Packaging and workflows improvements

.github/actions/build-ci-image/action.yml

@@ -57,7 +57,7 @@ runs:
 
     - name: Docker meta
       id: meta
-      uses: docker/metadata-action@v5
+      uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
       with:
         images: ${{ inputs.image }}
         tags: ${{ inputs.tags }}
@@ -68,21 +68,21 @@ runs:
           org.opencontainers.image.title=libfn/ci/${{ inputs.title }}
 
     - name: Set up QEMU
-      uses: docker/setup-qemu-action@v3
+      uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
 
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v3
+      uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
     - name: Login to Docker Hub
-      uses: docker/login-action@v3
+      uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
       with:
         registry: ${{ inputs.registry }}
         username: ${{ inputs.username }}
         password: ${{ inputs.password  }}
 
     - name: Build and push by digest
       id: build
-      uses: docker/build-push-action@v6
+      uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
       with:
         platforms: ${{ inputs.platform }}
         build-args: ${{ inputs.build_args }}
@@ -105,7 +105,7 @@ runs:
 
     - name: Upload digest
       if: ${{ inputs.push }}
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: digests-${{ inputs.title }}-${{ env.PLATFORM_PAIR }}
         path: /tmp/digests/*

.github/actions/merge-ci-images/action.yml

@@ -27,24 +27,24 @@ runs:
   using: composite
   steps:
     - name: Download digests
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
       with:
         path: /tmp/digests
         pattern: digests-${{ inputs.title }}-*
         merge-multiple: true
 
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v3
+      uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
     - name: Docker meta
       id: meta
-      uses: docker/metadata-action@v5
+      uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
       with:
         images: ${{ inputs.image }}
         tags: ${{ inputs.tags }}
 
     - name: Login to Docker Hub
-      uses: docker/login-action@v3
+      uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
       with:
         registry: ${{ inputs.registry }}
         username: ${{ inputs.username }}

.github/dependabot.yml

@@ -0,0 +1,9 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directories:
+      - "/"
+      - "/.github/actions/build-ci-image"
+      - "/.github/actions/merge-ci-images"
+    schedule:
+      interval: "weekly"

.github/workflows/build.yml

@@ -54,16 +54,25 @@ jobs:
           - "clang:20"
           - "clang:21"
           - "clang:22"
+          - "clang-libstdcxx:21"
+          - "clang-libstdcxx:22"
         exclude:
           - mode: cxx23
             compiler: "gcc:12"
           - mode: cxx23
             compiler: "clang:16"
           - mode: cxx23
             compiler: "clang:17"
+        include:
+          - mode: all
+            configuration: Debug
+            compiler: "gcc:14"
+          - mode: all
+            configuration: Release
+            compiler: "gcc:14"
     container: libfn.azurecr.io/ci-build-${{ matrix.compiler }}
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
     - name: Prepare build
       run: |
@@ -77,17 +86,17 @@ jobs:
         printf "C++ compilation options: %s\n" "$FLAGS"
 
     - name: Build and test ${{ matrix.mode }}
+      if: matrix.mode != 'all'
       run: |
         cd .build
         cmake --build . --target ${{ matrix.mode }}
         ctest -L ${{ matrix.mode }} --output-on-failure
 
     # Build and test all for one arbitrary configuration
     - name: Build and test all
-      if: ${{ matrix.compiler == 'gcc:14' && matrix.mode == 'cxx23' }}
+      if: matrix.mode == 'all'
       run: |
         cd .build
-        cmake --build . --target clean
         cmake --build .
         ctest --output-on-failure
 
@@ -124,20 +133,33 @@ jobs:
           - mode: cxx23
             compiler: appleclang
             osver: 14
+        include:
+          - mode: all
+            configuration: Debug
+            compiler: appleclang
+            osver: 15
+            clangrelease: NA
+          - mode: all
+            configuration: Release
+            compiler: appleclang
+            osver: 15
+            clangrelease: NA
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
     - name: Prepare build
       run: |
         mkdir .build
         cd .build
         if [[ "${{ matrix.compiler }}" == "appleclang" ]]; then
-          export CXX="$(which clang++)"
-          export CC="$(which clang)"
+          CXX="$(which clang++)"
+          CC="$(which clang)"
+          export CXX CC
         fi
         if [[ "${{ matrix.compiler }}" == "clang" ]]; then
-          export CXX="$(brew --prefix llvm@${{ matrix.clangrelease }})/bin/clang++"
-          export CC="$(brew --prefix llvm@${{ matrix.clangrelease }})/bin/clang"
+          CXX="$(brew --prefix llvm@${{ matrix.clangrelease }})/bin/clang++"
+          CC="$(brew --prefix llvm@${{ matrix.clangrelease }})/bin/clang"
+          export CXX CC
         fi
         cmake -DCMAKE_BUILD_TYPE=${{ matrix.configuration }} ${{ matrix.mode == 'cxx20' && '-DDISABLE_CXX23=ON' || '' }} ..
         COMPILER=$( grep -iE "^CMAKE_CXX_COMPILER:FILEPATH=" CMakeCache.txt | sed -n 's/^[^=]*=//p' )
@@ -147,22 +169,22 @@ jobs:
         printf "C++ compilation options: %s\n" "$FLAGS"
 
     - name: Build and test ${{ matrix.mode }}
+      if: matrix.mode != 'all'
       run: |
         cd .build
         cmake --build . --target ${{ matrix.mode }}
         ctest -L ${{ matrix.mode }} --output-on-failure
 
     # Build and test all for one arbitrary configuration
     - name: Build and test all
-      if: ${{ matrix.compiler == 'appleclang' && matrix.osver == '15' && matrix.mode == 'cxx23' }}
+      if: matrix.mode == 'all'
       run: |
         cd .build
-        cmake --build . --target clean
         cmake --build .
         ctest --output-on-failure
 
   windows:
-      runs-on: windows-${{ matrix.osver }}
+      runs-on: ${{ matrix.vs.runner }}
       strategy:
         fail-fast: false
         matrix:
@@ -171,19 +193,21 @@ jobs:
           configuration:
             - Debug
             - Release
-          compiler:
-            - "Visual Studio 17 2022"
-          osver:
-            - 2025
+          vs:
+            - generator: "Visual Studio 17 2022"
+              runner: "windows-2022"
+            - generator: "Visual Studio 18 2026"
+              runner: "windows-2025-vs2026"
+
       steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       - name: Prepare build
         shell: bash
         run: |
           mkdir .build
           cd .build
-          cmake -G "${{ matrix.compiler }}" -A x64 -DDISABLE_CXX23=ON ..
+          cmake -G "${{ matrix.vs.generator }}" -A x64 -DDISABLE_CXX23=ON ..
           LINKER=$( grep -iE "^CMAKE_LINKER:FILEPATH=" CMakeCache.txt | sed -n 's/^[^=]*=//p' )
           FLAGS=$( grep -iE "^CMAKE_CXX_FLAGS(_${{ matrix.configuration }})?:STRING" CMakeCache.txt | sed -n 's/^[^=]*=//p' | tr '\n' ' ' )
           printf "C++ linker path: %s\n" "$LINKER"
@@ -207,12 +231,10 @@ jobs:
           - gcc
           - clang
     steps:
-    - uses: actions/checkout@v4
-      with:
-        ref: ${{ github.sha }}
+    - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
     - name: Install Nix
-      uses: cachix/install-nix-action@v30
+      uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
       with:
         extra_nix_config: |
           access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}

.github/workflows/ci-build.yml

@@ -62,9 +62,11 @@ jobs:
         run: |
           image=${{ matrix.image }}
           name=${image%%:*}
-          echo "IMAGE=${name}" >> "${GITHUB_ENV}"
-          echo "RELEASE=${image##*:}" >> "${GITHUB_ENV}"
-          echo "COMPILER=${name%%-*}" >> "${GITHUB_ENV}"
+          {
+            echo "IMAGE=${name}"
+            echo "RELEASE=${image##*:}"
+            echo "COMPILER=${name%%-*}"
+          } >> "${GITHUB_ENV}"
 
       - name: Determine Debian version
         run: |
@@ -83,7 +85,7 @@ jobs:
             fi
           fi
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           sparse-checkout: .github
 
@@ -142,7 +144,7 @@ jobs:
           echo "IMAGE=${image%%:*}" >> "${GITHUB_ENV}"
           echo "RELEASE=${image##*:}" >> "${GITHUB_ENV}"
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           sparse-checkout: .github
 

