
Add CI for Linux#25

Open
AR-DEV-1 wants to merge 2 commits into
Redot-Engine:masterfrom
AR-DEV-1:linux-build-ci

Conversation


@AR-DEV-1 AR-DEV-1 commented May 20, 2026

  • Add CI for Linux which builds Draco, caches the build objects, uploads a build artifact & runs unit tests

Note

Contributed by 2LazyDevs.

Summary by CodeRabbit

  • Chores
    • Added continuous integration workflow for Linux that automatically builds the project, runs tests, and uploads build artifacts on each commit and pull request.



coderabbitai Bot commented May 20, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

📝 Walkthrough

This pull request introduces a new GitHub Actions workflow for Linux builds. The workflow runs on ubuntu-24.04 on every push and pull request, installs Clang 20 and CMake 4.3.0, sets up system dependencies, configures ccache for build caching, compiles the project using CMake with a debug preset, runs tests, and uploads the build artifact.

Changes

Linux CI Workflow

Layer / File(s) | Summary
  • Workflow initialization and toolchain setup (.github/workflows/linux_build.yml): Defines the build-linux workflow triggered on push/pull request for all branches, runs on ubuntu-24.04, checks out the repository with recursive submodules, installs Clang 20, downloads and extracts CMake 4.3.0, installs required apt dependencies (Ninja, ccache, LLVM 20, libc++/libc++abi, Mesa, EGL, Wayland, X11, and audio libraries), updates PATH for CMake and LLVM tools, and verifies clang, clang++, and clang-scan-deps are available.
  • Build caching and CMake configuration (.github/workflows/linux_build.yml): Configures ccache using hendrikmuhs/ccache-action@v1.2 with a cache key derived from hashes of **/CMakeLists.txt and **/*.cmake, then runs cmake --preset debug into build/debug with ccache as the C and C++ compiler launcher and install RPATH set to $ORIGIN and $ORIGIN/engine/native.
  • Build, test, and artifact upload (.github/workflows/linux_build.yml): Compiles the project with cmake --build build/debug in parallel, executes unit tests via ctest --output-on-failure in parallel, and uploads build/debug/ as the linux_debug artifact with 7-day retention and failure if no files are found.

🎯 2 (Simple) | ⏱️ ~10 minutes

🐰 A Linux build takes flight,
Clang twenty shines so bright,
CMake configures with care,
Tests run, caches compare,
Artifacts bundled—all right! 🎯

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title 'Add CI for Linux' directly corresponds to the main change, a new Linux CI workflow that builds the project, caches builds, uploads artifacts, and runs tests.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.




@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/linux_build.yml:
- Around line 19-24: Replace mutable tag refs with pinned commit SHAs for each
GitHub Action used: change actions/checkout@v4, egor-tensin/setup-clang@v1,
actions/cache@v4, and actions/upload-artifact@v4 to their corresponding full
commit SHAs; keep the human-friendly tag in a trailing comment (e.g., "# v4")
for maintainability. Update the workflow entries for the actions named
actions/checkout, egor-tensin/setup-clang, actions/cache, and
actions/upload-artifact to use the SHA strings instead of tag refs and add the
version tag comment immediately after each SHA.
- Line 3: The workflow contains an unsupported top-level key "description";
remove this key and its value from the workflow root so the file only uses valid
top-level keys (e.g., name, on, permissions, env, defaults, jobs, concurrency,
run-name); simply delete the line `description: Build Draconic Engine on Linux
using Clang 20 and CMake with Ninja` so the workflow validates against the
GitHub Actions schema.
- Around line 30-32: The workflow currently uses wget/tar/echo to download and
add CMake but lacks integrity checks; update the block that runs wget, tar, and
echo to also download or embed the official SHA256, verify the downloaded
cmake-4.3.0-linux-x86_64.tar.gz with sha256sum (or shasum -a 256) and fail the
job on mismatch before extracting; specifically add a variable or file
containing the expected checksum for cmake-4.3.0-linux-x86_64.tar.gz, run
sha256sum -c (or compare computed hash) against that expected value and exit
non‑zero if verification fails, then only proceed to tar -xzf and echo the bin
path to $GITHUB_PATH on success.
- Around line 14-22: The workflow currently leaves default permissions and
persists git credentials; update the build-linux job to enforce least-privilege
and disable persisted credentials: add an explicit permissions map (e.g.,
permissions: contents: read, id-token: write if needed or set other scopes to
none) at the job or workflow level and set the actions/checkout@v4 step option
persist-credentials: false so no token is stored in the checked-out repo; modify
the "build-linux" job and the "uses: actions/checkout@v4" step accordingly.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5aa5bd30-8b5a-4ae8-beda-2593b7cbc264

📥 Commits

Reviewing files that changed from the base of the PR and between fdb254d and c76faee.

📒 Files selected for processing (2)
  • .github/workflows/linux_build.yml
  • engine/native/core/math/constants.cppm


@OldDev78 OldDev78 left a comment


The presets are there to streamline the CI build, so it should be able to rely on them.

@AR-DEV-1 AR-DEV-1 requested a review from OldDev78 May 21, 2026 08:57
OldDev78
OldDev78 previously approved these changes May 21, 2026
@OldDev78 OldDev78 enabled auto-merge (squash) May 22, 2026 05:12
auto-merge was automatically disabled May 22, 2026 08:11

Head branch was pushed to by a user without write access


@coderabbitai coderabbitai Bot left a comment


♻️ Duplicate comments (1)
.github/workflows/linux_build.yml (1)

69-69: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pin action to commit SHA.

hendrikmuhs/ccache-action@v1.2 uses a mutable tag reference. Pin it to a specific commit SHA for supply chain security, consistent with the existing comment about pinning other actions in this workflow.

🤖 Prompt for AI Agents

In @.github/workflows/linux_build.yml at line 69, The workflow uses a mutable
tag reference "uses: hendrikmuhs/ccache-action@v1.2"; update this to pin the
action to a specific commit SHA by replacing the tag with the full commit ref
(e.g., uses: hendrikmuhs/ccache-action@<commit-sha>) so the ccache action is
immutably referenced and consistent with the other pinned actions in the
workflow.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9981a8a0-2020-4703-9408-f7a15e8d03e2

📥 Commits

Reviewing files that changed from the base of the PR and between 6bc20c3 and bfa75e4.

📒 Files selected for processing (1)
  • .github/workflows/linux_build.yml


@coderabbitai coderabbitai Bot left a comment


♻️ Duplicate comments (1)
.github/workflows/linux_build.yml (1)

67-67: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pin hendrikmuhs/ccache-action to a full commit SHA.

Line 67 uses a mutable tag (@v1.2), which weakens workflow supply-chain guarantees. Please pin this action to a commit SHA and keep the tag as a trailing comment for readability.

Suggested fix
-      - name: Cache Build Artifacts
-        uses: hendrikmuhs/ccache-action@v1.2
+      - name: Cache Build Artifacts
+        uses: hendrikmuhs/ccache-action@<full_commit_sha> # v1.2
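Review bot: this hunk pins only ccache-action and leaves `<full_commit_sha>` as a placeholder; the other `uses:` lines flagged at the top of this thread (actions/checkout@v4, egor-tensin/setup-clang@v1, actions/cache@v4, actions/upload-artifact@v4) need the same full-SHA pin with the `# vN` trailing comment, otherwise the later duplicate comments about setup-clang and upload-artifact keep applying. The SHA pasted in should also be cross-checked against the tag in the action's repository rather than taken from a single API lookup, since a tag can be moved after the lookup.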
#!/bin/bash
# Resolve the commit SHA currently referenced by tag v1.2 (curl -f fails loudly on an
# API error; an annotated tag points at a tag object, so dereference it to the commit).
ref=$(curl -fsS https://api.github.com/repos/hendrikmuhs/ccache-action/git/ref/tags/v1.2)
[ "$(jq -r '.object.type' <<<"$ref")" = tag ] && ref=$(curl -fsS "https://api.github.com/repos/hendrikmuhs/ccache-action/git/tags/$(jq -r '.object.sha' <<<"$ref")")
jq -r '.object.sha' <<<"$ref"
🤖 Prompt for AI Agents

In @.github/workflows/linux_build.yml at line 67, Replace the mutable reference
"uses: hendrikmuhs/ccache-action@v1.2" with a pinned commit SHA for the
hendrikmuhs/ccache-action action; fetch the current commit SHA for tag v1.2 and
use "uses: hendrikmuhs/ccache-action@<commit-sha>" and keep the human-readable
tag (e.g., "`@v1.2`") as an inline trailing comment for readability so the
workflow is pinned but still shows the original tag.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c5644fd1-c8e4-4aea-bb2b-4ac6d12b0e9a

📥 Commits

Reviewing files that changed from the base of the PR and between bfa75e4 and 8d5f3af.

📒 Files selected for processing (1)
  • .github/workflows/linux_build.yml


@coderabbitai coderabbitai Bot left a comment


♻️ Duplicate comments (6)
.github/workflows/linux_build.yml (6)

16-19: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Security: persist-credentials not disabled in checkout.

The checkout step does not set persist-credentials: false, which could leak credentials through artifacts. This was flagged in a previous review as addressed.

🤖 Prompt for AI Agents

In @.github/workflows/linux_build.yml around lines 16 - 19, The checkout step
("Checkout Source Code") uses actions/checkout@v4 without disabling persisted
credentials; update that step in the workflow to include the input
persist-credentials: false so that the action does not leave repo credentials
available to later steps or artifacts. Locate the step that references uses:
actions/checkout@v4 and add the persist-credentials: false key alongside
existing inputs (e.g., submodules: recursive) to ensure credentials are not
persisted.

21-24: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Unpinned action reference (setup-clang).

The action egor-tensin/setup-clang@v1 uses a mutable tag reference instead of a commit SHA, weakening supply-chain security guarantees. This was flagged in a previous review.

🤖 Prompt for AI Agents

In @.github/workflows/linux_build.yml around lines 21 - 24, The workflow step
"Set up Clang Compiler" currently uses the mutable tag
egor-tensin/setup-clang@v1; replace that mutable tag with an immutable commit
SHA for the egor-tensin/setup-clang action (uses:
egor-tensin/setup-clang@<commit-sha>) to pin the dependency and improve
supply-chain security, locating the correct commit SHA from the action's
repository and updating the uses line in the workflow accordingly.

91-97: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Unpinned action reference (upload-artifact).

The action actions/upload-artifact@v4 uses a mutable tag reference instead of a commit SHA. This was flagged in a previous review.

🤖 Prompt for AI Agents

In @.github/workflows/linux_build.yml around lines 91 - 97, The workflow step
"Upload Engine Artifact" currently references actions/upload-artifact@v4 (a
mutable tag); replace that mutable tag with the corresponding immutable commit
SHA for the actions/upload-artifact action (pin the action to a specific commit
SHA) so the step uses a fixed reference instead of `@v4`; update the uses line for
"Upload Engine Artifact" to use the verified commit SHA for the v4 release of
actions/upload-artifact.

66-72: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Unpinned action reference (ccache-action).

The action hendrikmuhs/ccache-action@v1.2 uses a mutable tag reference instead of a commit SHA. This was flagged in a previous review.

🤖 Prompt for AI Agents

In @.github/workflows/linux_build.yml around lines 66 - 72, The workflow uses a
mutable tag for the ccache action (hendrikmuhs/ccache-action@v1.2); replace the
tag with a pinned commit SHA (or an exact release tag) to avoid mutable
references — update the action reference in the "Cache Build Artifacts" step
(hendrikmuhs/ccache-action@v1.2) to the specific commit SHA from that repo's
tag/commit and commit the change so the workflow uses an immutable, reproducible
action version.

11-14: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Missing explicit permissions block.

The workflow lacks an explicit permissions: block, leaving the GITHUB_TOKEN with default (overly broad) permissions. This was flagged in a previous review as addressed.

🤖 Prompt for AI Agents

In @.github/workflows/linux_build.yml around lines 11 - 14, Add an explicit
top-level permissions block to the workflow to restrict the GITHUB_TOKEN instead
of relying on defaults: update the workflow that defines the job build-linux
(runs-on: ubuntu-24.04) to include a permissions: block (for example:
permissions: contents: read) and adjust/add any additional minimal scopes your
CI needs; place it at the top-level of the workflow YAML so the job build-linux
inherits the restricted token.

26-30: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Missing integrity check for CMake download.

The CMake tarball is downloaded without SHA256 verification, creating a supply-chain security risk. This was flagged in a previous review as addressed.

🤖 Prompt for AI Agents

In @.github/workflows/linux_build.yml around lines 26 - 30, Update the "Install
System Dependencies" workflow step that downloads
cmake-4.3.0-linux-x86_64.tar.gz to verify the tarball integrity: fetch the
official SHA256 for cmake-4.3.0-linux-x86_64.tar.gz from the CMake release
assets (or hard-code the expected hash), compute the downloaded file's sha256
(using sha256sum) and compare it to the expected value, and fail the step if the
checksum does not match before running tar -xzf; keep the tarball name
cmake-4.3.0-linux-x86_64.tar.gz and the existing GITHUB_PATH update but insert
this checksum download/verify-and-fail logic in the "Install System
Dependencies" step.
🧹 Nitpick comments (1)
.github/workflows/linux_build.yml (1)

74-81: 💤 Low value

Redundant binary directory specification.

The -B build/debug argument is redundant since the "debug" preset already defines binaryDir as ${sourceDir}/build/debug. The preset configuration will be used regardless of this flag.

♻️ Suggested simplification
-        cmake --preset debug \
-          -B build/debug \
+        cmake --preset debug \
           -DCMAKE_C_COMPILER_LAUNCHER=ccache \
           -DCMAKE_CXX_COMPILER_LAUNCHER=ccache \
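Review bot: dropping `-B build/debug` makes the configure step depend on the preset's binaryDir, while `cmake --build build/debug` and the `build/debug/` artifact upload path in this same workflow still hard-code that directory; if the preset's binaryDir is ever changed, the build and upload steps silently point at a directory the configure step no longer uses. Either derive the path once (an env var shared by the configure, build and upload steps) or keep the flag so the two cannot drift.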
🤖 Prompt for AI Agents

In @.github/workflows/linux_build.yml around lines 74 - 81, Remove the redundant
explicit binary directory flag from the cmake invocation: when using "cmake
--preset debug" the preset's binaryDir (named "binaryDir" in the preset) already
points to build/debug, so drop the "-B build/debug" argument from the "cmake
--preset debug" command to let the preset control the output directory; keep the
remaining flags like -DCMAKE_C_COMPILER_LAUNCHER, -DCMAKE_CXX_COMPILER_LAUNCHER,
-DCMAKE_BUILD_WITH_INSTALL_RPATH and -DCMAKE_INSTALL_RPATH unchanged.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 36216a18-647e-49b5-b089-1343172cbe91

📥 Commits

Reviewing files that changed from the base of the PR and between 8d5f3af and 4fd88bc.

📒 Files selected for processing (1)
  • .github/workflows/linux_build.yml
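The checksum-before-extract logic requested for cmake-4.3.0-linux-x86_64.tar.gz (in the first review and again in the duplicate comment above), as an added POSIX shell example that is not part of this PR's workflow file: verify_sha256 rejects a malformed or mismatching hash and extract_verified only untars after a match. It assumes a constructed stand-in tarball built by make_fixture; the real expected hash must come from the CMake release assets.

```shell
#!/bin/sh
# Added example, not the PR's workflow file: verify a downloaded tarball against
# a pinned SHA256 before extracting it, as requested for the CMake install step.
set -eu

# Print the SHA256 of a file with whichever tool the runner provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 FILE EXPECTED: return 0 on match, 1 otherwise. A malformed
# expected value (empty, truncated, non-hex) is rejected outright so that an
# unset or mistyped CI variable can never pass verification by accident.
verify_sha256() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  case "$expected" in
    ''|*[!0-9a-f]*) echo "invalid expected SHA256 for $file" >&2; return 1 ;;
  esac
  if [ "${#expected}" -ne 64 ]; then
    echo "expected SHA256 must be 64 hex characters" >&2; return 1
  fi
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $file: expected $expected, got $actual" >&2
    return 1
  fi
  return 0
}

# extract_verified TARBALL EXPECTED DEST: untar only after the checksum matches,
# so a tampered or truncated download never reaches the build. In the workflow
# step this would be:
#   extract_verified cmake-4.3.0-linux-x86_64.tar.gz "$EXPECTED_SHA256" "$HOME/cmake"
# with EXPECTED_SHA256 a literal taken from the CMake release assets (placeholder here).
extract_verified() {
  verify_sha256 "$1" "$2" || return 1
  mkdir -p "$3"
  tar -xzf "$1" -C "$3"
}

# make_fixture: constructed stand-in for the CMake release archive (a tiny
# tarball with a fake bin/cmake); prints its path.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/src/bin"
  printf '#!/bin/sh\necho cmake version 4.3.0\n' > "$d/src/bin/cmake"
  tar -czf "$d/cmake-4.3.0-linux-x86_64.tar.gz" -C "$d/src" bin
  printf '%s\n' "$d/cmake-4.3.0-linux-x86_64.tar.gz"
}

# Walk through the good and bad paths on the constructed fixture.
demo() {
  tarball=$(make_fixture)
  good=$(sha256_of "$tarball")   # computed here only because the fixture is constructed
  dest=$(mktemp -d)
  extract_verified "$tarball" "$good" "$dest"
  echo "verified and extracted: $(ls "$dest/bin")"
  if verify_sha256 "$tarball" "$(printf '%064d' 0)" 2>/dev/null; then
    echo "BUG: mismatching hash accepted" >&2; exit 1
  fi
  echo "mismatching hash rejected before tar ran"
}

demo
```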
