```text
GitHub Push/PR Event
        │
        ▼
┌───────────────────────────────────────────────────────────────────┐
│                        CI Pipeline Stages                         │
└───────────────────────────────────────────────────────────────────┘
        │
        ├─────────────────────────┬─────────────────────────┐
        │                         │                         │
        ▼                         ▼                         ▼
┌─────────────────┐     ┌─────────────────┐     ┌─────────────────┐
│ Stage 1:        │     │ Stage 2:        │     │ Stage 3:        │
│ Lint & Format   │────►│ Build & Test    │────►│ Security        │
│                 │     │                 │     │ Scanning        │
└─────────────────┘     └─────────────────┘     └─────────────────┘
  Jobs:                   Jobs:                   Jobs:
  • clang-format          • Linux (x64)           • CodeQL
  • clang-tidy            • macOS (x64/ARM)       • Snyk
  • cppcheck              • Windows (x64)         • Trivy
  • CMake format          • Run Tests             • Gitleaks
  • Shell lint            • Coverage              • Semgrep
  • YAML lint                                     • Bearer
  • Spell check                                   • Grype
        │                         │                         │
        └─────────────────────────┼─────────────────────────┘
                                  ▼
                       ┌─────────────────────┐
                       │ Stage 4:            │
                       │ Quality Analysis    │
                       └─────────────────────┘
                         Jobs:
                         • SonarCloud
                         • Lizard (complexity)
                         • Valgrind (memory)
                                  │
                                  ▼
                     ┌───────────────────────────┐
                     │    All Checks Passed?     │
                     └─────────────┬─────────────┘
                                   │
                        ┌──────────┴──────────┐
                        │                     │
                     Yes ▼                    ▼ No
             ┌───────────────────┐  ┌───────────────────┐
             │ PR Approved       │  │ Fix Issues &      │
             │ Ready to Merge    │  │ Re-run Pipeline   │
             └───────────────────┘  └───────────────────┘
```
Purpose: Fast failure for code style and format issues
```text
Format Check (clang-format)
│
├─► Checks C/C++ code formatting
├─► Uses clang-format-18
└─► Runs in ~15 seconds

CMake Format Check
│
├─► Validates CMake file formatting
├─► Uses gersemi
└─► Runs in ~10 seconds

Static Analysis (clang-tidy)
│
├─► Advanced C/C++ static analysis
├─► Checks for bugs, performance issues
└─► Runs in ~50 seconds

Static Analysis (cppcheck)
│
├─► C/C++ static analysis
├─► Finds bugs and undefined behavior
└─► Runs in ~30 seconds

Shell Script Analysis (shellcheck)
│
├─► Validates bash scripts
└─► Runs in ~5 seconds

YAML Lint
│
├─► Validates workflow YAML files
└─► Runs in ~5 seconds

Spell Check (codespell)
│
├─► Catches typos in code and docs
└─► Runs in ~15 seconds
```
Exit Criteria: All linters pass, code is properly formatted
Purpose: Verify code compiles and tests pass on all platforms
```text
┌──────────────────────────────────────────────────────────┐
│               Multi-Platform Build Matrix                │
└──────────────────────────────────────────────────────────┘

Ubuntu 22.04 (x86_64)
├─► Build Debug & Release
├─► Run Unit Tests (CTest)
├─► Generate Coverage Report
└─► Upload Artifacts

macOS (Intel x64)
├─► Build Universal Binary
├─► Run Unit Tests
├─► Code Sign (if certificates available)
└─► Upload Artifacts

macOS (Apple Silicon ARM64)
├─► Build Universal Binary
├─► Run Unit Tests
└─► Upload Artifacts

Windows (x64)
├─► Build Debug & Release
├─► Run Unit Tests
└─► Upload Artifacts
```
Build Process:
```text
Install Dependencies
│
├─► libobs-dev
├─► libcurl-dev
├─► libjansson-dev
└─► CMake, Ninja
│
▼
Configure CMake
│
├─► -DCMAKE_BUILD_TYPE=Release
├─► -DENABLE_TESTING=ON
└─► -DENABLE_COVERAGE=ON (Linux only)
│
▼
Build Project
│
├─► ninja build
└─► ~2 minutes per platform
│
▼
Run Tests
│
├─► Unit tests (CTest)
├─► API tests
├─► Config tests
└─► Multistream tests
│
▼
Generate Reports
│
├─► Coverage (Linux)
├─► Test Results (JUnit XML)
└─► Build Artifacts
```
Exit Criteria: All platforms build successfully, all tests pass
Purpose: Identify security vulnerabilities and secrets
```text
┌──────────────────────────────────────────────────────────┐
│                    Security Scanners                     │
└──────────────────────────────────────────────────────────┘

CodeQL (GitHub Native) - SECURITY + QUALITY
├─► Deep semantic code analysis
├─► Queries: security-extended + security-and-quality
├─► Security: SQL injection, XSS, buffer overflow
├─► Quality: Code smells, best practices, bugs
├─► Maintainability & reliability metrics
└─► Results → GitHub Security Tab + Code Scanning

Snyk
├─► Dependency vulnerability scanning
├─► Severity threshold: high
├─► SARIF output
└─► Results → GitHub Security Tab

Trivy (Aqua Security)
├─► Filesystem vulnerability scanner
├─► Detects: HIGH, CRITICAL
├─► Scans dependencies and code
└─► Results → GitHub Security Tab

Gitleaks
├─► Secret scanning (API keys, tokens)
├─► Full git history scan
└─► Prevents credential leaks

Semgrep
├─► Pattern-based code analysis
├─► Config: auto (community rules)
├─► Detects: insecure patterns
└─► Results → GitHub Security Tab

Bearer
├─► Data security and privacy scanner
├─► Detects: PII handling issues
├─► With SARIF validation
└─► Results → GitHub Security Tab

Grype (Anchore)
├─► Vulnerability scanner
├─► Severity cutoff: high
└─► Results → GitHub Security Tab
```
Security Flow:
```text
PR/Push Event
│
├─► Run 7 security scanners in parallel
│
├─► Generate SARIF reports
│
├─► Upload to GitHub Security Tab
│
├─► Check for CRITICAL/HIGH findings
│
└─► Flag PR if critical issues found
```
Exit Criteria: No critical/high vulnerabilities, no secrets detected
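The "Check for CRITICAL/HIGH findings" step above, as an added example that is not part of the project's workflows: a small Python gate that reads a SARIF log and fails when any finding lands in the critical or high band. It assumes rules sit under `tool.driver.rules` and carry GitHub's `security-severity` property; treating an unscored `level: error` result as high is this script's own policy, and the embedded SARIF document is constructed.

```python
"""Added example (not the project's workflow code): gate a SARIF log on
CRITICAL/HIGH findings using GitHub code scanning's bands for the rule
property `security-severity` (>=9.0 critical, >=7.0 high, >=4.0 medium,
else low). Unscored rules fall back to the SARIF `level`: 'error' counts as
high (this script's own policy), anything else as low. Rules are assumed
to be listed under tool.driver.rules."""
import json
import sys

BLOCKING = ("critical", "high")

def band(score):
    """Map a CVSS-style security-severity score to a severity band."""
    return ("critical" if score >= 9.0 else "high" if score >= 7.0
            else "medium" if score >= 4.0 else "low")

def severities(sarif):
    """Count findings per band across every run in the SARIF log."""
    counts = {}
    for run in sarif.get("runs", []):
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            score = rules.get(res.get("ruleId"), {}).get("properties", {}).get("security-severity")
            if score is None:  # unscored rule: fall back to the result level
                b = "high" if res.get("level") == "error" else "low"
            else:
                b = band(float(score))
            counts[b] = counts.get(b, 0) + 1
    return counts

def gate(sarif):
    """True when no finding is critical/high, i.e. the PR may proceed."""
    counts = severities(sarif)
    return not any(counts.get(b, 0) for b in BLOCKING)

# Constructed sample: one finding in each band; rule R4 carries no score.
SAMPLE_SARIF = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-scanner", "rules": [
        {"id": "R1", "properties": {"security-severity": "9.8"}},
        {"id": "R2", "properties": {"security-severity": "7.5"}},
        {"id": "R3", "properties": {"security-severity": "5.0"}},
        {"id": "R4"}]}},
    "results": [{"ruleId": "R1", "level": "error"},
                {"ruleId": "R2", "level": "warning"},
                {"ruleId": "R3", "level": "warning"},
                {"ruleId": "R4", "level": "note"}]}]}

if __name__ == "__main__":
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SARIF
    sys.exit(0 if gate(report) else 1)  # non-zero exit flags the PR
```

Run it with a scanner's `.sarif` file as the only argument; with no argument it evaluates the constructed sample and exits 1.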
Purpose: Ensure code maintainability and performance
```text
┌──────────────────────────────────────────────────────────┐
│                    Code Quality Tools                    │
└──────────────────────────────────────────────────────────┘

SonarCloud
├─► Comprehensive quality metrics
├─► Code coverage analysis
├─► Technical debt calculation
├─► Code smells detection
├─► Duplicate code detection
└─► Quality gate: Pass/Fail

Lizard (Complexity Analysis)
├─► Cyclomatic complexity (CCN)
├─► Threshold: CCN < 15
├─► Function analysis
├─► HTML report generation
└─► Artifact: lizard-report.html

Valgrind (Memory Analysis)
├─► Memory leak detection
├─► Invalid memory access
├─► Uninitialized value usage
├─► Runs tests with --leak-check=full
└─► Artifact: valgrind-output.txt
```
Quality Metrics:
```text
SonarCloud Quality Gate
│
├─► Coverage: > 80%
├─► Duplications: < 3%
├─► Maintainability Rating: A
├─► Reliability Rating: A
├─► Security Rating: A
└─► Pass/Fail Decision

Complexity Check
│
├─► Max CCN per function: 15
├─► Flag high-complexity functions
└─► Suggest refactoring

Memory Safety
│
├─► Zero memory leaks
├─► No invalid access
└─► All tests pass under Valgrind
```
Exit Criteria: Quality gate passes, complexity acceptable, no memory leaks
```text
Tag Created (v*.*.*)
│
▼
┌──────────────────────────────────────────────────────────┐
│                Release Pipeline Triggers                 │
└──────────────────────────────────────────────────────────┘
│
├─► Build all platforms (Linux, macOS, Windows)
│
├─► Run full test suite
│
├─► Package binaries
│   ├─► .tar.gz (Linux)
│   ├─► .pkg (macOS)
│   └─► .zip (Windows)
│
├─► Generate checksums (SHA256)
│
├─► Create GitHub Release
│   ├─► Upload artifacts
│   ├─► Generate release notes
│   └─► Mark as latest/pre-release
│
└─► Notify (optional)
```
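The "Generate checksums (SHA256)" step, as an added example (not the project's release workflow): writing a SHA256SUMS manifest in the two-space `<hex>  <name>` format that `sha256sum` emits, then verifying artifacts against it so that a modified or missing download is reported the way `sha256sum -c` would. The artifact file names are constructed stand-ins for the real packages.

```python
"""Added example (not the project's release workflow): write a SHA256SUMS
manifest for packaged release artifacts in the `<hex>  <name>` format that
`sha256sum` emits, then verify files against it like `sha256sum -c` would.
Artifact names below are constructed stand-ins for the real packages."""
import hashlib
import os
import tempfile

def sha256_of(path, chunk=1 << 20):
    """Stream the file so large release packages are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def write_manifest(artifact_dir, names, manifest="SHA256SUMS"):
    """Write one line per artifact; two spaces separate hash and name."""
    lines = [f"{sha256_of(os.path.join(artifact_dir, n))}  {n}" for n in names]
    with open(os.path.join(artifact_dir, manifest), "w") as f:
        f.write("\n".join(lines) + "\n")
    return lines

def verify_manifest(artifact_dir, manifest="SHA256SUMS"):
    """Return {name: 'OK' | 'FAILED' | 'MISSING'} for every manifest entry."""
    status = {}
    with open(os.path.join(artifact_dir, manifest)) as f:
        for line in f:
            expected, name = line.rstrip("\n").split("  ", 1)
            path = os.path.join(artifact_dir, name)
            if not os.path.isfile(path):
                status[name] = "MISSING"
            else:
                status[name] = "OK" if sha256_of(path) == expected else "FAILED"
    return status

def demo():
    """Constructed artifacts: hash them, then tamper with the Windows zip."""
    d = tempfile.mkdtemp()
    names = ["obs-polyemesis-linux.tar.gz", "obs-polyemesis-macos.pkg",
             "obs-polyemesis-windows.zip"]
    for n in names:
        with open(os.path.join(d, n), "wb") as f:
            f.write(b"constructed release payload for " + n.encode())
    write_manifest(d, names)
    with open(os.path.join(d, names[2]), "ab") as f:
        f.write(b"\x00")  # simulate a corrupted or modified download
    return verify_manifest(d)

if __name__ == "__main__":
    print(demo())
```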
```text
Build Artifacts
│
├─► Build Outputs
│   ├─► obs-polyemesis.so (Linux)
│   ├─► obs-polyemesis.dylib (macOS)
│   └─► obs-polyemesis.dll (Windows)
│
├─► Test Results
│   ├─► test-results.xml (JUnit)
│   └─► coverage.xml (Cobertura)
│
├─► Security Reports
│   ├─► *.sarif files
│   └─► Uploaded to GitHub Security
│
├─► Quality Reports
│   ├─► lizard-report.html
│   ├─► valgrind-output.txt
│   └─► sonarcloud results
│
└─► Retention: 30 days
```
Typical pipeline execution times:
| Stage | Duration |
|---|---|
| Lint & Format | ~2 min |
| Build (all platforms) | ~8 min |
| Tests | ~3 min |
| Security Scanning | ~5 min |
| Quality Analysis | ~6 min |
| Total | ~25 min |
```text
main branch
│
├─► Require pull request
│   ├─► Require 1 approval (recommended)
│   └─► Dismiss stale reviews
│
├─► Require status checks
│   ├─► lint (all jobs)
│   ├─► build-and-test (all platforms)
│   ├─► security (CodeQL, Snyk, Trivy)
│   └─► quality-analysis (SonarCloud)
│
├─► Require branches up to date
│
├─► Block force pushes
│
└─► Block deletions
```
```bash
# List recent runs
gh run list --limit 10

# View specific run
gh run view <run-id>

# View logs
gh run view <run-id> --log

# Download artifacts
gh run download <run-id>
```

1. Check which job failed:
   ```bash
   gh run view <run-id>
   ```
2. View detailed logs:
   ```bash
   gh run view <run-id> --log-failed
   ```
3. Download artifacts for inspection:
   ```bash
   gh run download <run-id>
   ```
4. Reproduce locally:
   - Use same CMake flags
   - Run same test commands
   - Check dependencies match CI
```bash
# Install act (GitHub Actions locally)
brew install act  # macOS
# or
curl https://raw.githubusercontent.com/nektos/act/master/install.sh | sudo bash

# Run lint workflow
act workflow_call -W .github/workflows/lint.yaml

# Run build workflow (Linux only)
act workflow_call -W .github/workflows/build-project.yaml -j ubuntu-build

# List available workflows
act -l
```

- No secrets in code - Gitleaks prevents this
- Dependency scanning - Snyk, Trivy catch vulnerabilities
- Code analysis - CodeQL, Semgrep find security bugs
- SARIF upload - All findings go to Security tab
- Scheduled scans - Security runs weekly on Monday
- Use caching:
  ```yaml
  - uses: actions/cache@v4
    with:
      path: build
      key: ${{ runner.os }}-build-${{ hashFiles('**/CMakeLists.txt') }}
  ```
- Parallel jobs:
  - Lint jobs run in parallel
  - Build matrix runs concurrently
  - Security scanners run simultaneously
- Fail fast:
  - Lint fails early (Stage 1)
  - Prevents unnecessary builds
- Self-hosted runners for heavy jobs
- Skip CI for docs-only changes:
  ```bash
  git commit -m "docs: update readme [skip ci]"
  ```
- Conditional workflows:
  ```yaml
  if: github.event_name == 'push' && github.ref == 'refs/heads/main'
  ```
For more information, see: