
ci: add modular production workflow pipeline #462 #512

Draft
somethingwithproof wants to merge 1 commit into Cacti:develop from somethingwithproof:issue-462-gha-pipeline-hardening

Conversation

@somethingwithproof
Contributor

@somethingwithproof somethingwithproof commented Mar 14, 2026

Summary

Replaces the single ci.yml with a comprehensive, modular CI pipeline covering build verification, static analysis, security, coverage, fuzzing, integration testing, and release verification across all supported platforms.

Closes #462

Workflows (10)

On every PR and push

| Workflow | What it does |
|---|---|
| ci.yml | Build matrix: gcc/clang on Ubuntu 22.04/24.04 with ASan+UBSan+LSan, macOS 13/14/15, Windows/Cygwin |
| static-analysis.yml | cppcheck + clang-tidy with SARIF upload |
| coverage.yml | gcov coverage reporting with minimum gate |
| integration.yml | MariaDB integration + Docker test suites (smoke, output_regex, db_column_detect) |
| codeql.yml | GitHub CodeQL semantic analysis |
| fuzzing.yml | CLI robustness smoke tests |
| perf-regression.yml | Performance baseline tracking |

Scheduled

| Workflow | Schedule | What it does |
|---|---|---|
| nightly.yml | Daily 2:30 AM | TSan, valgrind memcheck, scan-build, extended sanitizer + leak detection |
| security-posture.yml | Weekly Monday | Workflow policy validation, unsafe API guardrail |
| codeql.yml | Weekly Monday | Deep semantic analysis |

On release tags

| Workflow | What it does |
|---|---|
| release-verification.yml | SBOM generation via anchore/sbom-action |

Build matrix coverage

| Platform | Compiler | Sanitizers / hardening | Frequency |
|---|---|---|---|
| Ubuntu 22.04 | gcc | hardened (-D_FORTIFY_SOURCE=3, stack protector) | Every PR |
| Ubuntu 24.04 | gcc | hardened | Every PR |
| Ubuntu 22.04 | clang | ASan + UBSan | Every PR |
| Ubuntu 24.04 | clang | ASan + UBSan | Every PR |
| Ubuntu 22.04 | clang | ASan + LSan | Every PR |
| Ubuntu 24.04 | clang | ASan + LSan | Every PR |
| Ubuntu 22.04 | clang | TSan | Nightly |
| Ubuntu 24.04 | clang | TSan | Nightly |
| macOS 13 (Intel) | Apple clang | none | Every PR |
| macOS 14 (M1) | Apple clang | none | Every PR |
| macOS 15 (M3) | Apple clang | none | Every PR |
| Windows (Cygwin) | gcc | none | Every PR |

Build system fixes

  • Makefile.am: added noinst_HEADERS for dependency tracking, EXTRA_DIST with all test fixtures and scripts, CLEANFILES, check-unit target, direct cppcheck (no Docker dependency)
  • configure.ac: removed duplicate AC_PROG_CC, removed deprecated AC_HEADER_TIME, fixed bash-isms in MySQL detection ([[ ]] -> test)

Security

  • All GitHub Actions pinned to full commit SHA
  • All run blocks use set -euo pipefail
  • Permissions scoped to contents: read by default
  • security-events: write only where needed (CodeQL, SARIF upload)
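The three rules listed under "Security" (SHA-pinned actions, `set -euo pipefail` in every `run` block, write permissions only where justified) are the kind of thing a workflow-policy check can enforce mechanically. The script below is an added illustration of such a check; it is not the PR's own `.github/scripts/check-workflow-policy.py`, it scans the YAML as text so it needs no PyYAML, and `SAMPLE_WORKFLOW` is a constructed example (the 40-hex SHA in it is a placeholder, not a real release of any action).

```python
"""Line-based workflow policy check (illustrative, not the PR's script)."""
import re
import sys

USES = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
LOCAL_ACTION = re.compile(r"^\s*-?\s*uses:\s*\./")       # repo-local actions carry no version to pin
SHA_PINNED = re.compile(r"^\s*-?\s*uses:\s*\S+@[0-9a-f]{40}(\s+#.*)?$")
RUN = re.compile(r"^\s*run:\s*(.*)$")
WRITE_PERM = re.compile(r"^\s*([a-z-]+):\s*write\s*$")
STRICT_PRELUDE = "set -euo pipefail"
ALLOWED_WRITE = {"security-events"}   # the only write scope the PR justifies (CodeQL / SARIF upload)


def check_workflow(text):
    """Return [(line_no, message), ...] for every policy violation in one workflow file."""
    findings = []
    lines = text.splitlines()
    for no, line in enumerate(lines, 1):
        m = USES.match(line)
        if m and not LOCAL_ACTION.match(line) and not SHA_PINNED.match(line):
            findings.append((no, f"action not pinned to a 40-hex commit SHA: {m.group(1)}"))
        m = RUN.match(line)
        if m:
            head = m.group(1).strip()
            if head in ("|", "|-", "|+", ">", ">-"):      # block scalar: inspect its first non-empty line
                head = next((ln.strip() for ln in lines[no:] if ln.strip()), "")
            if not head.startswith(STRICT_PRELUDE):
                findings.append((no, f"run block does not start with '{STRICT_PRELUDE}'"))
        m = WRITE_PERM.match(line)
        if m and m.group(1) not in ALLOWED_WRITE:
            findings.append((no, f"write permission outside the allowlist: {m.group(1)}"))
    return findings


# Constructed sample: one unpinned action, one unjustified write scope, one loose run block.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-24.04
    permissions:
      security-events: write
      packages: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - name: Build
        run: |
          set -euo pipefail
          make
      - name: Loose
        run: |
          make check
"""

if __name__ == "__main__":
    # With file paths on the command line, check those; otherwise check the sample.
    sources = [(p, open(p).read()) for p in sys.argv[1:]] or [("sample", SAMPLE_WORKFLOW)]
    for name, text in sources:
        for no, msg in check_workflow(name and text):
            print(f"{name}:{no}: {msg}")
```

Running it on the sample reports the `v4` tag on line 12, the `packages: write` scope on line 10 and the `make check` block on line 19. A text scan like this deliberately errs toward false positives (a `uses:` key inside a `run` block would be flagged too); the point is that a pinned-SHA or strict-mode regression fails CI rather than slipping in with a routine edit.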

Copilot AI review requested due to automatic review settings March 14, 2026 23:10
Contributor

Copilot AI left a comment


Pull request overview

This PR modernizes and hardens the repository’s CI/CD posture by adding a modular suite of GitHub Actions workflows for build/test, security scanning, static analysis, coverage, performance regression checks, and release verification—plus supporting scripts and baselines (including an “unsafe C API additions” guardrail).

Changes:

  • Adds dedicated workflows for static analysis, security posture, CodeQL, coverage gating, performance regression checks, fuzzing, nightly heavy checks, integration, and release verification.
  • Expands the main CI workflow with a multi-OS/multi-sanitizer build+test matrix, portability smoke checks, and an unsafe C API addition guard.
  • Introduces helper scripts for SARIF conversion, workflow policy enforcement, leak trend gating, and provides baseline/config files used by these jobs.

Reviewed changes

Copilot reviewed 20 out of 20 changed files in this pull request and generated 5 comments.

Summary per file

| File | Description |
|---|---|
| .github/workflows/static-analysis.yml | Adds actionlint/shell lint/codespell/clang-tidy/scan-build/cppcheck jobs and SARIF upload. |
| .github/workflows/security-posture.yml | Adds TruffleHog, Semgrep, Scorecard, and workflow policy enforcement. |
| .github/workflows/release-verification.yml | Adds hardened release build verification, ELF hardening checks, SBOM generation, and provenance attestation. |
| .github/workflows/perf-regression.yml | Adds baseline-gated CLI + SNMP performance benchmarking. |
| .github/workflows/nightly.yml | Adds nightly TSAN/ASAN+UBSAN/valgrind/fuzz smoke and leak-trend enforcement. |
| .github/workflows/integration.yml | Adds MariaDB-backed integration job scaffolding and artifact collection. |
| .github/workflows/fuzzing.yml | Adds PR/scheduled CLI argument fuzz smoke using ASAN/UBSAN builds. |
| .github/workflows/coverage.yml | Adds GCC coverage generation + minimum coverage gate and artifacts. |
| .github/workflows/codeql.yml | Adds CodeQL init/build/analyze for c-cpp with scheduled runs. |
| .github/workflows/ci.yml | Reworks CI into a hardened matrix, portability smoke, and unsafe API guard job. |
| .github/scripts/cppcheck_to_sarif.py | Converts cppcheck text output to SARIF for code scanning ingestion. |
| .github/scripts/clang_tidy_to_sarif.py | Converts clang-tidy text output to SARIF for code scanning ingestion. |
| .github/scripts/check-workflow-policy.py | Enforces pinned actions, strict bash settings, and curl-pipe allowlisting. |
| .github/scripts/check-unsafe-api-additions.sh | Blocks newly introduced banned C APIs in diffs. |
| .github/scripts/check-leak-trend.py | Parses sanitizer/valgrind logs and enforces nightly leak baselines. |
| .github/perf-baseline.json | Baselines and thresholds for perf regression gating. |
| .github/nightly-leak-baseline.json | Baselines for sanitizer/valgrind leak trend gating. |
| .github/instructions/instructions.md | Updates contributor/CI guidance and documents the unsafe API guardrail. |
| .github/cppcheck-baseline.txt | Baseline file used to detect cppcheck regressions. |
| .codespell-ignore-words.txt | Adds ignored spelling token(s) for codespell. |


run: |
set -euo pipefail
sudo apt-get update
sudo apt-get install -y golang-go
Contributor Author


Fixed -- added mkdir -p before go install.

Comment on lines 135 to 145
- name: Gate nightly-only matrix rows
id: gate
run: |
set -euo pipefail
if [[ "${{ matrix.nightly_only }}" == 'true' && "${{ github.event_name }}" != 'schedule' && "${{ github.event_name }}" != 'workflow_dispatch' ]]; then
echo "run=false" >> "${GITHUB_OUTPUT}"
echo "::notice::Skipping nightly-only matrix row for event '${{ github.event_name }}'."
else
echo "run=true" >> "${GITHUB_OUTPUT}"
fi

Contributor Author


Acknowledged -- will move gating to job-level condition in a follow-up.

Comment on lines +6 to +13
if [[ -n "${GITHUB_BASE_REF:-}" ]]; then
git fetch --no-tags --depth=1 origin "${GITHUB_BASE_REF}" || true
base_commit="$(git merge-base HEAD "origin/${GITHUB_BASE_REF}" 2>/dev/null || true)"
fi

if [[ -z "${base_commit}" ]]; then
base_commit="$(git rev-parse HEAD~1 2>/dev/null || git rev-list --max-parents=0 HEAD)"
fi
Contributor Author


Fixed -- increased fetch depth for reliable merge-base.

base_commit="$(git rev-parse HEAD~1 2>/dev/null || git rev-list --max-parents=0 HEAD)"
fi

banned_regex='(sprintf|vsprintf|strcpy|strcat|gets)\s*\('
Contributor Author


Fixed -- added word boundaries to avoid false positives on fgets/fputs.
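The false positive behind that reply is easy to reproduce: `gets\s*\(` has no left edge, so `fgets(` satisfies it. The script below is an added illustration of the guard with the word boundary in place, scanning only the `+` lines of a unified diff so that pre-existing calls are not re-flagged; it is not the PR's own `.github/scripts/check-unsafe-api-additions.sh`, and `DIFF` is a constructed sample rather than code from this repository.

```python
"""Flag newly added calls to banned C APIs in a unified diff (illustrative, not the PR's script)."""
import re

BANNED = ("sprintf", "vsprintf", "strcpy", "strcat", "gets")
# The pattern quoted in the review: nothing anchors the left edge, so the
# 'gets' alternative also fires on 'fgets('.
NAIVE_RE = re.compile(r"(sprintf|vsprintf|strcpy|strcat|gets)\s*\(")
# A leading \b rejects identifiers that merely end in a banned name, while the
# trailing \s*\( still leaves 'strcpy_s(' or 'strcat_len(' unflagged.
BANNED_RE = re.compile(r"\b(" + "|".join(BANNED) + r")\s*\(")
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def added_lines(diff):
    """Yield (path, new_file_line_no, text) for each '+' line of a unified diff."""
    path, line_no = None, 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].split("\t", 1)[0]
            path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith("--- ") or raw.startswith("\\"):
            continue                      # old-file header / "No newline at end of file" marker
        m = HUNK_RE.match(raw)
        if m:
            line_no = int(m.group(1))     # hunk header gives the new-file start line
        elif raw.startswith("+"):
            yield path, line_no, raw[1:]
            line_no += 1
        elif not raw.startswith("-"):
            line_no += 1                  # context line advances the new-file counter; removed lines do not


def find_unsafe_additions(diff, pattern=BANNED_RE, exts=(".c", ".h")):
    """Return [(path, line, api), ...] for added C source lines that call a banned API."""
    hits = []
    for path, line_no, text in added_lines(diff):
        if path is None or not path.endswith(exts):
            continue
        code = text.split("//", 1)[0]     # crude: ignore trailing line comments
        m = pattern.search(code)
        if m:
            hits.append((path, line_no, m.group(1)))
    return hits


# Constructed sample diff: a strcpy is removed, an fgets is added (safe), a strcat is added (banned).
DIFF = """\
diff --git a/src/poller.c b/src/poller.c
--- a/src/poller.c
+++ b/src/poller.c
@@ -10,4 +10,7 @@ int read_config(FILE *fp, char *out, size_t n, const char *suffix)
 {
-    strcpy(out, "default");
+    snprintf(out, n, "%s", "default");
+    if (fgets(out, (int) n, fp) == NULL) {
+        return -1;
+    }
+    strcat(out, suffix);  // newly introduced call: should be flagged
     return 0;
 }
"""

if __name__ == "__main__":
    for label, pattern in (("naive", NAIVE_RE), ("bounded", BANNED_RE)):
        print(label, find_unsafe_additions(DIFF, pattern=pattern))
```

With the original pattern the sample yields two hits (`gets` on the `fgets` line and `strcat`); with the word boundary only the `strcat` addition remains, and the removed `strcpy` never appears because `-` lines are skipped. In a CI job the diff would come from `git diff <base_commit>...HEAD`, which is why the merge-base computation discussed above has to be reliable: an unrelated base makes every line look "added".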


- name: Install actionlint
run: |
set -euo pipefail
Contributor Author


Fixed -- added mkdir -p.

@somethingwithproof somethingwithproof marked this pull request as draft March 20, 2026 10:00
@somethingwithproof
Contributor Author

This PR has no file overlap with #511 or #513. Safe to merge independently in any order.

@somethingwithproof somethingwithproof marked this pull request as ready for review March 24, 2026 08:58
@somethingwithproof somethingwithproof force-pushed the issue-462-gha-pipeline-hardening branch from 86e5bec to 677f074 Compare March 25, 2026 02:27
@somethingwithproof somethingwithproof marked this pull request as draft March 25, 2026 10:07
@somethingwithproof somethingwithproof force-pushed the issue-462-gha-pipeline-hardening branch 4 times, most recently from 577bac0 to ba984ab Compare March 26, 2026 02:43
@somethingwithproof somethingwithproof force-pushed the issue-462-gha-pipeline-hardening branch 3 times, most recently from c866a3d to 0028985 Compare March 26, 2026 06:35
Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>

Development

Successfully merging this pull request may close these issues.

ci: add modular production workflow pipeline (tracking issue)

2 participants