SKELETONKEY/.github
leviathan 5b79b23ff2 ci: ASan/UBSan + clang-tidy lint + weekly drift check
Three new jobs in build.yml:

1. sanitizers (clang + ASan/UBSan)
   Runs the same 88-test suite under AddressSanitizer +
   UndefinedBehaviorSanitizer. -fno-sanitize-recover=all so any
   finding fails CI loudly rather than scrolling past. -O1 + frame-
   pointers preserved for usable backtraces. CC=clang because clang's
   sanitizer integration is more mature than gcc's; gcc-built binaries
   still get exercised by the matrix in the main 'build' job.

2. clang-tidy (advisory)
   Lints core/ + skeletonkey.c (the files we control most directly;
   module sources often bundle published PoC code we keep close to
   upstream style, so they're excluded). continue-on-error: true for
   now so it sets a baseline without blocking merges; we can tighten
   incrementally as the warning surface shrinks.

3. drift-check (cron + workflow_dispatch)
   Runs weekly (Mon 06:00 UTC) and on-demand. Two sub-steps:
     - tools/refresh-cve-metadata.py --check  (CISA KEV + NVD CWE)
     - tools/refresh-kernel-ranges.py         (Debian security tracker)
   Both already exit non-zero on actionable drift. Network-required,
   so NOT gated on regular PR runs — random PRs shouldn't fail because
   CISA published a new KEV entry. The job runs ONLY on schedule +
   manual trigger (if: github.event_name == 'schedule' || ...).
   When it fires, the GH Actions warning annotation points the
   maintainer at the right refresh script to rerun + commit.

Smoke-tested locally:
  - macOS local ASan+UBSan build: kernel_range tests pass; detect()
    tests skipped (non-Linux platform stubs).
  - clang-tidy not installed locally; CI installs from apt.
2026-05-23 20:46:27 -04:00
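An added illustration of the three jobs the commit message describes, written out as a GitHub Actions workflow. This is not the project's build.yml: the runner image, checkout/apt steps, `make` target names, the clang-tidy include path and the `::warning::` step are assumptions; the compiler flags, lint scope, cron schedule, gating condition and the two refresh-script invocations are the ones stated in the commit message.

```yaml
# Added illustration, not SKELETONKEY's build.yml. Assumed: ubuntu runner,
# actions/checkout, `make all` / `make test` as the build and 88-test entry
# points, `-Icore` as the include path, and the ::warning:: echo step.
name: build

on:
  push:
  pull_request:
  schedule:
    - cron: '0 6 * * 1'          # weekly, Monday 06:00 UTC
  workflow_dispatch:

jobs:
  sanitizers:
    name: sanitizers (clang + ASan/UBSan)
    runs-on: ubuntu-latest
    env:
      CC: clang
      # -fno-sanitize-recover=all: the first finding aborts the test binary,
      # so the job exits non-zero instead of logging a report that scrolls past.
      # -O1 -g -fno-omit-frame-pointer keeps the ASan/UBSan stack traces usable.
      CFLAGS: -O1 -g -fno-omit-frame-pointer -fsanitize=address,undefined -fno-sanitize-recover=all
      LDFLAGS: -fsanitize=address,undefined
    steps:
      - uses: actions/checkout@v4
      - run: make clean all       # assumed target names
      - run: make test            # assumed: runs the 88-test suite

  clang-tidy:
    name: clang-tidy (advisory)
    runs-on: ubuntu-latest
    continue-on-error: true       # baseline only: warnings are visible but do not block merges
    steps:
      - uses: actions/checkout@v4
      - run: sudo apt-get update && sudo apt-get install -y clang-tidy
      # Only the files the project controls directly; module sources that
      # track upstream PoC style are deliberately left out of the lint scope.
      - run: clang-tidy core/*.c skeletonkey.c -- -Icore   # -Icore is an assumption

  drift-check:
    name: drift-check (CISA KEV / NVD CWE / Debian kernel ranges)
    # Needs network access to the upstream feeds, so it never runs on ordinary
    # push/PR events; only the weekly cron or a manual trigger reaches it.
    if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.x'
      - name: CVE metadata drift (CISA KEV + NVD CWE)
        run: tools/refresh-cve-metadata.py --check
      - name: Kernel version ranges (Debian security tracker)
        run: tools/refresh-kernel-ranges.py
      # Assumed implementation of the annotation: surface a warning pointing
      # at the refresh scripts whenever either check above exited non-zero.
      - if: failure()
        run: echo "::warning::Upstream metadata drifted; rerun the failing tools/refresh-*.py script locally and commit the result"
```

The `on: schedule` trigger applies to the whole workflow, so the sanitizer and lint jobs also run on the weekly cron; the `if:` on `drift-check` is what keeps the network-dependent job off regular pull-request runs, which is the behaviour the commit message describes.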