Disable preserve_none under ASan on aarch64: every clang tested (20,
21, trunk 22) miscompiles the continuation chains with that
combination, crashing ~97% of fuzz corpus tests. The chains still work
with the default calling convention. See #38.
Mark the masked Node3 scan results defined for valgrind on aarch64:
clang 21+ lowers the in-bounds tests through flags+csel, which
memcheck models imprecisely, tainting bits the mask provably clears.
See #39.
Skip valgrind tests in the arm64 release job, since -DNVALGRIND
compiles out the client requests the workaround relies on.
Both issues track filing upstream bugs.
hardening-check tests both CET (x86-only) and branch protection
(arm64-only), so pass the ignore flag for whichever doesn't apply to
the build arch.
The release upload step runs with if: always() so test results are
uploaded even when an earlier step fails, but in that case cpack never
ran and mc errored on the unmatched package globs. Skip missing
packages instead.
Pushing per-hash tags accumulates multi-GB versions in the registry,
and package cleanup rules can't distinguish the hash tags that the
latest-{arch} tags currently point to from stale ones. Push only
latest-{arch} and record the Dockerfile hash as an image label; the
skip-rebuild check reads the label back via buildx imagetools.
apt.llvm.org has no repository for the current ubuntu:rolling release,
and nothing pins clang 20 - CC=clang already resolved to the distro
clang. Drop the llvm.sh step along with its helper packages.
docker build now runs under the buildx docker-container driver, which
keeps the result in the build cache unless told otherwise, so push
directly from the build instead of tagging locally.
Jobs run as root in the job container; the earlier permission errors
were SELinux denials on the mounted podman socket, fixed in the runner
config with --security-opt label=disable.
Gitea's ephemeral Actions token is not accepted by the container
registry, so docker login and image pulls use REGISTRY_USER /
REGISTRY_TOKEN secrets (a dedicated low-privilege account and its
personal access token with package read/write scope) instead.
Replace the Jenkinsfile with .gitea/workflows/ci.yml. The CI image is
built from the Dockerfile and pushed to the Gitea container registry,
rebuilt only when the Dockerfile or pre-commit config changes. The
aarch64 release build now runs natively on an arm64 runner instead of
cross-compiling, so the cross toolchain and qemu are dropped from the
image. Artifacts still go to MinIO (via mc, skipped gracefully if
credentials are not configured); ccache uses actions/cache instead of a
host volume.
andrew