Merge branch 'main' into dev/gsinha/recovery-owner

.azure-pipelines-templates/deploy_aci.yml

@@ -50,7 +50,7 @@ jobs:
         env:
           ACR_REGISTRY_RESOURCE_NAME: ccfmsrc
           ACR_REGISTRY: ccfmsrc.azurecr.io
-          BASE_IMAGE: ghcr.io/microsoft/ccf/ci/default:build-08-01-2025-2
+          BASE_IMAGE: ghcr.io/microsoft/ccf/ci/default:build-14-01-2025
 
       - script: |
           set -ex

.azure_pipelines_snp.yml

@@ -22,7 +22,7 @@ schedules:
 resources:
   containers:
     - container: virtual
-      image: ghcr.io/microsoft/ccf/ci/default:build-08-01-2025-2
+      image: ghcr.io/microsoft/ccf/ci/default:build-14-01-2025
       options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_PTRACE -v /lib/modules:/lib/modules:ro
 
 jobs:

.github/workflows/README.md

@@ -1,20 +1,14 @@
 Documents the various GitHub Actions workflows, the role they fulfil and 3rd party dependencies if any.
 
-# Backport
-
-Attempts to auto-open backport PRs from main to LTS branch(es) whenever possible. This works well in the absence of conflicts, typically early on during the life of an LTS, and less well later. The alternatives are running the backport tool manually, or cherry picking commits.
-Triggered when the label `auto-backport` is applied to a PR, along with the `X.*-todo` label to set the target branch.
-
-File: `backport.yml`
-3rd party dependencies: `sorenlouv/backport-github-action@main`
-
 # Bencher
 
 Builds and runs CCF performance tests, both end to end and micro-benchmarks. Results are posted to bencher.dev, and [plotted to make regressions obvious](https://bencher.dev/console/projects/ccf/plots).
 Triggered on every commit on `main`, but not on PR builds because the setup required to build from forks is complex and fragile in terms of security, and the increase in pool usage would be substantial.
 
 File: `bencher.yml`
-3rd party dependencies: `bencherdev/bencher@main`
+3rd party dependencies:
+
+- `bencherdev/bencher@main`
 
 # Continuous Integration Containers GHCR
 
@@ -28,6 +22,8 @@ File: `ci-containers-ghcr.yml`
 - `docker/metadata-action@v5`
 - `docker/build-push-action@v6`
 
+Note: This job will be removed with Ubuntu support, because installing dependencies on Azure Linux images is very fast, and producing CI-specific images is no longer necessary there.
+
 # Continuous Integration
 
 Main continuous integration job. Builds CCF for all target platforms, runs unit, end to end and partition tests Virtual. Run on every commit, including PRs from forks, gates merging. Also runs once a week, regardless of commits.
@@ -37,10 +33,10 @@ File: `ci.yml`
 
 # Long Tests
 
-Secondary continuous integration job. Runs more expensive, longer tests, such as tests against ASAN builds, fuzzing etc.
+Secondary continuous integration job. Runs more expensive, longer tests, such as tests against ASAN and TSAN builds, fuzzing etc.
 
-- Runs daily.
-- Can be manually run on a PR by setting `run-long-test` label.
+- Runs daily on week days.
+- Can be manually run on a PR by setting `run-long-test` label, or via workflow dispatch.
 
 File: `long-test.yml`
 3rd party dependencies: None
@@ -50,7 +46,10 @@ File: `long-test.yml`
 Builds CCF with CodeQL, and runs the security-extended checks. Triggered on PRs that affect ".github/workflows/codeql-analysis.yml", and once a week on main.
 
 File: `codeql-analysis.yml`
-3rd party dependencies: None
+3rd party dependencies:
+
+- `github/codeql-action/init@v3`
+- `github/codeql-action/analyze@v3`
 
 # Continuous Verification
 
@@ -71,7 +70,7 @@ File: `long-verification.yml`
 
 # Release
 
-Produces CCF release artefacts from 5.0.0-rc0 onwards, for all languages and platforms. Triggered on tags matching "ccf-5.\*". The output of the job is a draft release, which needs to be published manually. Publishing triggers the downstream jobs listed below.
+Produces CCF release artefacts from 5.0.0-rc0 onwards, for all languages and platforms. Triggered on tags matching `ccf-[56].\*`. The output of the job is a draft release, which needs to be published manually. Publishing triggers the downstream jobs listed below.
 
 File: `release.yml`
 3rd party dependencies: None
@@ -106,4 +105,6 @@ File: `pypi.yml`
 Builds and publishes documentation to GitHub Pages. Triggered on pushes to main, and manually. Note that special permissions (Settings > Environment) are configured.
 
 File: `doc.yml`
-3rd party dependencies: None
+3rd party dependencies:
+
+- peaceiris/actions-gh-pages@v3

.github/workflows/bencher.yml

@@ -13,7 +13,7 @@ jobs:
     name: Continuous Benchmarking with Bencher
     runs-on: [self-hosted, 1ES.Pool=gha-virtual-ccf-sub]
     container:
-      image: ghcr.io/microsoft/ccf/ci/default:build-08-01-2025-2
+      image: ghcr.io/microsoft/ccf/ci/default:build-14-01-2025
     steps:
       - uses: actions/checkout@v4
         with:

.github/workflows/ci-verification.yml

@@ -24,7 +24,7 @@ jobs:
     name: Model Checking - Consistency
     runs-on: [self-hosted, 1ES.Pool=gha-virtual-ccf-sub]
     container:
-      image: ghcr.io/microsoft/ccf/ci/default:build-08-01-2025-2
+      image: ghcr.io/microsoft/ccf/ci/default:build-14-01-2025
     defaults:
       run:
         working-directory: tla
@@ -102,7 +102,7 @@ jobs:
     name: Model Checking - Consensus
     runs-on: [self-hosted, 1ES.Pool=gha-virtual-ccf-sub]
     container:
-      image: ghcr.io/microsoft/ccf/ci/default:build-08-01-2025-2
+      image: ghcr.io/microsoft/ccf/ci/default:build-14-01-2025
     defaults:
       run:
         working-directory: tla
@@ -158,7 +158,7 @@ jobs:
     name: Trace Validation - Consensus
     runs-on: [self-hosted, 1ES.Pool=gha-virtual-ccf-sub]
     container:
-      image: ghcr.io/microsoft/ccf/ci/default:build-08-01-2025-2
+      image: ghcr.io/microsoft/ccf/ci/default:build-14-01-2025
 
     steps:
       - uses: actions/checkout@v4

.github/workflows/ci.yml

@@ -20,7 +20,7 @@ jobs:
   checks:
     name: "Format and License Checks"
     runs-on: ubuntu-latest
-    container: ghcr.io/microsoft/ccf/ci/default:build-08-01-2025-2
+    container: ghcr.io/microsoft/ccf/ci/default:build-14-01-2025
 
     steps:
       - run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
@@ -44,7 +44,7 @@ jobs:
             options: --user root --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_PTRACE -v /lib/modules:/lib/modules:ro
     runs-on: ${{ matrix.platform.nodes }}
     container:
-      image: ghcr.io/microsoft/ccf/ci/${{ matrix.platform.image }}:build-08-01-2025-2
+      image: ghcr.io/microsoft/ccf/ci/${{ matrix.platform.image }}:build-14-01-2025
       options: ${{ matrix.platform.options }}
     steps:
       - uses: actions/checkout@v4
@@ -116,7 +116,7 @@ jobs:
           # libc++
           tdnf -y install libcxx-devel llvm-libunwind-devel llvm-libunwind-static
           # Dependencies
-          tdnf -y install openssl-devel libuv-devel nghttp2-devel
+          tdnf -y install openssl-devel libuv-devel nghttp2-devel curl-devel
           # Test dependencies
           tdnf -y install libarrow-devel parquet-libs-devel lldb npm jq expect
           # Install CDDL via rubygems

.github/workflows/codeql-analysis.yml

@@ -25,7 +25,7 @@ jobs:
     # Insufficient space to run on public runner, so use custom pool
     runs-on: [self-hosted, 1ES.Pool=gha-virtual-ccf-sub]
     container:
-      image: ghcr.io/microsoft/ccf/ci/default:build-08-01-2025-2
+      image: ghcr.io/microsoft/ccf/ci/default:build-14-01-2025
       options: --user root
 
     permissions: