Add Windows CI and CodeQL coverage

Author: ktsaou

.agents/sow/current/SOW-0014-20260603-maintainability-hotspots.md

@@ -879,6 +879,47 @@ Sensitive data gate:
 
 Raw cache, Go typed-facade, apps lookup builder, cgroups lookup builder, apps lookup semantic validation, five Go code-scanning findings, C lookup builder function-level complexity, and C POSIX/Windows service helper duplication are locally remediated; the overall maintainability SOW remains in progress pending the next selected maintainability target and Codacy metric re-check after push.
 
+### 2026-06-04 Windows CI And CodeQL Coverage
+
+- User decision: add Windows CI coverage after discovering that current CodeQL coverage is Linux-shaped, not a CodeQL product limit.
+- Purpose: make Windows runtime and Windows static-analysis coverage first-class CI signals for this cross-platform SDK.
+- Evidence:
+  - `.github/workflows/codeql.yml` currently runs every matrix entry on `ubuntu-latest`.
+  - The C/C++ CodeQL job currently builds only POSIX targets: `netipc_protocol`, `netipc_uds`, `netipc_shm`, and `netipc_service`.
+  - The Go CodeQL job currently runs `go test ./...` on Linux, so Windows-only Go files guarded by `//go:build windows` are not extracted.
+  - `CMakeLists.txt` already has Windows runtime targets guarded by `NETIPC_WINDOWS_RUNTIME`.
+  - Existing Windows validation scripts and local validation use MSYS2/MinGW, not MSVC.
+- Decision:
+  - Add GitHub-hosted Windows CI on `windows-latest`.
+  - Use MSYS2/MinGW for the Windows runtime build because it matches the existing tested Windows scripts.
+  - Keep heavyweight Windows coverage and benchmark jobs out of push/PR CI for now; they remain explicit scripts.
+  - Add Windows CodeQL jobs for C/C++ and Go so Windows-only sources are extracted.
+- Risk:
+  - Windows hosted runners may expose timing flakiness in named-pipe/SHM tests.
+  - Adding MSYS2 introduces another pinned CI action and package-install surface.
+  - CodeQL Windows jobs increase CI time and may surface a new backlog of valid Windows-only findings.
+- Validation plan:
+  - Run local action/workflow linting.
+  - Run relevant local CMake/Go validation.
+  - Push and verify GitHub Windows runtime and CodeQL jobs.
+- Implemented:
+  - Added a `windows-latest` MSYS2/MinGW runtime job to `.github/workflows/runtime-safety.yml`.
+  - Expanded CodeQL into distinct POSIX and Windows categories for C/C++ and Go.
+  - Expanded POSIX C/C++ CodeQL build targets so test, interop, cache, stress, hardening, and benchmark C sources are compiled during extraction.
+  - Added Windows C/C++ CodeQL build targets for named pipe, Windows SHM, Windows service, Windows interop, guard, stress, and benchmark C sources.
+  - Added Windows Go CodeQL build execution so Windows build-tagged Go packages are extracted.
+- Local validation:
+  - YAML parsing passed for `.github/workflows/codeql.yml` and `.github/workflows/runtime-safety.yml`.
+  - `actionlint .github/workflows/codeql.yml .github/workflows/runtime-safety.yml` passed.
+  - POSIX expanded C/C++ CodeQL target list built locally with `cmake --build build`.
+  - Windows/MSYS runtime build command passed on the Windows validation host.
+  - Windows/MSYS runtime CTest slice passed on the Windows validation host: 12/12 targeted Windows tests.
+  - Windows Go CodeQL build command passed on the Windows validation host for `src/go`, `tests/fixtures/go`, and `bench/drivers/go`.
+  - Windows C/C++ CodeQL-only `bench_windows_c` target built on the Windows validation host.
+  - `git diff --check` passed.
+  - `bash .agents/sow/audit.sh` passed.
+  - `codacy-analysis analyze --output-format json` passed with 0 issues and 0 errors across Checkov, Opengrep/Semgrep, Trivy, cppcheck, ShellCheck, and Spectral.
+
 ## Lessons Extracted
 
 Pending.

.github/workflows/codeql.yml

@@ -21,7 +21,7 @@ concurrency:
 jobs:
   analyze:
     name: Analyze ${{ matrix.name }}
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.runner }}
 
