
CI: Align workflow with configure.ac (recursive submodules, v2 Linux job, drop x32)#3504

Merged
airween merged 12 commits into owasp-modsecurity:v3/master from Easton97-Jens:v3/master_update_workflows
Mar 8, 2026

Conversation

@Easton97-Jens
Contributor

@Easton97-Jens Easton97-Jens commented Feb 25, 2026

Summary

This PR introduces a new separate CI workflow (ci_new.yml).
The existing workflow remains unchanged.

The primary goal is to align CI behavior with the expectations defined in configure.ac, while modernizing the Linux environment and simplifying architecture handling.


1. Alignment with configure.ac

The build system assumes that required components provided via git submodules are fully and recursively initialized.

configure.ac explicitly documents this expectation (e.g., requiring recursive submodule initialization for bundled modules).

To ensure CI matches this requirement, the new workflow:

  • Upgrades actions/checkout from v4 to v6
  • Explicitly runs: git submodule update --init --recursive

This guarantees:

  • Deterministic submodule state
  • Full availability of bundled modules
  • Consistency with configure.ac
  • Reduced risk for upcoming submodule updates (including the pending Mbed TLS update PR)

This is the primary structural change introduced by this workflow.


2. Integration of v2 Linux Static Analysis Flow

The workflow adds a dedicated Linux cppcheck job using a debian:sid container.

This structure is derived from the previous v2 CI logic and restores Linux-based static analysis in addition to the macOS job.

Benefits:

  • Closer alignment with the Linux target environment
  • Broader static analysis coverage
  • Continuity with earlier CI design

3. Removal of x32 (i386)

The new workflow drops 32-bit (x32/i386) builds:

  • Ubuntu upgraded from 22.04 to 24.04
  • Ubuntu 24.04 no longer provides native i386 runner support
  • Removes multilib setup and architecture-specific dependency branches
  • Simplifies the matrix and dependency logic

This reduces CI complexity and aligns the build matrix with current runner support.

Additional Updates

  • macOS 14 → macOS 15
  • Windows 2022 → Windows 2025
  • Minor matrix cleanup and clearer job structure


Rationale for Separate Workflow

The existing workflow is intentionally preserved to:

  • Avoid disrupting the current CI baseline
  • Allow isolated validation of structural changes
  • Enable safe comparison before potential consolidation
  • Reduce migration risk
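A guard step like the following, added here as an example and not taken from the PR or the project's CI, turns the "deterministic submodule state" goal into something a job can fail on before configure runs; the paths and commit ids in the sample are constructed:

```shell
#!/bin/sh
# Added example, not part of the PR or the project's own CI: a guard step that
# inspects `git submodule status --recursive` so a job fails early when a
# bundled module is missing or not at the commit pinned by the superproject,
# which is the state configure.ac expects before the build starts.
#
# git prints one line per submodule:  <flag><sha1> <path> [(describe)]
#   ' ' checked out at the recorded commit
#   '-' not initialized
#   '+' checked out at a different commit than the one recorded
#   'U' merge conflicts

# Reads status lines on stdin, prints "<problem> <path>" for every bad
# submodule, returns 0 when all are clean and 1 otherwise.
submodule_problems() {
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        flag=$(printf '%s' "$line" | cut -c1)
        path=$(printf '%s' "$line" | awk '{print $2}')
        case "$flag" in
            ' ') ;;
            '-') echo "uninitialized $path"; bad=1 ;;
            '+') echo "mismatched $path"; bad=1 ;;
            'U') echo "conflicted $path"; bad=1 ;;
            *)   echo "unparsed $line"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Constructed sample (not real output from the repository): one clean module,
# one never initialized, one checked out at the wrong commit.
SAMPLE_STATUS=' 0123456789abcdef0123456789abcdef01234567 others/libinjection (v3.10.0)
-89abcdef0123456789abcdef0123456789abcdef others/mbedtls
+fedcba9876543210fedcba9876543210fedcba98 test/test-cases/secrules-language-tests (heads/master)'

# Stand-alone demo on the sample; in a workflow step you would pipe the real
# command instead:  git submodule status --recursive | submodule_problems
printf '%s\n' "$SAMPLE_STATUS" | submodule_problems || echo "submodule check failed (exit $?)"
```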

@airween
Member

airween commented Mar 2, 2026

Hi @Easton97-Jens,

many thanks for this PR.

The only thing I've done is to reformat your description a bit for better visibility. Please take a look at that; I hope I put the lines (lists, headings) in the right place.

If you think everything is okay, just let me know, or feel free to correct the description. I can merge this one soon.

Besides that, I like this PR. If everything is okay, we can remove the existing one later - what do you think?

@Easton97-Jens
Contributor Author

You can go ahead and merge the PR.
I’ll leave it up to you when to remove the old CI workflow – we can keep it for a short observation period if you prefer.

Contributor

Copilot AI left a comment

Pull request overview

This PR introduces a new, parallel CI workflow (ci_new.yml) alongside the existing ci.yml. Its primary goals are: aligning the CI environment with what configure.ac requires (recursive submodule initialization), upgrading runner environments (Ubuntu 24.04, macOS 15, Windows 2025), dropping x32/i386 support, and adding a Linux-based static analysis job using a debian:sid container.

Changes:

  • Adds a new ci_new.yml workflow with updated runner versions (Ubuntu 24.04, macOS 15, Windows 2025) and explicit recursive submodule initialization.
  • Introduces a new cppcheck-linux static analysis job using a debian:sid container.
  • Drops x32/i386 matrix entries from the Linux build.


Updated CI workflow to use recursive submodules and changed container from debian:sid to debian:trixie. Removed GeoIP library build steps and unnecessary dependencies.
Member

@airween airween left a comment

Please see my comments.

Added options for pcre and updated dependencies for cppcheck installation.
@sonarqubecloud

sonarqubecloud bot commented Mar 7, 2026

Quality Gate failed

Failed conditions
3 Security Hotspots

See analysis details on SonarQube Cloud

@Easton97-Jens Easton97-Jens requested a review from airween March 7, 2026 03:47
@airween
Member

airween commented Mar 8, 2026

@Easton97-Jens,

just a quick and interesting note: look at those two cppcheck jobs.

Here is the failed one's result which uses cppcheck-2.20.0

2026-03-07T11:20:25.3147910Z warning: src/variables/variable.h,157,style,functionConst,Unless it overrides a base class member, the member function 'modsecurity::variables::KeyExclusions::toOmit' can be made a const function. Making this function 'const' should not cause compiler errors. Even though the function can be made const function technically it may not make sense conceptually. Think about your design and the task of the function first - is it a function that must not change object internal state?

And here is the successful one, which uses cppcheck-2.19.0. This version of cppcheck can't find the issue that the newer one found.

This is why it's important to use the latest release.

(Please do not misunderstand this, I know this issue was not caused by your PR)

@Easton97-Jens
Contributor Author

Thanks for the clarification! Do you think the PR is good to merge now, or is there anything else I should adjust?

@airween
Member

airween commented Mar 8, 2026

Thanks for the clarification! Do you think the PR is good to merge now, or is there anything else I should adjust?

There is only one thing as I see - please check the reviews.

@Easton97-Jens
Contributor Author

Thanks again for the review! The change has already been included in my latest update and is part of the commits from March 6, 2026. I also updated the submodules checkout configuration. Could you please take another look at the file, especially around lines 230–237?

@Easton97-Jens Easton97-Jens requested a review from airween March 8, 2026 19:50
@airween
Member

airween commented Mar 8, 2026

Thanks again for the review! The change has already been included in my latest update and is part of the commits from March 6, 2026. I also updated the submodules checkout configuration. Could you please take another look at the file, especially around lines 230–237?

Sorry, I just checked the modified file and there Copilot still mentioned that.

Thank you for this PR, I'm going to merge it.

@airween airween merged commit c3e31de into owasp-modsecurity:v3/master Mar 8, 2026
86 of 88 checks passed
@airween airween mentioned this pull request Mar 8, 2026
