Refactoring CI workflows to run in containers

[danielinux]

Let's not rely any more on updating packages at each workflow, and instead pull the right container with the correct toolchains.

• minor fixes:
  • cppcheck 2.20 new findings: fixes in code and loosened checks to match previous scans
  • x86_64_efi format: using more portable object types for executables

[Copilot]

Pull request overview

Refactors GitHub Actions CI workflows to run inside prebuilt GHCR containers so toolchains/dependencies don’t need to be installed during each workflow run.

Changes:

• Adds container.image to many CI jobs (ARM vs simulator images).
• Removes most apt-get update/install and sources.list workaround steps in favor of container-provided tooling.
• Adds a “Trust workspace” git safe.directory step for containerized checkout/builds.

Reviewed changes

Copilot reviewed 27 out of 27 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
.github/workflows/test-wolfhsm-simulator.yml	Runs simulator tests in wolfboot-ci-sim container; removes apt mirroring workaround; adds safe.directory.
.github/workflows/test-vscode.yml	Runs VSCode workspace validation in wolfboot-ci-arm container; removes runtime dependency installs.
.github/workflows/test-units.yml	Runs unit tests in wolfboot-ci-sim container; removes libcheck install; adds safe.directory.
.github/workflows/test-sunnyday-simulator.yml	Runs simulator tests in container; removes apt mirroring + 32-bit libc install steps; adds safe.directory.
.github/workflows/test-sim-self-update.yml	Runs self-update test in container; removes apt mirroring workaround; adds safe.directory.
.github/workflows/test-powerfail-simulator.yml	Runs powerfail simulator tests in container; adds safe.directory.
.github/workflows/test-parse-tools.yml	Runs parse-tools build in wolfboot-ci-arm container; removes cross-compiler installs; adds safe.directory.
.github/workflows/test-library.yml	Runs library tests in wolfboot-ci-sim container; adds safe.directory; removes runner pinning commentary.
.github/workflows/test-keytools.yml	Runs keytools build in wolfboot-ci-sim container; adds safe.directory.
.github/workflows/test-hooks-simulator.yml	Runs hooks simulator tests in container; removes apt mirroring workaround; adds safe.directory.
.github/workflows/test-filesystem.yml	Runs filesystem example build in container; removes build-essential install; adds safe.directory.
.github/workflows/test-external-library-paths.yml	Runs external library paths tests in container; changes libcheck step to no-op echo; adds safe.directory.
.github/workflows/test-elf-scattered.yml	Runs elf scattered test in container; adds safe.directory.
.github/workflows/test-custom-tlv-simulator.yml	Runs custom TLV simulator tests in container; adds safe.directory.
.github/workflows/test-cppcheck.yml	Runs cppcheck in wolfboot-ci-arm container; removes package install step.
.github/workflows/test-build.yml	Runs build in wolfboot-ci-arm container; switches runner to ubuntu-latest; removes apt workaround/installs; adds safe.directory.
.github/workflows/test-build-stm32cube.yml	Runs STM32Cube build in container; removes apt workaround/installs; adds safe.directory.
.github/workflows/test-build-psoc6.yml	Runs PSoC6 build in container; removes apt workaround/installs; adds safe.directory.
.github/workflows/test-build-pico-sdk.yml	Runs Pico SDK build in container; updates checkout to v4; removes apt steps; adds safe.directory (incl. pico-sdk).
.github/workflows/test-build-mcux-sdk.yml	Runs MCUX SDK build in container; removes apt workaround/installs; adds safe.directory.
.github/workflows/test-build-mcux-sdk-manifests.yml	Runs MCUX manifests build in container; removes apt workaround/installs; adds safe.directory.
.github/workflows/test-build-lms.yml	Runs LMS build in container; removes apt workaround/installs; adds safe.directory.
.github/workflows/test-build-cmake.yml	Runs CMake build in container; removes apt workaround/installs; adds safe.directory.
.github/workflows/test-build-cmake-script.yml	Runs CMake script test in container; removes apt workaround/installs; adds safe.directory.
.github/workflows/test-build-cmake-presets.yml	Runs CMake presets build in container; removes toolchain install step; adds safe.directory.
.github/workflows/test-build-cmake-dot-config.yml	Runs dot-config tests in container; removes apt workaround/installs; adds safe.directory.
.github/workflows/footprint.yml	Runs footprint test in wolfboot-ci-arm container; switches runner to ubuntu-latest; removes package installs; adds safe.directory.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 33 out of 33 changed files in this pull request and generated 5 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 34 out of 34 changed files in this pull request and generated 3 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 35 out of 35 changed files in this pull request and generated 2 comments.

Comments suppressed due to low confidence (4)

src/boot_x86_fsp.c:1

• Casting and subtracting end - start as unsigned (uintptr_t) can underflow silently if the symbols are reversed (or equal/overlapping unexpectedly), producing a huge size_t and cascading into oversized memcpy/memset lengths. Consider making linker_range_size defensively handle end < start (e.g., return 0 or fail fast) and/or adding an explicit check at call sites that the computed size is within expected bounds.
  src/boot_x86_fsp.c:1
• Narrowing linker_range_size(...) to uint32_t risks truncation if the linker range exceeds 4GiB (or if an underflow occurred and produced a large size_t), which would make wb_end incorrect and could break the overlap checks. If 32-bit sizes are a hard requirement here, add an explicit bounds check before casting (e.g., verify the size fits in uint32_t) and treat violations as an error.
  hal/va416x0.c:1
• Zero-initializing a WOLFBOOT_SECTOR_SIZE stack buffer forces the compiler to emit a full memset on every call, which can be expensive for large sector sizes. If only a portion is used (or it gets fully overwritten before use), prefer initializing only the needed bytes (explicit memset right before first read) or refactoring to avoid unnecessary clearing.
  Makefile:1
• The cppcheck target now suppresses several high-signal categories globally (e.g., bufferAccessOutOfBounds, uninitvar, zerodiv, plus parse-related syntaxError/internalAstError). This makes it harder to trust cppcheck results and can mask real regressions. Recommend scoping suppressions to specific files/line ranges (via a suppressions list with paths), and avoiding global suppression of runtime-safety issues unless there’s a clearly documented reason tied to specific false positives.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.