.github/workflows/ci-docs.yml

@@ -19,6 +19,8 @@ on:
 
 env:
   REGISTRY_IMAGE: libfn.azurecr.io/ci-docs
+  DEBIAN_VERSION: trixie
+  JAVA_VERSION: openjdk-21-jdk
   DOXYGEN_RELEASE: 1.12.0
   ZNAI_RELEASE: 1.73
   CATCH_RELEASE: 3.14.0
@@ -36,7 +38,7 @@ jobs:
           - linux/arm64
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           sparse-checkout: .github
 
@@ -52,6 +54,8 @@ jobs:
           username: ${{ secrets.AZURECR_NAME }}
           password: ${{ secrets.AZURECR_PASS }}
           build_args: |
+            DEBIAN_VERSION=${{ env.DEBIAN_VERSION }}
+            JAVA_VERSION=${{ env.JAVA_VERSION }}
             DOXYGEN_RELEASE=${{ env.DOXYGEN_RELEASE }}
             ZNAI_RELEASE=${{ env.ZNAI_RELEASE }}
             CATCH_RELEASE=${{ env.CATCH_RELEASE }}
@@ -68,7 +72,7 @@ jobs:
       - build
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           sparse-checkout: .github
 

.github/workflows/ci-pre-commit.yml

@@ -32,7 +32,7 @@ jobs:
           - linux/arm64
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           sparse-checkout: .github
 
@@ -59,7 +59,7 @@ jobs:
       - build
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           sparse-checkout: .github
 

.github/workflows/coverage.yml

@@ -29,7 +29,7 @@ jobs:
       GCOV: /usr/local/bin/gcov
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
     - name: Verify compiler compatibility
       env:
@@ -47,9 +47,10 @@ jobs:
         printf "CXX=%s\nCXXFLAGS=%s\n" "$CXX" "$CXXFLAGS"
         $CXX --version | head -1
         FILE=$(mktemp --tmpdir XXXXXX.cpp)
-        printf "$SOURCE\n" > $FILE
+        printf '%s\n' "$SOURCE" > "$FILE"
         OUT=$(mktemp --tmpdir  XXXXXX)
-        $CXX -std=c++2b $CXXFLAGS -Wall $FILE -o $OUT
+        # shellcheck disable=SC2086  # $CXXFLAGS may carry multiple flags; word-splitting intentional
+        $CXX -std=c++2b $CXXFLAGS -Wall "$FILE" -o "$OUT"
         $OUT
 
     - name: Build with coverage instrumentation and compilation database
@@ -65,17 +66,18 @@ jobs:
         printf "C++ compiler path: %s\n" "$COMPILER"
         $COMPILER --version
         printf "gcov version: %s\n" "$( $GCOV --version | head -1 )"
-        cmake --build . --target tests -- -j$(nproc)
+        cmake --build . --target tests -- -j"$(nproc)"
 
     - name: Generate coverage data with gcov
       shell: bash
       run: |
         cd .build
         ctest -L 'tests_p?fn' -j1 # generate .gcda files
-        $GCOV -pbc -r -s $( realpath .. ) $( find tests -type f -name '*.gcno' ) # generate .gcov files
+        # shellcheck disable=SC2046  # find emits one path per result; intentional word-splitting into gcov arg list
+        $GCOV -pbc -r -s "$(realpath ..)" $(find tests -type f -name '*.gcno') # generate .gcov files
 
     - name: Upload .gcov files
-      uses: codecov/codecov-action@v4
+      uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0
       with:
         fail_ci_if_error: true
         disable_search: false

.github/workflows/docs.yml

@@ -27,7 +27,7 @@ jobs:
       group: runners-arm64
     container: libfn.azurecr.io/ci-docs:latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       # Guardrail to ensure that we do not update docs after a bad merge
       - name: Build and run tests
@@ -46,16 +46,16 @@ jobs:
           cmake --build . --target export_docs
 
       - name: Setup Pages
-        uses: actions/configure-pages@v4
+        uses: actions/configure-pages@1f0c5cde4bc74cd7e1254d0cb4de8d49e9068c7d # v4.0.0
 
       - name: Upload artifact
-        uses: actions/upload-pages-artifact@v3
+        uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1
         with:
           path: ./.build/docs
           name: docs-develop
 
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@v4
+        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
         with:
           artifact_name: docs-develop