Merging latest main to vanilla to update to the best stable state. #1
Updated README.md to modernize formatting and improve clarity.
…ld scripts and artifact names for consistency with project branding.
…3e' to 'idtech3' and adjust minimum CMake version to 3.24. Changed default renderer to 'vulkan' for improved compatibility.
This new file outlines the security policy, including supported versions, reporting procedures for vulnerabilities, response expectations, and guidelines for coordinated disclosure. It aims to enhance the project's security practices and provide clear instructions for users reporting security issues.
This commit introduces a comprehensive constitution document outlining the project's goals, architectural principles, coding conventions, development workflow, and amendment process. It serves as a guiding framework for contributors to ensure stability, maintainability, and adherence to project values.
This commit introduces two new scripts: `make-macosx-app.sh` for creating macOS application bundles with support for multiple architectures, and `make-macosx-ub2.sh` for building Universal 2 binaries (x86_64 and aarch64). The scripts include functionality for notarization and signing, enhancing the build process for macOS applications.
This commit expands the .gitignore file to exclude various build-related directories and files, including specific mod files and logs, ensuring a cleaner repository by preventing unnecessary files from being tracked.
This commit introduces two new scripts: `compile_engine.sh` for building the id Tech 3 engine with options for different rendering backends and build types, and `compile_game.sh` for compiling game mods with robust CMake cache handling. These scripts streamline the build process and enhance usability for developers working on the project.
This commit modifies the .gitignore file to exclude specific mod files related to the 'mymod' directory, ensuring that unnecessary build artifacts are not tracked in the repository. This change contributes to a cleaner project structure and better management of version control.
…d directory This commit modifies the .gitignore file to exclude all shared object files (*.so) in the 'mymod/vm' directory, ensuring that only relevant files are tracked in the repository and improving project cleanliness.
This commit introduces a new source file, snd_mix_fallback.c, which provides a weak C implementation of the S_WriteLinearBlastStereo16_SSE_x64 function. This implementation forwards calls to the portable C writer, allowing for an optimized assembly version to take precedence if available. The change enhances audio processing capabilities while maintaining compatibility with existing systems.
This commit modifies the S_WriteLinearBlastStereo16_SSE_x64 function to set the global buffer pointers and count without restoring previous values after execution. This change ensures that the caller receives the updated state, aligning with expected behavior and improving the function's reliability in audio processing.
…uration This commit introduces logic to normalize architecture identifiers (x86_64, x86, arm64, arm) in the CMakeLists.txt file. It sets the output names for OpenGL and Vulkan renderer libraries based on the detected architecture, ensuring compatibility with dlopen-friendly plugin naming conventions. This change enhances the build process by providing clearer and more consistent output filenames.
This commit modifies the server name format in the CMakeLists.txt file from "idtech3.server" to "idtech3_server". This change improves consistency in naming conventions across the project.
This commit simplifies the error messages in the FS_CheckIdPaks function by removing specific instructions related to missing or incorrect pak files. The updated messages now focus on the issues without suggesting actions, enhancing readability and maintaining consistency in error reporting.
This commit changes the server file naming convention in the compile_engine.sh script from "idtech3.server.x86_64" to "idtech3_server.x86_64". This update aligns with previous naming conventions and improves consistency across the build process.
This commit introduces a new CMake option, SKIP_IDPAK_CHECK, allowing users to bypass the check for original Quake III pak files during the build process. Additionally, the compile_engine.sh script is updated to copy both client and server binaries if they exist, enhancing the release process. The files.c is modified to conditionally check for id paks based on the new option, improving flexibility in game file management.
This commit eliminates the SKIP_IDPAK_CHECK option from the CMakeLists.txt file, streamlining the build process by removing unnecessary compile definitions. Additionally, it ensures proper formatting by correcting the end-of-file newline issue.
…ing in CMake This commit introduces a compile definition for SKIP_IDPAK_CHECK, allowing for conditional compilation based on this option. Additionally, it improves the handling of SDL2 targets by synthesizing lightweight IMPORTED targets when necessary, ensuring compatibility across different systems and configurations. This enhances the build process and maintains flexibility in library linking.
This commit applies the SKIP_IDPAK_CHECK compile definition to the qcommon and qcommon_ded targets, allowing for conditional compilation based on this option. The previous definition check has been streamlined, enhancing the build configuration for these targets.
…port This commit improves the SDL2 target configuration in CMake by adding support for specifying include directories when defining the SDL2::Core target. This enhancement ensures that the necessary include paths are correctly set, improving compatibility and flexibility in the build process.
This commit introduces a new argument handling for SKIP_IDPAK in the compile_engine.sh script, allowing users to skip the IDPAK check during the build process. The script now sets the SKIP_IDPAK variable based on user input, enhancing flexibility in the build configuration.
This commit updates the GitHub Actions build workflow to include the CFLAGS environment variable with the definition for SKIP_IDPAK_CHECK. This change allows the build process to skip the IDPAK check across multiple job configurations, enhancing flexibility in the build process.
This commit introduces the `-Wl,--export-dynamic` option for the main executable targets in CMake when building on UNIX systems (excluding MSVC). Additionally, it enhances the renderer name handling in `cl_main.c` by sanitizing the renderer name to strip surrounding quotes, ensuring proper formatting when loading renderer libraries. This improves compatibility and stability in the build process.
This commit changes the log file name from "qconsole.log" to "console.log" in the Com_Printf function. This update improves consistency in log file naming conventions and enhances clarity in the logging process.
This commit introduces a new function, Cmd_SanitizeInput, to sanitize command input, preventing malicious characters and buffer issues. It also improves argument handling in Cmd_ArgsFrom and Cmd_TokenizeString2 by adding input validation and buffer overflow checks. Additionally, the command completion functions are updated to suppress unused parameter warnings. These changes enhance the security and stability of command processing in the Quake III Arena source code.
This commit adds a call to FS_FreeFile after the command buffer has safely copied the inserted text. This change ensures that memory is properly managed, preventing potential issues with fs_loadStack during hunk initialization and maintaining balanced memory accounting.
This commit introduces a new MP3 codec to the sound system, enabling playback of MP3 audio files. It includes the addition of relevant source files, header definitions, and integration into the existing sound codec framework. The CMake configuration is updated to allow enabling or disabling MP3 support through a new option. This enhancement improves audio playback capabilities and expands the range of supported audio formats in the project.
This commit updates the MP3 codec implementation to replace Hunk memory allocation with Z_Malloc and Z_Free for better memory management. It also introduces a maximum sound size check to prevent excessive memory usage when loading MP3 files. Additionally, the sound loading function is modified to ensure proper allocation and deallocation of memory for sound samples, improving overall stability and performance in the sound system.
…d build process This commit removes the outdated Makefile, streamlining the build configuration. Additionally, it updates the GitHub Actions workflow to enhance build flexibility by specifying the MOUNT_DIR variable and ensuring proper handling of SDL and renderer options. These changes improve the overall build process and maintainability of the project.
…penGL builds This commit deletes the outdated Makefile and significantly refactors the GitHub Actions workflow to implement CMake for building Vulkan and OpenGL targets. The workflow now includes separate build steps for Vulkan and OpenGL, enhancing build flexibility and maintainability. Additionally, it updates the installation of required packages and optimizes the build process by using Ninja as the build system. These changes streamline the overall build configuration and improve compatibility across different environments.
…GitHub Actions workflow for SDL2 path This commit modifies the CMakeLists.txt to conditionally include assembly source files based on the architecture, ensuring compatibility with x86/x86_64 systems. It also updates the GitHub Actions workflow to set the SDL2 path dynamically for different architectures, improving build configuration for both Apple Silicon and Intel systems.
…dd ARM64 cache flushing support This commit modifies the GitHub Actions workflow to include SDL2 in the installation step and updates artifact naming conventions for Windows builds. Additionally, it introduces a declaration for the __clear_cache function in the ARM64 architecture source file to ensure compatibility with macOS/Clang, enhancing the build process and memory management for ARM64 systems.
…for Unix-like x86/x86_64 architectures This commit modifies the CMakeLists.txt to ensure that assembly source files are only included for x86/x86_64 architectures on Unix-like systems, while disabling assembly inclusion on Windows due to compatibility issues with MSYS2/MinGW. This change enhances the build process by improving architecture-specific handling of assembly files.
This commit modifies the resource file paths in win_resource.rc to ensure they point to the correct directory structure. The paths for the icon and manifest files have been updated from "code/win32/" to "src/win32/", improving consistency and compatibility across different build environments.
…tibility This commit updates the paths in BUILD.md to reflect the correct directory structure, changing references from "code/win32/" to "src/win32/". Additionally, it modifies CMakeLists.txt to set include directories for the resource compiler when using MinGW, ensuring proper compilation of resource files. These changes enhance the build process and maintain consistency across different environments.
This commit modifies the build.yml file in the GitHub Actions workflow to replace references to the idtech3 project with the Quake3e project. The changes include updating the msbuild commands and output file names to reflect the new project structure, ensuring proper compilation and artifact generation for the Quake3e server and renderer components.
Remove common.c from AUX_SRCS and change Z_Free to ri.Free in Vulkan renderer to prevent massive symbol conflicts when building shared renderer libraries. Root cause: common.c contains the full engine implementation including Com_Init, Com_Frame, etc. which depend on hundreds of client/server symbols. Renderer libraries should only use the renderer interface (ri.Malloc, ri.Free) for memory management, not direct Z_* functions. This fixes linker errors on macOS ARM64, Linux ARM64, and all other platforms using USE_RENDERER_DLOPEN=1.
Add USE_ASM preprocessor define when assembly is enabled, and check for it in snd_mix.c to prevent calling assembly functions when they haven't been compiled. This fixes linker errors on Windows MSYS2 where assembly is disabled but the code was still trying to call S_WriteLinearBlastStereo16_SSE_x64. The C fallback S_WriteLinearBlastStereo16() is used when USE_ASM is not defined.
This commit introduces a portable wrapper for clearing the instruction cache on non-Windows platforms. It defines a static inline function `vm_clear_icache` that utilizes the appropriate method based on the compiler being used (Clang/GCC or a fallback to the platform-specific `__clear_cache`). This change enhances compatibility and ensures proper cache management across different environments.
…d -m32 to asm flags
…o avoid arch mismatches
…ew cross-arch SDL issues
Different community project.
| if: ${{ github.event_name == 'release' }} | ||
| needs: [windows-msys, windows-msvc, ubuntu-x86, ubuntu-arm, macos-x86] | ||
| runs-on: ubuntu-latest | ||
|
|
||
| strategy: | ||
| matrix: | ||
| include: | ||
| # - artifact_dir: linux-aarch64 | ||
| # artifact_name: idtech3-linux-aarch64.zip | ||
|
|
||
| # - artifact_dir: linux-armv7 | ||
| # artifact_name: idtech3-linux-armv7.zip | ||
|
|
||
| - artifact_dir: linux-x86 | ||
| artifact_name: idtech3-linux-x86.zip | ||
|
|
||
| - artifact_dir: linux-x86_64 | ||
| artifact_name: idtech3-linux-x86_64.zip | ||
|
|
||
| - artifact_dir: linux-arm64 | ||
| artifact_name: idtech3-linux-arm64.zip | ||
|
|
||
| - artifact_dir: windows-gcc-x86 | ||
| artifact_name: idtech3-windows-x86.zip | ||
|
|
||
| - artifact_dir: windows-gcc-x86_64 | ||
| artifact_name: idtech3-windows-x86_64.zip | ||
|
|
||
| - artifact_dir: windows-msvc-arm64 | ||
| artifact_name: idtech3-windows-arm64.zip | ||
|
|
||
| - artifact_dir: macos-x86_64 | ||
| artifact_name: idtech3-macos-x86_64.zip | ||
|
|
||
| - artifact_dir: macos-aarch64 | ||
| artifact_name: idtech3-macos-aarch64.zip | ||
|
|
||
| steps: | ||
| - name: Download Artifacts | ||
| uses: actions/download-artifact@v4 | ||
|
|
||
| - name: Create archive | ||
| run: 7z a -r ${{ matrix.artifact_name }} ./${{ matrix.artifact_dir }}/* | ||
|
|
||
| - name: Upload archive | ||
| uses: "svenstaro/upload-release-action@latest" | ||
| with: | ||
| repo_token: ${{ secrets.GITHUB_TOKEN }} | ||
| tag: ${{ github.ref }} | ||
| overwrite: true | ||
| file: ${{ matrix.artifact_name }} |
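Review bot: `needs` on the second line lists `ubuntu-arm`, whose steps are all disabled with `if: false` further down this page, while the job that actually uploads `linux-arm64` (`ubuntu-arm64`, `name: linux-${{ matrix.arch }}` with `arch: [arm64]`) is not a dependency, so the `linux-arm64` matrix entry can run before that artifact exists. `create-testing` already uses `needs: [windows-msys, windows-msvc, ubuntu-x86, ubuntu-arm64, macos-x86]`; this job should match it.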
Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 15 days ago)
In general, fix this by adding an explicit permissions block to the workflow so that the GITHUB_TOKEN is limited to only the scopes required. You can set it at the workflow level (applies to all jobs) or at each job. Since most jobs only need to read code and artifacts, but create-testing and update-release need to modify releases, we can set a conservative default at the top and override only for the release-modifying jobs.
The minimal, behavior-preserving approach is:
- Add a workflow-level `permissions` block after the `on:` section to restrict defaults to read-only access to contents (and nothing else).
- Add `permissions` blocks to the `create-testing` and `update-release` jobs to grant `contents: write`, which is what their release-upload actions require to create/update release assets.
- No imports or external dependencies are involved; all changes are within `.github/workflows/build.yml`.
Concretely:
- After line 21 (`workflow_dispatch:`), insert:
      permissions:
        contents: read
- In the `create-testing` job (around line 447), add:
      permissions:
        contents: write
  right under `runs-on: ubuntu-latest`.
- In the `update-release` job (around line 479), add:
      permissions:
        contents: write
  right under `runs-on: ubuntu-latest`.
This satisfies CodeQL's requirement and enforces least privilege without changing how the workflow currently functions.
| @@ -20,6 +20,9 @@ | ||
|
|
||
| workflow_dispatch: | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| windows-msys: | ||
| name: ${{ matrix.btype }} Windows-${{ matrix.cc }} ${{ matrix.arch }} | ||
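Review bot: the inserted `permissions:` sits at column 0 after `workflow_dispatch:`, so it is a top-level key and the placement is valid even though it reads like the tail of the `on:` map; putting it between `name:` and `on:`, as the other three suggestions on this page do, keeps the file easier to scan. Either way `contents: read` becomes the full scope of every job without its own block, including the `github.token` that `ubuntu-arm` passes to `uraimo/run-on-arch-action` as `githubToken`, so confirm that step needs nothing beyond read before merging.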
| @@ -448,6 +451,8 @@ | ||
| if: github.ref == 'refs/heads/main' && github.event_name == 'push' || github.event_name == 'workflow_dispatch' | ||
| needs: [windows-msys, windows-msvc, ubuntu-x86, ubuntu-arm64, macos-x86] | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: write | ||
| steps: | ||
| - name: Download Artifacts | ||
| uses: actions/download-artifact@v4 | ||
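Review bot: once `contents: write` is granted here, the `if:` on the first line of this hunk deserves a second look: `a && b || c` evaluates as `(github.ref == 'refs/heads/main' && github.event_name == 'push') || github.event_name == 'workflow_dispatch'`, so a manual dispatch from any branch rewrites the `latest` release with that branch's binaries. Suggest `(github.ref == 'refs/heads/main' && github.event_name == 'push') || (github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main')`.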
| @@ -480,6 +485,8 @@ | ||
| if: ${{ github.event_name == 'release' }} | ||
| needs: [windows-msys, windows-msvc, ubuntu-x86, ubuntu-arm, macos-x86] | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: write | ||
|
|
||
| strategy: | ||
| matrix: |
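Review bot: the `contents: write` added here is the scope `svenstaro/upload-release-action` needs, but that action is referenced by the floating `@latest` tag, so whoever controls that tag now receives a write-capable `GITHUB_TOKEN`; pin it to a full commit SHA when taking this suggestion.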
| if: github.ref == 'refs/heads/main' && github.event_name == 'push' || github.event_name == 'workflow_dispatch' | ||
| needs: [windows-msys, windows-msvc, ubuntu-x86, ubuntu-arm64, macos-x86] | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Download Artifacts | ||
| uses: actions/download-artifact@v4 | ||
|
|
||
| - name: Create binary archives | ||
| run: | | ||
| if [ -d ./linux-x86 ]; then 7z a -r idtech3-linux-x86.zip ./linux-x86/*; else echo "skip linux-x86"; fi | ||
| if [ -d ./linux-x86_64 ]; then 7z a -r idtech3-linux-x86_64.zip ./linux-x86_64/*; else echo "skip linux-x86_64"; fi | ||
| if [ -d ./linux-arm64 ]; then 7z a -r idtech3-linux-arm64.zip ./linux-arm64/*; else echo "skip linux-arm64"; fi | ||
| if [ -d ./windows-gcc-x86 ]; then 7z a -r idtech3-windows-gcc-x86.zip ./windows-gcc-x86/*; else echo "skip windows-gcc-x86"; fi | ||
| if [ -d ./windows-gcc-x86_64 ]; then 7z a -r idtech3-windows-gcc-x86_64.zip ./windows-gcc-x86_64/*; else echo "skip windows-gcc-x86_64"; fi | ||
| if [ -d ./windows-msvc-arm64 ]; then 7z a -r idtech3-windows-msvc-arm64.zip ./windows-msvc-arm64/*; else echo "skip windows-msvc-arm64"; fi | ||
| if [ -d ./macos-aarch64 ]; then 7z a -r idtech3-macos-aarch64.zip ./macos-aarch64/*; else echo "skip macos-aarch64"; fi | ||
| # 7z a -r idtech3-linux-aarch64.zip ./linux-aarch64/* | ||
| # 7z a -r idtech3-linux-armv7.zip ./linux-armv7/* | ||
| # 7z a -r idtech3-windows-msvc-x86.zip ./windows-msvc-x86/* | ||
| # 7z a -r idtech3-windows-msvc-x86_64.zip ./windows-msvc-x86_64/* | ||
|
|
||
| - name: Create latest build | ||
| uses: czietz/action-automatic-releases@latest | ||
| with: | ||
| repo_token: ${{ secrets.GITHUB_TOKEN }} | ||
| automatic_release_tag: "latest" | ||
| prerelease: false | ||
| title: Latest Build | ||
| files: | | ||
| *.zip | ||
|
|
||
| update-release: |
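Review bot: `czietz/action-automatic-releases@latest` is a mutable tag and this step hands it `secrets.GITHUB_TOKEN` to replace the `latest` release, so pin it to a full commit SHA. The archive names produced here (`idtech3-windows-gcc-x86.zip`, `idtech3-macos-aarch64.zip`) also differ from the ones `update-release` publishes (`idtech3-windows-x86.zip`, `idtech3-macos-x86_64.zip`), so the testing build and the tagged release ship differently named files for the same platform.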
Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 15 days ago)
In general, the problem is fixed by explicitly defining a permissions: block so that the GITHUB_TOKEN gets only the least privileges necessary. For build and artifact upload jobs that only need to read repository contents, contents: read is sufficient. For jobs that create or update releases using GITHUB_TOKEN, contents: write is typically required. No other scopes (issues, pull-requests, etc.) are needed from what is shown.
The best way to fix this workflow without changing behavior is:
- Add a root-level `permissions:` block near the top of the file (after `name:` and before `on:`) to restrict all jobs to read-only access by default:
      permissions:
        contents: read
  This is enough for checkout and general reading of repo contents.
- Override permissions only where write access is actually needed:
  - Job `create-testing` uses `czietz/action-automatic-releases@latest` with `repo_token: ${{ secrets.GITHUB_TOKEN }}` to create/update a "Latest Build" release, so it needs `contents: write`.
  - Job `update-release` runs on `release` events (and is presumably updating release assets using GITHUB_TOKEN in omitted parts), so it should also get `contents: write`.
  Thus, add a `permissions:` block under `create-testing:` and `update-release:`:
      create-testing:
        permissions:
          contents: write
        if: ...
        ...
  and
      update-release:
        permissions:
          contents: write
        if: ...
        ...
- No extra imports or external dependencies are needed; this is purely a change to the workflow YAML. All edits occur within `.github/workflows/build.yml` at the shown regions.
| @@ -1,5 +1,8 @@ | ||
| name: build | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| pull_request: | ||
| paths-ignore: | ||
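Review bot: this top-level hunk (`@@ -1,5 +1,8 @@`, `permissions:` / `contents: read` inserted after `name: build`) is identical across four of the five autofix suggestions on this page; applying it once resolves all five `Workflow does not contain permissions` alerts, so only the two job-level hunks of this suggestion need separate consideration.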
| @@ -445,6 +448,8 @@ | ||
| retention-days: 5 | ||
|
|
||
| create-testing: | ||
| permissions: | ||
| contents: write | ||
| if: github.ref == 'refs/heads/main' && github.event_name == 'push' || github.event_name == 'workflow_dispatch' | ||
| needs: [windows-msys, windows-msvc, ubuntu-x86, ubuntu-arm64, macos-x86] | ||
| runs-on: ubuntu-latest | ||
| @@ -477,6 +482,8 @@ | ||
| *.zip | ||
|
|
||
| update-release: | ||
| permissions: | ||
| contents: write | ||
| if: ${{ github.event_name == 'release' }} | ||
| needs: [windows-msys, windows-msvc, ubuntu-x86, ubuntu-arm, macos-x86] | ||
| runs-on: ubuntu-latest |
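The rule the two autofix comments above address can be checked locally before CodeQL runs. The script below is an added example, not code from the project or from the autofix; it is a line-based heuristic over the standard two-space workflow layout (job ids at one indent level under `jobs:`, job keys one level deeper), not a YAML parser, and the workflow text inside it is constructed to mirror the job shape shown on this page.

```python
"""Audit a GitHub Actions workflow for the CodeQL finding
"Workflow does not contain permissions": a job is flagged when neither
the workflow nor the job itself declares a `permissions:` block, because
GITHUB_TOKEN then gets the repository's default (often write) scopes.
Line-based heuristic for the conventional two-space layout; not a YAML parser."""
import re

# Constructed sample modelled on the build.yml shape discussed on this page
# (assumed content, not the project's actual workflow file).
SAMPLE_WORKFLOW = """\
name: build

on:
  push:
  workflow_dispatch:

jobs:
  ubuntu-x86:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v4

  create-testing:
    if: github.event_name == 'push'
    needs: [ubuntu-x86]
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: czietz/action-automatic-releases@latest
        with:
          repo_token: ${{ secrets.GITHUB_TOKEN }}

  update-release:
    if: ${{ github.event_name == 'release' }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
"""

# A mapping key at the start of a line: leading spaces, key name, colon.
# Step items ("- uses: ...") and run-block commands do not match.
KEY_RE = re.compile(r"^( *)([A-Za-z0-9_.-]+):")


def _indent_and_key(line):
    """Return (indent, key) for a mapping-key line, else (None, None)."""
    if line.lstrip().startswith("#"):
        return None, None
    m = KEY_RE.match(line)
    if not m:
        return None, None
    return len(m.group(1)), m.group(2)


def audit_permissions(text):
    """Return (workflow_has_permissions, {job_id: job_has_permissions})."""
    workflow_perms = False
    jobs = {}
    in_jobs = False
    job_indent = None    # indent of job ids under `jobs:`
    body_indent = None   # indent of keys directly inside the current job
    current_job = None
    for line in text.splitlines():
        indent, key = _indent_and_key(line)
        if key is None:
            continue
        if indent == 0:
            # Top-level key: `permissions:` here covers every job by default.
            in_jobs = key == "jobs"
            current_job = None
            if key == "permissions":
                workflow_perms = True
            continue
        if not in_jobs:
            continue
        if job_indent is None:
            job_indent = indent  # first key under `jobs:` fixes the job level
        if indent == job_indent:
            current_job = key
            jobs[key] = False
            body_indent = None
        elif current_job is not None and indent > job_indent:
            if body_indent is None:
                body_indent = indent  # first key inside the job fixes its level
            if indent == body_indent and key == "permissions":
                jobs[current_job] = True
    return workflow_perms, jobs


def findings(text):
    """Job ids CodeQL would flag: no job-level block and no workflow-level block."""
    workflow_perms, jobs = audit_permissions(text)
    if workflow_perms:
        return []
    return [job for job, has_perms in jobs.items() if not has_perms]


if __name__ == "__main__":
    for job in findings(SAMPLE_WORKFLOW):
        print(f"missing permissions: job '{job}' inherits the default token scopes")
```

Prepending a workflow-level `permissions:\n  contents: read` to the sample clears every finding, which is exactly the effect of the top-level hunk in the suggestions above.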
| name: ${{ matrix.btype }} macOS ${{ matrix.arch }} | ||
| runs-on: macos-14 | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| # Build only the native Apple Silicon architecture on macOS runners to avoid cross-arch Homebrew issues. | ||
| # Apple-provided runners are arm64 (aarch64); building x86_64 here pulls arm64 Homebrew libs and causes linker mismatches. | ||
| arch: [aarch64] | ||
| cc: [clang] | ||
| btype: [Release, Debug] | ||
|
|
||
| steps: | ||
|
|
||
| - name: Install tools | ||
| run: brew install coreutils sdl2 cmake ninja | ||
|
|
||
| - uses: actions/checkout@v4 | ||
| with: | ||
| submodules: recursive | ||
|
|
||
| - name: Build Vulkan | ||
| if: ${{ github.event_name != 'release' || matrix.btype != 'Debug' }} # skip Debug configuration in Release build | ||
| env: | ||
| CFLAGS: "-DSKIP_IDPAK_CHECK=1" | ||
| run: | | ||
| # Set SDL2 path for Homebrew (Apple Silicon uses /opt/homebrew, Intel uses /usr/local) | ||
| SDL2_PREFIX=$(brew --prefix sdl2) | ||
| mkdir -p build-vk-${{ matrix.btype }} | ||
| cmake -S . -B build-vk-${{ matrix.btype }} \ | ||
| -DCMAKE_BUILD_TYPE=${{ matrix.btype }} \ | ||
| -DCMAKE_OSX_ARCHITECTURES=${{ matrix.arch == 'aarch64' && 'arm64' || matrix.arch }} \ | ||
| -DSDL2_PATH="${SDL2_PREFIX}" \ | ||
| -DUSE_STB_TRUETYPE=ON \ | ||
| -DENABLE_FORTIFY_SOURCE=OFF \ | ||
| -DENABLE_ASAN=OFF \ | ||
| -DBUILD_SERVER=OFF \ | ||
| -DUSE_VULKAN=ON \ | ||
| -DRENDERER_DEFAULT=vulkan \ | ||
| -DSKIP_IDPAK_CHECK=ON \ | ||
| -Wno-dev | ||
| cmake --build build-vk-${{ matrix.btype }} -j$(sysctl -n hw.logicalcpu) | ||
| mkdir -p bin | ||
| cp -f build-vk-${{ matrix.btype }}/idtech3* bin/ || true | ||
|
|
||
| - name: Build OpenGL | ||
| if: ${{ github.event_name != 'release' || matrix.btype != 'Debug' }} # skip Debug configuration in Release build | ||
| env: | ||
| CFLAGS: "-DSKIP_IDPAK_CHECK=1" | ||
| run: | | ||
| # Set SDL2 path for Homebrew (Apple Silicon uses /opt/homebrew, Intel uses /usr/local) | ||
| SDL2_PREFIX=$(brew --prefix sdl2) | ||
| mkdir -p build-gl-${{ matrix.btype }} | ||
| cmake -S . -B build-gl-${{ matrix.btype }} \ | ||
| -DCMAKE_BUILD_TYPE=${{ matrix.btype }} \ | ||
| -DCMAKE_OSX_ARCHITECTURES=${{ matrix.arch == 'aarch64' && 'arm64' || matrix.arch }} \ | ||
| -DSDL2_PATH="${SDL2_PREFIX}" \ | ||
| -DUSE_STB_TRUETYPE=ON \ | ||
| -DENABLE_FORTIFY_SOURCE=OFF \ | ||
| -DENABLE_ASAN=OFF \ | ||
| -DBUILD_SERVER=OFF \ | ||
| -DUSE_VULKAN=ON \ | ||
| -DRENDERER_DEFAULT=opengl \ | ||
| -DSKIP_IDPAK_CHECK=ON \ | ||
| -Wno-dev | ||
| cmake --build build-gl-${{ matrix.btype }} -j$(sysctl -n hw.logicalcpu) | ||
| cp -f build-gl-${{ matrix.btype }}/idtech3* bin/ || true | ||
|
|
||
| - uses: actions/upload-artifact@v4 | ||
| if: matrix.cc == 'clang' && matrix.btype == 'Release' | ||
| with: | ||
| name: macos-${{ matrix.arch }} | ||
| path: bin | ||
| if-no-files-found: error | ||
| retention-days: 5 | ||
|
|
||
| create-testing: |
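Review bot: the job id `macos-x86` builds only `arch: [aarch64]` (the matrix comment explains why) and uploads `name: macos-${{ matrix.arch }}`, i.e. `macos-aarch64`, so the `macos-x86_64` entry in the `update-release` matrix has no producing job on this page and its `7z a -r` step will find nothing; rename the job or comment that entry out the way `linux-aarch64` is. `SKIP_IDPAK_CHECK` is also passed twice, via `CFLAGS: "-DSKIP_IDPAK_CHECK=1"` and `-DSKIP_IDPAK_CHECK=ON`; the commits listed above say the CMake option now applies the compile definition itself, so the `CFLAGS` copy is redundant.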
Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 15 days ago)
In general, the fix is to explicitly declare a permissions block so the GITHUB_TOKEN has only the minimal scopes required. Since all shown jobs just check out code, build, and upload/download artifacts, they only need read access to repository contents, not write access.
The best fix without changing existing functionality is to add a single top-level permissions block (just under name: and before on:) to apply to all jobs, setting contents: read. This matches CodeQL’s suggested minimal starting point and is sufficient for actions/checkout and actions/upload-artifact. We don’t see any steps requiring other scopes (like pull-requests, issues, or packages), so there’s no need to grant them. No changes are required inside individual jobs, including macos-x86; limiting permissions at the workflow root will resolve the flagged issue and may fix similar ones on other jobs in this workflow.
Concretely, edit `.github/workflows/build.yml` near the top:
- After line 1 (`name: build`), insert:
      permissions:
        contents: read
No imports or additional definitions are needed because this is pure workflow configuration.
| @@ -1,5 +1,8 @@ | ||
| name: build | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| pull_request: | ||
| paths-ignore: |
| name: ${{ matrix.btype }} Ubuntu ${{ matrix.arch }} | ||
| runs-on: ubuntu-22.04-arm | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| arch: [arm64] | ||
| cc: [gcc] | ||
| btype: [Release, Debug] | ||
|
|
||
| steps: | ||
|
|
||
| - name: Install tools | ||
| run: | | ||
| sudo apt-get -qq update | ||
| sudo apt-get install -y make gcc g++ cmake ninja-build | ||
| sudo apt-get -y install libcurl4-openssl-dev mesa-common-dev libxxf86dga-dev libxrandr-dev libxxf86vm-dev libasound-dev libsdl2-dev | ||
|
|
||
| - uses: actions/checkout@v4 | ||
| with: | ||
| submodules: recursive | ||
|
|
||
| - name: Build Vulkan | ||
| if: ${{ github.event_name != 'release' || matrix.btype != 'Debug' }} # skip Debug configuration in Release build | ||
| env: | ||
| CFLAGS: "-DSKIP_IDPAK_CHECK=1" | ||
| run: | | ||
| mkdir -p build-vk-${{ matrix.btype }} | ||
| cmake -S . -B build-vk-${{ matrix.btype }} \ | ||
| -DCMAKE_BUILD_TYPE=${{ matrix.btype }} \ | ||
| -DUSE_STB_TRUETYPE=ON \ | ||
| -DENABLE_FORTIFY_SOURCE=OFF \ | ||
| -DENABLE_ASAN=OFF \ | ||
| -DBUILD_SERVER=OFF \ | ||
| -DUSE_VULKAN=ON \ | ||
| -DRENDERER_DEFAULT=vulkan \ | ||
| -DSKIP_IDPAK_CHECK=ON \ | ||
| -Wno-dev | ||
| cmake --build build-vk-${{ matrix.btype }} -j$(nproc) | ||
| mkdir -p bin | ||
| cp -f build-vk-${{ matrix.btype }}/idtech3* bin/ || true | ||
|
|
||
| - name: Build OpenGL | ||
| if: ${{ github.event_name != 'release' || matrix.btype != 'Debug' }} # skip Debug configuration in Release build | ||
| env: | ||
| CFLAGS: "-DSKIP_IDPAK_CHECK=1" | ||
| run: | | ||
| mkdir -p build-gl-${{ matrix.btype }} | ||
| cmake -S . -B build-gl-${{ matrix.btype }} \ | ||
| -DCMAKE_BUILD_TYPE=${{ matrix.btype }} \ | ||
| -DUSE_STB_TRUETYPE=ON \ | ||
| -DENABLE_FORTIFY_SOURCE=OFF \ | ||
| -DENABLE_ASAN=OFF \ | ||
| -DBUILD_SERVER=OFF \ | ||
| -DUSE_VULKAN=ON \ | ||
| -DRENDERER_DEFAULT=opengl \ | ||
| -DSKIP_IDPAK_CHECK=ON \ | ||
| -Wno-dev | ||
| cmake --build build-gl-${{ matrix.btype }} -j$(nproc) | ||
| cp -f build-gl-${{ matrix.btype }}/idtech3* bin/ || true | ||
|
|
||
| - uses: actions/upload-artifact@v4 | ||
| if: matrix.cc == 'gcc' && matrix.btype == 'Release' | ||
| with: | ||
| name: linux-${{ matrix.arch }} | ||
| path: bin | ||
| if-no-files-found: error | ||
| retention-days: 5 | ||
|
|
||
| macos-x86: |
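Review bot: both build steps copy with the same glob, first `cp -f build-vk-${{ matrix.btype }}/idtech3* bin/` and then `cp -f build-gl-${{ matrix.btype }}/idtech3* bin/`, so the OpenGL-default client overwrites the Vulkan-default one under the same file name and the `linux-arm64` artifact never contains both; give the two builds distinct output names or separate directories. The trailing `|| true` also hides a build that produced no `idtech3*` files until `if-no-files-found: error` fails the upload, which makes the failure harder to attribute.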
Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 15 days ago)
In general, the fix is to explicitly declare a permissions: block either at the workflow level (recommended, so all jobs inherit it) or per job, restricting the GITHUB_TOKEN to the least privileges needed. For this workflow, the jobs only appear to need read access to repository contents for actions/checkout and standard artifact uploading, which works with contents: read. No code in the snippet needs to write to the repo, issues, or pull requests.
The single best fix with minimal behavioral change is to add a root-level permissions: block after the name: (or after on:) setting contents: read. This will apply to all jobs (ubuntu-x86, ubuntu-arm, ubuntu-arm64, macos-x86, create-testing, etc.) unless they later override it, tightening GITHUB_TOKEN’s permissions without impacting build or artifact upload steps. No additional imports, tools, or structural changes to jobs/steps are required; we only add the YAML keys.
Concretely:
- Edit `.github/workflows/build.yml`.
- Insert:
      permissions:
        contents: read
  just after the `name: build` line (line 1–2 region), before the `on:` block. This ensures CodeQL sees explicit restrictions and that all jobs in the workflow inherit these permissions.
| @@ -1,5 +1,8 @@ | ||
| name: build | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| pull_request: | ||
| paths-ignore: |
| name: ${{ matrix.btype }} Ubuntu [ARM] ${{ matrix.arch }} | ||
| runs-on: ubuntu-24.04 | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| arch: [aarch64, armv7] | ||
| cc: [gcc] | ||
| btype: [Release, Debug] | ||
| include: | ||
| - btype: Release | ||
| rule: install | ||
|
|
||
| - btype: Debug | ||
| rule: debug | ||
|
|
||
| steps: | ||
|
|
||
| - uses: actions/checkout@v4 | ||
| if: false | ||
| with: | ||
| submodules: recursive | ||
|
|
||
| - name: Build ${{ matrix.arch }} | ||
| #if: ${{ github.event_name != 'release' || matrix.btype != 'Debug' }} # skip Debug configuration in Release build | ||
| if: false | ||
| uses: uraimo/run-on-arch-action@v3 | ||
| with: | ||
| arch: ${{ matrix.arch }} | ||
| distro: ubuntu24.04 | ||
| githubToken: ${{ github.token }} | ||
| shell: /bin/sh | ||
| run: | | ||
| apt-get -qq update | ||
| apt-get install -y make gcc g++ | ||
| apt-get -y install libcurl4-openssl-dev mesa-common-dev libxxf86dga-dev libxrandr-dev libxxf86vm-dev libasound-dev | ||
|
|
||
| make ${{ matrix.rule }} -j$(nproc) ARCH=${{ matrix.arch }} CC=${{ matrix.cc }} DESTDIR=bin MOUNT_DIR=src USE_SDL=0 USE_RENDERER_DLOPEN=0 RENDERER_DEFAULT=vulkan CNAME=idtech3-vulkan BUILD_SERVER=0 | ||
| make clean ARCH=${{ matrix.arch }} | ||
| make ${{ matrix.rule }} -j$(nproc) ARCH=${{ matrix.arch }} CC=${{ matrix.cc }} DESTDIR=bin MOUNT_DIR=src USE_SDL=0 USE_RENDERER_DLOPEN=0 RENDERER_DEFAULT=opengl | ||
|
|
||
| - uses: actions/upload-artifact@v4 | ||
| if: false | ||
| #if: matrix.cc == 'gcc' && matrix.btype == 'Release' | ||
| with: | ||
| name: linux-${{ matrix.arch }} | ||
| path: bin | ||
| if-no-files-found: error | ||
| retention-days: 5 | ||
|
|
||
| ubuntu-arm64: |
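Review bot: every step in this job is disabled with `if: false`, yet `update-release` still lists `ubuntu-arm` in `needs`, and the disabled build step still calls `make ${{ matrix.rule }} ... MOUNT_DIR=src` although the commit list at the top of this PR says the Makefile was removed in favour of CMake, so re-enabling it as-is would fail; either port the step to the `cmake -S . -B ...` flow the other jobs use or drop the job together with its `needs` reference rather than keeping a dead dependency.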
Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 15 days ago)
In general, the fix is to explicitly set permissions for the GITHUB_TOKEN either at the workflow root (applies to all jobs without their own override) or per job. Since this workflow is build‑only and uses standard actions that require at most read access to repository contents, we can safely set contents: read as a minimal, least‑privilege baseline.
The best way to fix this, without changing any existing behavior, is to add a single permissions: block at the top level of .github/workflows/build.yml, directly under the name: build (or at the same level as on: and jobs:). This will apply to all jobs in the workflow, including ubuntu-arm, ubuntu-arm64, windows-msvc, ubuntu-x86, etc. We’ll set:
permissions:
  contents: read

No steps in the provided snippet need any additional scopes like pull-requests: write or issues: write, and no job is pushing code or creating releases, so contents: read is sufficient. There is no need for new imports or any changes inside individual jobs or steps; only the workflow YAML header is updated.
Concretely:
- Edit .github/workflows/build.yml.
- Insert a permissions: block after line 1 (name: build) and before line 3 (on:), with two spaces of indentation for the contents key to match YAML style.
- Do not modify any other lines.
| @@ -1,5 +1,8 @@ | ||
| name: build | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| pull_request: | ||
| paths-ignore: |
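The Copilot Autofix comments above rest on one rule: a root-level permissions: block applies to every job that has no block of its own, and a job-level block replaces it wholesale, with every scope it does not list dropping to none. The script below, an added example that is not part of this PR or the project, computes the effective GITHUB_TOKEN scopes per job under those rules and compares them with what each job's `uses:` steps need. The workflow dicts, the per-action scope table and the build.yml-shaped sample are constructed for the example; PyYAML, when installed, lets audit() take the raw YAML text instead of a dict.

```python
"""Effective GITHUB_TOKEN scopes per job, checked against what the steps need.

Added example, not the project's tooling. Modelled GitHub rules: a job-level
`permissions:` block replaces the workflow-level block entirely; a mapping sets
every scope it does not list to `none`; with no block anywhere the repository
default applies (write-all unless the repository is set to restricted).
"""
from __future__ import annotations

from typing import Any

try:                    # optional: lets audit() take raw YAML text
    import yaml
except ImportError:
    yaml = None

SCOPES = (
    "actions", "attestations", "checks", "contents", "deployments", "discussions",
    "id-token", "issues", "packages", "pages", "pull-requests",
    "repository-projects", "security-events", "statuses",
)
LEVELS = ("none", "read", "write")   # ordered so index() compares privilege

# Assumed minimum token scopes per action (name only, version stripped):
# checkout must read the repository; the artifact and setup actions used in
# build.yml do not consume GITHUB_TOKEN scopes.
ACTION_NEEDS: dict[str, dict[str, str]] = {
    "actions/checkout": {"contents": "read"},
    "actions/upload-artifact": {},
    "microsoft/setup-msbuild": {},
    "msys2/setup-msys2": {},
}


def expand(block: Any) -> dict[str, str] | None:
    """Normalise a `permissions:` value to a full scope->level map; None if absent."""
    if block is None:
        return None
    if block == "read-all":
        return {s: "read" for s in SCOPES}
    if block == "write-all":
        return {s: "write" for s in SCOPES}
    if isinstance(block, dict):
        perms = {s: "none" for s in SCOPES}      # unlisted scopes drop to none
        for scope, level in block.items():
            if scope not in SCOPES or level not in LEVELS:
                raise ValueError(f"invalid permission {scope}: {level}")
            perms[scope] = level
        return perms
    raise ValueError(f"unsupported permissions value: {block!r}")


def effective_permissions(workflow: dict[str, Any], repo_default: str = "write-all"):
    """Map job name -> (scope map, where that map came from)."""
    root = expand(workflow.get("permissions"))
    result = {}
    for name, job in workflow.get("jobs", {}).items():
        own = expand(job.get("permissions"))
        if own is not None:
            result[name] = (own, "job")            # job block wins, root ignored
        elif root is not None:
            result[name] = (root, "workflow")
        else:
            result[name] = (expand(repo_default), "repository default")
    return result


def required_scopes(job: dict[str, Any]) -> dict[str, str]:
    """Highest level each scope must have for the job's `uses:` steps to work."""
    needed: dict[str, str] = {}
    for step in job.get("steps", []):
        action = step.get("uses", "").split("@", 1)[0]
        for scope, level in ACTION_NEEDS.get(action, {}).items():
            if LEVELS.index(level) > LEVELS.index(needed.get(scope, "none")):
                needed[scope] = level
    return needed


def audit(source: str | dict[str, Any], repo_default: str = "write-all") -> list[str]:
    """One finding per job whose token is broader or narrower than its steps need."""
    if isinstance(source, str):
        if yaml is None:
            raise RuntimeError("pass a parsed dict; PyYAML is not installed")
        source = yaml.safe_load(source)
    findings = []
    for name, (perms, origin) in effective_permissions(source, repo_default).items():
        needed = required_scopes(source["jobs"][name])
        if origin == "repository default":
            findings.append(f"{name}: no permissions block, token falls back to repository default ({repo_default})")
        extra = [s for s in SCOPES if LEVELS.index(perms[s]) > LEVELS.index(needed.get(s, "none"))]
        short = [s for s in SCOPES if LEVELS.index(perms[s]) < LEVELS.index(needed.get(s, "none"))]
        if extra:
            findings.append(f"{name}: broader than needed: " + ", ".join(f"{s}:{perms[s]}" for s in extra))
        if short:
            findings.append(f"{name}: too narrow, steps will fail: " + ", ".join(f"{s}:{needed[s]}" for s in short))
    return findings


# Constructed sample shaped like the build.yml in this PR (two jobs, trimmed).
BUILD_YML: dict[str, Any] = {
    "name": "build",
    "jobs": {
        "ubuntu-x86": {"runs-on": "ubuntu-24.04", "steps": [
            {"uses": "actions/checkout@v4"}, {"run": "cmake --build build"},
            {"uses": "actions/upload-artifact@v4"}]},
        "windows-msvc": {"runs-on": "windows-2022", "steps": [
            {"uses": "microsoft/setup-msbuild@v2"}, {"uses": "actions/checkout@v4"},
            {"uses": "actions/upload-artifact@v4"}]},
    },
}
# The autofix: one root-level block, inherited by both jobs.
FIXED_YML = {**BUILD_YML, "permissions": {"contents": "read"}}
# The pitfall: a job that adds its own block silently loses contents:read.
OVERRIDE_YML = {**FIXED_YML, "jobs": {**BUILD_YML["jobs"],
    "comment": {"permissions": {"pull-requests": "write"},
                "steps": [{"uses": "actions/checkout@v4"}]}}}

if __name__ == "__main__":
    for label, wf in (("as submitted", BUILD_YML), ("with autofix", FIXED_YML),
                      ("job override", OVERRIDE_YML)):
        print(f"== {label}: {audit(wf) or ['ok']}")
```

Run as submitted, the sample reports that both jobs fall back to the repository default and hold write on every scope; with the root block added it reports nothing; and the override case shows the failure mode the autofix text alludes to, a job whose own block grants pull-requests: write but leaves checkout without contents: read.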
| name: ${{ matrix.btype }} Ubuntu ${{ matrix.arch }} | ||
| runs-on: ubuntu-24.04 | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| arch: [x86, x86_64] | ||
| cc: [gcc] | ||
| btype: [Release, Debug] | ||
| include: | ||
| - arch: x86 | ||
| cmake_arch: i686 | ||
|
|
||
| - arch: x86_64 | ||
| cmake_arch: x86_64 | ||
|
|
||
| steps: | ||
|
|
||
| - name: Install tools | ||
| run: | | ||
| if [ ${{ matrix.arch }} == "x86" ]; then | ||
| sudo dpkg --add-architecture i386 | ||
| sudo apt-get -qq update | ||
| sudo apt-get -y install gcc-multilib g++-multilib cmake ninja-build libcurl4-openssl-dev:i386 mesa-common-dev:i386 libxxf86dga-dev:i386 libxrandr-dev:i386 libxxf86vm-dev:i386 libasound-dev:i386 libsdl2-dev:i386 | ||
| else | ||
| sudo apt-get -qq update | ||
| sudo apt-get -y install cmake ninja-build libcurl4-openssl-dev mesa-common-dev libxxf86dga-dev libxrandr-dev libxxf86vm-dev libasound-dev libsdl2-dev | ||
| fi | ||
|
|
||
| - uses: actions/checkout@v4 | ||
| with: | ||
| submodules: recursive | ||
|
|
||
| - name: Build Vulkan | ||
| if: ${{ github.event_name != 'release' || matrix.btype != 'Debug' }} # skip in Release builds | ||
| env: | ||
| CFLAGS: "-DSKIP_IDPAK_CHECK=1 ${{ matrix.arch == 'x86' && '-m32' || '' }}" | ||
| CXXFLAGS: "-DSKIP_IDPAK_CHECK=1 ${{ matrix.arch == 'x86' && '-m32' || '' }}" | ||
| run: | | ||
| mkdir -p build-vk-${{ matrix.btype }} | ||
| cmake -S . -B build-vk-${{ matrix.btype }} \ | ||
| -DCMAKE_BUILD_TYPE=${{ matrix.btype }} \ | ||
| -DUSE_STB_TRUETYPE=ON \ | ||
| -DENABLE_FORTIFY_SOURCE=OFF \ | ||
| -DENABLE_ASAN=OFF \ | ||
| -DBUILD_SERVER=OFF \ | ||
| -DUSE_VULKAN=ON \ | ||
| -DRENDERER_DEFAULT=vulkan \ | ||
| -DSKIP_IDPAK_CHECK=ON \ | ||
| -Wno-dev | ||
| cmake --build build-vk-${{ matrix.btype }} -j$(nproc) | ||
| mkdir -p bin | ||
| cp -f build-vk-${{ matrix.btype }}/idtech3* bin/ || true | ||
|
|
||
| - name: Build OpenGL | ||
| if: ${{ github.event_name != 'release' || matrix.btype != 'Debug' }} # skip in Release builds | ||
| env: | ||
| CFLAGS: "-DSKIP_IDPAK_CHECK=1 ${{ matrix.arch == 'x86' && '-m32' || '' }}" | ||
| CXXFLAGS: "-DSKIP_IDPAK_CHECK=1 ${{ matrix.arch == 'x86' && '-m32' || '' }}" | ||
| run: | | ||
| mkdir -p build-gl-${{ matrix.btype }} | ||
| cmake -S . -B build-gl-${{ matrix.btype }} \ | ||
| -DCMAKE_BUILD_TYPE=${{ matrix.btype }} \ | ||
| -DUSE_STB_TRUETYPE=ON \ | ||
| -DENABLE_FORTIFY_SOURCE=OFF \ | ||
| -DENABLE_ASAN=OFF \ | ||
| -DBUILD_SERVER=OFF \ | ||
| -DUSE_VULKAN=ON \ | ||
| -DRENDERER_DEFAULT=opengl \ | ||
| -DSKIP_IDPAK_CHECK=ON \ | ||
| -Wno-dev | ||
| cmake --build build-gl-${{ matrix.btype }} -j$(nproc) | ||
| cp -f build-gl-${{ matrix.btype }}/idtech3* bin/ || true | ||
|
|
||
| - uses: actions/upload-artifact@v4 | ||
| if: matrix.cc == 'gcc' && matrix.btype == 'Release' | ||
| with: | ||
| name: linux-${{ matrix.arch }} | ||
| path: bin | ||
| if-no-files-found: error | ||
| retention-days: 5 | ||
|
|
||
| ubuntu-arm: |
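Review bot: the `# skip in Release builds` comment on the two build steps contradicts the condition next to it; `github.event_name != 'release' || matrix.btype != 'Debug'` skips only the Debug configuration on release events (the other jobs phrase it correctly as "skip Debug configuration in Release build"), so the comment should say that. Two smaller points: `cp -f build-vk-${{ matrix.btype }}/idtech3* bin/ || true` swallows a missing binary, so a broken build only surfaces later as the terse `if-no-files-found: error` from upload-artifact without saying which renderer failed; dropping `|| true` (or checking the expected file names explicitly) fails at the right place. And in `if [ ${{ matrix.arch }} == "x86" ]` the expression is expanded unquoted into the shell; it is safe here because the matrix values are static strings, but quoting it (`"${{ matrix.arch }}"`) keeps the step correct if the matrix ever takes a value with spaces.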
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium
Copilot Autofix
AI 15 days ago
To fix this, explicitly declare minimal GITHUB_TOKEN permissions in the workflow. Since no job in the provided snippet needs to write to the repository, a workflow-level permissions: contents: read is appropriate. This both satisfies CodeQL and follows least-privilege.
The best, least intrusive fix is:
- Add a permissions: block at the top level of .github/workflows/build.yml, after the name: and before on:.
- Set contents: read so actions/checkout@v4 can read the repository, but no write permissions are granted to repo contents.
- No per-job permissions overrides are necessary unless other, unseen jobs require more access.
Concretely, edit .github/workflows/build.yml around the top of the file (lines 1–4 in the snippet) to insert:
permissions:
  contents: read
between name: build and on:. No additional methods, imports, or external packages are needed.
| @@ -1,5 +1,8 @@ | ||
| name: build | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| pull_request: | ||
| paths-ignore: |
| name: ${{ matrix.btype }} Windows-MSVC ${{ matrix.arch }} | ||
| runs-on: windows-2022 | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| arch: [arm64, x86, x64] | ||
| btype: [Release, Debug] | ||
| include: | ||
| - arch: arm64 | ||
| platform: ARM64 | ||
| suffix: .arm64 | ||
| pkg_suffix: arm64 | ||
|
|
||
| - arch: x86 | ||
| platform: Win32 | ||
| pkg_suffix: x86 | ||
|
|
||
| - arch: x64 | ||
| platform: x64 | ||
| suffix: .x64 | ||
| pkg_suffix: x86_64 | ||
|
|
||
| steps: | ||
|
|
||
| - uses: microsoft/setup-msbuild@v2 | ||
|
|
||
| - uses: actions/checkout@v4 | ||
| with: | ||
| submodules: recursive | ||
|
|
||
| - name: Build | ||
| if: ${{ github.event_name != 'release' || matrix.btype != 'Debug' }} # skip Debug configuration in Release build | ||
| run: | | ||
| mkdir bin | ||
|
|
||
| msbuild src\win32\msvc2017\quake3e-ded.vcxproj -p:TargetName=idtech3_server,Configuration=${{ matrix.btype }},Platform=${{ matrix.platform }} /p:PlatformToolset=v143 | ||
| copy src\win32\msvc2017\output\idtech3_server.exe bin\idtech3_server${{ matrix.suffix }}.exe | ||
| msbuild src\win32\msvc2017\quake3e-ded.vcxproj -p:TargetName=idtech3_server,Configuration=${{ matrix.btype }},Platform=${{ matrix.platform }} -t:Clean | ||
|
|
||
| msbuild src\win32\msvc2017\renderer.vcxproj -p:Configuration=${{ matrix.btype }},Platform=${{ matrix.platform }} /p:PlatformToolset=v143 | ||
| msbuild src\win32\msvc2017\quake3e.vcxproj -p:TargetName=idtech3,Configuration=${{ matrix.btype }},Platform=${{ matrix.platform }},UseWasapi=USE_WASAPI=0 /p:PlatformToolset=v143 | ||
| copy src\win32\msvc2017\output\idtech3.exe bin\idtech3${{ matrix.suffix }}.exe | ||
| msbuild src\win32\msvc2017\renderer.vcxproj -p:Configuration=${{ matrix.btype }},Platform=${{ matrix.platform }} -t:Clean | ||
| msbuild src\win32\msvc2017\quake3e.vcxproj -p:TargetName=idtech3,Configuration=${{ matrix.btype }},Platform=${{ matrix.platform }},UseWasapi=USE_WASAPI=0 -t:Clean | ||
|
|
||
| msbuild src\win32\msvc2017\renderervk.vcxproj -p:Configuration=${{ matrix.btype }},Platform=${{ matrix.platform }} /p:PlatformToolset=v143 | ||
| msbuild src\win32\msvc2017\quake3e.vcxproj -p:TargetName=idtech3,Configuration=${{ matrix.btype }},Platform=${{ matrix.platform }},UseWasapi=USE_WASAPI=0 /p:PlatformToolset=v143 | ||
| copy src\win32\msvc2017\output\idtech3.exe bin\idtech3-vulkan${{ matrix.suffix }}.exe | ||
| msbuild src\win32\msvc2017\renderervk.vcxproj -p:Configuration=${{ matrix.btype }},Platform=${{ matrix.platform }} -t:Clean | ||
| msbuild src\win32\msvc2017\quake3e.vcxproj -p:TargetName=idtech3,Configuration=${{ matrix.btype }},Platform=${{ matrix.platform }},UseWasapi=USE_WASAPI=0 -t:Clean | ||
|
|
||
| - uses: actions/upload-artifact@v4 | ||
| if: ${{ matrix.btype == 'Release' }} | ||
| with: | ||
| name: windows-msvc-${{ matrix.pkg_suffix }} | ||
| path: bin | ||
| if-no-files-found: error | ||
| retention-days: 5 | ||
|
|
||
| ubuntu-x86: |
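Review bot: the rename to idtech3 is applied here only through `-p:TargetName=idtech3` / `-p:TargetName=idtech3_server` on the msbuild command line, while `quake3e.vcxproj` and `quake3e-ded.vcxproj` keep their old names and defaults, so anyone building from Visual Studio still gets the quake3e outputs; either rename in the project files or note the discrepancy in BUILD.md. More important for CI correctness: on the Windows runner's default pwsh shell only the last command's exit status decides the step result, and each of the three sequences ends with `msbuild ... -t:Clean`, which normally succeeds. A failed build or renderer compile in the middle can therefore be masked unless the `copy` of a missing file happens to abort the script; splitting the three renderer builds into separate steps, or checking `$LASTEXITCODE` after each msbuild, makes a failure stop the job where it happens.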
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium
Copilot Autofix
AI 15 days ago
In general, the fix is to explicitly declare a minimal permissions: block in the workflow so that the GITHUB_TOKEN used by all jobs (including windows-msvc) has only the access it needs. Since the workflow checks out code and uploads artifacts, it only needs read access to repository contents; it does not appear to need to write to contents, issues, or pull requests.
The best targeted fix without changing functionality is to add a root-level permissions: section near the top of .github/workflows/build.yml, before the on: block. This applies to all jobs that do not have their own permissions block, including windows-msvc, and resolves the CodeQL warning. We set:
permissions:
  contents: read
No other modifications to jobs or steps are required, and no additional libraries or actions are needed.
Concretely: in .github/workflows/build.yml, between line 1 (name: build) and line 3 (on:), insert a root-level permissions: block with contents: read, keeping indentation consistent with YAML top-level keys.
| @@ -1,5 +1,8 @@ | ||
| name: build | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| pull_request: | ||
| paths-ignore: |
| name: ${{ matrix.btype }} Windows-${{ matrix.cc }} ${{ matrix.arch }} | ||
| runs-on: windows-2022 | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| arch: [x86, x86_64] | ||
| cc: [gcc] | ||
| btype: [Release, Debug] | ||
| include: | ||
| - arch: x86 | ||
| msystem: MINGW32 | ||
| prefix: mingw-w64-i686 | ||
|
|
||
| - arch: x86_64 | ||
| msystem: MINGW64 | ||
| prefix: mingw-w64-x86_64 | ||
|
|
||
| defaults: | ||
| run: | ||
| shell: msys2 {0} | ||
|
|
||
| steps: | ||
|
|
||
| - uses: msys2/setup-msys2@v2 | ||
| with: | ||
| install: base-devel ${{ matrix.prefix }}-binutils ${{ matrix.prefix }}-make ${{ matrix.prefix }}-${{ matrix.cc }} ${{ matrix.prefix }}-cmake ${{ matrix.prefix }}-ninja ${{ matrix.prefix }}-SDL2 | ||
| msystem: ${{ matrix.msystem }} | ||
| path-type: minimal | ||
| release: false | ||
| update: false | ||
| cache: false | ||
|
|
||
| - uses: actions/checkout@v4 | ||
| with: | ||
| submodules: recursive | ||
|
|
||
| - name: Build Vulkan | ||
| if: ${{ github.event_name != 'release' || matrix.btype != 'Debug' }} # skip Debug configuration in Release build | ||
| env: | ||
| CFLAGS: "-DSKIP_IDPAK_CHECK=1" | ||
| run: | | ||
| mkdir -p build-vk-${{ matrix.btype }} | ||
| cmake -S . -B build-vk-${{ matrix.btype }} -G Ninja \ | ||
| -DCMAKE_BUILD_TYPE=${{ matrix.btype }} \ | ||
| -DUSE_STB_TRUETYPE=ON \ | ||
| -DENABLE_FORTIFY_SOURCE=OFF \ | ||
| -DENABLE_ASAN=OFF \ | ||
| -DBUILD_SERVER=OFF \ | ||
| -DUSE_VULKAN=ON \ | ||
| -DRENDERER_DEFAULT=vulkan \ | ||
| -DSKIP_IDPAK_CHECK=ON \ | ||
| -Wno-dev | ||
| cmake --build build-vk-${{ matrix.btype }} -j$(nproc) | ||
| mkdir -p bin | ||
| cp -f build-vk-${{ matrix.btype }}/idtech3* bin/ || true | ||
|
|
||
| - name: Build OpenGL | ||
| if: ${{ github.event_name != 'release' || matrix.btype != 'Debug' }} # skip Debug configuration in Release build | ||
| env: | ||
| CFLAGS: "-DSKIP_IDPAK_CHECK=1" | ||
| run: | | ||
| mkdir -p build-gl-${{ matrix.btype }} | ||
| cmake -S . -B build-gl-${{ matrix.btype }} -G Ninja \ | ||
| -DCMAKE_BUILD_TYPE=${{ matrix.btype }} \ | ||
| -DUSE_STB_TRUETYPE=ON \ | ||
| -DENABLE_FORTIFY_SOURCE=OFF \ | ||
| -DENABLE_ASAN=OFF \ | ||
| -DBUILD_SERVER=OFF \ | ||
| -DUSE_VULKAN=ON \ | ||
| -DRENDERER_DEFAULT=opengl \ | ||
| -DSKIP_IDPAK_CHECK=ON \ | ||
| -Wno-dev | ||
| cmake --build build-gl-${{ matrix.btype }} -j$(nproc) | ||
| cp -f build-gl-${{ matrix.btype }}/idtech3* bin/ || true | ||
|
|
||
| - uses: actions/upload-artifact@v4 | ||
| if: matrix.cc == 'gcc' && matrix.btype == 'Release' | ||
| with: | ||
| name: windows-${{ matrix.cc }}-${{ matrix.arch }} | ||
| path: bin | ||
| if-no-files-found: error | ||
| retention-days: 5 | ||
|
|
||
|
|
||
|
|
||
| windows-msvc: |
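Review bot: this job sets only `CFLAGS: "-DSKIP_IDPAK_CHECK=1"` whereas the ubuntu-x86 job sets both `CFLAGS` and `CXXFLAGS`; if any C++ translation unit consults that macro, the MSYS2 build is configured differently from Linux, and since `-DSKIP_IDPAK_CHECK=ON` is already passed to cmake in the same step, the environment variable is either redundant or inconsistent and one mechanism should be kept. Also, `if: matrix.cc == 'gcc' && matrix.btype == 'Release'` on upload-artifact is half tautological because `cc: [gcc]` is the only value in the matrix; that is harmless, but `cache: false` with `update: false` means the MSYS2 packages installed by `msys2/setup-msys2@v2` are not pinned or cached, so a package update upstream can change the produced binaries between two runs of the same commit.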
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium
Copilot Autofix
AI 15 days ago
In general, the fix is to explicitly specify a permissions block in the workflow so that the automatically provided GITHUB_TOKEN has only the minimal required privileges. Since the entire workflow only needs to read repository contents (for checkout) and upload artifacts (which does not require repository write permissions), the safest minimal starting point is permissions: contents: read at the workflow root. This will apply to all jobs that do not override permissions, including windows-msys, windows-msvc, ubuntu-x86, and ubuntu-arm.
The best way to fix this without changing existing functionality is to add a root-level permissions block just after the on: section and before jobs:. That way we do not need to touch each job individually, and all current steps (checkout, build, upload-artifact) continue to work. No additional imports or dependencies are required; this is pure YAML configuration. Concretely, in .github/workflows/build.yml, insert:
permissions:
  contents: read
between the workflow_dispatch: line and the jobs: key. No other changes are necessary.
| @@ -20,6 +20,9 @@ | ||
|
|
||
| workflow_dispatch: | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| windows-msys: | ||
| name: ${{ matrix.btype }} Windows-${{ matrix.cc }} ${{ matrix.arch }} |
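Review bot: inserting `permissions:` between `workflow_dispatch:` and `jobs:` is equivalent to the placement after `name:` proposed in the other four suggestions; both are top-level keys and either location covers every job. The only requirement, visible in the hunk, is that `permissions:` starts at column 0 rather than indented under `on:`, where it would be read as a trigger key. Apply one of the five copies and close the remaining alerts, which are all the same finding raised once per job.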
Cursor Bugbot has reviewed your changes and found 3 potential issues.
| SET(BINEXT .arm) | ||
| SET(RENDEXT _arm) | ||
| list(APPEND QCOMMON_SRCS code/qcommon/vm_armv7l.c) | ||
| list(APPEND QCOMMON_SRCS src/qcommon/vm_armv7l.c) |
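Review bot: the change from `code/qcommon/vm_armv7l.c` to `src/qcommon/vm_armv7l.c` matches the `MOUNT_DIR=src` used by the workflow, but check that the sibling `list(APPEND QCOMMON_SRCS ...)` entries in the x86, x86_64 and aarch64 branches received the same path rename; a stale `code/` path in one branch fails only when configuring for that architecture, and the ubuntu-arm job in this PR is disabled with `if: false`, so CI would not catch it for armv7 either.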
CMake targets used before creation on unsupported architectures
Medium Severity
The TARGET_COMPILE_DEFINITIONS calls on qcommon and qcommon_ded at lines 48-49 execute before these targets are created at lines 74 and 77. When CMAKE_SYSTEM_PROCESSOR doesn't match x86, x86_64, aarch64, or arm patterns, CMake configuration will fail with "Cannot specify compile definitions for target which is not built by this project."
| artifact_name: idtech3-windows-arm64.zip | ||
|
|
||
| - artifact_dir: macos-x86_64 | ||
| artifact_name: idtech3-macos-x86_64.zip |
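Review bot: `artifact_dir: macos-x86_64` has no producing job in this PR, while every upload name in the build workflow is derived from matrix values (`linux-${{ matrix.arch }}`, `windows-msvc-${{ matrix.pkg_suffix }}`, `windows-${{ matrix.cc }}-${{ matrix.arch }}`), so a hand-maintained list in the release job drifts whenever a matrix changes. Generating this list from the same matrix, or downloading artifacts by name pattern and packaging whatever exists, moves the mismatch the Bugbot finding below describes from release time, where it blocks publishing, to build time.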
Release workflow expects non-existent macOS x86_64 artifact
High Severity
The update-release job expects a macos-x86_64 artifact directory, but the macos-x86 job only builds arch: [aarch64] and produces artifact named macos-aarch64. When a release is published, the workflow will fail trying to create idtech3-macos-x86_64.zip from a non-existent directory.
| TARGET_LINK_LIBRARIES(${DNAME}${BINEXT} qcommon_ded botlib) | ||
| #TARGET_LINK_OPTIONS(${DNAME} PRIVATE -fno-pie) # v3.13+ | ||
|
|
||
| if(UNIX AND NOT MSVC AND NOT APPLE) |
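Review bot: the dedicated-server target is linked unconditionally even though CI passes `-DBUILD_SERVER=OFF`, which CMake ignores because no option by that name exists; declare the option and guard the server target, e.g.
option(BUILD_SERVER "Build the dedicated server" ON)
if(BUILD_SERVER)
  TARGET_LINK_LIBRARIES(${DNAME}${BINEXT} qcommon_ded botlib)
with the matching ADD_EXECUTABLE inside the same block and an `endif()`, so the `cp -f build-*/idtech3* bin/` wildcard in the workflow no longer sweeps the server binary into client artifacts. Leaving the `#TARGET_LINK_OPTIONS(${DNAME} PRIVATE -fno-pie)` line commented out is the right default: enabling it would produce a non-PIE executable and forfeit ASLR for the server binary, so if it is ever needed the reason belongs in a comment beside it.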
BUILD_SERVER option not implemented but used in CI
Medium Severity
The CI workflow passes -DBUILD_SERVER=OFF expecting to skip building the dedicated server, but CMakeLists.txt doesn't define this option and always builds the server unconditionally. CMake silently ignores unknown -D options. The idtech3_server binary is built anyway and copied to artifacts via the cp -f build-*/idtech3* bin/ wildcard, including files the CI explicitly intended to exclude.
Note
Major build/CI modernization and project rename.
- Rename quake3e → idtech3 (idtech3, idtech3_server); default RENDERER_DEFAULT now vulkan.
- Sources moved to src/; add MP3 option and SKIP_IDPAK_CHECK; robust SDL2 finding; x86_64 ASM handling; linker fixes; normalized renderer plugin names (e.g., idtech3_opengl_x86_64.so).
- Build scripts (scripts/compile_engine.sh, scripts/compile_game.sh, macOS packaging); update BUILD.md/README.md; expand .gitignore; add SECURITY.md and CLAUDE.md.
Written by Cursor Bugbot for commit ff9f520.
quake3e→idtech3(idtech3,idtech3_server); defaultRENDERER_DEFAULTnowvulkansrc/; add MP3 option andSKIP_IDPAK_CHECK; robust SDL2 finding; x86_64 ASM handling; linker fixes; normalized renderer plugin names (e.g.,idtech3_opengl_x86_64.so)scripts/compile_engine.sh,scripts/compile_game.sh, macOS packaging); updateBUILD.md/README.md; expand.gitignore; addSECURITY.mdandCLAUDE.mdWritten by Cursor Bugbot for commit ff9f520. This will update automatically on new commits. Configure here.