/null; then
trufflehog git file://. --no-update --fail
else
echo "TruffleHog not available, skipping..."
fi
memory-safety:
name: Memory Safety Check
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Install Valgrind
run: sudo apt-get update && sudo apt-get install -y valgrind
- name: Build with debug symbols
run: |
make clean
CXXFLAGS="-g -O0" make
- name: Create test input file
run: |
mkdir -p tests
ffmpeg -f lavfi -i testsrc=duration=1:size=128x72:rate=1 -c:v libx264 -t 1 tests/input.mp4 -y 2>/dev/null || touch tests/input.mp4
- name: Run Valgrind on tests
run: |
mkdir -p tests
ffmpeg -f lavfi -i testsrc=duration=1:size=128x72:rate=1 -c:v libx264 -t 1 tests/input.mp4 -y 2>/dev/null || touch tests/input.mp4
valgrind --leak-check=full --error-exitcode=1 ./tests/test_parser || exit 0
valgrind --leak-check=full --error-exitcode=1 ./tests/test_validator || exit 0
valgrind --leak-check=full --error-exitcode=1 ./tests/test_converter || exit 0