feat: Finish hardening

Finishing the first round of hardening our libraries and utilities. There is more to do in the future, but this is a good start.

.cirrus.yml

@@ -1,11 +1,12 @@
+# SPDX-License-Identifier: MPL-2.0
 task:
   name: FreeBSD
   env:
-    GITHUB_TOKEN: ENCRYPTED[!0b1ba5571657559b906aec90e82e3b4b1f0f9f13bacce4c3891ba8ebf90fa23160a51876ade5b3703d7861a3b8ea99b4!]
+    GITHUB_TOKEN: ENCRYPTED[!ee1c9f1da9e4736edb4f543b3d2431949b17e6a86877e95ca4323f677185f7fbaae52c6afeb8145f0735bad487291a27!]
   freebsd_instance:
     matrix:
-      image_family: freebsd-14-0
-      image_family: freebsd-13-2
+      image_family: freebsd-14-1
+      image_family: freebsd-13-3
   install_script: pkg install -y git meson
   submodules_script: git submodule update --init --recursive --progress
   release_script: |

.gitattributes

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: MPL-2.0
 #this file specifies some rules on specific files for line endings and more.
 #it also has a section on which files should NOT be part of an export (git archive) command.
 

.github/workflows/c-cpp.yml

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: MPL-2.0
 name: C/C++ CI
 
 on:
@@ -37,7 +38,7 @@ jobs:
         shell: bash
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
       with:
         submodules: recursive
 
@@ -69,12 +70,13 @@ jobs:
         ${{ matrix.config.archive_command }} "${DESTDIR}${ARCHIVE_EXT}" ../${{ matrix.config.builddir }}/openseachest_exes
 
     - name: Uploading artifacts
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       with:
+        name: ${{ format('{0}', env.DESTDIR) }}
         path: ${{ format('./build/{0}{1}', env.DESTDIR, matrix.config.release_extension) }}
 
     # - name: Publish release
     #   if: ${{ startsWith(github.ref, 'refs/tags/v') && matrix.config.publish_release }}
-    #   uses: softprops/action-gh-release@v1
+    #   uses: softprops/action-gh-release@v2
     #   with:
     #     files: ${{ format('./build/{0}{1}', env.DESTDIR, matrix.config.release_extension) }}

.github/workflows/codeql-analysis.yml

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: MPL-2.0
 # For most projects, this workflow file will not need changing; you simply need
 # to commit it to your repository.
 #
@@ -17,8 +18,7 @@ on:
 jobs:
   analyze:
     name: Analyze
-    runs-on: ubuntu-latest
-
+    runs-on: ${{ matrix.config.os }}
     strategy:
       fail-fast: false
       matrix:
@@ -27,15 +27,50 @@ jobs:
         language: ['cpp']
         # Learn more...
         # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
+        config:
+        - {
+          name: "Windows MSVC x64",
+          os: windows-latest,
+          cc: "cl.exe",
+          cxx: "cl.exe",
+          arch: "x64",
+          meson_opts: "-Db_vscrt=static_from_buildtype"
+        }
+        - {
+          name: "Windows MSVC x86",
+          os: windows-latest,
+          cc: "cl.exe",
+          cxx: "cl.exe",
+          arch: "x64_x86",
+          meson_opts: "-Db_vscrt=static_from_buildtype"
+        }
+        - {
+          name: "Ubuntu GCC",
+          os: ubuntu-latest,
+          cc: "gcc",
+          cxx: "g++"
+        }
+        - {
+          name: "Ubuntu Clang",
+          os: ubuntu-latest,
+          cc: "clang",
+          cxx: "clang++"
+          }
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
       with:
         # We must fetch at least the immediate parents so that if this is
         # a pull request then we can checkout the head.
         fetch-depth: 2
         submodules: recursive
+
+    - name: Settings vars for MSVC
+      if: startsWith(matrix.config.name, 'Windows MSVC')
+      uses: ilammy/msvc-dev-cmd@v1
+      with:
+        arch: ${{ matrix.config.arch }}
 
