9 files changed, 56 insertions, 30 deletions

diff --git a/.github/workflows/alpine_builds.yml b/.github/workflows/alpine_builds.yml
index 6f160c4b8041..874f7104539f 100644
--- a/.github/workflows/alpine_builds.yml
+++ b/.github/workflows/alpine_builds.yml
@@ -1,4 +1,4 @@
-# Copyright (c) 2022-2023 Yubico AB. All rights reserved.
+# Copyright (c) 2022-2024 Yubico AB. All rights reserved.
 # Use of this source code is governed by a BSD-style
 # license that can be found in the LICENSE file.
 # SPDX-License-Identifier: BSD-2-Clause
@@ -16,7 +16,7 @@ on:
 
 jobs:
   build:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     container: alpine:latest
     strategy:
       fail-fast: false
diff --git a/.github/workflows/bsd_builds.yml b/.github/workflows/bsd_builds.yml
index 3a1285dd2122..a4dcf0073251 100644
--- a/.github/workflows/bsd_builds.yml
+++ b/.github/workflows/bsd_builds.yml
@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Yubico AB. All rights reserved.
+# Copyright (c) 2022-2024 Yubico AB. All rights reserved.
 # Use of this source code is governed by a BSD-style
 # license that can be found in the LICENSE file.
 # SPDX-License-Identifier: BSD-2-Clause
@@ -14,13 +14,13 @@ on:
 jobs:
   build:
     if: github.repository == 'Yubico/libfido2'
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     strategy:
       fail-fast: false
       matrix:
         include:
           - { image: freebsd/14.x }
-          - { image: openbsd/7.4, llvm_version: 16 }
+          - { image: openbsd/7.6, llvm_version: 16 }
     steps:
     - uses: actions/checkout@v4
     - name: dependencies
diff --git a/.github/workflows/cifuzz_oss.yml b/.github/workflows/cifuzz_oss.yml
index 5835bb1fc8d9..7d621c644786 100644
--- a/.github/workflows/cifuzz_oss.yml
+++ b/.github/workflows/cifuzz_oss.yml
@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Yubico AB. All rights reserved.
+# Copyright (c) 2022-2024 Yubico AB. All rights reserved.
 # Use of this source code is governed by a BSD-style
 # license that can be found in the LICENSE file.
 # SPDX-License-Identifier: BSD-2-Clause
@@ -17,7 +17,7 @@ on:
 jobs:
   fuzzing:
     if: github.repository == 'Yubico/libfido2'
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     strategy:
       fail-fast: false
       matrix:
@@ -39,7 +39,7 @@ jobs:
         fuzz-seconds: 600
         dry-run: false
     - name: upload crash
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       if: failure()
       with:
         name: ${{ matrix.sanitizer }}-artifacts
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index a3a8d54d2daa..486dd900e5bc 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Yubico AB. All rights reserved.
+# Copyright (c) 2022-2024 Yubico AB. All rights reserved.
 # Use of this source code is governed by a BSD-style
 # license that can be found in the LICENSE file.
 # SPDX-License-Identifier: BSD-2-Clause
@@ -22,14 +22,14 @@ permissions:
 jobs:
   codeql-build:
     if: github.repository == 'Yubico/libfido2'
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
     - name: checkout
       uses: actions/checkout@v4
       with:
         fetch-depth: 2
     - name: init codeql
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
     - name: build
       env:
         CC: gcc
@@ -39,4 +39,4 @@ jobs:
          libpcsclite-dev
         ./.actions/build-linux-gcc
     - name: perform codeql analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3
diff --git a/.github/workflows/linux_builds.yml b/.github/workflows/linux_builds.yml
index 2ed553a7b5c5..a1e007daf404 100644
--- a/.github/workflows/linux_builds.yml
+++ b/.github/workflows/linux_builds.yml
@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Yubico AB. All rights reserved.
+# Copyright (c) 2022-2024 Yubico AB. All rights reserved.
 # Use of this source code is governed by a BSD-style
 # license that can be found in the LICENSE file.
 # SPDX-License-Identifier: BSD-2-Clause
@@ -21,17 +21,16 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - { os: ubuntu-20.04, cc: gcc-8 }
-          - { os: ubuntu-22.04, cc: gcc-9 }
           - { os: ubuntu-22.04, cc: gcc-10 }
           - { os: ubuntu-22.04, cc: gcc-11 }
-          - { os: ubuntu-22.04, cc: gcc-12 }
-          - { os: ubuntu-22.04, cc: clang-15 }
+          - { os: ubuntu-24.04, cc: gcc-12 }
+          - { os: ubuntu-24.04, cc: gcc-13 }
           - { os: ubuntu-22.04, cc: clang-16 }
           - { os: ubuntu-22.04, cc: clang-17 }
-          - { os: ubuntu-22.04, cc: clang-18 }
-          - { os: ubuntu-20.04, cc: i686-w64-mingw32-gcc-9 }
+          - { os: ubuntu-24.04, cc: clang-18 }
+          - { os: ubuntu-24.04, cc: clang-19 }
           - { os: ubuntu-22.04, cc: i686-w64-mingw32-gcc-10 }
+          - { os: ubuntu-24.04, cc: i686-w64-mingw32-gcc-11 }
     steps:
     - uses: actions/checkout@v4
     - name: dependencies
diff --git a/.github/workflows/linux_fuzz.yml b/.github/workflows/linux_fuzz.yml
index f98cac7aff2e..ea2d3833dca2 100644
--- a/.github/workflows/linux_fuzz.yml
+++ b/.github/workflows/linux_fuzz.yml
@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Yubico AB. All rights reserved.
+# Copyright (c) 2022-2024 Yubico AB. All rights reserved.
 # Use of this source code is governed by a BSD-style
 # license that can be found in the LICENSE file.
 # SPDX-License-Identifier: BSD-2-Clause
@@ -20,8 +20,8 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [ ubuntu-22.04 ]
-        cc: [ clang-18 ]
+        os: [ ubuntu-24.04 ]
+        cc: [ clang-19 ]
         sanitizer: [ asan, msan ]
     steps:
     - uses: actions/checkout@v4
diff --git a/.github/workflows/macos_builds.yml b/.github/workflows/macos_builds.yml
index a278c942a0a2..90466550ee69 100644
--- a/.github/workflows/macos_builds.yml
+++ b/.github/workflows/macos_builds.yml
@@ -20,7 +20,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [ macos-14, macos-13, macos-12 ]
+        os: [ macos-15, macos-14, macos-13 ]
         cc: [ clang ]
     steps:
     - uses: actions/checkout@v4
diff --git a/.github/workflows/openssl3.yml b/.github/workflows/openssl3.yml
index 32b6d3f50df9..b51685dff102 100644
--- a/.github/workflows/openssl3.yml
+++ b/.github/workflows/openssl3.yml
@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Yubico AB. All rights reserved.
+# Copyright (c) 2022-2024 Yubico AB. All rights reserved.
 # Use of this source code is governed by a BSD-style
 # license that can be found in the LICENSE file.
 # SPDX-License-Identifier: BSD-2-Clause
@@ -21,12 +21,12 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - os: ubuntu-22.04
-            cc: gcc-12
-          - os: ubuntu-22.04
-            cc: clang-18
-          - os: ubuntu-22.04
-            cc: i686-w64-mingw32-gcc-10
+          - os: ubuntu-24.04
+            cc: gcc-13
+          - os: ubuntu-24.04
+            cc: clang-19
+          - os: ubuntu-24.04
+            cc: i686-w64-mingw32-gcc-11
     steps:
     - uses: actions/checkout@v4
     - name: dependencies
diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml
new file mode 100644
index 000000000000..cdda760ae2b6
--- /dev/null
+++ b/.github/workflows/shellcheck.yml
@@ -0,0 +1,27 @@
+# Copyright (c) 2024 Google LLC. All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+# SPDX-License-Identifier: BSD-2-Clause
+
+name: shellcheck
+
+on:
+  pull_request:
+    branches:
+    - main
+  push:
+    branches:
+    - main
+    - '*-ci'
+
+jobs:
+  build:
+    runs-on: ubuntu-24.04
+    steps:
+    - uses: actions/checkout@v4
+    - name: dependencies
+      run: |
+        sudo apt -q update
+        sudo apt install -q -y shellcheck
+    - name: build
+      run: ./.actions/run-shellcheck