feat: CI/CD fixes, documentation, security policy, and release automation#9
feat: CI/CD fixes, documentation, security policy, and release automation#90xgetz wants to merge 4 commits intounicitynetwork:mainfrom
Conversation
…San + functional test jobs - Fix typo: -DSANITIZE -> -DSANITIZER in pr-ci.yml so AddressSanitizer and UBSan are actually enabled in CI (were silently ignored before) - Pin RandomX GIT_TAG from floating origin/master to specific commit SHA 051d4424394cf8d1f8d0bfff581f0729f2753341 to eliminate supply chain risk - Remove GIT_SHALLOW from RandomX fetch (incompatible with pinned SHA) - Add macOS 14 (Apple Silicon) CI job - Add Linux Clang 18 ASan and UBSan matrix jobs - Add functional-tests CI job running Python test suite on every PR - Make nproc call portable for macOS (nproc || sysctl -n hw.logicalcpu)
- SECURITY.md: responsible disclosure policy, response timeline (48h ack, 7d assessment, 90d fix), scope definition, node operator best practices - CONTRIBUTING.md: dev setup, build instructions, sanitizer usage, coding standards, test instructions, branch naming, commit message conventions, PR/review process - .github/PULL_REQUEST_TEMPLATE: structured checklist with consensus-impact flag requiring two maintainer reviews for consensus-critical changes - .github/ISSUE_TEMPLATE/bug_report.yml: structured bug report with OS, compiler, reproduction steps, and log fields - .github/ISSUE_TEMPLATE/feature_request.yml: feature proposal with problem/solution/alternatives and codebase area dropdown - .github/ISSUE_TEMPLATE/consensus_issue.yml: dedicated template for consensus-critical bugs with impact assessment - .github/ISSUE_TEMPLATE/config.yml: disable blank issues, link security contact to SECURITY.md
- ARCHITECTURE.md: remove stale Orphan Pool component from architecture diagram (removed Feb 2026); headers now flow directly into ActiveTipCandidates. Update DoS protection section to reference candidate tip limits instead of orphan header limits. - CHANGELOG.md: add Keep a Changelog-format file documenting all changes in this PR (Unreleased section) plus a pre-release history summary covering the initial development period (Jan-Apr 2026)
- release.yml: triggered on v*.*.* tags; builds Linux x86_64 (GCC + Clang) and macOS arm64 binaries with LTO, runs unit tests, packages tar.gz with SHA256 checksums, creates GitHub Release with changelog notes extracted from CHANGELOG.md; pre-release flag set automatically for -alpha/-beta/-rc tags - coverage.yml: runs on push/PR to main; builds with GCC --coverage flags, captures lcov data, filters out system headers and third-party deps, generates HTML report artifact, uploads to Codecov with CODECOV_TOKEN secret; prints coverage summary to CI log
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request establishes project governance and documentation by adding issue and pull request templates, a security policy, a changelog, and a contributor guide. It also enhances build reproducibility by pinning the RandomX dependency and updates architectural documentation to reflect recent code removals. Review feedback identifies several necessary corrections: fixing broken relative links in issue templates, removing incorrect dependency requirements, improving build command portability for macOS users, and reconciling documentation regarding the use of assertions for consensus invariants.
| Thank you for taking the time to file a bug report. Please fill out all sections | ||
| to help us reproduce and fix the issue quickly. | ||
|
|
||
| **For security vulnerabilities, do NOT use this form.** See [SECURITY.md](../SECURITY.md). |
There was a problem hiding this comment.
The relative link to SECURITY.md is incorrect. Since this file is located in .github/ISSUE_TEMPLATE/, it needs to go up two levels (../../) to reach the repository root where SECURITY.md resides.
**For security vulnerabilities, do NOT use this form.** See [SECURITY.md](../../SECURITY.md).| Please provide as much detail as possible. | ||
|
|
||
| **If this could be exploited to attack the network, use the private disclosure | ||
| process in [SECURITY.md](../SECURITY.md) instead of this public form.** |
There was a problem hiding this comment.
