U/sgriffin/vc2026

[stephenegriffin]

No description provided.

[github-actions]

Test Results

0 tests  ±0   0 ✅ ±0   0s ⏱️ ±0s
0 suites ±0   0 💤 ±0 
0 files   ±0   0 ❌ ±0 

Results for commit 3c74dae. ± Comparison against base commit 9d1e8b0.

♻️ This comment has been updated with latest results.

[Copilot]

Pull request overview

Updates the Windows/Visual Studio build setup to target a newer toolset/SDK baseline and align CI/security scanning workflows with those build requirements.

Changes:

• Centralizes MSBuild defaults (toolset/SDK pin + security/quality flags) via Directory.Build.props and removes per-configuration duplication from the .vcxproj.
• Updates the solution/project configurations (drops Prefast configs) and bumps the .sln Visual Studio version metadata.
• Updates GitHub Actions workflows (new Windows runner label, ARM64EC matrix, Windows 11 SDK install step) and bumps CodeQL action SHAs.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
mapistub.vcxproj	Removes per-config toolset/SDK/security flags and drops Prefast/Fuzz ARM64* configurations in favor of repo-wide props.
mapistub.sln	Updates VS version metadata and removes Prefast solution configurations.
Directory.Build.props	Introduces centralized toolset/SDK pin and baseline compiler/link security settings.
.vsconfig	Updates required SDK component to Windows 11 SDK 22621.
.github/workflows/github-ci.yml	Switches to a VS2026 runner label, adds ARM64EC to the build matrix, and installs Windows 11 SDK.
.github/workflows/codeql.yml	Switches to a VS2026 runner label, installs Windows 11 SDK, and updates CodeQL action SHAs.
.github/workflows/scorecards.yml	Updates upload-sarif action SHA.
.github/workflows/devskim.yml	Updates upload-sarif action SHA.
.github/workflows/clang.yml	Replaces the clang-format action with an apt-based install + manual formatting check script.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 9 out of 9 changed files in this pull request and generated 2 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The "Install Windows 11 SDK" step appears broken: it logs "Downloading..." and defines $installer, but never downloads or runs it. Instead it calls scripts/install-winsdk.ps1, which does not exist in the repo (only scripts/clang.ps1 is present). This will fail the CodeQL workflow on fresh runners. Either add the referenced script (and have it perform the download/install) or inline the same download/install logic used in github-ci.yml and remove the unused variables/log lines.

Suggested change

	Write-Host "Downloading Windows 11 SDK 10.0.22621.0..."
	$installer = "$env:TEMP\winsdksetup.exe"
	& "${{ github.workspace }}\scripts\install-winsdk.ps1"
	Write-Host "Windows SDK 10.0.22621.0 not found. Downloading installer..."
	$installer = Join-Path $env:TEMP "winsdksetup.exe"
	$sdkUrl = "https://go.microsoft.com/fwlink/?linkid=2196241"
	Write-Host "Downloading Windows 11 SDK 10.0.22621.0 from $sdkUrl to $installer"
	Invoke-WebRequest -Uri $sdkUrl -OutFile $installer
	Write-Host "Running Windows 11 SDK installer..."
	$arguments = "/quiet /norestart"
	$process = Start-Process -FilePath $installer -ArgumentList $arguments -PassThru -Wait
	if ($process.ExitCode -ne 0) {
	Write-Error "Windows 11 SDK installer failed with exit code $($process.ExitCode)"
	exit $process.ExitCode
	}
	Write-Host "Cleaning up installer..."
	if (Test-Path $installer) {
	Remove-Item $installer -Force
	}
	if (-not (Test-Path $sdkPath)) {
	Write-Error "Windows 11 SDK 10.0.22621.0 did not install correctly (path '$sdkPath' not found)"
	exit 1
	}
	Write-Host "Windows SDK 10.0.22621.0 installed successfully"

[Copilot]

This step downloads and executes the Windows SDK installer directly from a fwlink URL without any authenticity verification (e.g., checking Authenticode signature and/or a pinned hash). To reduce supply-chain risk, consider validating the downloaded binary before executing it, or installing the SDK via a package manager/mechanism that provides integrity verification.

Suggested change

	$installer = "$env:TEMP\winsdksetup.exe"
	Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/?linkid=2196241" -OutFile $installer
	$installer = "$env:TEMP\winsdksetup.exe"
	# SHA256 hash of the official Windows 11 SDK 10.0.22621.0 installer.
	# TODO: Replace this value with the official SHA256 from Microsoft if the SDK installer is updated.
	$expectedHash = "REPLACE_WITH_OFFICIAL_SHA256_HASH"
	Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/?linkid=2196241" -OutFile $installer
	$actualHash = (Get-FileHash -Path $installer -Algorithm SHA256).Hash
	if ($actualHash -ne $expectedHash) {
	Write-Error "Downloaded Windows SDK installer hash mismatch. Expected $expectedHash but got $actualHash."
	Remove-Item -Path $installer -ErrorAction SilentlyContinue
	exit 1
	}