Enable supported release hardening options #7895

Draft
Copilot wants to merge 10 commits into main from copilot/add-hardening-options-ccf-release-targets

Contributor

Copilot AI commented May 15, 2026

  • Review new comment requesting target/package/hardening table
  • Audit target definitions and install/package inclusion
  • Verify current hardening coverage from CMake helpers and explicit calls
  • Reply to the PR comment with the requested table
  • Run final validation if changes are made

Copilot AI and others added 2 commits May 15, 2026 15:46
Agent-Logs-Url: https://github.com/microsoft/CCF/sessions/86ec6a3f-e863-4120-80d2-0053630dd7cb

Co-authored-by: achamayou <4016369+achamayou@users.noreply.github.com>
Agent-Logs-Url: https://github.com/microsoft/CCF/sessions/86ec6a3f-e863-4120-80d2-0053630dd7cb

Co-authored-by: achamayou <4016369+achamayou@users.noreply.github.com>
@achamayou
Member

@copilot please enable this CMake flag in the release pipeline, and where the option is defined in CMake, add a comment paragraph describing the various options, a summary of their effect, and a link to their documentation page, wherever it lives.

Agent-Logs-Url: https://github.com/microsoft/CCF/sessions/037f8d1d-810e-4bf8-b065-39391094a066

Co-authored-by: achamayou <4016369+achamayou@users.noreply.github.com>
Contributor Author

Copilot AI commented May 15, 2026

@copilot please enable this CMake flag in the release pipeline, and where the option is defined in CMake, add a comment paragraph describing the various options, a summary of their effect, and a link ...

Addressed in 66512af: the release and RPM reproduction CMake invocations now explicitly set CCF_ENABLE_RELEASE_HARDENING=ON, and the CMake option has a documentation comment covering the hardening flags and references.

@achamayou achamayou marked this pull request as ready for review May 15, 2026 17:00
@achamayou achamayou requested a review from a team as a code owner May 15, 2026 17:00
Copilot AI review requested due to automatic review settings May 15, 2026 17:00
Contributor

Copilot AI left a comment

Pull request overview

This PR introduces an opt-in (default ON) CMake toggle to apply supported compiler/linker hardening flags to optimized “release” configurations, and ensures the release/repro pipelines explicitly enable it for reproducible packaging.

Changes:

  • Adds CCF_ENABLE_RELEASE_HARDENING (default ON) and conditionally enables supported hardening compile/link options for Release, RelWithDebInfo, and MinSizeRel.
  • Updates the release GitHub Actions workflow and RPM reproduction script to explicitly set -DCCF_ENABLE_RELEASE_HARDENING=ON for Release builds.
  • Improves RPM reproduction script robustness by enabling pipefail.

Custom instructions used:

  • .github/copilot-instructions.md
  • .github/instructions/reviewing.instructions.md

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| reproduce/reproduce_rpm.sh | Enables pipefail and explicitly turns on release hardening during RPM reproduction builds. |
| CMakeLists.txt | Adds CCF_ENABLE_RELEASE_HARDENING and applies supported hardening flags via CMake feature checks for release configurations. |
| .github/workflows/release.yml | Explicitly enables release hardening in the release build and RPM packaging workflow. |

Comment thread .github/workflows/release.yml
Agent-Logs-Url: https://github.com/microsoft/CCF/sessions/781667e0-a79e-4c73-bfbe-ad212dcc3d1b

Co-authored-by: achamayou <4016369+achamayou@users.noreply.github.com>
Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

Comment thread CMakeLists.txt Outdated
@achamayou
Member

@copilot the hardening must be done by target, using target_compile_options etc, see how it's done for SAN/TSAN for an example. Have a function that does this, called add_hardening(), containing the switch, and apply it to all the relevant targets (i.e. anything that goes in the release package).

@achamayou achamayou marked this pull request as draft May 18, 2026 09:33
Copilot AI and others added 2 commits May 18, 2026 09:47
Agent-Logs-Url: https://github.com/microsoft/CCF/sessions/811f0736-c785-47e0-86eb-5bfd6a7e5565

Co-authored-by: achamayou <4016369+achamayou@users.noreply.github.com>
Agent-Logs-Url: https://github.com/microsoft/CCF/sessions/811f0736-c785-47e0-86eb-5bfd6a7e5565

Co-authored-by: achamayou <4016369+achamayou@users.noreply.github.com>
Contributor Author

Copilot AI commented May 18, 2026

@copilot the hardening must be done by target, using target_compile_options etc, see how it's done for SAN/TSAN for an example. Have a function that does this, called add_hardening(), containing the s...

Implemented in c928faa: hardening now uses a per-target add_hardening() helper with target_compile_options/target_link_options, applied to the packaged CCF targets while avoiding global options on snmalloc.

Copilot AI requested a review from achamayou May 18, 2026 09:51
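
A per-target helper of the kind requested in the review comment above, as an added sketch that is not CCF's actual `add_hardening()` or code from this PR. The flag list, the `HARDENED_CONFIGS` variable and the `demo_app` target are assumptions; the thread itself names only `_FORTIFY_SOURCE`, the `CCF_ENABLE_RELEASE_HARDENING` switch and the three optimized configurations.

```cmake
# Added sketch, not CCF's CMakeLists.txt. The flag list is an assumption.
cmake_minimum_required(VERSION 3.19) # multi-value $<CONFIG:...>, check_linker_flag
project(hardening_sketch CXX)
include(CheckCXXCompilerFlag)
include(CheckLinkerFlag)

option(CCF_ENABLE_RELEASE_HARDENING "Harden optimized configurations" ON)

# Restrict flags to optimized configs: _FORTIFY_SOURCE needs optimization on.
set(HARDENED_CONFIGS "$<CONFIG:Release,RelWithDebInfo,MinSizeRel>")

function(add_hardening target)
  if(NOT CCF_ENABLE_RELEASE_HARDENING)
    return()
  endif()
  # Probe each compile flag and skip any the toolchain rejects
  # (for example -fcf-protection on non-x86 targets).
  foreach(flag -fstack-protector-strong -fstack-clash-protection
               -fcf-protection=full)
    string(MAKE_C_IDENTIFIER "HAVE${flag}" have_flag)
    check_cxx_compiler_flag("${flag}" ${have_flag})
    if(${have_flag})
      target_compile_options(${target} PRIVATE "$<${HARDENED_CONFIGS}:${flag}>")
    endif()
  endforeach()
  target_compile_definitions(
    ${target} PRIVATE "$<${HARDENED_CONFIGS}:_FORTIFY_SOURCE=2>")

  # Link flags only make sense for targets that have a link step.
  get_target_property(type ${target} TYPE)
  if(type MATCHES "^(EXECUTABLE|SHARED_LIBRARY|MODULE_LIBRARY)$")
    foreach(flag "-Wl,-z,relro" "-Wl,-z,now")
      string(MAKE_C_IDENTIFIER "HAVE_${flag}" have_flag)
      check_linker_flag(CXX "${flag}" ${have_flag})
      if(${have_flag})
        target_link_options(${target} PRIVATE "$<${HARDENED_CONFIGS}:${flag}>")
      endif()
    endforeach()
  endif()
endfunction()

# Constructed demo target; targets that must stay unhardened (the thread's
# example is the snmalloc shim) are simply never passed to add_hardening().
file(WRITE "${CMAKE_BINARY_DIR}/demo.cpp" "int main() { return 0; }\n")
add_executable(demo_app "${CMAKE_BINARY_DIR}/demo.cpp")
add_hardening(demo_app)
```

Because the options are attached with `PRIVATE` scope per target, nothing leaks into third-party subprojects the way a global `add_compile_options()` would.
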
@achamayou
Member

@copilot make a table of all targets, and for each list whether they are included in the release package, whether you enabled hardening or not, and your justification for your choice.

Contributor Author

Copilot AI commented May 18, 2026

@copilot make a table of all targets, and for each list whether they are included in the release package, whether you enabled hardening or not, and your justification for your choice.

Audited the top-level CMake targets from a RelWithDebInfo configure with release hardening enabled. “Hardened” means add_hardening() applies compile flags, and link flags for targets with a link step.

| Target | In release package? | Hardened? | Justification |
| --- | --- | --- | --- |
| base64_test | No | No | Unit test only; not installed. |
| basic | No | Yes | Sample app target uses add_ccf_app(), so it is hardened consistently, but not installed. |
| cargo-build_cose_rs | Byproduct yes | N/A | Custom Rust build; installs libcose_rs.a, but CMake C/C++ target flags do not apply. |
| cbor_test | No | No | Unit test only; not installed. |
| ccf | Yes | Yes | Installed static library; compile hardening applies, no link step. |
| ccf_endpoints | Yes | Yes | Installed static library; compile hardening applies, no link step. |
| ccf_js | Yes | Yes | Installed static library; compile hardening applies, no link step. |
| ccf_kv | Yes | Yes | Installed static library; compile hardening applies, no link step. |
| ccf_launcher | Yes | Yes | Installed static library; compile hardening applies, no link step. |
| ccf_pal | Yes | Yes | Installed static library; compile hardening applies, no link step. |
| ccf_tasks | Yes | Yes | Installed static library; compile hardening applies, no link step. |
| ccfcrypto | Yes | Yes | Installed static library; compile hardening applies, no link step. |
| channels_test | No | No | Unit test only; not installed. |
| cose_bench | No | No | Benchmark target only; not installed. |
| cose_ffi_test | No | No | Unit test only; not installed. |
| cose_test | No | No | Unit test only; not installed. |
| crypto_bench | No | No | Benchmark target only; not installed. |
| crypto_test | No | No | Unit test only; not installed. |
| curl_test | No | No | Test binary only; not installed. |
| ds_test | No | No | Unit test only; not installed. |
| encryptor_test | No | No | Unit test only; not installed. |
| endorsements_test | No | No | Unit test only; not installed. |
| endpoint_registry_test | No | No | Unit test only; not installed. |
| env_test | No | No | Unit test only; not installed. |
| evercbor | Yes | Yes | Installed static library; compile hardening applies, no link step. |
| files_cleanup_test | No | No | Unit test only; not installed. |
| frontend_test | No | No | Unit test only; not installed. |
| hash_bench | No | No | Benchmark target only; not installed. |
| historical_queries_test | No | No | Unit test only; not installed. |
| history_bench | No | No | Benchmark target only; not installed. |
| history_test | No | No | Unit test only; not installed. |
| http_etag_test | No | No | Unit test only; not installed. |
| http_parser | Yes | Yes | Installed static library; compile hardening applies, no link step. |
| http_test | No | No | Unit test only; not installed. |
| indexing_test | No | No | Unit test only; not installed. |
| internal_tables_access_test | No | No | Unit test only; not installed. |
| js_generic | Yes | Yes | Installed app executable; compile and link hardening apply. |
| js_policy_test | No | No | Unit test only; not installed. |
| js_test | No | No | Unit test only; not installed. |
| json_bench | No | No | Benchmark target only; not installed. |
| json_schema | No | No | Unit test only; not installed. |
| jwt_auth_test | No | No | Unit test only; not installed. |
| key_exchange_test | No | No | Unit test only; not installed. |
| kp_cert_test | No | No | Unit test only; not installed. |
| kv_bench | No | No | Benchmark target only; not installed. |
| kv_test | No | No | Unit test only; not installed. |
| ledger_test | No | No | Unit test only; not installed. |
| logger_bench | No | No | Benchmark target only; not installed. |
| logger_json_test | No | No | Unit test only; not installed. |
| logger_test | No | No | Unit test only; not installed. |
| logging | No | Yes | Sample app target uses add_ccf_app(), so it is hardened consistently, but not installed. |
| logging_cose_only | No | Yes | Sample app target uses add_ccf_app(), so it is hardened consistently, but not installed. |
| logging_cose_only_allow_join_dual | No | Yes | Sample app target uses add_ccf_app(), so it is hardened consistently, but not installed. |
| map_bench | No | No | Benchmark target only; not installed. |
| map_test | No | No | Unit test only; not installed. |
| merkle_bench | No | No | Benchmark target only; not installed. |
| merkle_mem | No | No | Test helper executable only; not installed. |
| merkle_test | No | No | Unit test only; not installed. |
| nobuiltins | No | Yes | Sample app target uses add_ccf_app(), so it is hardened consistently, but not installed. |
| node_frontend_test | No | No | Unit test only; not installed. |
| node_info_json_test | No | No | Unit test only; not installed. |
| openapi_test | No | No | Unit test only; not installed. |
| parse_json_safe_test | No | No | Unit test only; not installed. |
| pem_test | No | No | Unit test only; not installed. |
| programmability | No | Yes | Sample app target uses add_ccf_app(), so it is hardened consistently, but not installed. |
| quickjs | Yes | Yes | Installed static library; compile hardening applies, no link step. |
| raft_driver | No | No | Test driver only; not installed. |
| raft_enclave_test | No | No | Unit test only; not installed. |
| raft_test | No | No | Unit test only; not installed. |
| ring_buffer_bench | No | No | Benchmark target only; not installed. |
| sharing_test | No | No | Unit test only; not installed. |
| snapshot_test | No | No | Unit test only; not installed. |
| snapshotter_test | No | No | Unit test only; not installed. |
| snmalloc-minimal | No | No | Third-party snmalloc helper target; not installed in CCF package and deliberately not hardened. |
| snmalloc-new-override | No | No | Third-party snmalloc helper target; not installed in CCF package and deliberately not hardened. |
| snmallocshim | No | No | Third-party snmalloc helper target; not installed in CCF package and deliberately not hardened. |
| snmallocshim-checks | No | No | Third-party snmalloc helper target; not installed in CCF package and deliberately not hardened. |
| snmallocshim-checks-memcpy-only | No | No | Third-party snmalloc helper target; not installed in CCF package and deliberately not hardened. |
| snmallocshim-static | Yes | No | Installed third-party snmalloc shim; excluded because _FORTIFY_SOURCE can interfere with snmalloc memcpy overriding. |
| snp_attestation_test | No | No | Unit test only; not installed. |
| snp_ioctl_test | No | No | Unit test only; not installed. |
| submit | Yes | Yes | Installed perf submitter executable; compile and link hardening apply. |
| task_bench | No | No | Benchmark target only; not installed. |
| task_system_demo | No | No | Demo/test target only; not installed. |
| task_system_test | No | No | Unit test only; not installed. |
| tls_test | No | No | Unit test only; not installed. |
| tx_status_test | No | No | Unit test only; not installed. |
| verify_attestation | Yes | Yes | Installed verification executable; compile and link hardening apply. |
| verify_uvm_attestation_and_endorsements | Yes | Yes | Installed verification executable; compile and link hardening apply. |

Conditional/standalone targets not in that default top-level target list: cbor_fuzz_test and snmalloc’s fuzzer targets are fuzz/test-only and not release-packaged, so I would not harden them; tests/ccfapp is explicitly standalone package-consumer test CMake and uses add_ccf_app(), so it can receive the same hardening behavior when configured with CCF_ENABLE_RELEASE_HARDENING=ON.
