maintainer-ci-ctest
// Maintainer workflow for scoping and updating iccDEV CI, CTest, CPack, sanitizer, workflow, and release-gate infrastructure.
| name | maintainer-ci-ctest |
| description | Maintainer workflow for scoping and updating iccDEV CI, CTest, CPack, sanitizer, workflow, and release-gate infrastructure. |
| allowed-tools | ["bash","read","grep","glob","shell(git:*)","shell(gh:*)"] |
Use this skill only for iccDEV maintainer-owned infrastructure changes:
.github/**, Dockerfile*, CTest registration, CPack and release packaging,
sanitizer helper policy, CodeQL/workflow governance, vcpkg release verification,
and security automation.
General contributor requests should be redirected to issue or PR descriptions unless an iccDEV maintainer explicitly approved the infrastructure change.
Choose the smallest maintainer-owned surface that proves the behavior:
| Change | Primary location | Required docs |
|---|---|---|
| Add profile input | Testing/CreateAllProfiles.* | docs/ctest.md if counts change |
| Add profile validation | Testing/RunTests.* | docs/ctest.md if CTest coverage changes |
| Add focused Linux regression | .github/scripts/*.sh | .github/ci/regression/README.md or docs/ctest.md |
| Register CTest suite | Build/Cmake/Testing/CMakeLists.txt | docs/ctest.md |
| Change workflow gate | .github/workflows/*.yml | docs/regression-workflow-governance.md |
| Change maintainer Dockerfile | Dockerfile* | docs/build.md and docs/regression-workflow-governance.md |
| Change sanitizer policy | Build/Cmake/CMakeLists.txt, .github/scripts/sanitize-* | .github/instructions/* |
| Change CPack/release packaging | Build/Cmake/**, release workflows | docs/build.md or release docs |
| Change vcpkg release verification | ports/iccdev/**, vcpkg workflows | vcpkg skill/docs |
Keep contributor code changes separate from maintainer infrastructure commits when practical.
check must exist on every platform.
check and workflow CTest execution must use --no-tests=error.
iccdev-tool-coverage-baseline.sh does not change that count; validate the direct script and ctest -R '^iccdev\.tool-coverage$'.
Build/Cmake/wasm-package/regression.js; the packaged script is the fallback source used by local and release parity runs.
Testing/ directory.
Build/Cmake/Testing/WindowsRuntimePaths.cmake; do not rely on a developer or runner shell PATH for vcpkg or MinGW runtime DLLs.
bin on the invoking shell PATH because GCC subprocesses such as cc1plus.exe depend on MSYS2 runtime DLLs during build.
.github/instructions/workflow-governance.instructions.md.
|| true around profile generation, CTest discovery, regression execution, sanitizer checks, or packaging verification.
GITHUB_STEP_SUMMARY and GITHUB_OUTPUT writes.
ci-pr-action for normal maintainer validation and ci-regression-checks through that orchestrator for ASAN/UBSAN CTest coverage.
file <changed-files>
git diff --check
cmake -S Build/Cmake -B build -DENABLE_TOOLS=ON -DENABLE_TESTS=ON -DENABLE_WXWIDGETS=OFF
cmake --build build --parallel "$(nproc)"
ctest --test-dir build -N --no-tests=error
ctest --test-dir build --output-on-failure --no-tests=error
For tool coverage script changes:
ICCDEV_TOOLS_DIR=$PWD/build/Tools \
ICCDEV_TESTING_DIR=$PWD/Testing \
ICCDEV_TEST_OUTDIR=/tmp/iccdev-tool-output \
.github/scripts/iccdev-tool-coverage-baseline.sh --asan --quick
ctest --test-dir build -R '^iccdev\.tool-coverage$' --output-on-failure
For workflow YAML:
python3 -c "import yaml; [yaml.safe_load(open(p)) for p in ['.github/workflows/<workflow>.yml']]; print('YAML parse OK')"
actionlint -no-color .github/workflows/<workflow>.yml
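A repository-specific check that can run next to the two commands above, added here as an example and not part of iccDEV: it flags ctest invocations in workflow or script files that omit --no-tests=error, joining backslash continuations first. The function name lint_ctest_gates is hypothetical, and flagging || true assumes the || true rule on this page is a prohibition.

```shell
#!/bin/sh
# Added example, not iccDEV code: flag ctest calls that can exit 0 without
# proving anything. The function name is illustrative.

# lint_ctest_gates FILE...
#   prints "<file>:<line>: <problem>" per finding; returns 1 if any, else 0
lint_ctest_gates() {
  awk '
    FNR == 1 { cmd = "" }                              # new file: reset state
    /^[ \t]*(#|-?[ \t]*name:)/ { next }                # comments, step names
    {
      if (cmd == "") start = FNR                       # first line of command
      line = $0
      if (sub(/\\[ \t]*$/, " ", line)) { cmd = cmd line; next }  # continuation
      cmd = cmd line
      if (cmd ~ /(^|[^A-Za-z0-9_.-])ctest([ \t]|$)/) {
        if (cmd !~ /--no-tests=error/) {
          printf "%s:%d: ctest without --no-tests=error\n", FILENAME, start
          bad = 1
        }
        # assumption: the "|| true" rule on this page is read as a prohibition
        if (cmd ~ /\|\|[ \t]*(true|:)([ \t;]|$)/) {
          printf "%s:%d: ctest status masked by || true\n", FILENAME, start
          bad = 1
        }
      }
      cmd = ""
    }
    END { exit bad + 0 }
  ' "$@"
}

# Constructed workflow fragment (not an iccDEV workflow).
wf=$(mktemp)
cat > "$wf" <<'EOF'
    - name: Run ctest
      run: |
        ctest --test-dir build \
          --output-on-failure
        ctest --test-dir build --no-tests=error || true
        ctest --test-dir build --output-on-failure --no-tests=error
EOF
lint_ctest_gates "$wf" || echo "gate lint: findings above"
rm -f "$wf"
```

Without --no-tests=error, a ctest run whose filter or build directory yields no tests still exits 0, which is the silent pass this lint is meant to catch.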
For CPack, install/export, vcpkg, or release packaging changes, run the nearest packaging smoke test and inspect logs for missing files, duplicate install manifest entries, CRT mismatch warnings, and skipped smoke coverage.
For Dockerfile* changes:
docker build -t iccdev-container-check -f <Dockerfile> .
docker run --rm iccdev-container-check <smoke-command>
For Dockerfile.ci-regression, also run a no-cache build and smoke-test
clang-18, clang++-18, cmake, and /usr/bin/time. Publishing requires the
ghcr-publish environment branch policy to allow the branch before deployment
approval, followed by pinning the new digest in ci-iccdev-tool-tests.yml.
After pushing, trigger only the workflows affected by the change:
gh workflow run "ci-pr-action" --repo InternationalColorConsortium/iccDEV --ref <branch> -f ci_scope=full
gh workflow run "ci-risk-analysis" --repo InternationalColorConsortium/iccDEV --ref <branch> \
-f analysis_target="Specific git ref" -f git_ref=<full-sha> -f severity_threshold=HIGH -f fail_on_findings=true
Wait for shared-concurrency workflows one at a time. Capture run IDs, head SHA,
job conclusions, artifact names, and key sentinel lines such as Total Tests,
100% tests passed, generated-profile counts, and sanitizer summaries.
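One way to turn those sentinel lines into a gate, added here as an example and not iccDEV's own tooling: it reads a captured CTest log and fails when the summary is missing, the test count drifts, or ASAN/UBSAN output appears beside a passing summary. The function name ctest_gate, its exit codes, and the sample log are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not iccDEV code: fail closed on the sentinel lines of a
# captured CTest log. Function name and exit codes are illustrative.

# ctest_gate LOG EXPECTED_TOTAL
#   prints: listed=<n> total=<n> failed=<n> sanitizer_lines=<n>
#   returns 0 pass, 1 test failure or sanitizer output,
#           2 no evidence that tests ran, 3 test count drifted
ctest_gate() {
  awk -v expected="$2" '
    # "ctest -N" listing sentinel: "Total Tests: 12"
    /^Total Tests: [0-9]+/ { listed = $3 + 0 }
    # run summary sentinel: "100% tests passed, 0 tests failed out of 12"
    /^[0-9]+% tests passed, [0-9]+ tests failed out of [0-9]+/ {
      seen = 1; pct = $1 + 0; failed = $4 + 0; total = $9 + 0
    }
    /^No tests were found/ { empty = 1 }
    # ASAN/UBSAN summary lines and bare UBSAN diagnostics
    /SUMMARY: (Address|UndefinedBehavior)Sanitizer:/ || /: runtime error: / { san++ }
    END {
      printf "listed=%d total=%d failed=%d sanitizer_lines=%d\n", listed, total, failed, san
      if (!seen || empty) exit 2
      if (pct != 100 || failed || san) exit 1
      if (total != expected + 0 || (listed && listed != total)) exit 3
      exit 0
    }' "$1"
}

# Constructed log (not real iccDEV output): every test "passed", yet a tool
# printed an ASAN summary, so the run must not be reported as clean.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Total Tests: 3
==4242==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000011
SUMMARY: AddressSanitizer: heap-buffer-overflow (constructed frame)
100% tests passed, 0 tests failed out of 3
EOF
ctest_gate "$sample" 3 || echo "gate failed with status $?"
rm -f "$sample"
```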
Report:
../../../docs/ctest.md
../../../docs/regression-workflow-governance.md
../../../docs/documentation-maintenance.md
../../instructions/workflow-governance.instructions.md
../../instructions/testing.instructions.md
../../instructions/build-system.instructions.md
../../prompts/maintainer-ci-ctest.prompt.md