Copilot-enabled and faster CI checks (#7738)

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

Author: achamayou

.gitignore

@@ -45,4 +45,5 @@ tests/perf-system/analyzer/*.png
 **/*.ipynb*
 scripts/azure_deployment/.env
 .env
-python/src/ccf/version.py
+python/src/ccf/version.py
+scripts/env-*

scripts/ci-checks.sh

@@ -2,164 +2,104 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the Apache 2.0 License.
 
-if [ "$1" == "-f" ]; then
-  FIX=1
+if [ "${1:-}" == "-f" ]; then
+  FIX_ARG="-f"
 else
-  FIX=0
+  FIX_ARG=""
 fi
 
-# Replace numeric flag with list of failed groups
-FAIL=""
-
 SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
 
 ROOT_DIR=$( dirname "$SCRIPT_DIR" )
 pushd "$ROOT_DIR" > /dev/null || exit 1
 
 # GitHub actions workflow commands: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions
 function group(){
-    # Track current group name
-    CURRENT_GROUP="$1"
-    # Only do this in GitHub actions, where CI is defined according to
-    # https://docs.github.com/en/actions/learn-github-actions/environment-variables#default-environment-variables
-    if [[ ${CI} ]]; then
+    if [[ ${CI:-} ]]; then
       echo "::group::$1"
     else
       echo "-=[ $1 ]=-"
     fi
 }
 function endgroup() {
-    if [[ ${CI} ]]; then
+    if [[ ${CI:-} ]]; then
       echo "::endgroup::"
     fi
 }
 
-# Helper to record a failing group
-function fail() {
-  if [[ -z "$FAIL" ]]; then
-    FAIL="$CURRENT_GROUP"
+# --- Concurrent execution of all checks ---
+# Each check runs as a background job with output captured to a temp file.
+# After all jobs complete, outputs are printed in order with CI group annotations.
+
+TMPDIR_CHECKS=$(mktemp -d) || { echo "Failed to create temporary directory for ci-checks" >&2; exit 1; }
+trap 'rm -rf "$TMPDIR_CHECKS"' EXIT
+
+# Declare the checks: "group_name:script_name"
+CHECKS=(
+  "Shell scripts:shellcheck-checks.sh"
+  "TODOs:todo-checks.sh"
+  "Includes:includes-checks.sh"
+  "Release notes:release-notes-checks.sh"
+  "C/C++ format:cpp-format-checks.sh"
+  "TypeScript, JavaScript, Markdown, TypeSpec, YAML and JSON format:prettier-checks.sh"
+  "OpenAPI:openapi-checks.sh"
+  "Copyright notice headers:copyright-checks.sh"
+  "CMake format:cmake-format-checks.sh"
+  "Python format:python-format-checks.sh"
+  "Python lint:python-lint-checks.sh"
+  "Python types:python-types-checks.sh"
+)
+
+PIDS=()
+for i in "${!CHECKS[@]}"; do
+  IFS=: read -r _name script <<< "${CHECKS[$i]}"
+  (
+    start=$SECONDS
+    # shellcheck disable=SC2086
+    "$SCRIPT_DIR"/$script $FIX_ARG
+    echo $? > "$TMPDIR_CHECKS/$i.rc"
+    echo $((SECONDS - start)) > "$TMPDIR_CHECKS/$i.time"
+  ) > "$TMPDIR_CHECKS/$i.out" 2>&1 &
+  PIDS+=($!)
+done
+
+# Wait for all background jobs
+for pid in "${PIDS[@]}"; do
+  wait "$pid" 2>/dev/null || true
+done
+
+# Print results in order, track failures
+FAIL=""
+for i in "${!CHECKS[@]}"; do
+  IFS=: read -r name _script <<< "${CHECKS[$i]}"
+  rc=$(cat "$TMPDIR_CHECKS/$i.rc")
+
+  group "$name"
+  cat "$TMPDIR_CHECKS/$i.out"
+  if [ "$rc" != "0" ]; then
+    if [ -z "$FAIL" ]; then
+      FAIL="$name"
+    else
+      FAIL="$FAIL;$name"
+    fi
+  fi
+  endgroup
+done
+
+group "Timing"
+printf "%-70s %6s  %s\n" "Check" "Time" "Status"
+printf "%-70s %6s  %s\n" "-----" "----" "------"
+for i in "${!CHECKS[@]}"; do
+  IFS=: read -r name _script <<< "${CHECKS[$i]}"
+  rc=$(cat "$TMPDIR_CHECKS/$i.rc")
+  elapsed=$(cat "$TMPDIR_CHECKS/$i.time")
+  if [ "$rc" = "0" ]; then
+    status="OK"
   else
-    FAIL="$FAIL;$CURRENT_GROUP"
+    status="FAIL"
   fi
-  return 0
-}
-
-group "Shell scripts"
-git ls-files | grep -e '\.sh$' | grep -E -v "^3rdparty" | xargs shellcheck -S warning -s bash || fail
-endgroup
-
-# No inline TODOs in the codebase, use tickets, with a pointer to the code if necessary.
-group "TODOs"
-"$SCRIPT_DIR"/check-todo.sh . || fail
-endgroup
-
-group "Public includes"
-# Enforce that no private headers are included from public header files
-violations=$(find "$ROOT_DIR/include/ccf" -type f -print0 | xargs --null grep -e "#include \"" | grep -v "#include \"ccf" | sort)
-if [[ -n "$violations" ]]; then
-  echo "Public headers include private implementation files:"
-  echo "$violations"
-  fail
-else
-  echo "No public-private include violations"
-fi
-endgroup
-
-group "Public header namespaces"
-# Enforce that all public headers namespace their exports
-# NB: This only greps for a namespace definition in each file, doesn't precisely enforce that no types escape that namespace - mistakes are possible
-violations=$(find "$ROOT_DIR/include/ccf" -type f -name "*.h" -print0 | xargs --null grep -L "namespace ccf" | sort || true)
-if [[ -n "$violations" ]]; then
-  echo "Public headers missing ccf namespace:"
-  echo "$violations"
-  fail
-else
-  echo "No public header namespace violations"
-fi
-endgroup
-
-group "Release notes"
-if [ $FIX -ne 0 ]; then
-  "$SCRIPT_DIR"/extract-release-notes.py -f || fail
-else
-  "$SCRIPT_DIR"/extract-release-notes.py || fail
-fi
-endgroup
-
-group "C/C++ format"
-if [ $FIX -ne 0 ]; then
-  "$SCRIPT_DIR"/check-format.sh -f include src samples || fail
-else
-  "$SCRIPT_DIR"/check-format.sh include src samples || fail
-fi
-endgroup
-
-group "Headers are included"
-"$SCRIPT_DIR"/headers-are-included.sh || fail
-endgroup
-
-group "TypeScript, JavaScript, Markdown, TypeSpec, YAML and JSON format"
-npm install --loglevel=error --no-save prettier @typespec/prettier-plugin-typespec 1>/dev/null || fail
-if [ $FIX -ne 0 ]; then
-  git ls-files | grep -e '\.ts$' -e '\.js$' -e '\.md$' -e '\.yaml$' -e '\.yml$' -e '\.json$' | grep -v -e 'tests/sandbox/' | xargs npx prettier --write || fail
-else
-  git ls-files | grep -e '\.ts$' -e '\.js$' -e '\.md$' -e '\.yaml$' -e '\.yml$' -e '\.json$' | grep -v -e 'tests/sandbox/' | xargs npx prettier --check || fail
-fi
-endgroup
-
-group "OpenAPI"
-npm install --loglevel=error --no-save @apidevtools/swagger-cli 1>/dev/null || fail
-find doc/schemas/*.json -exec npx swagger-cli validate {} \; || fail
-find doc/schemas/gov/*/*.json -exec npx swagger-cli validate {} \; || fail
-endgroup
-
-group "Copyright notice headers"
-python3 "$SCRIPT_DIR"/notice-check.py || fail
-endgroup
-
-group "CMake format"
-if [ $FIX -ne 0 ]; then
-  "$SCRIPT_DIR"/check-cmake-format.sh -f cmake samples src tests CMakeLists.txt || fail
-else
-  "$SCRIPT_DIR"/check-cmake-format.sh cmake samples src tests CMakeLists.txt || fail
-fi
-endgroup
-
-group "Python dependencies"
-# Virtual Environment w/ dependencies for Python steps
-if [ ! -f "scripts/env/bin/activate" ]
-    then
-        python3 -m venv scripts/env
-fi
-
-source scripts/env/bin/activate
-pip install -U pip || fail
-pip install -U wheel black pytest-mypy mypy ruff 1>/dev/null || fail
-endgroup
-
-group "Python format"
-if [ $FIX -ne 0 ]; then
-  git ls-files tests/ python/ scripts/ tla/ .cmake-format.py | grep -e '\.py$' | xargs black || fail
-else
-  git ls-files tests/ python/ scripts/ tla/ .cmake-format.py | grep -e '\.py$' | xargs black --check || fail
-fi
-endgroup
-
-group "Python lint dependencies"
-pip install -U -r tests/requirements.txt 1>/dev/null || fail
-pip install -U -e python 1>/dev/null || fail
-endgroup
-
-group "Python lint"
-if [ $FIX -ne 0 ]; then
-  ruff check --fix python/ tests/ || fail
-else
-  ruff check python/ tests/ || fail
-fi
-endgroup
-
-group "Python types"
-git ls-files python/ | grep -e '\.py$' | xargs mypy || fail
+  printf "%-70s %5ds  %s\n" "$name" "$elapsed" "$status"
+done
 endgroup
 