The relative link to SECURITY.md is incorrect. It should point to the root of the repository using ../../SECURITY.md.
process in [SECURITY.md](../../SECURITY.md) instead of this public form.**| - **Boost** (system, filesystem) | ||
| - **libminiupnpc** |
There was a problem hiding this comment.
Boost is listed as a prerequisite, but the project's CMakeLists.txt (line 143) specifically uses standalone Asio to avoid a Boost dependency. Additionally, libminiupnpc is handled via FetchContent in CMake, so it is not strictly a system prerequisite. The Boost requirement should be removed to avoid confusion for new contributors.
| - **Boost** (system, filesystem) | |
| - **libminiupnpc** | |
| - **libminiupnpc** |
|
|
||
| ```bash | ||
| cmake -B build -DCMAKE_BUILD_TYPE=Debug | ||
| cmake --build build -j$(nproc) |
There was a problem hiding this comment.
The nproc command is a GNU utility and is not available by default on macOS. To ensure the build instructions are portable for macOS users (a goal of this PR), use cmake --build build --parallel. This applies to lines 56, 60, and 64 as well.
| cmake --build build -j$(nproc) | |
| cmake --build build --parallel |
| ```bash | ||
| # AddressSanitizer | ||
| cmake -B build -DSANITIZER=address -DCMAKE_BUILD_TYPE=RelWithDebInfo | ||
| cmake --build build -j$(nproc) |
There was a problem hiding this comment.
Use the portable --parallel flag instead of nproc for macOS compatibility.
| cmake --build build -j$(nproc) | |
| cmake --build build --parallel |
|
|
||
| # ThreadSanitizer | ||
| cmake -B build -DSANITIZER=thread -DCMAKE_BUILD_TYPE=RelWithDebInfo | ||
| cmake --build build -j$(nproc) |
There was a problem hiding this comment.
Use the portable --parallel flag instead of nproc for macOS compatibility.
| cmake --build build -j$(nproc) | |
| cmake --build build --parallel |
|
|
||
| # UndefinedBehaviorSanitizer | ||
| cmake -B build -DSANITIZER=undefined -DCMAKE_BUILD_TYPE=RelWithDebInfo | ||
| cmake --build build -j$(nproc) |
There was a problem hiding this comment.
Use the portable --parallel flag instead of nproc for macOS compatibility.
| cmake --build build -j$(nproc) | |
| cmake --build build --parallel |
| - Follow the existing **clang-format** style (run `clang-format -i` before committing) | ||
| - Run **clang-tidy** and address all warnings | ||
| - Run **cppcheck** for static analysis | ||
| - No `assert()` for consensus invariants in release builds — use explicit error handling |
There was a problem hiding this comment.
This statement contradicts the project's build configuration. CMakeLists.txt (lines 39-42) explicitly keeps assert() active in all build types (including Release) to guard consensus-critical invariants. The documentation should reflect that asserts are used for invariants.
| - No `assert()` for consensus invariants in release builds — use explicit error handling | |
| - Use assert() for consensus invariants (active in all build types) — use explicit error handling for runtime/user errors |
1 participant
Summary
This pull request consolidates four commits of improvements across CI/CD, documentation, security, and release automation:
1. Fix sanitizer flags + macOS CI + ASan/UBSan jobs
2. Add SECURITY.md + CONTRIBUTING.md + issue/PR templates
SECURITY.mdwith a vulnerability disclosure and security policyCONTRIBUTING.mdwith contribution guidelines and developer workflow3. Update ARCHITECTURE.md + add CHANGELOG.md
ARCHITECTURE.mdto reflect current system design and component structureCHANGELOG.mdto track version history and notable changes going forward4. Add release automation workflow + Codecov coverage CI