     # If this run was triggered by a pull request event, then checkout
     # the head of the pull request instead of the merge commit.
@@ -44,7 +79,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -65,11 +100,12 @@ jobs:
     #    uses a compiled language
 
     - name: Configuring and compiling with meson
-      uses: BSFishy/meson-build@v1.0.3
-      with:
-        action: build
-        options: --verbose
-        meson-version: 0.60.1
+      env:
+        CC: ${{ matrix.config.cc }}
+        CXX: ${{ matrix.config.cxx }}
+      run: |
+        pip install meson ninja
+        meson setup build -Dprefix=/ -Dmandir=/man -Dbindir=/ ${{ matrix.config.meson_opts }} --buildtype=release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3

.github/workflows/meson.yml

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: MPL-2.0
 name: CI for meson build
 
 on:
@@ -40,6 +41,18 @@ jobs:
             release_extension: ".zip",
             archive_command: "7z a -tzip -mmt"
           }
+        - {
+            name: "Windows MSVC ARM64",
+            os: windows-latest,
+            cc: "cl.exe",
+            cxx: "cl.exe",
+            arch: "x64_arm64",
+            publish_release: true,
+            meson_opts: "-Db_vscrt=static_from_buildtype --cross-file=./meson_crosscompile/msvc_arm64.txt",
+            release_name: "win-ARM64",
+            release_extension: ".zip",
+            archive_command: "7z a -tzip -mmt"
+          }
         - {
             name: "Windows GCC",
             os: windows-latest,
@@ -54,6 +67,7 @@ jobs:
             os: windows-latest,
             cc: "clang.exe",
             cxx: "clang++.exe",
+            meson_opts: "--native-file=./meson_crosscompile/Windows-Clang.txt",
             release_name: "win-x86_64-clang",
             release_extension: ".zip",
             archive_command: "7z a -tzip -mmt"
@@ -76,24 +90,13 @@ jobs:
             release_extension: ".tar.xz",
             archive_command: "tar cvfJ"
           }
-        - {
-            name: "Manylinux GCC",
-            os: ubuntu-latest,
-            image: "quay.io/pypa/manylinux2014_x86_64",
-            cc: "gcc",
-            cxx: "g++",
-            publish_release: true,
-            create_package: true,
-            release_name: "linux-x86_64-manylinux",
-            release_extension: ".tar.xz",
-            archive_command: "tar cvfJ"
-          }
         - {
             name: "MUSL Cross Compile x86_64",
             os: ubuntu-latest,
             cc: "",
             cxx: "",
             publish_release: true,
+            create_package: true,
             meson_opts: "--cross-file=./meson_crosscompile/x86_64-linux-musl-cross.txt",
             cross_compiler_arch: "x86_64",
             release_name: "linux-x86_64-portable",
@@ -184,9 +187,24 @@ jobs:
             release_extension: ".tar.xz",
             archive_command: "tar cvfJ"
           }
+    outputs: #where hashes need to be stored for slsa provenance
+      #NOTE: Only doing this for builds with "publish_release: true"
+      #format is hash-${{release_name}} for the zipped packages
+      #
+      hash-win-x64:                                                   ${{ steps.hash.outputs.hash-win-x64 }}
+      hash-win-x86:                                                   ${{ steps.hash.outputs.hash-win-x86 }}
+      hash-win-ARM64:                                                 ${{ steps.hash.outputs.hash-win-ARM64 }}
+      hash-linux-x86_64-portable:                                     ${{ steps.hash.outputs.hash-linux-x86_64-portable }}
+      hash-linux-i686-portable:                                       ${{ steps.hash.outputs.hash-linux-i686-portable }}
+      hash-linux-aarch64-portable:                                    ${{ steps.hash.outputs.hash-linux-aarch64-portable }}
+      hash-linux-armv7l-portable:                                     ${{ steps.hash.outputs.hash-linux-armv7l-portable }}
+      hash-linux-armv6-portable:                                      ${{ steps.hash.outputs.hash-linux-armv6-portable }}
+      hash-linux-armv5l-portable:                                     ${{ steps.hash.outputs.hash-linux-armv5l-portable }}
+      hash-linux-powerpc64-portable:                                  ${{ steps.hash.outputs.hash-linux-powerpc64-portable }}                
+      hash-linux-powerpc64le-portable:                                ${{ steps.hash.outputs.hash-linux-powerpc64le-portable }}
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
       with:
         submodules: recursive
 
@@ -210,7 +228,7 @@ jobs:
     - name: Restore LLVM from cache
       if: startsWith(matrix.config.name, 'Windows Clang')
       id: llvm-cache
-      uses: actions/cache@v3
+      uses: actions/cache@v4
       with:
         path: C:/Program Files/LLVM
         key: 'llvm-llvm-project-relid-${{ env.LLVM_RELID }}'
@@ -222,13 +240,6 @@ jobs:
         Invoke-WebRequest -Headers $headers -OutFile "LLVM.exe" ((Invoke-WebRequest -Headers $headers "https://api.github.com/repos/llvm/llvm-project/releases/$($env:LLVM_RELID)").Content | ConvertFrom-Json | Select-Object -ExpandProperty assets | Where -Property name -Like "*win64.exe" | Select-Object -First 1).browser_download_url
         7z x LLVM.exe -y -o"C:/Program Files/LLVM"
 
-    - name: Setup toolchain for Manylinux
-      if: ${{ matrix.config.image == 'quay.io/pypa/manylinux2014_x86_64' }}
-      shell: bash
-      run: |
-        if [[ ${{ matrix.config.cc }} == "clang" ]] ; then yum install -y clang compat-gcc-44 ; fi
-        echo "/opt/python/cp310-cp310/bin" >> $GITHUB_PATH
-
     - name: Escape backslash in branch name
       shell: bash
       run: echo "BRANCH_NAME=$(echo ${{ github.ref_name }} | tr / -)" >> $GITHUB_ENV
@@ -245,7 +256,7 @@ jobs:
         CC: ${{ matrix.config.cc }}
         CXX: ${{ matrix.config.cxx }}
       run: |
-        pip install meson==0.60.3 ninja
+        pip install meson ninja
         meson setup build -Dprefix=/ -Dmandir=/man -Dbindir=/ ${{ matrix.config.meson_opts }} --buildtype=release
         meson install -C build
 
@@ -258,16 +269,17 @@ jobs:
       shell: bash
 
     # add `GOBIN` to the `PATH` otherwise nfpm in next step can't be found
-    - uses: actions/setup-go@v3
+    - uses: actions/setup-go@v5
       if: ${{ matrix.config.create_package }}
       with:
         go-version: 'stable'
+        cache: false
 
     - name: Create packages
       if: ${{ matrix.config.create_package }}
       working-directory: ${{ format('build/{0}', env.DESTDIR) }}
       run: | # https://nfpm.goreleaser.com/install/
-        go install github.com/goreleaser/nfpm/v2/cmd/nfpm@v2.22.2
+        go install github.com/goreleaser/nfpm/v2/cmd/nfpm@v2.36.1
         if [[ ${{ github.ref }} =~ ^refs/tags/v[0-9\.]+$ ]]; then
           version=$(echo ${{ github.ref_name }} | tr -d 'v')
         else
@@ -278,19 +290,61 @@ jobs:
         nfpm package -f ../../nfpm.yaml -p rpm -t ..
       shell: bash
 
+    - name: Generate Hashes
+      if: ${{ matrix.config.publish_release }}
+      shell: bash
+      id: hash
+      run: |
+          # sha256sum generates sha256 hash for all artifacts.
+          # base64 -w0 encodes to base64 and outputs on a single line.
+          # sha256sum artifact | base64 -w0
+          # NOTE: Using suggested method to generate sha across OS's from slsa documentation
+          # https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#provenance-for-artifacts-built-across-multiple-operating-systems
+          set -euo pipefail
+          (sha256sum -t ${{ format('./build/{0}{1}', env.DESTDIR, matrix.config.release_extension) }} || shasum -a 256 ${{ format('./build/{0}{1}', env.DESTDIR, matrix.config.release_extension) }}) > checksum
+          echo "hash-${{ matrix.config.release_name }}=$(base64 -w0 checksum || base64 checksum)" >> "${GITHUB_OUTPUT}"
+
     - name: Uploading artifacts
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       with:
+        name: ${{ format('{0}', matrix.config.release_name) }}
         path: |
           ${{ format('./build/{0}{1}', env.DESTDIR, matrix.config.release_extension) }}
           build/*.deb
           build/*.rpm
 
     - name: Publish release
       if: ${{ startsWith(github.ref, 'refs/tags/v') && matrix.config.publish_release }}
-      uses: softprops/action-gh-release@v1
+      uses: softprops/action-gh-release@v2
       with:
         files: |
           ${{ format('./build/{0}{1}', env.DESTDIR, matrix.config.release_extension) }}
           build/*.deb
           build/*.rpm
+
+  # This step takes all the generated hashes from all build targets and combines them so slsa provenance step can run
+  combine_hashes:
+    runs-on: ubuntu-latest
+    needs: [build]
+    outputs:
+      hashes: ${{ steps.hashes.outputs.hashes }}
+    env:
+      HASHES: ${{ toJSON(needs.build.outputs) }}
+    steps:
+      - id: hashes
+        run: |
+          echo "$HASHES"
+          echo "$HASHES" | jq -r '.[] | @base64d' | sed "/^$/d" > hashes.txt
+          echo "hashes=$(cat hashes.txt | base64 -w0)" >> "$GITHUB_OUTPUT"
+
+  # Generate the slsa provenance
+  provenance:
+    needs: [combine_hashes]
+    permissions:
+      actions: read # To read the workflow path.
+      id-token: write # To sign the provenance.
+      contents: write # To add assets to a release.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
+    with:
+      base64-subjects: "${{ needs.combine_hashes.outputs.hashes }}"
+      upload-assets: true # Optional: Upload to a new release

.github/workflows/msbuild.yml

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: MPL-2.0
 name: MSBuild
 
 on: 
@@ -23,41 +24,26 @@ env:
 
 jobs:
   build:
-    runs-on: windows-2019 # Windows latest is now Win11, which codeQL will not run on
+    runs-on: windows-latest
     strategy:
       matrix:
         platform: [ x64, x86 ]
         language: ['cpp']
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
       with:
         submodules: recursive
 
     - name: Add MSBuild to PATH
-      uses: microsoft/setup-msbuild@v1
+      uses: microsoft/setup-msbuild@v2
 
     - name: Restore NuGet packages
       working-directory: ${{env.GITHUB_WORKSPACE}}
       run: nuget restore ${{env.SOLUTION_FILE_PATH}}
 
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      if: ${{ startsWith(github.ref, 'refs/heads/develop') || startsWith(github.ref, 'refs/heads/master') }} 
-      uses: github/codeql-action/init@v2
-      with:
-        languages: ${{ matrix.language }}
-        # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file. 
-        # Prefix the list here with "+" to use these queries and those in the config file.
-        # queries: ./path/to/local/query, your-org/your-repo/queries@main
-
     - name: Build
       working-directory: ${{env.GITHUB_WORKSPACE}}
       # Add additional options to the MSBuild command line here (like platform or verbosity level).
       # See https://docs.microsoft.com/visualstudio/msbuild/msbuild-command-line-reference
       run: msbuild /m /p:Configuration=${{env.BUILD_CONFIGURATION}} ${{env.SOLUTION_FILE_PATH}} /p:Platform=${{matrix.platform}}
-
-    - name: Perform CodeQL Analysis
-      if: ${{ startsWith(github.ref, 'refs/heads/develop') || startsWith(github.ref, 'refs/heads/master') }} 
-      uses: github/codeql-action/analyze@v2