 group "Summary"

scripts/cmake-format-checks.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the Apache 2.0 License.
+
+# Checks (and optionally fixes) CMake file formatting.
+# Pass -f to auto-fix formatting issues.
+
+set -uo pipefail
+
+if [ "${1:-}" == "-f" ]; then
+  FIX=1
+else
+  FIX=0
+fi
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+ROOT_DIR=$( dirname "$SCRIPT_DIR" )
+cd "$ROOT_DIR" || exit 1
+
+if [ $FIX -ne 0 ]; then
+  "$SCRIPT_DIR"/check-cmake-format.sh -f cmake samples src tests CMakeLists.txt
+else
+  "$SCRIPT_DIR"/check-cmake-format.sh cmake samples src tests CMakeLists.txt
+fi

scripts/copyright-checks.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the Apache 2.0 License.
+
+# Checks that all source files have the correct copyright notice headers.
+# Accepts -f for interface consistency, but no auto-fix is available.
+
+set -uo pipefail
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+ROOT_DIR=$( dirname "$SCRIPT_DIR" )
+cd "$ROOT_DIR" || exit 1
+
+python3 "$SCRIPT_DIR"/notice-check.py

scripts/cpp-format-checks.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the Apache 2.0 License.
+
+# Checks (and optionally fixes) C/C++ formatting via clang-format.
+# Pass -f to auto-fix formatting issues.
+
+set -uo pipefail
+
+if [ "${1:-}" == "-f" ]; then
+  FIX=1
+else
+  FIX=0
+fi
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+ROOT_DIR=$( dirname "$SCRIPT_DIR" )
+cd "$ROOT_DIR" || exit 1
+
+if [ $FIX -ne 0 ]; then
+  "$SCRIPT_DIR"/check-format.sh -f include src samples
+else
+  "$SCRIPT_DIR"/check-format.sh include src samples
+fi

scripts/includes-checks.sh

@@ -0,0 +1,45 @@
+#!/bin/bash
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the Apache 2.0 License.
+
+# Validates public C++ headers:
+#   1. No private headers included from public headers
+#   2. All public headers declare a ccf namespace
+#   3. All exported headers are actually included somewhere
+# Accepts -f for interface consistency, but no auto-fix is available.
+
+set -uo pipefail
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+ROOT_DIR=$( dirname "$SCRIPT_DIR" )
+cd "$ROOT_DIR" || exit 1
+
+STATUS=0
+
+# 1. Public includes: no private headers included from public header files
+echo "Checking public includes..."
+violations=$(find "$ROOT_DIR/include/ccf" -type f -print0 | xargs --null grep -e "#include \"" | grep -v "#include \"ccf" | sort)
+if [[ -n "$violations" ]]; then
+  echo "Public headers include private implementation files:"
+  echo "$violations"
+  STATUS=1
+else
+  echo "No public-private include violations"
+fi
+
+# 2. Public header namespaces: all public headers namespace their exports
+echo "Checking public header namespaces..."
+violations=$(find "$ROOT_DIR/include/ccf" -type f -name "*.h" -print0 | xargs --null grep -L "namespace ccf" | sort || true)
+if [[ -n "$violations" ]]; then
+  echo "Public headers missing ccf namespace:"
+  echo "$violations"
+  STATUS=1
+else
+  echo "No public header namespace violations"
+fi
+
+# 3. Headers are included: all exported headers are actually included somewhere
+echo "Checking headers are included..."
+"$SCRIPT_DIR"/headers-are-included.sh || STATUS=1
+
+exit $STATUS

scripts/openapi-checks.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the Apache 2.0 License.
+
+# Validates OpenAPI schema files via swagger-cli.
+# Accepts -f for interface consistency, but no auto-fix is available.
+
+set -uo pipefail
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+ROOT_DIR=$( dirname "$SCRIPT_DIR" )
+cd "$ROOT_DIR" || exit 1
+
+NPM_DIR=$(mktemp -d) || exit 1
+trap 'rm -rf "$NPM_DIR"' EXIT
+npm install --loglevel=error --no-save --prefix "$NPM_DIR" @apidevtools/swagger-cli 1>/dev/null || exit 1
+
+find doc/schemas/*.json -exec npx --prefix "$NPM_DIR" swagger-cli validate {} \; || exit 1
+find doc/schemas/gov/*/*.json -exec npx --prefix "$NPM_DIR" swagger-cli validate {} \;