Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
25 changes: 19 additions & 6 deletions .github/workflows/clang.yml
Original file line number Diff line number Diff line change
Expand Up @@ -19,9 +19,22 @@ jobs:
egress-policy: audit

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Run clang-format style check for C/C++ programs.
uses: jidicula/clang-format-action@6cd220de46c89139a0365edae93eee8eb30ca8fe # v4.16.0
with:
clang-format-version: '17'
exclude-regex: 'include/*'
fallback-style: 'Microsoft'

- name: Install clang-format
run: |
sudo apt-get update
sudo apt-get install -y clang-format-17

Comment on lines +23 to +27
Copy link

Copilot AI Feb 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Installing clang-format-17 via apt-get on ubuntu-latest is not stable because the available package versions change as the runner image updates. To avoid formatting CI breaking when the package isn’t available, consider using the previously used clang-format action, pinning an Ubuntu version, or adding the LLVM apt repository for the desired clang-format version.

Copilot uses AI. Check for mistakes.
- name: Run clang-format style check
run: |
# Find all C/C++ files, excluding include directory
files=$(find . -type f \( -name "*.cpp" -o -name "*.h" -o -name "*.c" \) \
! -path "./include/*" ! -path "./.git/*" | sort)

if [ -z "$files" ]; then
echo "No C/C++ files found"
exit 0
fi

# Check formatting (--dry-run -Werror exits non-zero if changes needed)
echo "$files" | xargs clang-format-17 --verbose --dry-run -Werror --style=file --fallback-style=Microsoft
42 changes: 38 additions & 4 deletions .github/workflows/codeql.yml
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,8 @@ permissions:
jobs:
analyze:
name: Analyze (${{ matrix.language }})
runs-on: windows-latest
# Use VS 2026 preview runner (GA May 4, 2026, then switch to windows-2025)
runs-on: windows-2025-vs2026
permissions:
packages: read
actions: read
Expand All @@ -39,9 +40,42 @@ jobs:
with:
submodules: 'recursive'

- name: Install Windows 11 SDK (10.0.22621.0)
shell: pwsh
run: |
$sdkPath = "${env:ProgramFiles(x86)}\Windows Kits\10\Include\10.0.22621.0"
if (Test-Path $sdkPath) {
Write-Host "Windows SDK 10.0.22621.0 already installed"
exit 0
}

# Download and verify installer
$installer = "$env:TEMP\winsdksetup.exe"
$expectedHash = "73FE3CC0E50D946D0C0A83A1424111E60DEE23F0803E305A8974A963B58290C0"
Write-Host "Downloading Windows 11 SDK 10.0.22621.0..."
Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/?linkid=2196241" -OutFile $installer

# Verify SHA256 hash
$actualHash = (Get-FileHash -Path $installer -Algorithm SHA256).Hash
if ($actualHash -ne $expectedHash) {
Write-Error "SHA256 hash mismatch! Expected: $expectedHash, Got: $actualHash"
exit 1
}
Write-Host "SHA256 verified: $actualHash"

# Install SDK
Write-Host "Installing SDK (this may take a few minutes)..."
$proc = Start-Process -FilePath $installer -ArgumentList "/features OptionId.DesktopCPPx64 OptionId.DesktopCPPx86 OptionId.DesktopCPParm64 /quiet /norestart /log $env:TEMP\sdk_install.log" -Wait -PassThru
if (!(Test-Path $sdkPath)) {
Get-Content "$env:TEMP\sdk_install.log" -ErrorAction SilentlyContinue | Select-Object -Last 50
Write-Error "Windows SDK installation failed"
Comment on lines +69 to +71
Copy link

Copilot AI Feb 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The installer process exit code is captured in $proc but not checked. Consider validating $proc.ExitCode and failing with a clearer message/log snippet when the install fails.

Suggested change
if (!(Test-Path $sdkPath)) {
Get-Content "$env:TEMP\sdk_install.log" -ErrorAction SilentlyContinue | Select-Object -Last 50
Write-Error "Windows SDK installation failed"
if ($proc.ExitCode -ne 0 -or !(Test-Path $sdkPath)) {
Write-Host "Last 50 lines of SDK install log (if available):"
Get-Content "$env:TEMP\sdk_install.log" -ErrorAction SilentlyContinue | Select-Object -Last 50
if ($proc.ExitCode -ne 0) {
Write-Error "Windows SDK installer exited with code $($proc.ExitCode)."
} elseif (!(Test-Path $sdkPath)) {
Write-Error "Windows SDK installation may have failed: SDK path '$sdkPath' not found after installer completed successfully."
}

Copilot uses AI. Check for mistakes.
exit 1
}
Comment on lines +52 to +73
Copy link

Copilot AI Feb 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This SDK install step pins a SHA256 for a fwlink URL. fwlink targets can change over time, which risks random CI failures when the binary hash changes. Prefer installing via a stable package/component mechanism (or a stable, versioned direct download URL) rather than a mutable fwlink.

Copilot uses AI. Check for mistakes.
Write-Host "Windows SDK 10.0.22621.0 installed successfully"

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v3.29.5
uses: github/codeql-action/init@b5ebac6f4c00c8ccddb7cdcd45fdb248329f808a # v3.32.2
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}
Expand All @@ -53,11 +87,11 @@ jobs:
# queries: security-extended,security-and-quality

- name: Autobuild
uses: github/codeql-action/autobuild@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v3.29.5
uses: github/codeql-action/autobuild@b5ebac6f4c00c8ccddb7cdcd45fdb248329f808a # v3.32.2

- name: Perform CodeQL Analysis
id: analyze
uses: github/codeql-action/analyze@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v3.29.5
uses: github/codeql-action/analyze@b5ebac6f4c00c8ccddb7cdcd45fdb248329f808a # v3.32.2
with:
category: "/language:${{matrix.language}}"

Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/devskim.yml
Original file line number Diff line number Diff line change
Expand Up @@ -29,11 +29,11 @@ jobs:
uses: microsoft/DevSkim-Action@4b5047945a44163b94642a1cecc0d93a3f428cc6 # v1.0.16

- name: Upload DevSkim scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v3.29.5
uses: github/codeql-action/upload-sarif@b5ebac6f4c00c8ccddb7cdcd45fdb248329f808a # v3.32.2
with:
sarif_file: devskim-results.sarif

- name: Upload DevSkim scan results as an artifact
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
with:
path: devskim-results.sarif
path: devskim-results.sarif
51 changes: 48 additions & 3 deletions .github/workflows/github-ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,13 +13,25 @@ permissions:

jobs:
build:
runs-on: windows-latest
# Use VS 2026 preview runner (GA May 4, 2026, then switch to windows-2025)
runs-on: windows-2025-vs2026
permissions:
security-events: write
strategy:
fail-fast: false
matrix:
configuration: [ 'Release', 'Debug', 'Release_Unicode', 'Debug_Unicode' ]
platform: [ 'Win32', 'x64' ]
platform: [ 'Win32', 'x64', 'ARM64', 'ARM64EC' ]
exclude:
# ARM64/ARM64EC only need Unicode builds
- platform: ARM64
configuration: Release
- platform: ARM64
configuration: Debug
- platform: ARM64EC
configuration: Release
- platform: ARM64EC
configuration: Debug

steps:
- name: Harden Runner
Expand All @@ -32,6 +44,39 @@ jobs:
with:
submodules: 'recursive'

- name: Install Windows 11 SDK (10.0.22621.0)
shell: pwsh
run: |
$sdkPath = "${env:ProgramFiles(x86)}\Windows Kits\10\Include\10.0.22621.0"
if (Test-Path $sdkPath) {
Write-Host "Windows SDK 10.0.22621.0 already installed"
exit 0
}

# Download and verify installer
$installer = "$env:TEMP\winsdksetup.exe"
$expectedHash = "73FE3CC0E50D946D0C0A83A1424111E60DEE23F0803E305A8974A963B58290C0"
Write-Host "Downloading Windows 11 SDK 10.0.22621.0..."
Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/?linkid=2196241" -OutFile $installer

# Verify SHA256 hash
$actualHash = (Get-FileHash -Path $installer -Algorithm SHA256).Hash
if ($actualHash -ne $expectedHash) {
Write-Error "SHA256 hash mismatch! Expected: $expectedHash, Got: $actualHash"
exit 1
Comment on lines +56 to +66
Copy link

Copilot AI Feb 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This SDK install step pins a SHA256 for a fwlink URL. fwlink targets can change over time (even for the same SDK version), which would cause spurious CI failures when the hash no longer matches. Prefer using a stable/package-based install method (e.g., VS workloads/components on the runner, winget, or a versioned direct download URL you control) or making the hash/version pair configurable.

Copilot uses AI. Check for mistakes.
}
Write-Host "SHA256 verified: $actualHash"

# Install SDK
Write-Host "Installing SDK (this may take a few minutes)..."
$proc = Start-Process -FilePath $installer -ArgumentList "/features OptionId.DesktopCPPx64 OptionId.DesktopCPPx86 OptionId.DesktopCPParm64 /quiet /norestart /log $env:TEMP\sdk_install.log" -Wait -PassThru
if (!(Test-Path $sdkPath)) {
Get-Content "$env:TEMP\sdk_install.log" -ErrorAction SilentlyContinue | Select-Object -Last 50
Comment on lines +72 to +74
Copy link

Copilot AI Feb 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The installer process exit code is captured in $proc but never checked. If the installer exits non-zero (or partially installs), the subsequent path check may not provide a clear failure reason. Consider validating $proc.ExitCode and surfacing the last lines of the log when it fails.

Suggested change
$proc = Start-Process -FilePath $installer -ArgumentList "/features OptionId.DesktopCPPx64 OptionId.DesktopCPPx86 OptionId.DesktopCPParm64 /quiet /norestart /log $env:TEMP\sdk_install.log" -Wait -PassThru
if (!(Test-Path $sdkPath)) {
Get-Content "$env:TEMP\sdk_install.log" -ErrorAction SilentlyContinue | Select-Object -Last 50
$logPath = Join-Path $env:TEMP "sdk_install.log"
$proc = Start-Process -FilePath $installer -ArgumentList "/features OptionId.DesktopCPPx64 OptionId.DesktopCPPx86 OptionId.DesktopCPParm64 /quiet /norestart /log `"$logPath`"" -Wait -PassThru
if ($proc.ExitCode -ne 0) {
Get-Content $logPath -ErrorAction SilentlyContinue | Select-Object -Last 50
Write-Error "Windows SDK installer exited with code $($proc.ExitCode)"
exit 1
}
if (!(Test-Path $sdkPath)) {
Get-Content $logPath -ErrorAction SilentlyContinue | Select-Object -Last 50

Copilot uses AI. Check for mistakes.
Write-Error "Windows SDK installation failed"
exit 1
}
Write-Host "Windows SDK 10.0.22621.0 installed successfully"

- name: "Build"
shell: pwsh
run: |
Expand Down Expand Up @@ -63,4 +108,4 @@ jobs:
- name: Publish Test Results
uses: EnricoMi/publish-unit-test-result-action@27d65e188ec43221b20d26de30f4892fad91df2f # v2.22.0
with:
files: "artifacts/**/*.trx"
files: "artifacts/**/*.trx"
2 changes: 1 addition & 1 deletion .github/workflows/scorecards.yml
Original file line number Diff line number Diff line change
Expand Up @@ -71,6 +71,6 @@ jobs:

# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v3.29.5
uses: github/codeql-action/upload-sarif@b5ebac6f4c00c8ccddb7cdcd45fdb248329f808a # v3.32.2
with:
sarif_file: results.sarif
2 changes: 1 addition & 1 deletion .vsconfig
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@
"Microsoft.VisualStudio.Component.VC.Tools.ARM64",
"Microsoft.VisualStudio.Component.VC.Tools.ARM64EC",
"Microsoft.VisualStudio.Component.VC.Tools.x86.x64",
"Microsoft.VisualStudio.Component.Windows10SDK.18362",
"Microsoft.VisualStudio.Component.Windows11SDK.22621",
"Microsoft.VisualStudio.ComponentGroup.ArchitectureTools.Native",
"Microsoft.VisualStudio.ComponentGroup.NativeDesktop.Core",
"Microsoft.VisualStudio.Workload.CoreEditor",
Expand Down
38 changes: 38 additions & 0 deletions Directory.Build.props
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
<?xml version="1.0" encoding="utf-8"?>
<Project>
<PropertyGroup>
<!-- VS 2026 Toolset -->
<PlatformToolset>v145</PlatformToolset>

<!-- Windows 11 SDK (pinned for reproducible builds) -->
<WindowsTargetPlatformVersion>10.0.22621.0</WindowsTargetPlatformVersion>

<!-- Security Features (PropertyGroup level) -->
<!-- Note: Spectre mitigated libs may not be available for ARM64/ARM64EC -->
<SpectreMitigation Condition="'$(Platform)' != 'ARM64' AND '$(Platform)' != 'ARM64EC'">Spectre</SpectreMitigation>
<SpectreMitigation Condition="'$(Platform)' == 'ARM64' OR '$(Platform)' == 'ARM64EC'">false</SpectreMitigation>
<ControlFlowGuard>Guard</ControlFlowGuard>
<GuardEHContMetadata>true</GuardEHContMetadata>
</PropertyGroup>

<!-- Compiler Settings - Quality & Security Baseline -->
<!-- CET (Control-flow Enforcement Technology) enabled by default, disabled for ARM64/ARM64EC below -->
<ItemDefinitionGroup>
<ClCompile>
<WarningLevel>Level4</WarningLevel>
<TreatWarningAsError>true</TreatWarningAsError>
<SDLCheck>true</SDLCheck>
<LanguageStandard>stdcpplatest</LanguageStandard>
</ClCompile>
<Link>
<CETCompat>true</CETCompat>
</Link>
</ItemDefinitionGroup>

<!-- Disable CET for ARM64/ARM64EC (not supported) -->
<ItemDefinitionGroup Condition="'$(Platform)' == 'ARM64' OR '$(Platform)' == 'ARM64EC'">
<Link>
<CETCompat>false</CETCompat>
</Link>
</ItemDefinitionGroup>
</Project>
17 changes: 2 additions & 15 deletions mapistub.sln
Original file line number Diff line number Diff line change
@@ -1,7 +1,6 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 15
VisualStudioVersion = 15.0.28307.779
# Visual Studio Version 18
VisualStudioVersion = 18.0.0.0
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "mapistub", "mapistub.vcxproj", "{ACD4DD9F-0FB8-42C8-BC1C-25A5A29CB40C}"
EndProject
Expand All @@ -15,10 +14,6 @@ Global
Debug|Win32 = Debug|Win32
Debug|ARM64 = Debug|ARM64
Debug|ARM64EC = Debug|ARM64EC
Prefast|x64 = Prefast|x64
Prefast|Win32 = Prefast|Win32
Prefast|ARM64 = Prefast|ARM64
Prefast|ARM64EC = Prefast|ARM64EC
Release_Unicode|x64 = Release_Unicode|x64
Release_Unicode|Win32 = Release_Unicode|Win32
Release_Unicode|ARM64 = Release_Unicode|ARM64
Expand All @@ -45,14 +40,6 @@ Global
{ACD4DD9F-0FB8-42C8-BC1C-25A5A29CB40C}.Debug|ARM64.Build.0 = Debug|ARM64
{ACD4DD9F-0FB8-42C8-BC1C-25A5A29CB40C}.Debug|ARM64EC.ActiveCfg = Debug|ARM64EC
{ACD4DD9F-0FB8-42C8-BC1C-25A5A29CB40C}.Debug|ARM64EC.Build.0 = Debug|ARM64EC
{ACD4DD9F-0FB8-42C8-BC1C-25A5A29CB40C}.Prefast|x64.ActiveCfg = Prefast|x64
{ACD4DD9F-0FB8-42C8-BC1C-25A5A29CB40C}.Prefast|x64.Build.0 = Prefast|x64
{ACD4DD9F-0FB8-42C8-BC1C-25A5A29CB40C}.Prefast|Win32.ActiveCfg = Prefast|Win32
{ACD4DD9F-0FB8-42C8-BC1C-25A5A29CB40C}.Prefast|Win32.Build.0 = Prefast|Win32
{ACD4DD9F-0FB8-42C8-BC1C-25A5A29CB40C}.Prefast|ARM64.ActiveCfg = Prefast|ARM64
{ACD4DD9F-0FB8-42C8-BC1C-25A5A29CB40C}.Prefast|ARM64.Build.0 = Prefast|ARM64
{ACD4DD9F-0FB8-42C8-BC1C-25A5A29CB40C}.Prefast|ARM64EC.ActiveCfg = Prefast|ARM64EC
{ACD4DD9F-0FB8-42C8-BC1C-25A5A29CB40C}.Prefast|ARM64EC.Build.0 = Prefast|ARM64EC
{ACD4DD9F-0FB8-42C8-BC1C-25A5A29CB40C}.Release_Unicode|x64.ActiveCfg = Release_Unicode|x64
{ACD4DD9F-0FB8-42C8-BC1C-25A5A29CB40C}.Release_Unicode|x64.Build.0 = Release_Unicode|x64
{ACD4DD9F-0FB8-42C8-BC1C-25A5A29CB40C}.Release_Unicode|Win32.ActiveCfg = Release_Unicode|Win32
Expand Down
Loading
Loading