     permissions:
       actions: read
@@ -32,22 +32,93 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - name: C/C++
+          - name: C/C++ POSIX
             language: c-cpp
+            runner: ubuntu-latest
             build_mode: manual
+            category: /language:c-cpp-posix
             build_command: |
-              cmake -S . -B build-codeql -DCMAKE_BUILD_TYPE=Debug
-              cmake --build build-codeql --parallel --target netipc_protocol netipc_uds netipc_shm netipc_service
-          - name: Go
+              cmake -S . -B build-codeql-posix -DCMAKE_BUILD_TYPE=Debug
+              cmake --build build-codeql-posix --parallel --target \
+                netipc_protocol \
+                netipc_uds \
+                netipc_shm \
+                netipc_service \
+                test_protocol \
+                interop_codec_c \
+                fuzz_protocol \
+                test_uds \
+                interop_uds_c \
+                test_shm \
+                interop_shm_c \
+                test_service \
+                test_service_extra \
+                test_service_payload_limits \
+                test_service_method_limits \
+                test_multi_server \
+                interop_service_c \
+                test_stress \
+                test_ping_pong \
+                test_chaos \
+                test_hardening \
+                test_cache \
+                interop_cache_c \
+                bench_posix_c
+          - name: C/C++ Windows
+            language: c-cpp
+            runner: windows-latest
+            build_mode: manual
+            category: /language:c-cpp-windows
+            msys2: true
+            build_command: |
+              cmake -S . -B build-codeql-windows -G Ninja \
+                -DCMAKE_BUILD_TYPE=Debug \
+                -DCMAKE_C_COMPILER=/usr/bin/gcc \
+                -DCMAKE_CXX_COMPILER=/usr/bin/g++
+              cmake --build build-codeql-windows \
+                --parallel "$(getconf _NPROCESSORS_ONLN 2>/dev/null || echo 4)" \
+                --target \
+                netipc_protocol \
+                netipc_named_pipe \
+                netipc_win_shm \
+                netipc_service_win \
+                test_named_pipe \
+                interop_named_pipe_c \
+                test_win_shm \
+                test_win_service \
+                test_win_service_extra \
+                test_win_service_payload_limits \
+                test_win_service_guards \
+                test_win_service_guards_extra \
+                test_win_stress \
+                interop_win_shm_c \
+                interop_service_win_c \
+                interop_cache_win_c \
+                bench_windows_c
+          - name: Go POSIX
             language: go
+            runner: ubuntu-latest
             build_mode: manual
+            category: /language:go-posix
             build_command: |
               for module in src/go tests/fixtures/go bench/drivers/go; do
                 (cd "$module" && go test ./...)
               done
+          - name: Go Windows
+            language: go
+            runner: windows-latest
+            build_mode: manual
+            category: /language:go-windows
+            msys2: true
+            build_command: |
+              for module in src/go tests/fixtures/go bench/drivers/go; do
+                (cd "$module" && CGO_ENABLED=0 go test ./...)
+              done
           - name: Rust
             language: rust
+            runner: ubuntu-latest
             build_mode: none
+            category: /language:rust
             build_command: ":"
 
     steps:
@@ -63,6 +134,20 @@ jobs:
           go-version-file: src/go/go.mod
           cache: false
 
+      - name: Set up MSYS2
+        if: matrix.msys2 == true
+        uses: msys2/setup-msys2@e9898307ac31d1a803454791be09ab9973336e1c # v2
+        with:
+          msystem: MSYS
+          update: true
+          path-type: inherit
+          install: >-
+            base-devel
+            gcc
+            cmake
+            ninja
+            git
+
       - name: Initialize CodeQL
         uses: github/codeql-action/init@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4.36.1
         with:
@@ -71,10 +156,15 @@ jobs:
           config-file: ./.github/codeql.yml
 
       - name: Build for CodeQL
-        if: matrix.build_mode == 'manual'
+        if: matrix.build_mode == 'manual' && matrix.msys2 != true
+        run: ${{ matrix.build_command }}
+
+      - name: Build for CodeQL on MSYS2
+        if: matrix.build_mode == 'manual' && matrix.msys2 == true
+        shell: msys2 {0}
         run: ${{ matrix.build_command }}
 
       - name: Analyze
         uses: github/codeql-action/analyze@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4.36.1
         with:
-          category: /language:${{ matrix.language }}
+          category: ${{ matrix.category }}

.github/workflows/runtime-safety.yml

@@ -96,3 +96,77 @@ jobs:
 
       - name: Run Go race detector
         run: bash tests/run-go-race.sh
+
+  windows-msys:
+    name: Windows MSYS2 Runtime
+    runs-on: windows-latest
+    timeout-minutes: 45
+
+    defaults:
+      run:
+        shell: msys2 {0}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
+
+      - name: Set up Go
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        with:
+          go-version-file: src/go/go.mod
+          cache: false
+
+      - name: Set up MSYS2
+        uses: msys2/setup-msys2@e9898307ac31d1a803454791be09ab9973336e1c # v2
+        with:
+          msystem: MSYS
+          update: true
+          path-type: inherit
+          install: >-
+            base-devel
+            gcc
+            cmake
+            ninja
+            git
+
+      - name: Build Windows runtime targets
+        run: |
+          set -euo pipefail
+          windows_cargo_home="${CARGO_HOME:-}"
+          if [[ -z "$windows_cargo_home" && -n "${USERPROFILE:-}" ]]; then
+            windows_cargo_home="$(cygpath -u "$USERPROFILE")/.cargo"
+          fi
+          windows_cargo_home="${windows_cargo_home:-$HOME/.cargo}"
+          export PATH="$windows_cargo_home/bin:$PATH"
+          cmake -S . -B build-windows -G Ninja \
+            -DCMAKE_BUILD_TYPE=RelWithDebInfo \
+            -DCMAKE_C_COMPILER=/usr/bin/gcc \
+            -DCMAKE_CXX_COMPILER=/usr/bin/g++
+          cmake --build build-windows \
+            --parallel "$(getconf _NPROCESSORS_ONLN 2>/dev/null || echo 4)" \
+            --target \
+            test_named_pipe \
+            test_win_shm \
+            test_win_service \
+            test_win_service_payload_limits \
+            test_win_service_extra \
+            test_win_stress \
+            interop_named_pipe_c \
+            interop_named_pipe_rs \
+            interop_named_pipe_go \
+            interop_win_shm_c \
+            interop_win_shm_rs \
+            interop_win_shm_go \
+            interop_service_win_c \
+            interop_service_win_rs \
+            interop_service_win_go \
+            interop_cache_win_c \
+            interop_cache_win_rs \
+            interop_cache_win_go
+
+      - name: Run Windows runtime tests
+        run: |
+          set -euo pipefail
+          ctest --test-dir build-windows --output-on-failure -j1 -R "^(test_named_pipe|test_win_shm|test_win_service|test_win_service_payload_limits|test_win_service_extra|test_named_pipe_interop|test_win_shm_interop|test_service_win_interop|test_service_win_shm_interop|test_cache_win_interop|test_cache_win_shm_interop|test_win_stress)$"