Skip to content

Update github workflows#14

Closed
Mika3578 wants to merge 6 commits into
mainfrom
vs2019v142
Closed

Update github workflows#14
Mika3578 wants to merge 6 commits into
mainfrom
vs2019v142

Conversation

@Mika3578

@Mika3578 Mika3578 commented Nov 10, 2025

Copy link
Copy Markdown
Owner

Summary by Sourcery

Introduce a suite of GitHub Actions workflows for automated building, code quality checks, dependency and security scanning, and add documentation to guide usage and configuration of these workflows.

New Features:

  • Add Build workflow for Debug and Release configurations on Windows runners
  • Add CodeQL workflow for deep C++ security analysis
  • Add Dependency Review workflow to detect and comment on vulnerable dependencies
  • Add Code Quality workflow for static analysis, metrics, and common issue detection
  • Add Security Scan workflow with Trivy-based vulnerability scanning and license compliance check

Documentation:

  • Add detailed workflow documentation in .github/workflows/README.md
  • Add WORKFLOWS.md in the root to overview and quick start all CI/CD and security workflows

Copilot AI and others added 4 commits November 10, 2025 16:16
…uality checks

Co-authored-by: Mika3578 <58137747+Mika3578@users.noreply.github.com>
Co-authored-by: Mika3578 <58137747+Mika3578@users.noreply.github.com>
Co-authored-by: Mika3578 <58137747+Mika3578@users.noreply.github.com>
Co-authored-by: Mika3578 <58137747+Mika3578@users.noreply.github.com>
Copilot AI review requested due to automatic review settings November 10, 2025 18:06
@sourcery-ai

sourcery-ai Bot commented Nov 10, 2025

Copy link
Copy Markdown

Reviewer's Guide

This PR implements a comprehensive GitHub Actions CI/CD pipeline by adding workflows for building, security scanning, dependency review, and code quality checks, along with updated documentation.

Flow diagram for build workflow process

flowchart TD
  A["Trigger: push/PR/manual"] --> B["Checkout code (with submodules)"]
  B --> C["Setup Visual Studio & MSBuild"]
  C --> D["Restore NuGet packages"]
  D --> E["Build Solution (Debug/Release)"]
  E --> F["Upload Build Artifacts (Release)"]
  E --> G["Build Summary"]
Loading

Flow diagram for security scan workflow process

flowchart TD
  A["Trigger: push/PR/schedule/manual"] --> B["Checkout code (with submodules)"]
  B --> C["Run Trivy vulnerability scanner"]
  C --> D["Upload Trivy results to Security tab"]
  C --> E["Generate Security Report"]
  B --> F["License Compliance Check"]
Loading

Flow diagram for code quality check workflow process

flowchart TD
  A["Trigger: push/PR/manual"] --> B["Checkout code (with submodules)"]
  B --> C["Setup Visual Studio & MSBuild"]
  C --> D["Restore NuGet packages"]
  D --> E["Build with Code Analysis"]
  E --> F["Count Source Files"]
  F --> G["Check for TODO/FIXME/HACK comments"]
  G --> H["Check for hardcoded paths"]
  B --> I["Submodule Security Check"]
Loading

Flow diagram for dependency review workflow process

flowchart TD
  A["Trigger: PR/manual"] --> B["Checkout repository (with submodules)"]
  B --> C["Dependency Review Action"]
  C --> D["Fail on moderate severity or higher"]
  C --> E["Post summary comment in PR"]
Loading

File-Level Changes

Change Details Files
Introduce Build workflow for Windows builds
  • Defines push, pull_request, and manual triggers for main branches
  • Implements a matrix strategy for Release and Debug on Win32
  • Checks out code with recursive submodules and full history
  • Sets up MSBuild and Visual Studio developer environment
  • Restores NuGet packages and builds solution
  • Uploads Release artifacts and generates build summary with file size
.github/workflows/build.yml
Add CodeQL security scanning
  • Triggers on push, PR, weekly schedule, and manual dispatch
  • Initializes CodeQL with C++ extended security queries and path ignores
  • Sets up build environment and restores NuGet packages
  • Builds solution for analysis and performs CodeQL scan
  • Uploads results to the Security tab
.github/workflows/codeql.yml
Add Dependency Review action
  • Runs on pull requests with read and write permissions
  • Checks out code including submodules
  • Invokes the dependency-review-action
  • Fails on moderate severity or higher and posts summary comment
.github/workflows/dependency-review.yml
Add Code Quality Check workflow
  • Triggers on push, PR, and manual dispatch
  • Sets up MSBuild, developer command prompt, and restores NuGet
  • Builds with code analysis enabled and allows continued on errors
  • Counts source files and reports metrics
  • Detects TODO/FIXME/HACK comments and hardcoded paths
  • Performs a submodule status check
.github/workflows/code-quality.yml
Add Security Scan workflow with Trivy and license check
  • Schedules weekly Trivy fs scans plus push, PR, and manual triggers
  • Runs Trivy to produce SARIF output and uploads to Security tab
  • Summarizes scan results and lists project dependencies
  • Includes a license-compliance job to locate and report license files
.github/workflows/security-scan.yml
Add documentation for workflows
  • Adds a README in .github/workflows explaining each workflow
  • Creates a WORKFLOWS.md with overview, quick start, and detailed steps
  • Documents triggers, configuration options, permissions, and troubleshooting
.github/workflows/README.md
WORKFLOWS.md

Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@github-actions

github-actions Bot commented Nov 10, 2025

Copy link
Copy Markdown

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Scorecard details
PackageVersionScoreDetails
actions/actions/checkout 4.*.* 🟢 6.8
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Binary-Artifacts🟢 10no binaries found in the repo
Maintained🟢 67 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 6
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Pinned-Dependencies🟢 3dependency not pinned by hash detected -- score normalized to 3
Packaging⚠️ -1packaging workflow not detected
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 9security policy file detected
Branch-Protection⚠️ -1internal error: error during GetBranch(releases/v2): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration
Vulnerabilities🟢 100 existing vulnerabilities detected
SAST🟢 8SAST tool detected but not run on all commits
actions/actions/upload-artifact 4.*.* 🟢 5.8
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Packaging⚠️ -1packaging workflow not detected
Maintained🟢 68 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 6
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 1dependency not pinned by hash detected -- score normalized to 1
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 9security policy file detected
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
SAST🟢 9SAST tool detected but not run on all commits
Vulnerabilities🟢 64 existing vulnerabilities detected
actions/ilammy/msvc-dev-cmd 1.*.* 🟢 3.7
Details
CheckScoreReason
Maintained⚠️ 00 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Binary-Artifacts🟢 10no binaries found in the repo
Code-Review🟢 5Found 16/30 approved changesets -- score normalized to 5
Packaging⚠️ -1packaging workflow not detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Security-Policy⚠️ 0security policy file not detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Vulnerabilities🟢 82 existing vulnerabilities detected
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
actions/microsoft/setup-msbuild 2.*.* 🟢 3.3
Details
CheckScoreReason
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Code-Review⚠️ 2Found 5/20 approved changesets -- score normalized to 2
Binary-Artifacts🟢 10no binaries found in the repo
Maintained⚠️ 00 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 0
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Packaging⚠️ -1packaging workflow not detected
Security-Policy🟢 10security policy file detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities⚠️ 038 existing vulnerabilities detected
actions/actions/checkout 4.*.* 🟢 6.8
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Binary-Artifacts🟢 10no binaries found in the repo
Maintained🟢 67 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 6
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Pinned-Dependencies🟢 3dependency not pinned by hash detected -- score normalized to 3
Packaging⚠️ -1packaging workflow not detected
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 9security policy file detected
Branch-Protection⚠️ -1internal error: error during GetBranch(releases/v2): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration
Vulnerabilities🟢 100 existing vulnerabilities detected
SAST🟢 8SAST tool detected but not run on all commits
actions/ilammy/msvc-dev-cmd 1.*.* 🟢 3.7
Details
CheckScoreReason
Maintained⚠️ 00 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Binary-Artifacts🟢 10no binaries found in the repo
Code-Review🟢 5Found 16/30 approved changesets -- score normalized to 5
Packaging⚠️ -1packaging workflow not detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Security-Policy⚠️ 0security policy file not detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Vulnerabilities🟢 82 existing vulnerabilities detected
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
actions/microsoft/setup-msbuild 2.*.* 🟢 3.3
Details
CheckScoreReason
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Code-Review⚠️ 2Found 5/20 approved changesets -- score normalized to 2
Binary-Artifacts🟢 10no binaries found in the repo
Maintained⚠️ 00 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 0
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Packaging⚠️ -1packaging workflow not detected
Security-Policy🟢 10security policy file detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities⚠️ 038 existing vulnerabilities detected
actions/actions/checkout 4.*.* 🟢 6.8
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Binary-Artifacts🟢 10no binaries found in the repo
