ci: add manual abicheck demo workflow (report-only)

[napetrov]

Summary

Switch the abicheck integration from CI pipeline job to a manual demo workflow.

What changed

• Removed abicheck-rfc job from .github/workflows/ci.yml (no pipeline impact)
• Added separate .github/workflows/abicheck-demo.yml
• Trigger is workflow_dispatch only (manual run)
• Keeps report-only behavior (fail-on-breaking=false, fail-on-api-break=false)
• Uses napetrov/abicheck@v0.2.0

Goal

Pure demonstration scan path for maintainer evaluation, without changing normal CI behavior.

Ref: #2499 (comment)

[napetrov]

ABI Report: libfoo.so

Old version	unknown
New version	unknown
Verdict	✅ NO_CHANGE
Breaking changes	0
Source-level breaks	0
Deployment risk changes	0
Compatible changes	0

Analysis Confidence

Field	Value
Confidence	HIGH
Evidence tiers	elf, dwarf, dwarf_advanced, header
Coverage gap	Detector 'pe' disabled: missing PE metadata
Coverage gap	Detector 'macho' disabled: missing Mach-O metadata
Coverage gap	Detector 'sycl' disabled: missing SYCL metadata

Policy: strict_abi

No ABI changes detected.

Legend

Verdict	Meaning
✅ NO_CHANGE	Identical ABI
✅ COMPATIBLE	Only additions (backward compatible)
⚠️ COMPATIBLE_WITH_RISK	Binary-compatible; verify target environment
⚠️ API_BREAK	Source-level API change — recompilation required
❌ BREAKING	Binary ABI break — recompilation required

Generated by abicheck

[napetrov]

Added workflows for regular ABI/API checks

1. abicheck-baseline.yml

Generates JSON baseline on tag creation (push tags v*).

• Builds the library, creates a dump via abicheck dump.
• Saves to .abi-baselines/libyang-<tag>.json.
• Creates a latest.json symlink.
• Automatically commits to the repository.

2. abicheck-ci.yml

Regular ABI/API break checks.

• Trigger: push to devel/main (changes in include/, src/) and pull_request.
• Uses existing baseline (.abi-baselines/latest.json) if available.
• Otherwise builds the previous tag (or HEAD~1).
• Builds the current version, creates dumps.
• Runs abicheck compare with --fail-on-breaking --fail-on-api-break.
• Blocks merge on any binary ABI or source‑level API changes.

3. Structure

• .abi-baselines/.gitkeep — placeholder for the baseline directory.
• Demo workflow (abicheck-demo.yml) remains manual (report‑only).

Files

.github/workflows/abicheck-baseline.yml

name: abicheck baseline generation

on:
push:
tags:
- 'v*' # matches tags like v5.4.9, v4.2.2

jobs:
generate-baseline:
name: Generate ABI baseline for tag
runs-on: ubuntu-22.04
permissions:
contents: write
security-events: write
steps:
- uses: actions/checkout@main
with:
fetch-depth: 0

  - name: Deps-packages
    shell: bash
    run: |
      sudo apt-get update
      sudo apt-get install -y cmake libpcre2-dev libxxhash-dev

  - name: Build library
    shell: bash
    run: |
      cmake -S . -B /tmp/build -DCMAKE_BUILD_TYPE=RelWithDebInfo -DENABLE_TESTS=OFF -DENABLE_TOOLS=OFF
      cmake --build /tmp/build -j2

  - name: Run abicheck dump
    uses: napetrov/abicheck@v0.2.0
    with:
      mode: dump
      library: /tmp/build/libyang.so
      header: src/libyang.h
      include: src /tmp/build/libyang
      lang: c
      output-file: libyang-${{ github.ref_name }}.json

  - name: Create baseline directory
    shell: bash
    run: |
      mkdir -p .abi-baselines

  - name: Move baseline into directory
    shell: bash
    run: |
      mv libyang-${{ github.ref_name }}.json .abi-baselines/
      # Create/update latest.json symlink
      cd .abi-baselines
      ln -sf libyang-${{ github.ref_name }}.json latest.json

  - name: Commit and push baseline
    shell: bash
    run: |
      git config --local user.email "action@github.com"
      git config --local user.name "GitHub Action"
      git add .abi-baselines/
      git commit -m "ci: add ABI baseline for ${{ github.ref_name }}"
      git push origin HEAD:${{ github.ref }}

.github/workflows/abicheck-ci.yml

name: abicheck CI

on:
push:
branches:
- devel
- main
paths:
- 'include/'
- 'src/'
- '.github/workflows/abicheck-ci.yml'
pull_request:
paths:
- 'include/'
- 'src/'
- '.github/workflows/abicheck-ci.yml'

jobs:
abi-check:
name: ABI/API compatibility check
runs-on: ubuntu-22.04
permissions:
contents: read
security-events: write
steps:
- uses: actions/checkout@main
with:
fetch-depth: 0

  - name: Deps-packages
    shell: bash
    run: |
      sudo apt-get update
      sudo apt-get install -y cmake libpcre2-dev libxxhash-dev

  - name: Determine baseline
    id: baseline
    shell: bash
    run: |
      # Try to find latest baseline file
      if [ -f .abi-baselines/latest.json ]; then
        echo "Using existing baseline: .abi-baselines/latest.json"
        echo "baseline_exists=true" >> "$GITHUB_OUTPUT"
      else
        echo "No baseline found, will build previous tag"
        echo "baseline_exists=false" >> "$GITHUB_OUTPUT"
      fi

  - name: Prepare old snapshot (baseline)
    if: steps.baseline.outputs.baseline_exists == 'true'
    shell: bash
    run: |
      cp .abi-baselines/latest.json old.json
      echo "Copied baseline to old.json"

  - name: Build old revision (if no baseline)
    if: steps.baseline.outputs.baseline_exists == 'false'
    shell: bash
    run: |
      # Determine previous tag or fallback
      LATEST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "")
      if [ -n "$LATEST_TAG" ]; then
        BASE_SHA="$LATEST_TAG"
        echo "Building old revision from tag: $BASE_SHA"
      else
        BASE_SHA="HEAD~1"
        echo "No tags found, building from: $BASE_SHA"
      fi
      git worktree add /tmp/libyang-base "$BASE_SHA"
      cmake -S /tmp/libyang-base -B /tmp/build-old -DCMAKE_BUILD_TYPE=RelWithDebInfo -DENABLE_TESTS=OFF -DENABLE_TOOLS=OFF
      cmake --build /tmp/build-old -j2

  - name: Dump old snapshot (if built)
    if: steps.baseline.outputs.baseline_exists == 'false'
    uses: napetrov/abicheck@v0.2.0
    with:
      mode: dump
      library: /tmp/build-old/libyang.so
      header: /tmp/libyang-base/src/libyang.h
      include: /tmp/libyang-base/src /tmp/build-old/libyang
      lang: c
      output-file: old.json

  - name: Build current revision
    shell: bash
    run: |
      cmake -S . -B /tmp/build-new -DCMAKE_BUILD_TYPE=RelWithDebInfo -DENABLE_TESTS=OFF -DENABLE_TOOLS=OFF
      cmake --build /tmp/build-new -j2

  - name: Dump current snapshot
    uses: napetrov/abicheck@v0.2.0
    with:
      mode: dump
      library: /tmp/build-new/libyang.so
      header: src/libyang.h
      include: src /tmp/build-new/libyang
      lang: c
      output-file: new.json

  - name: Compare snapshots (using abicheck CLI)
    id: compare
    shell: bash
    run: |
      # abicheck is installed via the action
      abicheck compare old.json new.json \
        --format json \
        --output abicheck-report.json \
        --fail-on-breaking \
        --fail-on-api-break
      # Exit code handling is done by abicheck itself

  - name: Upload report artifact
    if: always()
    uses: actions/upload-artifact@v4
    with:
      name: abicheck-report
      path: abicheck-report.json

Next steps

1. After merging the PR, the baseline workflow activates on new tags.
2. Regular CI will start checking all PRs with changes in include/src.
3. If needed, a manual trigger can be added to update the baseline on any branch.

(English translation of the previous comment)