Enable supported release hardening options #7895

Open: Copilot wants to merge 5 commits into main from copilot/add-hardening-options-ccf-release-targets

Contributor

Copilot AI commented May 15, 2026

  • Review new PR feedback and locate affected release workflow step
  • Add pipefail to the Build Release run block before the ninja pipeline
  • Run targeted workflow/script formatting checks
  • Run final validation and reply to PR comment

Copilot AI and others added 2 commits May 15, 2026 15:46
Agent-Logs-Url: https://github.com/microsoft/CCF/sessions/86ec6a3f-e863-4120-80d2-0053630dd7cb

Co-authored-by: achamayou <4016369+achamayou@users.noreply.github.com>
Agent-Logs-Url: https://github.com/microsoft/CCF/sessions/86ec6a3f-e863-4120-80d2-0053630dd7cb

Co-authored-by: achamayou <4016369+achamayou@users.noreply.github.com>
@achamayou
Member

@copilot please enable this CMake flag in the release pipeline, and where the option is defined in CMake, add a comment paragraph describing the various options, a summary of their effect, and a link to their documentation page, wherever it lives.

Agent-Logs-Url: https://github.com/microsoft/CCF/sessions/037f8d1d-810e-4bf8-b065-39391094a066

Co-authored-by: achamayou <4016369+achamayou@users.noreply.github.com>
Contributor Author

Copilot AI commented May 15, 2026

> @copilot please enable this CMake flag in the release pipeline, and where the option is defined in CMake, add a comment paragraph describing the various options, a summary of their effect, and a link ...

Addressed in 66512af: the release and RPM reproduction CMake invocations now explicitly set CCF_ENABLE_RELEASE_HARDENING=ON, and the CMake option has a documentation comment covering the hardening flags and references.

@achamayou achamayou marked this pull request as ready for review May 15, 2026 17:00
@achamayou achamayou requested a review from a team as a code owner May 15, 2026 17:00
Copilot AI review requested due to automatic review settings May 15, 2026 17:00
Contributor

Copilot AI left a comment

Pull request overview

This PR introduces an opt-in (default ON) CMake toggle to apply supported compiler/linker hardening flags to optimized “release” configurations, and ensures the release/repro pipelines explicitly enable it for reproducible packaging.

Changes:

  • Adds CCF_ENABLE_RELEASE_HARDENING (default ON) and conditionally enables supported hardening compile/link options for Release, RelWithDebInfo, and MinSizeRel.
  • Updates the release GitHub Actions workflow and RPM reproduction script to explicitly set -DCCF_ENABLE_RELEASE_HARDENING=ON for Release builds.
  • Improves RPM reproduction script robustness by enabling pipefail.

Custom instructions used:

  • .github/copilot-instructions.md
  • .github/instructions/reviewing.instructions.md

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| reproduce/reproduce_rpm.sh | Enables pipefail and explicitly turns on release hardening during RPM reproduction builds. |
| CMakeLists.txt | Adds CCF_ENABLE_RELEASE_HARDENING and applies supported hardening flags via CMake feature checks for release configurations. |
| .github/workflows/release.yml | Explicitly enables release hardening in the release build and RPM packaging workflow. |

Comment on lines +146 to 148
cmake -GNinja -DCLIENT_PROTOCOLS_TEST=ON -DCCF_ENABLE_RELEASE_HARDENING=ON -DCMAKE_BUILD_TYPE=Release ..
ninja -v | tee build.log
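Review bot: On the `ninja -v | tee build.log` line, the step's result is the exit status of `tee`, not of `ninja`, so a failed build can leave this step passing and let the job continue with incomplete output. Put `set -o pipefail` before the pipeline in this run block, or check ninja's status directly, so that a build failure stops the release job.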

Member

@copilot fix it

Contributor Author

Fixed in 9e6c768 by adding set -o pipefail before the ninja -v | tee build.log pipeline in the release build step.
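
The masking that this pipefail fix addresses, as an added example that is not code from the PR or from CCF: `FAKE_BUILD` is a constructed stand-in for `ninja -v`, and `run_step` and `producer_status` are hypothetical helpers. It shows a `bash -e` step going on to packaging after a failed build unless pipefail is set.

```shell
#!/usr/bin/env bash
# Constructed stand-in for `ninja -v`: prints one log line, then fails with status 3.
FAKE_BUILD='echo "FAILED: example.o"; exit 3'

# Simulate a CI run block executed with `bash -e`: the build is piped to tee,
# then a packaging command follows. $1 is an option line placed before the
# pipeline ("" or "set -o pipefail"), $2 is the log path.
# Prints "packaged" only if the shell did not stop at the failed build.
run_step() {
  BUILD="$FAKE_BUILD" LOG="$2" bash -e -c "$1"'
( eval "$BUILD" ) | tee "$LOG" >/dev/null
echo packaged'
}

# Alternative to pipefail: read the build's own status from bash's PIPESTATUS.
producer_status() {
  BUILD="$FAKE_BUILD" LOG="$1" bash -c '
( eval "$BUILD" ) | tee "$LOG" >/dev/null
echo "${PIPESTATUS[0]}"'
}

demo_log=$(mktemp)
run_step "" "$demo_log" || true   # tee's status wins, packaging still runs
run_step "set -o pipefail" "$demo_log" || echo "step stopped, exit status $?"
echo "build status via PIPESTATUS: $(producer_status "$demo_log")"
rm -f "$demo_log"
```

In both runs the log file still receives the build output, so pipefail changes only whether the step stops, not what is captured.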

Agent-Logs-Url: https://github.com/microsoft/CCF/sessions/781667e0-a79e-4c73-bfbe-ad212dcc3d1b

Co-authored-by: achamayou <4016369+achamayou@users.noreply.github.com>