From 5e5a41b3082b8fc95f654e5447b21b5f6cd970d3 Mon Sep 17 00:00:00 2001 From: Alan George Date: Tue, 7 Apr 2026 22:51:41 -0600 Subject: [PATCH 01/15] Add clang-tidy in GHA CI --- .clang-tidy | 21 ++++++++++++ .github/workflows/builds.yml | 62 ++++++++++++++++++++++++++++++++++++ compile_commands.json | 1 + 3 files changed, 84 insertions(+) create mode 100644 .clang-tidy create mode 120000 compile_commands.json diff --git a/.clang-tidy b/.clang-tidy new file mode 100644 index 0000000..855e151 --- /dev/null +++ b/.clang-tidy @@ -0,0 +1,21 @@ +Checks: > + -*, + bugprone-*, + performance-*, + modernize-*, + readability-braces-around-statements, + readability-misleading-indentation, + readability-redundant-smartptr-get, + -modernize-use-trailing-return-type, + -modernize-avoid-c-arrays, + -bugprone-easily-swappable-parameters + +WarningsAsErrors: '' + +HeaderFilterRegex: '(include/livekit|src|bridge/(include|src)|examples)' + +FormatStyle: file + +CheckOptions: + - key: modernize-use-nullptr.NullMacros + value: 'NULL' diff --git a/.github/workflows/builds.yml b/.github/workflows/builds.yml index 1a7dfef..89e1fc5 100644 --- a/.github/workflows/builds.yml +++ b/.github/workflows/builds.yml @@ -244,6 +244,16 @@ jobs: ${{ matrix.build_dir }}/bin/ retention-days: 7 + - name: Upload compile database (for clang-tidy) + if: matrix.name == 'linux-x64' + uses: actions/upload-artifact@v4 + with: + name: compile-database + path: | + ${{ matrix.build_dir }}/compile_commands.json + ${{ matrix.build_dir }}/generated/ + retention-days: 1 + # ---------- Cleanup ---------- - name: Clean after build (best-effort) if: always() 
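Review bot: The `src` and `examples` alternatives in `HeaderFilterRegex` of the new `.clang-tidy` are unanchored, so the filter matches any header whose path merely contains those substrings, which can pull vendored or submodule headers into the diagnostics. Bounding the alternatives by path separators would narrow it, for example `HeaderFilterRegex: '/(include/livekit|src|bridge/(include|src)|examples)/'`. Which third-party trees exist is not visible in this patch, so the exact anchor should be checked against the paths clang-tidy reports. The same expression is repeated as `-header-filter=` in the workflow's Run clang-tidy step, where the two copies can drift apart.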
@@ -382,3 +392,55 @@ jobs: cmake -S . -B build -DLIVEKIT_LOCAL_SDK_DIR=/opt/livekit-sdk cmake --build build --parallel ' + + clang-tidy: + name: clang-tidy + needs: build + runs-on: ubuntu-latest + continue-on-error: true + if: ${{ !cancelled() }} + + steps: + - name: Checkout (with submodules) + uses: actions/checkout@v4 + with: + submodules: recursive + fetch-depth: 0 + + - name: Install dependencies + run: | + set -eux + sudo apt-get update + sudo apt-get install -y \ + clang-tidy \ + llvm-dev libclang-dev clang \ + libssl-dev \ + libprotobuf-dev protobuf-compiler \ + libabsl-dev \ + libspdlog-dev \ + libva-dev libdrm-dev libgbm-dev libx11-dev libgl1-mesa-dev \ + libxext-dev libxcomposite-dev libxdamage-dev libxfixes-dev \ + libxrandr-dev libxi-dev libxkbcommon-dev \ + libasound2-dev libpulse-dev \ + libwayland-dev libdecor-0-dev + + - name: Download compile database + uses: actions/download-artifact@v4 + with: + name: compile-database + path: build-release/ + + - name: Collect source files + run: | + find src/ bridge/src/ examples/ \ + -name '*.cpp' -not -path '*/tests/*' \ + | sort -u > /tmp/tidy-files.txt + echo "Files to analyze ($(wc -l < /tmp/tidy-files.txt)):" + cat /tmp/tidy-files.txt + + - name: Run clang-tidy + run: | + run-clang-tidy \ + -p build-release \ + -header-filter='(include/livekit|src|bridge/(include|src)|examples)' \ + $(cat /tmp/tidy-files.txt) diff --git a/compile_commands.json b/compile_commands.json new file mode 120000 index 0000000..5a5ec6c --- /dev/null +++ b/compile_commands.json @@ -0,0 +1 @@ +build-release/compile_commands.json \ No newline at end of file From 5e2268f46be6b1b8de672f9d52dc7648d5794064 Mon Sep 17 00:00:00 2001 
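Review bot: With `needs: build` and `if: ${{ !cancelled() }}` the new `clang-tidy` job also starts after a failed build, where the `compile-database` artifact may never have been uploaded, so the run fails in the download step rather than on an analysis result. If the intent is only to tolerate failures in other matrix legs, say so on the `if:` line, e.g. `# run even if non-linux build legs fail; still needs the linux-x64 compile database`. In the Run clang-tidy step, `$(cat /tmp/tidy-files.txt)` is expanded unquoted, so a path containing whitespace would be split into separate arguments. Feeding the list through `xargs -d '\n'` avoids that.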
From: Alan George Date: Tue, 7 Apr 2026 22:51:41 -0600 Subject: [PATCH 02/15] Potential fix for pull request finding 'CodeQL / Workflow does not contain permissions' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- .github/workflows/builds.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/builds.yml b/.github/workflows/builds.yml index 89e1fc5..93e5756 100644 --- a/.github/workflows/builds.yml +++ b/.github/workflows/builds.yml @@ -35,6 +35,8 @@ on: permissions: contents: read + actions: read + packages: read env: CARGO_TERM_COLOR: always From a584b27fbbac50fd74d7ed187ac21c85e1147328 Mon Sep 17 00:00:00 2001 From: Alan George Date: Tue, 7 Apr 2026 22:51:42 -0600 Subject: [PATCH 03/15] Remove compile commands --- compile_commands.json | 1 - 1 file changed, 1 deletion(-) delete mode 120000 compile_commands.json diff --git a/compile_commands.json b/compile_commands.json deleted file mode 120000 index 5a5ec6c..0000000 --- a/compile_commands.json +++ /dev/null @@ -1 +0,0 @@ -build-release/compile_commands.json \ No newline at end of file From 918a2c0b87e7b5be7855ab5a3cdcb4343ca60048 Mon Sep 17 00:00:00 2001 From: Alan George Date: Tue, 7 Apr 2026 22:51:42 -0600 Subject: [PATCH 04/15] Possibly fix pathing --- .github/workflows/builds.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/builds.yml b/.github/workflows/builds.yml index 93e5756..472901a 100644 --- a/.github/workflows/builds.yml +++ b/.github/workflows/builds.yml @@ -430,7 +430,13 @@ jobs: uses: actions/download-artifact@v4 with: name: compile-database - path: build-release/ + + - name: Verify compile database + run: | + echo "Artifact contents:" + find build-release/ -type f | head -20 + test -f build-release/compile_commands.json + echo "compile_commands.json found ($(wc -l < build-release/compile_commands.json) lines)" - name: Collect source files run: | 
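Review bot: In PATCH 02/15, `actions: read` and `packages: read` are added at workflow level, so every job in `builds.yml` receives them, yet no step visible in this series reads from GitHub Packages or calls the Actions API. The context lines show `contents: read` was already declared, so the workflow-level block existed before this change and the two extra scopes look unnecessary for the finding named in the subject. Unless a job outside this hunk needs them, keep the block at `contents: read` and grant anything further under the individual job's own `permissions:`.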
From e65e8ab599238470b426d94e206290401617f791 Mon Sep 17 00:00:00 2001 From: Alan George Date: Wed, 8 Apr 2026 09:40:50 -0600 Subject: [PATCH 05/15] Rebase and optimize build for debugging --- .github/workflows/builds.yml | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/.github/workflows/builds.yml b/.github/workflows/builds.yml index 472901a..4a9a34f 100644 --- a/.github/workflows/builds.yml +++ b/.github/workflows/builds.yml @@ -55,22 +55,22 @@ jobs: name: linux-x64 build_cmd: ./build.sh release-examples build_dir: build-release - - os: ubuntu-24.04-arm - name: linux-arm64 - build_cmd: ./build.sh release-examples - build_dir: build-release - - os: macos-latest - name: macos-arm64 - build_cmd: ./build.sh release-examples - build_dir: build-release - - os: macos-latest - name: macos-x64 - build_cmd: ./build.sh release-examples --macos-arch x86_64 - build_dir: build-release - - os: windows-latest - name: windows-x64 - build_cmd: .\build.cmd release-examples - build_dir: build-release + # - os: ubuntu-24.04-arm + # name: linux-arm64 + # build_cmd: ./build.sh release-examples + # build_dir: build-release + # - os: macos-latest + # name: macos-arm64 + # build_cmd: ./build.sh release-examples + # build_dir: build-release + # - os: macos-latest + # name: macos-x64 + # build_cmd: ./build.sh release-examples --macos-arch x86_64 + # build_dir: build-release + # - os: windows-latest + # name: windows-x64 + # build_cmd: .\build.cmd release-examples + # build_dir: build-release name: Build (${{ matrix.name }}) runs-on: ${{ matrix.os }} From 99081abb75b2ac970c6d61968cbb4f91ab2cfced Mon Sep 17 00:00:00 2001 From: Alan George Date: Wed, 8 Apr 2026 11:04:44 -0600 Subject: [PATCH 06/15] Debugging clang stage --- .github/workflows/builds.yml | 37 +++++++++++++++++++++++++++++++----- 1 file changed, 32 insertions(+), 5 deletions(-) diff --git a/.github/workflows/builds.yml b/.github/workflows/builds.yml index 4a9a34f..123a30c 100644 
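Review bot: Every matrix entry except `linux-x64` is commented out in this hunk, and no later patch in the series restores them, so merging it as posted would leave the arm64, macOS and Windows builds out of CI. The subject says this is for debugging. The entries should be uncommented before merge, or the restriction marked with a tracking comment such as `# TODO: restore full matrix before merge`. The `strategy` block starts outside the hunk.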
--- a/.github/workflows/builds.yml +++ b/.github/workflows/builds.yml @@ -246,6 +246,16 @@ jobs: ${{ matrix.build_dir }}/bin/ retention-days: 7 + - name: Debug compile database before upload + if: matrix.name == 'linux-x64' + run: | + echo "=== Files to be uploaded ===" + echo "build_dir=${{ matrix.build_dir }}" + ls -la ${{ matrix.build_dir }}/compile_commands.json || echo "compile_commands.json NOT FOUND" + echo "Generated headers:" + ls -la ${{ matrix.build_dir }}/generated/*.pb.h 2>/dev/null | head -5 || echo "No .pb.h files found" + echo "Generated header count: $(find ${{ matrix.build_dir }}/generated -name '*.pb.h' 2>/dev/null | wc -l)" + - name: Upload compile database (for clang-tidy) if: matrix.name == 'linux-x64' uses: actions/upload-artifact@v4 
@@ -430,13 +440,30 @@ jobs: uses: actions/download-artifact@v4 with: name: compile-database + path: build-release/ - - name: Verify compile database + - name: Debug download artifact layout run: | - echo "Artifact contents:" - find build-release/ -type f | head -20 - test -f build-release/compile_commands.json - echo "compile_commands.json found ($(wc -l < build-release/compile_commands.json) lines)" + echo "=== Workspace root ===" + ls -la + echo "" + echo "=== build-release/ contents ===" + find build-release/ -type f 2>/dev/null | head -30 || echo "build-release/ directory NOT FOUND" + echo "" + echo "=== Looking for compile_commands.json anywhere ===" + find . -name 'compile_commands.json' -not -path './.git/*' 2>/dev/null + echo "" + echo "=== Looking for .pb.h anywhere ===" + find . -name '*.pb.h' -not -path './.git/*' 2>/dev/null | head -5 + echo "" + if [ -f build-release/compile_commands.json ]; then + echo "SUCCESS: build-release/compile_commands.json found ($(wc -l < build-release/compile_commands.json) lines)" + else + echo "FAIL: build-release/compile_commands.json not found" + echo "Trying without build-release/ prefix:" + ls -la compile_commands.json 2>/dev/null || echo " Not at workspace root either" + exit 1 + fi - name: Collect source files run: | From 36e91108b0ce6c28feaffd5a6f0ec6d84c84d9e6 Mon Sep 17 00:00:00 2001 From: Alan George Date: Wed, 8 Apr 2026 11:57:48 -0600 Subject: [PATCH 07/15] Remove debug output --- .github/workflows/builds.yml | 25 +------------------------ 1 file changed, 1 insertion(+), 24 deletions(-) diff --git a/.github/workflows/builds.yml b/.github/workflows/builds.yml index 123a30c..8f7aee6 100644 --- a/.github/workflows/builds.yml +++ b/.github/workflows/builds.yml 
@@ -441,30 +441,7 @@ jobs: with: name: compile-database path: build-release/ - - - name: Debug download artifact layout - run: | - echo "=== Workspace root ===" - ls -la - echo "" - echo "=== build-release/ contents ===" - find build-release/ -type f 2>/dev/null | head -30 || echo "build-release/ directory NOT FOUND" - echo "" - echo "=== Looking for compile_commands.json anywhere ===" - find . -name 'compile_commands.json' -not -path './.git/*' 2>/dev/null - echo "" - echo "=== Looking for .pb.h anywhere ===" - find . -name '*.pb.h' -not -path './.git/*' 2>/dev/null | head -5 - echo "" - if [ -f build-release/compile_commands.json ]; then - echo "SUCCESS: build-release/compile_commands.json found ($(wc -l < build-release/compile_commands.json) lines)" - else - echo "FAIL: build-release/compile_commands.json not found" - echo "Trying without build-release/ prefix:" - ls -la compile_commands.json 2>/dev/null || echo " Not at workspace root either" - exit 1 - fi - + - name: Collect source files run: | find src/ bridge/src/ examples/ \ From 85caa49b269630d97eaae9eb6da97d224bcf36b3 Mon Sep 17 00:00:00 2001 From: Alan George Date: Wed, 8 Apr 2026 12:09:32 -0600 Subject: [PATCH 08/15] Try cpplinter stage instead --- .github/workflows/builds.yml | 52 +++++++++++++++++++++--------------- 1 file changed, 30 insertions(+), 22 deletions(-) diff --git a/.github/workflows/builds.yml b/.github/workflows/builds.yml index 8f7aee6..809e59c 100644 --- a/.github/workflows/builds.yml +++ b/.github/workflows/builds.yml 
@@ -246,16 +246,6 @@ jobs: ${{ matrix.build_dir }}/bin/ retention-days: 7 - - name: Debug compile database before upload - if: matrix.name == 'linux-x64' - run: | - echo "=== Files to be uploaded ===" - echo "build_dir=${{ matrix.build_dir }}" - ls -la ${{ matrix.build_dir }}/compile_commands.json || echo "compile_commands.json NOT FOUND" - echo "Generated headers:" - ls -la ${{ matrix.build_dir }}/generated/*.pb.h 2>/dev/null | head -5 || echo "No .pb.h files found" - echo "Generated header count: $(find ${{ matrix.build_dir }}/generated -name '*.pb.h' 2>/dev/null | wc -l)" - - name: Upload compile database (for clang-tidy) if: matrix.name == 'linux-x64' uses: actions/upload-artifact@v4 @@ -411,6 +401,9 @@ jobs: runs-on: ubuntu-latest continue-on-error: true if: ${{ !cancelled() }} + permissions: + contents: read + pull-requests: write steps: - name: Checkout (with submodules) 
@@ -441,18 +434,33 @@ jobs: with: name: compile-database path: build-release/ - - - name: Collect source files - run: | - find src/ bridge/src/ examples/ \ - -name '*.cpp' -not -path '*/tests/*' \ - | sort -u > /tmp/tidy-files.txt - echo "Files to analyze ($(wc -l < /tmp/tidy-files.txt)):" - cat /tmp/tidy-files.txt - name: Run clang-tidy + uses: cpp-linter/cpp-linter-action@v2 + id: linter + with: + style: '' + tidy-checks: '' + database: build-release + files-changed-only: true + lines-changed-only: false + ignore: 'build-*|client-sdk-rust|vcpkg_installed' + file-annotations: true + thread-comments: update + step-summary: true + tidy-review: true + passive-reviews: true + no-lgtm: true + version: '' + + - name: Check warning thresholds + env: + TIDY_FINDINGS: ${{ steps.linter.outputs.clang-tidy-checks-failed }} + MAX_TIDY_FINDINGS: '0' run: | - run-clang-tidy \ - -p build-release \ - -header-filter='(include/livekit|src|bridge/(include|src)|examples)' \ - $(cat /tmp/tidy-files.txt) + echo "clang-tidy findings: ${TIDY_FINDINGS}" + if [ "${TIDY_FINDINGS}" -gt "${MAX_TIDY_FINDINGS}" ]; then + echo "::warning::clang-tidy found ${TIDY_FINDINGS} issue(s), threshold is ${MAX_TIDY_FINDINGS}" + exit 1 + fi + echo "clang-tidy findings within threshold" From cce7d8ba09f23092e8a88762646d5ce72cd547c3 Mon Sep 17 00:00:00 2001 From: Alan George Date: Wed, 8 Apr 2026 16:33:44 -0600 Subject: [PATCH 09/15] Hopefully fix clang issue --- .github/workflows/builds.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/builds.yml b/.github/workflows/builds.yml index 809e59c..05f0884 100644 --- a/.github/workflows/builds.yml +++ b/.github/workflows/builds.yml @@ -451,7 +451,6 @@ jobs: tidy-review: true passive-reviews: true no-lgtm: true - version: '' - name: Check warning thresholds env: From cccbc74cc00dbe59ca779d5dccba8ebd35342ce3 Mon Sep 17 00:00:00 2001 
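Review bot: `cpp-linter/cpp-linter-action@v2` in the new Run clang-tidy step is a third-party action referenced by a mutable tag. It runs in a job that holds `pull-requests: write` (granted in the previous hunk of this patch) and, from PATCH 10/15, receives `GITHUB_TOKEN` in its environment. If the tag is ever moved to different code, that code would execute with this token, so pin the action to a reviewed commit: `uses: cpp-linter/cpp-linter-action@<full-commit-sha> # v2`. The job body starts outside this hunk.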
From: Alan George Date: Wed, 8 Apr 2026 16:56:36 -0600 Subject: [PATCH 10/15] Add github token --- .github/workflows/builds.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/builds.yml b/.github/workflows/builds.yml index 05f0884..cb8c0ff 100644 --- a/.github/workflows/builds.yml +++ b/.github/workflows/builds.yml @@ -438,6 +438,8 @@ jobs: - name: Run clang-tidy uses: cpp-linter/cpp-linter-action@v2 id: linter + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: style: '' tidy-checks: '' From 72c2fe469e51021ffa0df368899fd6e1470efd47 Mon Sep 17 00:00:00 2001 From: Alan George Date: Wed, 8 Apr 2026 17:40:21 -0600 Subject: [PATCH 11/15] Turn files changed only off --- .github/workflows/builds.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/builds.yml b/.github/workflows/builds.yml index cb8c0ff..e0ec9ae 100644 --- a/.github/workflows/builds.yml +++ b/.github/workflows/builds.yml @@ -444,7 +444,7 @@ jobs: style: '' tidy-checks: '' database: build-release - files-changed-only: true + files-changed-only: false lines-changed-only: false ignore: 'build-*|client-sdk-rust|vcpkg_installed' file-annotations: true From 8aa951d56230e20a5d321d1bee2cdf6ce84b2343 Mon Sep 17 00:00:00 2001 From: Alan George Date: Wed, 8 Apr 2026 20:45:53 -0600 Subject: [PATCH 12/15] New clang-tidy error list for the critical stuff --- .clang-tidy | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/.clang-tidy b/.clang-tidy index 855e151..8fee8e5 100644 --- a/.clang-tidy +++ b/.clang-tidy 
@@ -10,7 +10,16 @@ Checks: > -modernize-avoid-c-arrays, -bugprone-easily-swappable-parameters -WarningsAsErrors: '' +WarningsAsErrors: > + bugprone-use-after-move, + bugprone-dangling-handle, + bugprone-undefined-memory-manipulation, + bugprone-move-forwarding-reference, + bugprone-incorrect-roundings, + bugprone-sizeof-expression, + bugprone-string-literal-with-embedded-nul, + bugprone-suspicious-memset-usage, + bugprone-infinite-loop HeaderFilterRegex: '(include/livekit|src|bridge/(include|src)|examples)' From 65d923e03c670049f3bb76db2586f8eeea10bddb Mon Sep 17 00:00:00 2001 From: Alan George Date: Wed, 8 Apr 2026 21:27:16 -0600 Subject: [PATCH 13/15] Adjustments to clang-tidy checks --- .clang-tidy | 9 +++++++-- .github/workflows/builds.yml | 4 ++-- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/.clang-tidy b/.clang-tidy index 8fee8e5..ba581b4 100644 --- a/.clang-tidy +++ b/.clang-tidy @@ -3,23 +3,28 @@ Checks: > bugprone-*, performance-*, modernize-*, - readability-braces-around-statements, readability-misleading-indentation, readability-redundant-smartptr-get, -modernize-use-trailing-return-type, -modernize-avoid-c-arrays, -bugprone-easily-swappable-parameters + # Suppressing spammy ones for now + -modernize-use-nodiscard, + -readability-braces-around-statements, +# These warnings have determined to be critical and are as such treated as errors WarningsAsErrors: > + clang-analyzer-*, bugprone-use-after-move, bugprone-dangling-handle, + bugprone-infinite-loop, + bugprone-narrowing-conversions, bugprone-undefined-memory-manipulation, bugprone-move-forwarding-reference, bugprone-incorrect-roundings, bugprone-sizeof-expression, bugprone-string-literal-with-embedded-nul, bugprone-suspicious-memset-usage, - bugprone-infinite-loop HeaderFilterRegex: '(include/livekit|src|bridge/(include|src)|examples)' diff --git a/.github/workflows/builds.yml b/.github/workflows/builds.yml index e0ec9ae..62b1fb7 100644 --- a/.github/workflows/builds.yml 
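Review bot: In the `.clang-tidy` hunk of PATCH 13/15, `clang-analyzer-*` is added to `WarningsAsErrors`, but `Checks` begins with `-*` and never enables the analyzer group. `WarningsAsErrors` only promotes diagnostics from checks that are enabled, so this entry has no effect as written. If the analyzer is meant to gate the build, add `clang-analyzer-*,` to `Checks` as well. The `# Suppressing spammy ones for now` line added under `Checks: >` appears to sit inside the folded scalar, where YAML treats it as text rather than a comment. Indentation is not recoverable from this page, so it is worth confirming with `clang-tidy --dump-config`.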
+++ b/.github/workflows/builds.yml @@ -399,7 +399,7 @@ jobs: name: clang-tidy needs: build runs-on: ubuntu-latest - continue-on-error: true + continue-on-error: false if: ${{ !cancelled() }} permissions: contents: read @@ -457,7 +457,7 @@ jobs: - name: Check warning thresholds env: TIDY_FINDINGS: ${{ steps.linter.outputs.clang-tidy-checks-failed }} - MAX_TIDY_FINDINGS: '0' + MAX_TIDY_FINDINGS: '396' run: | echo "clang-tidy findings: ${TIDY_FINDINGS}" if [ "${TIDY_FINDINGS}" -gt "${MAX_TIDY_FINDINGS}" ]; then From 45b9e5b42e46996a7478f38d548842d2a6405691 Mon Sep 17 00:00:00 2001 From: Alan George Date: Thu, 9 Apr 2026 12:46:15 -0600 Subject: [PATCH 14/15] Fix one introduce another --- bridge/src/bridge_audio_track.cpp | 6 +++++- src/ffi_client.cpp | 2 +- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/bridge/src/bridge_audio_track.cpp b/bridge/src/bridge_audio_track.cpp index 5816cfc..0e93581 100644 --- a/bridge/src/bridge_audio_track.cpp +++ b/bridge/src/bridge_audio_track.cpp @@ -38,7 +38,11 @@ BridgeAudioTrack::BridgeAudioTrack( : name_(std::move(name)), sample_rate_(sample_rate), num_channels_(num_channels), source_(std::move(source)), track_(std::move(track)), publication_(std::move(publication)), - participant_(participant) {} + participant_(participant) { + std::cout << "Bad name use: " << name << "\n"; // Should invoke clang-tidy warning + + while(true); // should invoke another warning + } BridgeAudioTrack::~BridgeAudioTrack() { release(); } diff --git a/src/ffi_client.cpp b/src/ffi_client.cpp index 9c20691..82f4d1c 100644 --- a/src/ffi_client.cpp +++ b/src/ffi_client.cpp @@ -244,7 +244,7 @@ void FfiClient::PushEvent(const proto::FfiEvent &event) const { void LivekitFfiCallback(const uint8_t *buf, size_t len) { proto::FfiEvent event; - event.ParseFromArray(buf, len); + event.ParseFromArray(buf, static_cast(len)); // TODO: this fixes for now, what if len exceeds int? FfiClient::instance().PushEvent(event); } 
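Review bot: The Check warning thresholds step trusts `TIDY_FINDINGS` to be a number. If the `clang-tidy-checks-failed` output is empty or non-numeric, the `[ ... -gt ... ]` test errors inside the `if`, the condition counts as false, and the step reports the findings as within threshold. With `continue-on-error: false` now making this job a gate, validate the value first, e.g. `case "${TIDY_FINDINGS}" in ''|*[!0-9]*) echo "::error::no clang-tidy count"; exit 1;; esac`. The new baseline `'396'` would also benefit from a comment saying how it was measured and that it should only decrease. The rest of the step's script lies outside this hunk.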
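Review bot: The constructor body added in `bridge_audio_track.cpp` never returns. `while(true);` spins forever, so any code that constructs a `BridgeAudioTrack` hangs, and the preceding `std::cout << ... << name` reads `name` after it was moved into `name_`. The comments say both lines exist to provoke clang-tidy, but PATCH 15/15 only touches `.clang-tidy`, so nothing visible in this series removes them. Restore the empty body, `participant_(participant) {}`, before merge and keep such probes in a throwaway branch or a dedicated lint fixture.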
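Review bot: In `LivekitFfiCallback`, the added cast silences the narrowing warning but keeps the hazard the TODO describes. A `len` above `INT_MAX` is converted to a wrong, possibly negative, size before `ParseFromArray` sees it, and the call's boolean result is still discarded, so a buffer that fails to parse is pushed as an event anyway. Reject both cases up front with `if (len > static_cast<size_t>(std::numeric_limits<int>::max()) || !event.ParseFromArray(buf, static_cast<int>(len))) return;`, which needs `<limits>`. Whether a dropped event should also be logged depends on code outside this hunk. The cast's template argument is missing from the page as rendered, so `int` is assumed from the TODO.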
From 357b85fe9395cb082b6f0b26f2b667a2d086de9f Mon Sep 17 00:00:00 2001 From: Alan George Date: Thu, 9 Apr 2026 16:07:45 -0600 Subject: [PATCH 15/15] Cleanup clang file --- .clang-tidy | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.clang-tidy b/.clang-tidy index ba581b4..5171352 100644 --- a/.clang-tidy +++ b/.clang-tidy @@ -3,14 +3,13 @@ Checks: > bugprone-*, performance-*, modernize-*, + -readability-braces-around-statements, readability-misleading-indentation, readability-redundant-smartptr-get, -modernize-use-trailing-return-type, -modernize-avoid-c-arrays, - -bugprone-easily-swappable-parameters - # Suppressing spammy ones for now -modernize-use-nodiscard, - -readability-braces-around-statements, + -bugprone-easily-swappable-parameters # These warnings have determined to be critical and are as such treated as errors WarningsAsErrors: >