Maintained🟢 67 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 6
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Pinned-Dependencies🟢 3dependency not pinned by hash detected -- score normalized to 3
Packaging⚠️ -1packaging workflow not detected
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 9security policy file detected
Branch-Protection⚠️ -1internal error: error during GetBranch(releases/v2): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration
Vulnerabilities🟢 100 existing vulnerabilities detected
SAST🟢 8SAST tool detected but not run on all commits
actions/github/codeql-action/analyze 3.*.* UnknownUnknown
actions/github/codeql-action/init 3.*.* UnknownUnknown
actions/ilammy/msvc-dev-cmd 1.*.* 🟢 3.7
Details
CheckScoreReason
Maintained⚠️ 00 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Binary-Artifacts🟢 10no binaries found in the repo
Code-Review🟢 5Found 16/30 approved changesets -- score normalized to 5
Packaging⚠️ -1packaging workflow not detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Security-Policy⚠️ 0security policy file not detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Vulnerabilities🟢 82 existing vulnerabilities detected
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
actions/microsoft/setup-msbuild 2.*.* 🟢 3.3
Details
CheckScoreReason
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Code-Review⚠️ 2Found 5/20 approved changesets -- score normalized to 2
Binary-Artifacts🟢 10no binaries found in the repo
Maintained⚠️ 00 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 0
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Packaging⚠️ -1packaging workflow not detected
Security-Policy🟢 10security policy file detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities⚠️ 038 existing vulnerabilities detected
actions/actions/checkout 4.*.* 🟢 6.8
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Binary-Artifacts🟢 10no binaries found in the repo
Maintained🟢 67 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 6
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Pinned-Dependencies🟢 3dependency not pinned by hash detected -- score normalized to 3
Packaging⚠️ -1packaging workflow not detected
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 9security policy file detected
Branch-Protection⚠️ -1internal error: error during GetBranch(releases/v2): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration
Vulnerabilities🟢 100 existing vulnerabilities detected
SAST🟢 8SAST tool detected but not run on all commits
actions/actions/dependency-review-action 4.*.* 🟢 7.7
Details
CheckScoreReason
Security-Policy🟢 9security policy file detected
Maintained🟢 1030 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Binary-Artifacts🟢 10no binaries found in the repo
Packaging⚠️ -1packaging workflow not detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Code-Review🟢 10all changesets reviewed
Token-Permissions🟢 9detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
License🟢 10license file detected
Fuzzing⚠️ 0project is not fuzzed
Pinned-Dependencies⚠️ 2dependency not pinned by hash detected -- score normalized to 2
Signed-Releases⚠️ -1no releases found
Branch-Protection🟢 6branch protection is not maximal on development and all release branches
Vulnerabilities🟢 64 existing vulnerabilities detected
SAST🟢 10SAST tool is run on all commits
actions/actions/checkout 4.*.* 🟢 6.8
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Binary-Artifacts🟢 10no binaries found in the repo
Maintained🟢 67 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 6
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Pinned-Dependencies🟢 3dependency not pinned by hash detected -- score normalized to 3
Packaging⚠️ -1packaging workflow not detected
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 9security policy file detected
Branch-Protection⚠️ -1internal error: error during GetBranch(releases/v2): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration
Vulnerabilities🟢 100 existing vulnerabilities detected
SAST🟢 8SAST tool detected but not run on all commits
actions/aquasecurity/trivy-action 0.28.0 🟢 5.8
Details
CheckScoreReason
Maintained🟢 1011 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10
Code-Review🟢 9Found 22/23 approved changesets -- score normalized to 9
Binary-Artifacts🟢 10no binaries found in the repo
Packaging⚠️ -1packaging workflow not detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Security-Policy⚠️ 0security policy file not detected
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities🟢 100 existing vulnerabilities detected
actions/github/codeql-action/upload-sarif 3.*.* UnknownUnknown

Scanned Files

  • .github/workflows/build.yml
  • .github/workflows/code-quality.yml
  • .github/workflows/codeql.yml
  • .github/workflows/dependency-review.yml
  • .github/workflows/security-scan.yml

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey there - I've reviewed your changes - here's some feedback:

  • Consider consolidating the duplicated documentation in .github/workflows/README.md and WORKFLOWS.md into a single source to avoid maintenance drift.
  • You have repeated checkout and Visual Studio setup steps across multiple workflows—consider extracting them into a reusable composite action to reduce duplication.
  • The build matrix only covers Win32; if you need x64 support, consider expanding the matrix to include x64 builds as well.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- Consider consolidating the duplicated documentation in .github/workflows/README.md and WORKFLOWS.md into a single source to avoid maintenance drift.
- You have repeated checkout and Visual Studio setup steps across multiple workflows—consider extracting them into a reusable composite action to reduce duplication.
- The build matrix only covers Win32; if you need x64 support, consider expanding the matrix to include x64 builds as well.

## Individual Comments

### Comment 1
<location> `.github/workflows/security-scan.yml:35` </location>
<code_context>
+    - name: Run Trivy vulnerability scanner
+      uses: aquasecurity/trivy-action@master
+      with:
+        scan-type: 'fs'
+        scan-ref: '.'
+        format: 'sarif'
+        output: 'trivy-results.sarif'
+        severity: 'CRITICAL,HIGH,MEDIUM'
+        exit-code: '0'
+    
+    - name: Upload Trivy results to GitHub Security tab
</code_context>

<issue_to_address>
**🚨 suggestion (security):** Trivy scan is configured to always succeed regardless of findings.

Consider setting exit-code to a non-zero value for critical vulnerabilities to ensure the workflow fails when severe issues are detected.

```suggestion
        exit-code: '1'
```
</issue_to_address>

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

Comment thread .github/workflows/security-scan.yml Outdated

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR introduces comprehensive CI/CD infrastructure by adding GitHub Actions workflows for automated building, testing, and security scanning of the eMule MorphXT project.

  • Adds five GitHub Actions workflows for build automation and security
  • Adds documentation explaining workflow usage and configuration
  • Updates .gitignore to exclude workflow artifacts

Reviewed Changes

Copilot reviewed 7 out of 8 changed files in this pull request and generated 4 comments.

Show a summary per file
File Description
WORKFLOWS.md User-facing documentation for CI/CD workflows
.gitignore Adds entries to ignore SARIF security scan results
.github/workflows/build.yml Windows build workflow for Debug/Release configurations
.github/workflows/codeql.yml CodeQL security analysis workflow
.github/workflows/code-quality.yml Static analysis and code quality checks
.github/workflows/dependency-review.yml Dependency vulnerability scanning for PRs
.github/workflows/security-scan.yml Trivy security scanner and license compliance
.github/workflows/README.md Technical documentation for workflow configuration

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/security-scan.yml Outdated
Comment thread .github/workflows/code-quality.yml Outdated
Comment thread .github/workflows/code-quality.yml Outdated
Comment thread .github/workflows/build.yml Outdated

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/workflows/build.yml
Comment thread .github/workflows/security-scan.yml
@Mika3578

Copy link
Copy Markdown
Owner Author

@copilot Your build is failing due to two main issues:

  1. Missing 'atlbase.h':

    fatal error C1083: Cannot open include file: 'atlbase.h': No such file or directory [ReplaceVistaIcon.vcxproj]
    

    This file is part of the "Visual C++ ATL Support" feature.

  2. Missing MFC libraries:

    error MSB8041: MFC libraries are required for this project. Install them from the Visual Studio installer (Individual Components tab) for any toolsets
    

    Your build environment lacks the necessary Microsoft Foundation Classes (MFC).

How to fix:

  1. Update your build agent (CI environment or local machine) to include both "Desktop development with C++" and the optional individual components:

    • "C++ ATL for latest v143 build tools (x86 & x64)" (or the version used, e.g., v142, v141)
    • "C++ MFC for latest v143 build tools (x86 & x64)"
    • You may also need the "Windows 10 SDK" (latest) and "C++ CMake tools for Windows"
  2. On GitHub Actions, modify your workflow YAML to install these components. Example for Windows runners:

- name: Install MFC and ATL
  run: |
    choco install visualstudio2022-workload-vctools --package-parameters "--add Microsoft.VisualStudio.Component.VC.ATL --add Microsoft.VisualStudio.Component.VC.MFC"

Or use the actions/setup-msbuild and check runner/Visual Studio image is recent enough and includes ATL/MFC.

  1. If you maintain a local .vcxproj or .sln file, ensure you don’t mark ATL/MFC as "Static" unless needed (use "Use MFC in a Shared DLL" in project settings), but the main issue is the absence of components from the build image.

Summary:
Install the "MFC" and "ATL" C++ components in your CI and local environment. This will resolve both errors. No code changes are needed, only build environment adjustments.

If you need a more specific workflow snippet for your environment, let me know!

Copilot AI commented Nov 10, 2025

Copy link
Copy Markdown

@Mika3578 I've opened a new pull request, #15, to work on those changes. Once the pull request is ready, I'll request review from you.

Mika3578 and others added 2 commits November 10, 2025 20:16
Co-authored-by: sourcery-ai[bot] <58596630+sourcery-ai[bot]@users.noreply.github.com>
Co-authored-by: Mika3578 <58137747+Mika3578@users.noreply.github.com>
@Mika3578 Mika3578 closed this Nov 10, 2025
@Mika3578
Mika3578 deleted the vs2019v142 branch November 10, 2025 21:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants