disable mallocTrim

2026-06-05 09:46:53 +00:00 · 2026-06-03 19:12:09 +01:00
28 changed files with 692 additions and 676 deletions
--- a/.github/actions/build-deps/action.yml
+++ b/.github/actions/build-deps/action.yml
@@ -35,8 +35,9 @@ runs:
        LOG_VERBOSITY: ${{ inputs.log_verbosity }}
        SANITIZERS: ${{ inputs.sanitizers }}
      run: |
+        echo 'Installing dependencies.'
        conan install \
-            --profile:all ci \
+            --profile ci \
            --build="${BUILD_OPTION}" \
            --options:host='&:tests=True' \
            --options:host='&:xrpld=True' \
--- a/.github/actions/set-compiler-env/action.yml
+++ b/.github/actions/set-compiler-env/action.yml
@@ -1,34 +0,0 @@
-name: Set compiler environment
-description: "Set CC and CXX environment variables for the given compiler."
-
-inputs:
-  compiler:
-    description: 'The compiler to use ("gcc" or "clang").'
-    required: true
-
-runs:
-  using: composite
-
-  steps:
-    - name: Set CC and CXX for gcc
-      if: ${{ inputs.compiler == 'gcc' }}
-      shell: bash
-      run: |
-        echo "CC=gcc" >>"${GITHUB_ENV}"
-        echo "CXX=g++" >>"${GITHUB_ENV}"
-
-    - name: Set CC and CXX for clang
-      if: ${{ inputs.compiler == 'clang' }}
-      shell: bash
-      run: |
-        echo "CC=clang" >>"${GITHUB_ENV}"
-        echo "CXX=clang++" >>"${GITHUB_ENV}"
-
-    - name: Fail on unknown compiler
-      if: ${{ inputs.compiler != 'gcc' && inputs.compiler != 'clang' }}
-      shell: bash
-      env:
-        COMPILER: ${{ inputs.compiler }}
-      run: |
-        echo "Unknown compiler: $COMPILER" >&2
-        exit 1
--- a/.github/actions/setup-conan/action.yml
+++ b/.github/actions/setup-conan/action.yml
@@ -15,35 +15,32 @@ runs:
  using: composite

  steps:
-    - name: Apply custom configuration to global.conf
+    - name: Set up Conan configuration
      shell: bash
      run: |
+        echo 'Installing configuration.'
        cat conan/global.conf ${{ runner.os == 'Linux' && '>>' || '>' }} $(conan config home)/global.conf

-    - name: Show global configuration
-      shell: bash
-      run: |
+        echo 'Conan configuration:'
        conan config show '*'

-    - name: Install profiles
+    - name: Set up Conan profile
      shell: bash
      run: |
+        echo 'Installing profile.'
        conan config install conan/profiles/ -tf $(conan config home)/profiles/

-    - name: Show CI profile
-      shell: bash
-      run: |
+        echo 'Conan profile:'
        conan profile show --profile ci

-    - name: Add a remote
+    - name: Set up Conan remote
      shell: bash
      env:
        REMOTE_NAME: ${{ inputs.remote_name }}
        REMOTE_URL: ${{ inputs.remote_url }}
      run: |
+        echo "Adding Conan remote '${REMOTE_NAME}' at '${REMOTE_URL}'."
        conan remote add --index 0 --force "${REMOTE_NAME}" "${REMOTE_URL}"

-    - name: List remotes
-      shell: bash
-      run: |
+        echo 'Listing Conan remotes.'
        conan remote list
--- a/.github/scripts/strategy-matrix/generate.py
+++ b/.github/scripts/strategy-matrix/generate.py
@@ -1,281 +1,384 @@
 #!/usr/bin/env python3
 import argparse
-import dataclasses
 import itertools
 import json
+from dataclasses import dataclass
 from pathlib import Path

 THIS_DIR = Path(__file__).parent.resolve()

-_BASE_CMAKE_ARGS = ["-Dtests=ON", "-Dwerr=ON", "-Dxrpld=ON", "-Dwextra=ON"]

-# Maps sanitizer names (as used in cmake) to short config-name suffixes.
-_SANITIZER_SUFFIX: dict[str, str] = {
-    "address": "asan",
-    "undefinedbehavior": "ubsan",
-    "thread": "tsan",
-}
-
-
-def get_cmake_args(build_type: str, extra_args: str) -> str:
-    """Get the full list of CMake arguments for a config."""
-    args = _BASE_CMAKE_ARGS.copy()
-    if build_type == "Release":
-        args.append("-Dassert=ON")
-    if extra_args:
-        args.extend(extra_args.split())
-    return " ".join(args)
-
-
-# ---------------------------------------------------------------------------
-# Input types — shapes of the JSON config files
-# ---------------------------------------------------------------------------
-
-
-@dataclasses.dataclass
-class LinuxConfig:
-    """One entry in linux.json's 'configs' or 'package_configs' arrays."""
-
-    compiler: list[str]
+@dataclass
+class Config:
+    architecture: list[dict]
+    os: list[dict]
    build_type: list[str]
-    arch: list[str]
-    sanitizers: list[str] = dataclasses.field(default_factory=list)
-    suffix: str = ""
-    extra_cmake_args: str = ""
-    image: str = ""  # only used by package_configs entries
+    cmake_args: list[str]


-@dataclasses.dataclass
-class LinuxFile:
-    """Shape of linux.json."""
+"""
+Generate a strategy matrix for GitHub Actions CI.

-    image_tag: str
-    configs: dict[str, list[LinuxConfig]]  # distro → configs
-    package_configs: dict[str, list[LinuxConfig]]  # distro → packaging configs
+On each PR commit we will build a selection of Debian, RHEL, Ubuntu, MacOS, and
+Windows configurations, while upon merge into the develop or release branches,
+we will build all configurations, and test most of them.

-    @classmethod
-    def load(cls, path: Path) -> "LinuxFile":
-        data = json.loads(path.read_text())
-
-        def parse(section: dict) -> dict[str, list[LinuxConfig]]:
-            return {
-                distro: [LinuxConfig(**c) for c in cfgs]
-                for distro, cfgs in section.items()
-            }
-
-        return cls(
-            image_tag=data["image_tag"],
-            configs=parse(data["configs"]),
-            package_configs=parse(data.get("package_configs", {})),
-        )
+We will further set additional CMake arguments as follows:
+- All builds will have the `tests`, `werr`, and `xrpld` options.
+- All builds will have the `wextra` option except for GCC 12 and Clang 16.
+- All release builds will have the `assert` option.
+- Certain Debian Bookworm configurations will change the reference fee, enable
+  codecov, and enable voidstar in PRs.
+"""


-@dataclasses.dataclass
-class PlatformConfig:
-    """One entry in macos.json's or windows.json's 'configs' array."""
-
-    build_type: list[str]
-    build_only: bool = False  # if true, skip tests (e.g. macos/Windows Debug)
-    extra_cmake_args: str = ""
-
-    def __post_init__(self) -> None:
-        if isinstance(self.build_type, str):
-            self.build_type = [self.build_type]
+def build_config_name(os_entry: dict[str, str], platform: str, build_type: str) -> str:
+    parts = [os_entry["distro_name"]]
+    for key in ("distro_version", "compiler_name", "compiler_version"):
+        if value := os_entry[key]:
+            parts.append(value)
+    parts.append("arm64" if "arm64" in platform else "amd64")
+    parts.append(build_type.lower())
+    return "-".join(parts)


-@dataclasses.dataclass
-class PlatformFile:
-    """Shape of macos.json and windows.json."""
-
-    platform: str  # e.g. "macos/arm64" or "windows/amd64"
-    runner: list[str]  # GitHub Actions runner labels
-    configs: list[PlatformConfig]
-
-    @classmethod
-    def load(cls, path: Path) -> "PlatformFile":
-        data = json.loads(path.read_text())
-        return cls(
-            platform=data["platform"],
-            runner=data["runner"],
-            configs=[PlatformConfig(**c) for c in data["configs"]],
-        )
-
-
-# ---------------------------------------------------------------------------
-# Output types — shapes of the generated GitHub Actions matrix entries
-# ---------------------------------------------------------------------------
-
-
-@dataclasses.dataclass
-class Architecture:
-    platform: str
-    runner: list[str]
-
-
-@dataclasses.dataclass
-class MatrixEntry:
-    """One entry in the generated build/test strategy matrix."""
-
-    config_name: str
-    cmake_args: str
-    cmake_target: str
-    build_only: bool
-    build_type: str
-    architecture: Architecture
-    sanitizers: str
-    image: str = ""  # container image; empty for macOS/Windows (runs natively)
-    compiler: str = ""  # compiler name ("gcc" or "clang"); empty for macOS/Windows
-
-
-@dataclasses.dataclass
-class PackagingEntry:
-    """One entry in the generated packaging strategy matrix."""
-
-    artifact_name: str
-    image: str
-    distro: str  # e.g. "debian" or "rhel"; drives package-format-specific steps
-
-
-# ---------------------------------------------------------------------------
-# Matrix expansion
-# ---------------------------------------------------------------------------
-
-_ARCHS: dict[str, Architecture] = {
-    "amd64": Architecture(
-        platform="linux/amd64", runner=["self-hosted", "Linux", "X64", "heavy"]
-    ),
-    "arm64": Architecture(
-        platform="linux/arm64",
-        runner=["self-hosted", "Linux", "ARM64", "heavy-arm64"],
-    ),
-}
-
-
-def expand_linux_matrix(linux: LinuxFile) -> list[MatrixEntry]:
-    """Expand a LinuxFile into a flat list of matrix entries.
-
-    Each config entry is expanded over the cross-product of its
-    compiler, build_type, sanitizers, and architecture lists.
+def generate_packaging_matrix(config: Config) -> list[dict]:
+    """Emit one entry per os entry with `package: true`. Architecture is
+    hardcoded to linux/amd64 here (and the runner is hardcoded at the
+    workflow level) until arm64 packaging is ready.
    """
-    entries: list[MatrixEntry] = []
+    return [
+        {
+            "artifact_name": f"xrpld-{build_config_name(os, 'linux/amd64', 'Release')}",
+            "os": os,
+        }
+        for os in config.os
+        if os.get("package", False)
+    ]

-    for distro, configs in linux.configs.items():
-        for cfg in configs:
-            # An empty sanitizers list means "one entry with no sanitizer".
-            effective_sanitizers = cfg.sanitizers or [""]
-            effective_archs = {arch: _ARCHS[arch] for arch in cfg.arch}

-            for compiler, build_type, sanitizer, (arch, arch_info) in itertools.product(
-                cfg.compiler,
-                cfg.build_type,
-                effective_sanitizers,
-                effective_archs.items(),
+def generate_strategy_matrix(all: bool, config: Config) -> list[dict]:
+    configurations = []
+    for architecture, os, build_type, cmake_args in itertools.product(
+        config.architecture, config.os, config.build_type, config.cmake_args
+    ):
+        # The default CMake target is 'all' for Linux and MacOS and 'install'
+        # for Windows, but it can get overridden for certain configurations.
+        cmake_target = "install" if os["distro_name"] == "windows" else "all"
+
+        # We build and test all configurations by default, except for Windows in
+        # Debug, because it is too slow, as well as when code coverage is
+        # enabled as that mode already runs the tests.
+        build_only = False
+        if os["distro_name"] == "windows" and build_type == "Debug":
+            build_only = True
+
+        # Only generate a subset of configurations in PRs.
+        if not all:
+            # Debian:
+            # - Bookworm using GCC 13: Debug on linux/amd64, set the reference
+            #   fee to 500 and enable code coverage (which will be done below).
+            # - Bookworm using GCC 15: Debug on linux/amd64, enable Address and
+            #   UB sanitizers (which will be done below).
+            # - Bookworm using Clang 16: Debug on linux/amd64, enable voidstar.
+            # - Bookworm using Clang 17: Release on linux/amd64, set the
+            #   reference fee to 1000.
+            # - Bookworm using Clang 20: Debug on linux/amd64, enable Address
+            #   and UB sanitizers (which will be done below).
+            if os["distro_name"] == "debian":
+                skip = True
+                if os["distro_version"] == "bookworm":
+                    if (
+                        f"{os['compiler_name']}-{os['compiler_version']}" == "gcc-13"
+                        and build_type == "Debug"
+                        and architecture["platform"] == "linux/amd64"
+                    ):
+                        cmake_args = f"-DUNIT_TEST_REFERENCE_FEE=500 {cmake_args}"
+                        skip = False
+                    if (
+                        f"{os['compiler_name']}-{os['compiler_version']}" == "gcc-15"
+                        and build_type == "Release"
+                        and architecture["platform"] == "linux/amd64"
+                    ):
+                        skip = False
+                    if (
+                        f"{os['compiler_name']}-{os['compiler_version']}" == "clang-16"
+                        and build_type == "Debug"
+                        and architecture["platform"] == "linux/amd64"
+                    ):
+                        cmake_args = f"-Dvoidstar=ON {cmake_args}"
+                        skip = False
+                    if (
+                        f"{os['compiler_name']}-{os['compiler_version']}" == "clang-17"
+                        and build_type == "Release"
+                        and architecture["platform"] == "linux/amd64"
+                    ):
+                        cmake_args = f"-DUNIT_TEST_REFERENCE_FEE=1000 {cmake_args}"
+                        skip = False
+                elif os["distro_version"] == "trixie":
+                    if (
+                        f"{os['compiler_name']}-{os['compiler_version']}" == "clang-22"
+                        and build_type == "Debug"
+                        and architecture["platform"] == "linux/amd64"
+                    ):
+                        skip = False
+                if skip:
+                    continue
+
+            # RHEL:
+            # - 9 using GCC 12: Debug and Release on linux/amd64
+            #   (Release is required for RPM packaging).
+            # - 10 using Clang: Release on linux/amd64.
+            if os["distro_name"] == "rhel":
+                skip = True
+                if os["distro_version"] == "9":
+                    if (
+                        f"{os['compiler_name']}-{os['compiler_version']}" == "gcc-12"
+                        and build_type in ["Debug", "Release"]
+                        and architecture["platform"] == "linux/amd64"
+                    ):
+                        skip = False
+                elif os["distro_version"] == "10":
+                    if (
+                        f"{os['compiler_name']}-{os['compiler_version']}" == "clang-any"
+                        and build_type == "Release"
+                        and architecture["platform"] == "linux/amd64"
+                    ):
+                        skip = False
+                if skip:
+                    continue
+
+            # Ubuntu:
+            # - Jammy using GCC 12: Debug on linux/arm64, Release on
+            #   linux/amd64 (Release is required for DEB packaging).
+            # - Noble using GCC 14: Release on linux/amd64.
+            # - Noble using Clang 18: Debug on linux/amd64.
+            # - Noble using Clang 19: Release on linux/arm64.
+            if os["distro_name"] == "ubuntu":
+                skip = True
+                if os["distro_version"] == "jammy":
+                    if (
+                        f"{os['compiler_name']}-{os['compiler_version']}" == "gcc-12"
+                        and build_type == "Debug"
+                        and architecture["platform"] == "linux/arm64"
+                    ):
+                        skip = False
+                    if (
+                        f"{os['compiler_name']}-{os['compiler_version']}" == "gcc-12"
+                        and build_type == "Release"
+                        and architecture["platform"] == "linux/amd64"
+                    ):
+                        skip = False
+                elif os["distro_version"] == "noble":
+                    if (
+                        f"{os['compiler_name']}-{os['compiler_version']}" == "gcc-14"
+                        and build_type == "Release"
+                        and architecture["platform"] == "linux/amd64"
+                    ):
+                        skip = False
+                    if (
+                        f"{os['compiler_name']}-{os['compiler_version']}" == "clang-18"
+                        and build_type == "Debug"
+                        and architecture["platform"] == "linux/amd64"
+                    ):
+                        skip = False
+                    if (
+                        f"{os['compiler_name']}-{os['compiler_version']}" == "clang-19"
+                        and build_type == "Release"
+                        and architecture["platform"] == "linux/arm64"
+                    ):
+                        skip = False
+                if skip:
+                    continue
+
+            # MacOS:
+            # - Debug on macos/arm64.
+            if os["distro_name"] == "macos" and not (
+                build_type == "Debug" and architecture["platform"] == "macos/arm64"
            ):
-                name = f"{distro}-{compiler}-{build_type.lower()}-{arch}"
-                suffix_parts = [
-                    s for s in [cfg.suffix, _SANITIZER_SUFFIX.get(sanitizer, "")] if s
-                ]
-                if suffix_parts:
-                    name += "-" + "-".join(suffix_parts)
+                continue

-                entries.append(
-                    MatrixEntry(
-                        config_name=name,
-                        image=f"ghcr.io/xrplf/xrpld/nix-{distro}:{linux.image_tag}",
-                        cmake_args=get_cmake_args(build_type, cfg.extra_cmake_args),
-                        cmake_target="all",
-                        build_only=False,
-                        build_type=build_type,
-                        architecture=arch_info,
-                        sanitizers=sanitizer,
-                        compiler=compiler,
-                    )
-                )
+            # Windows:
+            # - Release on windows/amd64.
+            if os["distro_name"] == "windows" and not (
+                build_type == "Release" and architecture["platform"] == "windows/amd64"
+            ):
+                continue

-    return entries
+        # Additional CMake arguments.
+        cmake_args = f"{cmake_args} -Dtests=ON -Dwerr=ON -Dxrpld=ON"
+        if not f"{os['compiler_name']}-{os['compiler_version']}" in [
+            "gcc-12",
+            "clang-16",
+        ]:
+            cmake_args = f"{cmake_args} -Dwextra=ON"
+        if build_type == "Release":
+            cmake_args = f"{cmake_args} -Dassert=ON"

+        # We skip all RHEL on arm64 due to a build failure that needs further
+        # investigation.
+        if os["distro_name"] == "rhel" and architecture["platform"] == "linux/arm64":
+            continue

-def expand_linux_packaging(linux: LinuxFile) -> list[PackagingEntry]:
-    """Generate the packaging matrix from a LinuxFile's package_configs section.
+        # We skip all clang 20+ on arm64 due to Boost build error.
+        if (
+            os["compiler_name"] == "clang"
+            and os["compiler_version"].isdigit()
+            and int(os["compiler_version"]) >= 20
+            and architecture["platform"] == "linux/arm64"
+        ):
+            continue

-    Packaging uses vanilla distro images (debian:bookworm, ubi9, …) instead of
-    the nix-based build images, because deb/rpm tooling (debhelper, rpm-build)
-    is taken from the distro's archive rather than from nixpkgs. Each config
-    entry carries its own 'image'.
-    """
-    entries = []
-    for distro, configs in linux.package_configs.items():
-        for cfg in configs:
-            for compiler, build_type in itertools.product(cfg.compiler, cfg.build_type):
-                entries.append(
-                    PackagingEntry(
-                        artifact_name=f"xrpld-{distro}-{compiler}-{build_type.lower()}-amd64",
-                        image=cfg.image,
-                        distro=distro,
-                    )
-                )
+        # Enable code coverage for Debian Bookworm using GCC 13 in Debug on
+        # linux/amd64.
+        if (
+            f"{os['distro_name']}-{os['distro_version']}" == "debian-bookworm"
+            and f"{os['compiler_name']}-{os['compiler_version']}" == "gcc-13"
+            and build_type == "Debug"
+            and architecture["platform"] == "linux/amd64"
+        ):
+            cmake_args = f"{cmake_args} -Dcoverage=ON -Dcoverage_format=xml -DCODE_COVERAGE_VERBOSE=ON -DCMAKE_C_FLAGS=-O0 -DCMAKE_CXX_FLAGS=-O0"

-    return entries
+        # Enable unity build for Ubuntu Jammy using GCC 12 in Debug on
+        # linux/amd64.
+        if (
+            f"{os['distro_name']}-{os['distro_version']}" == "ubuntu-jammy"
+            and f"{os['compiler_name']}-{os['compiler_version']}" == "gcc-12"
+            and build_type == "Debug"
+            and architecture["platform"] == "linux/amd64"
+        ):
+            cmake_args = f"{cmake_args} -Dunity=ON"

+        # Generate a unique name for the configuration, e.g. macos-arm64-debug
+        # or debian-bookworm-gcc-12-amd64-release.
+        config_name = build_config_name(os, architecture["platform"], build_type)
+        if "-Dcoverage=ON" in cmake_args:
+            config_name += "-coverage"
+        if "-Dunity=ON" in cmake_args:
+            config_name += "-unity"

-def expand_platform_matrix(pf: PlatformFile) -> list[MatrixEntry]:
-    """Expand a PlatformFile (macOS or Windows) into matrix entries."""
-    platform_name, arch = pf.platform.split("/")
-    is_windows = platform_name == "windows"
-
-    entries: list[MatrixEntry] = []
-    for cfg in pf.configs:
-        for build_type in cfg.build_type:
-            entries.append(
-                MatrixEntry(
-                    config_name=f"{platform_name}-{arch}-{build_type.lower()}",
-                    cmake_args=get_cmake_args(build_type, cfg.extra_cmake_args),
-                    cmake_target="install" if is_windows else "all",
-                    build_only=cfg.build_only,
-                    build_type=build_type,
-                    architecture=Architecture(platform=pf.platform, runner=pf.runner),
-                    sanitizers="",
-                )
+        # Add the configuration to the list, with the most unique fields first,
+        # so that they are easier to identify in the GitHub Actions UI, as long
+        # names get truncated.
+        # Add Address and UB sanitizers as separate configurations for specific
+        # bookworm distros. Thread sanitizer is currently disabled (see below).
+        # GCC-Asan xrpld-embedded tests are failing because of https://github.com/google/sanitizers/issues/856
+        if (
+            os["distro_version"] == "bookworm"
+            and f"{os['compiler_name']}-{os['compiler_version']}" == "gcc-15"
+        ) or (
+            os["distro_version"] == "trixie"
+            and f"{os['compiler_name']}-{os['compiler_version']}" == "clang-22"
+        ):
+            # Add ASAN and UBSAN configurations for both gcc-15 and clang-22
+            configurations.append(
+                {
+                    "config_name": config_name + "-asan",
+                    "cmake_args": cmake_args,
+                    "cmake_target": cmake_target,
+                    "build_only": build_only,
+                    "build_type": build_type,
+                    "os": os,
+                    "architecture": architecture,
+                    "sanitizers": "address",
+                }
            )
-    return entries
+            configurations.append(
+                {
+                    "config_name": config_name + "-ubsan",
+                    "cmake_args": cmake_args,
+                    "cmake_target": cmake_target,
+                    "build_only": build_only,
+                    "build_type": build_type,
+                    "os": os,
+                    "architecture": architecture,
+                    "sanitizers": "undefinedbehavior",
+                }
+            )
+            # TSAN is deactivated due to seg faults with latest compilers.
+            activate_tsan = False
+            if activate_tsan:
+                configurations.append(
+                    {
+                        "config_name": config_name + "-tsan-ubsan",
+                        "cmake_args": cmake_args,
+                        "cmake_target": cmake_target,
+                        "build_only": build_only,
+                        "build_type": build_type,
+                        "os": os,
+                        "architecture": architecture,
+                        "sanitizers": "thread,undefinedbehavior",
+                    }
+                )
+        else:
+            configurations.append(
+                {
+                    "config_name": config_name,
+                    "cmake_args": cmake_args,
+                    "cmake_target": cmake_target,
+                    "build_only": build_only,
+                    "build_type": build_type,
+                    "os": os,
+                    "architecture": architecture,
+                    "sanitizers": "",
+                }
+            )
+
+    return configurations


-# ---------------------------------------------------------------------------
-# Entry point
-# ---------------------------------------------------------------------------
+def read_config(file: Path) -> Config:
+    config = json.loads(file.read_text())
+    if (
+        config["architecture"] is None
+        or config["os"] is None
+        or config["build_type"] is None
+        or config["cmake_args"] is None
+    ):
+        raise Exception("Invalid configuration file.")
+
+    return Config(**config)


 if __name__ == "__main__":
-    parser = argparse.ArgumentParser(
-        description="Generate a CI strategy matrix for all platforms or a specific one."
+    parser = argparse.ArgumentParser()
+    parser.add_argument(
+        "-a",
+        "--all",
+        help="Set to generate all configurations (generally used when merging a PR) or leave unset to generate a subset of configurations (generally used when committing to a PR).",
+        action="store_true",
    )
    parser.add_argument(
        "-c",
        "--config",
-        help="Platform to generate for ('linux', 'macos', or 'windows'). Defaults to all platforms.",
-        choices=["linux", "macos", "windows"],
-        default=None,
+        help="Path to the JSON file containing the strategy matrix configurations.",
+        required=False,
+        type=Path,
    )
    parser.add_argument(
        "-p",
        "--packaging",
-        help="Emit the Linux packaging matrix instead of the build/test matrix.",
+        help="Emit the packaging matrix (derived from the 'package' field on os entries) instead of the build/test matrix.",
        action="store_true",
    )
    args = parser.parse_args()

-    matrix: list[MatrixEntry] | list[PackagingEntry] = []
-
+    matrix = []
    if args.packaging:
-        matrix = expand_linux_packaging(LinuxFile.load(THIS_DIR / "linux.json"))
+        config_path = args.config if args.config else THIS_DIR / "linux.json"
+        matrix += generate_packaging_matrix(read_config(config_path))
+    elif args.config is None or args.config == "":
+        matrix += generate_strategy_matrix(
+            args.all, read_config(THIS_DIR / "linux.json")
+        )
+        matrix += generate_strategy_matrix(
+            args.all, read_config(THIS_DIR / "macos.json")
+        )
+        matrix += generate_strategy_matrix(
+            args.all, read_config(THIS_DIR / "windows.json")
+        )
    else:
-        if args.config in ("linux", None):
-            matrix += expand_linux_matrix(LinuxFile.load(THIS_DIR / "linux.json"))
-        if args.config in ("macos", None):
-            matrix += expand_platform_matrix(PlatformFile.load(THIS_DIR / "macos.json"))
-        if args.config in ("windows", None):
-            matrix += expand_platform_matrix(
-                PlatformFile.load(THIS_DIR / "windows.json")
-            )
+        matrix += generate_strategy_matrix(args.all, read_config(args.config))

-    print(f"matrix={json.dumps({'include': [dataclasses.asdict(e) for e in matrix]})}")
+    # Generate the strategy matrix.
+    print(f"matrix={json.dumps({'include': matrix})}")
--- a/.github/scripts/strategy-matrix/linux.json
+++ b/.github/scripts/strategy-matrix/linux.json
@@ -1,83 +1,221 @@
 {
-  "image_tag": "sha-6c54342",
-  "configs": {
-    "ubuntu": [
-      {
-        "compiler": ["gcc", "clang"],
-        "build_type": ["Debug", "Release"],
-        "arch": ["amd64", "arm64"]
-      },
-
-      {
-        "compiler": ["gcc", "clang"],
-        "build_type": ["Debug"],
-        "arch": ["amd64"],
-        "sanitizers": ["address", "undefinedbehavior"]
-      },
-
-      {
-        "compiler": ["gcc"],
-        "build_type": ["Debug"],
-        "arch": ["amd64"],
-        "suffix": "coverage",
-        "extra_cmake_args": "-DUNIT_TEST_REFERENCE_FEE=500 -Dcoverage=ON -Dcoverage_format=xml -DCODE_COVERAGE_VERBOSE=ON -DCMAKE_C_FLAGS=-O0 -DCMAKE_CXX_FLAGS=-O0"
-      },
-      {
-        "compiler": ["clang"],
-        "build_type": ["Debug"],
-        "arch": ["amd64"],
-        "suffix": "voidstar",
-        "extra_cmake_args": "-Dvoidstar=ON"
-      },
-      {
-        "compiler": ["clang"],
-        "build_type": ["Release"],
-        "arch": ["amd64"],
-        "suffix": "reffee",
-        "extra_cmake_args": "-DUNIT_TEST_REFERENCE_FEE=1000"
-      },
-      {
-        "compiler": ["gcc"],
-        "build_type": ["Debug"],
-        "arch": ["amd64"],
-        "suffix": "unity",
-        "extra_cmake_args": "-Dunity=ON"
-      }
-    ],
-
-    "debian": [
-      {
-        "compiler": ["gcc"],
-        "build_type": ["Release"],
-        "arch": ["amd64"]
-      }
-    ],
-
-    "rhel": [
-      {
-        "compiler": ["gcc"],
-        "build_type": ["Release"],
-        "arch": ["amd64"]
-      }
-    ]
-  },
-  "package_configs": {
-    "debian": [
-      {
-        "compiler": ["gcc"],
-        "build_type": ["Release"],
-        "arch": ["amd64"],
-        "image": "debian:bookworm"
-      }
-    ],
-
-    "rhel": [
-      {
-        "compiler": ["gcc"],
-        "build_type": ["Release"],
-        "arch": ["amd64"],
-        "image": "registry.access.redhat.com/ubi9/ubi:latest"
-      }
-    ]
-  }
+  "architecture": [
+    {
+      "platform": "linux/amd64",
+      "runner": ["self-hosted", "Linux", "X64", "heavy"]
+    },
+    {
+      "platform": "linux/arm64",
+      "runner": ["self-hosted", "Linux", "ARM64", "heavy-arm64"]
+    }
+  ],
+  "os": [
+    {
+      "distro_name": "debian",
+      "distro_version": "bookworm",
+      "compiler_name": "gcc",
+      "compiler_version": "12",
+      "image_sha": "4c086b9"
+    },
+    {
+      "distro_name": "debian",
+      "distro_version": "bookworm",
+      "compiler_name": "gcc",
+      "compiler_version": "13",
+      "image_sha": "4c086b9"
+    },
+    {
+      "distro_name": "debian",
+      "distro_version": "bookworm",
+      "compiler_name": "gcc",
+      "compiler_version": "14",
+      "image_sha": "4c086b9"
+    },
+    {
+      "distro_name": "debian",
+      "distro_version": "bookworm",
+      "compiler_name": "gcc",
+      "compiler_version": "15",
+      "image_sha": "4c086b9"
+    },
+    {
+      "distro_name": "debian",
+      "distro_version": "bookworm",
+      "compiler_name": "clang",
+      "compiler_version": "16",
+      "image_sha": "4c086b9"
+    },
+    {
+      "distro_name": "debian",
+      "distro_version": "bookworm",
+      "compiler_name": "clang",
+      "compiler_version": "17",
+      "image_sha": "4c086b9"
+    },
+    {
+      "distro_name": "debian",
+      "distro_version": "bookworm",
+      "compiler_name": "clang",
+      "compiler_version": "18",
+      "image_sha": "4c086b9"
+    },
+    {
+      "distro_name": "debian",
+      "distro_version": "bookworm",
+      "compiler_name": "clang",
+      "compiler_version": "19",
+      "image_sha": "4c086b9"
+    },
+    {
+      "distro_name": "debian",
+      "distro_version": "bookworm",
+      "compiler_name": "clang",
+      "compiler_version": "20",
+      "image_sha": "4c086b9"
+    },
+    {
+      "distro_name": "debian",
+      "distro_version": "trixie",
+      "compiler_name": "gcc",
+      "compiler_version": "14",
+      "image_sha": "4c086b9"
+    },
+    {
+      "distro_name": "debian",
+      "distro_version": "trixie",
+      "compiler_name": "gcc",
+      "compiler_version": "15",
+      "image_sha": "4c086b9"
+    },
+    {
+      "distro_name": "debian",
+      "distro_version": "trixie",
+      "compiler_name": "clang",
+      "compiler_version": "20",
+      "image_sha": "4c086b9"
+    },
+    {
+      "distro_name": "debian",
+      "distro_version": "trixie",
+      "compiler_name": "clang",
+      "compiler_version": "21",
+      "image_sha": "4c086b9"
+    },
+    {
+      "distro_name": "debian",
+      "distro_version": "trixie",
+      "compiler_name": "clang",
+      "compiler_version": "22",
+      "image_sha": "4c086b9"
+    },
+    {
+      "distro_name": "rhel",
+      "distro_version": "8",
+      "compiler_name": "gcc",
+      "compiler_version": "14",
+      "image_sha": "4c086b9"
+    },
+    {
+      "distro_name": "rhel",
+      "distro_version": "8",
+      "compiler_name": "clang",
+      "compiler_version": "any",
+      "image_sha": "4c086b9"
+    },
+    {
+      "distro_name": "rhel",
+      "distro_version": "9",
+      "compiler_name": "gcc",
+      "compiler_version": "12",
+      "image_sha": "4c086b9",
+      "package": true
+    },
+    {
+      "distro_name": "rhel",
+      "distro_version": "9",
+      "compiler_name": "gcc",
+      "compiler_version": "13",
+      "image_sha": "4c086b9"
+    },
+    {
+      "distro_name": "rhel",
+      "distro_version": "9",
+      "compiler_name": "gcc",
+      "compiler_version": "14",
+      "image_sha": "4c086b9"
+    },
+    {
+      "distro_name": "rhel",
+      "distro_version": "9",
+      "compiler_name": "clang",
+      "compiler_version": "any",
+      "image_sha": "4c086b9"
+    },
+    {
+      "distro_name": "rhel",
+      "distro_version": "10",
+      "compiler_name": "gcc",
+      "compiler_version": "14",
+      "image_sha": "4c086b9"
+    },
+    {
+      "distro_name": "rhel",
+      "distro_version": "10",
+      "compiler_name": "clang",
+      "compiler_version": "any",
+      "image_sha": "4c086b9"
+    },
+    {
+      "distro_name": "ubuntu",
+      "distro_version": "jammy",
+      "compiler_name": "gcc",
+      "compiler_version": "12",
+      "image_sha": "4c086b9",
+      "package": true
+    },
+    {
+      "distro_name": "ubuntu",
+      "distro_version": "noble",
+      "compiler_name": "gcc",
+      "compiler_version": "13",
+      "image_sha": "4c086b9"
+    },
+    {
+      "distro_name": "ubuntu",
+      "distro_version": "noble",
+      "compiler_name": "gcc",
+      "compiler_version": "14",
+      "image_sha": "4c086b9"
+    },
+    {
+      "distro_name": "ubuntu",
+      "distro_version": "noble",
+      "compiler_name": "clang",
+      "compiler_version": "16",
+      "image_sha": "4c086b9"
+    },
+    {
+      "distro_name": "ubuntu",
+      "distro_version": "noble",
+      "compiler_name": "clang",
+      "compiler_version": "17",
+      "image_sha": "4c086b9"
+    },
+    {
+      "distro_name": "ubuntu",
+      "distro_version": "noble",
+      "compiler_name": "clang",
+      "compiler_version": "18",
+      "image_sha": "4c086b9"
+    },
+    {
+      "distro_name": "ubuntu",
+      "distro_version": "noble",
+      "compiler_name": "clang",
+      "compiler_version": "19",
+      "image_sha": "4c086b9"
+    }
+  ],
+  "build_type": ["Debug", "Release"],
+  "cmake_args": [""]
 }
--- a/.github/scripts/strategy-matrix/macos.json
+++ b/.github/scripts/strategy-matrix/macos.json
@@ -1,15 +1,19 @@
 {
-  "platform": "macos/arm64",
-  "runner": ["self-hosted", "macOS", "ARM64", "mac-runner-m1"],
-  "configs": [
+  "architecture": [
    {
-      "build_type": "Release",
-      "extra_cmake_args": "-DCMAKE_POLICY_VERSION_MINIMUM=3.5"
-    },
-    {
-      "build_type": "Debug",
-      "extra_cmake_args": "-DCMAKE_POLICY_VERSION_MINIMUM=3.5",
-      "build_only": true
+      "platform": "macos/arm64",
+      "runner": ["self-hosted", "macOS", "ARM64", "mac-runner-m1"]
    }
-  ]
+  ],
+  "os": [
+    {
+      "distro_name": "macos",
+      "distro_version": "",
+      "compiler_name": "",
+      "compiler_version": "",
+      "image_sha": ""
+    }
+  ],
+  "build_type": ["Debug", "Release"],
+  "cmake_args": ["-DCMAKE_POLICY_VERSION_MINIMUM=3.5"]
 }
--- a/.github/scripts/strategy-matrix/windows.json
+++ b/.github/scripts/strategy-matrix/windows.json
@@ -1,8 +1,19 @@
 {
-  "platform": "windows/amd64",
-  "runner": ["self-hosted", "Windows", "devbox"],
-  "configs": [
-    { "build_type": "Release" },
-    { "build_type": "Debug", "build_only": true }
-  ]
+  "architecture": [
+    {
+      "platform": "windows/amd64",
+      "runner": ["self-hosted", "Windows", "devbox"]
+    }
+  ],
+  "os": [
+    {
+      "distro_name": "windows",
+      "distro_version": "",
+      "compiler_name": "",
+      "compiler_version": "",
+      "image_sha": ""
+    }
+  ],
+  "build_type": ["Debug", "Release"],
+  "cmake_args": [""]
 }
--- a/.github/workflows/on-tag.yml
+++ b/.github/workflows/on-tag.yml
@@ -33,6 +33,7 @@ jobs:
    with:
      ccache_enabled: false
      os: ${{ matrix.os }}
+      strategy_matrix: minimal
    secrets:
      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

--- a/.github/workflows/on-trigger.yml
+++ b/.github/workflows/on-trigger.yml
@@ -88,6 +88,7 @@ jobs:
      # not identical to a regular compilation.
      ccache_enabled: ${{ github.repository_owner == 'XRPLF' && !startsWith(github.ref, 'refs/heads/release') }}
      os: ${{ matrix.os }}
+      strategy_matrix: ${{ github.event_name == 'schedule' && 'all' || 'minimal' }}
    secrets:
      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

--- a/.github/workflows/reusable-build-test-config.yml
+++ b/.github/workflows/reusable-build-test-config.yml
@@ -57,12 +57,6 @@ on:
        type: string
        default: ""

-      compiler:
-        description: 'The compiler to use ("gcc" or "clang"). Leave empty for macOS/Windows (uses system default).'
-        required: false
-        type: string
-        default: ""
-
    secrets:
      CODECOV_TOKEN:
        description: "The Codecov token to use for uploading coverage reports."
@@ -130,12 +124,6 @@ jobs:
        with:
          subtract: ${{ inputs.nproc_subtract }}

-      - name: Set compiler environment (Linux)
-        if: ${{ runner.os == 'Linux' }}
-        uses: ./.github/actions/set-compiler-env
-        with:
-          compiler: ${{ inputs.compiler }}
-
      - name: Setup Conan
        env:
          SANITIZERS: ${{ inputs.sanitizers }}
@@ -203,21 +191,6 @@ jobs:
              --parallel "${BUILD_NPROC}" \
              --target "${CMAKE_TARGET}"

-      # This step is needed to allow running in non-Nix environments
-      - name: Patch binary to use default loader and remove rpath (Linux)
-        if: ${{ runner.os == 'Linux' && env.SANITIZERS_ENABLED == 'false' }}
-        run: |
-          loader="$(/tmp/loader-path.sh)"
-          patchelf --set-interpreter "${loader}" --remove-rpath "${{ env.BUILD_DIR }}/xrpld"
-
-      # We're only running aarch64 Linux builds in Ubuntu-based images, so this is kept simple
-      - name: Install libatomic (Linux aarch64)
-        if: ${{ runner.os == 'Linux' && runner.arch == 'ARM64' }}
-        run: |
-          apt update --yes
-          apt install -y --no-install-recommends \
-              libatomic1
-
      - name: Show ccache statistics
        if: ${{ inputs.ccache_enabled }}
        run: |
@@ -244,7 +217,7 @@ jobs:
          ./xrpld --definitions | python3 -m json.tool >server_definitions.json

      - name: Upload server definitions
-        if: ${{ github.event.repository.visibility == 'public' && inputs.config_name == 'debian-gcc-release-amd64' }}
+        if: ${{ github.event.repository.visibility == 'public' && inputs.config_name == 'debian-bookworm-gcc-13-amd64-release' }}
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: server-definitions
@@ -306,25 +279,7 @@ jobs:
          set -o pipefail
          # Coverage builds are slower due to instrumentation; use fewer parallel jobs to avoid flakiness
          [ "$COVERAGE_ENABLED" = "true" ] && BUILD_NPROC=$((BUILD_NPROC - 2))
-
-          # The resolver/preload workaround is only correct for the ASan build:
-          # a regular build doesn't hit the __dn_expand interceptor bug, and must
-          # NOT have libasan injected. So only preload when xrpld is ASan-built.
-          #
-          # libresolv hosts getaddrinfo's resolver helpers (dn_expand, res_*). Under ASan
-          # these are intercepted via dlsym(RTLD_NEXT, ...), which yields a NULL pointer
-          # and crashes DNS resolution if libresolv isn't loaded. Linking it guarantees
-          # the symbols are present; it's a harmless no-op on glibc >= 2.34 (merged into
-          # libc) and is what the compiler driver already does for sanitizer builds.
-          #   https://github.com/llvm/llvm-project/issues/59007
-          #   https://github.com/google/sanitizers/issues/1592
-          if ldd ./xrpld | grep -q libasan; then
-              PRELOAD="$(gcc -print-file-name=libasan.so):/usr/lib/x86_64-linux-gnu/libresolv.so.2"
-          else
-              PRELOAD=""
-          fi
-
-          LD_PRELOAD="$PRELOAD" ./xrpld --unittest --unittest-jobs "${BUILD_NPROC}" 2>&1 | tee unittest.log
+          ./xrpld --unittest --unittest-jobs "${BUILD_NPROC}" 2>&1 | tee unittest.log

      - name: Show test failure summary
        if: ${{ failure() && !inputs.build_only }}
--- a/.github/workflows/reusable-build-test.yml
+++ b/.github/workflows/reusable-build-test.yml
@@ -19,6 +19,13 @@ on:
        required: true
        type: string

+      strategy_matrix:
+        # TODO: Support additional strategies, e.g. "ubuntu" for generating all Ubuntu configurations.
+        description: 'The strategy matrix to use for generating the configurations ("minimal", "all").'
+        required: false
+        type: string
+        default: "minimal"
+
    secrets:
      CODECOV_TOKEN:
        description: "The Codecov token to use for uploading coverage reports."
@@ -30,6 +37,7 @@ jobs:
    uses: ./.github/workflows/reusable-strategy-matrix.yml
    with:
      os: ${{ inputs.os }}
+      strategy_matrix: ${{ inputs.strategy_matrix }}

  # Build and test the binary for each configuration.
  build-test-config:
@@ -39,6 +47,7 @@ jobs:
    strategy:
      fail-fast: ${{ github.event_name == 'merge_group' }}
      matrix: ${{ fromJson(needs.generate-matrix.outputs.matrix) }}
+      max-parallel: 10
    with:
      build_only: ${{ matrix.build_only }}
      build_type: ${{ matrix.build_type }}
@@ -46,9 +55,8 @@ jobs:
      cmake_args: ${{ matrix.cmake_args }}
      cmake_target: ${{ matrix.cmake_target }}
      runs_on: ${{ toJSON(matrix.architecture.runner) }}
-      image: ${{ matrix.image || '' }}
+      image: ${{ contains(matrix.architecture.platform, 'linux') && format('ghcr.io/xrplf/ci/{0}-{1}:{2}-{3}-sha-{4}', matrix.os.distro_name, matrix.os.distro_version, matrix.os.compiler_name, matrix.os.compiler_version, matrix.os.image_sha) || '' }}
      config_name: ${{ matrix.config_name }}
      sanitizers: ${{ matrix.sanitizers }}
-      compiler: ${{ matrix.compiler || '' }}
    secrets:
      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
--- a/.github/workflows/reusable-package.yml
+++ b/.github/workflows/reusable-package.yml
@@ -1,7 +1,8 @@
 # Build Linux packages (DEB and RPM) from pre-built binary artifacts.
-# Discovers which configurations to package from linux.json (configs in
-# "package_configs") and fans out one job per distro. Only linux/amd64 is
-# supported; the runner is hardcoded in the job below.
+# Discovers which configurations to package from linux.json (os entries
+# with "package": true) and fans out one job per entry. Today only
+# linux/amd64 is emitted; the architecture is hardcoded both here
+# (runner) and in generate.py.
 name: Package

 on:
@@ -32,12 +33,13 @@ jobs:
      - name: Set up Python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
-          python-version: "3.13"
+          python-version: 3.13

      - name: Generate packaging matrix
        id: generate
        working-directory: .github/scripts/strategy-matrix
-        run: ./generate.py --packaging >>"${GITHUB_OUTPUT}"
+        run: |
+          ./generate.py --packaging --config=linux.json >>"${GITHUB_OUTPUT}"

  generate-version:
    runs-on: ubuntu-latest
@@ -64,35 +66,10 @@ jobs:
    permissions:
      contents: read
    runs-on: ["self-hosted", "Linux", "X64", "heavy"]
-    container: ${{ matrix.image }}
+    container: ${{ format('ghcr.io/xrplf/ci/{0}-{1}:{2}-{3}-sha-{4}', matrix.os.distro_name, matrix.os.distro_version, matrix.os.compiler_name, matrix.os.compiler_version, matrix.os.image_sha) }}
    timeout-minutes: 30

    steps:
-      # Packaging runs in a vanilla distro image, so the tooling has to come
-      # from the distro's archive: debhelper for deb, rpm-build (and the
-      # systemd / find-debuginfo macros it depends on) for rpm. Run this
-      # before actions/checkout so the latter can use git (real history) for
-      # build_pkg.sh's SOURCE_DATE_EPOCH; otherwise it falls back to a tarball
-      # download and the timestamp comes from wall-clock time.
-      - name: Install packaging tooling (deb)
-        if: ${{ matrix.distro == 'debian' }}
-        run: |
-          export DEBIAN_FRONTEND=noninteractive
-          apt-get update
-          apt-get install -y --no-install-recommends \
-              ca-certificates \
-              debhelper \
-              git
-
-      - name: Install packaging tooling (rpm)
-        if: ${{ matrix.distro == 'rhel' }}
-        run: |
-          dnf install -y --setopt=install_weak_deps=False \
-              git \
-              rpm-build \
-              redhat-rpm-config \
-              systemd-rpm-macros
-
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

--- a/.github/workflows/reusable-strategy-matrix.yml
+++ b/.github/workflows/reusable-strategy-matrix.yml
@@ -4,9 +4,15 @@ on:
  workflow_call:
    inputs:
      os:
-        description: 'The operating system to use for the build ("linux", "macos", "windows", or empty for all).'
+        description: 'The operating system to use for the build ("linux", "macos", "windows").'
        required: false
        type: string
+      strategy_matrix:
+        # TODO: Support additional strategies, e.g. "ubuntu" for generating all Ubuntu configurations.
+        description: 'The strategy matrix to use for generating the configurations ("minimal", "all").'
+        required: false
+        type: string
+        default: "minimal"
    outputs:
      matrix:
        description: "The generated strategy matrix."
@@ -28,11 +34,12 @@ jobs:
      - name: Set up Python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
-          python-version: "3.13"
+          python-version: 3.13

      - name: Generate strategy matrix
        working-directory: .github/scripts/strategy-matrix
        id: generate
        env:
-          GENERATE_CONFIG: ${{ inputs.os != '' && format('--config={0}', inputs.os) || '' }}
-        run: ./generate.py ${GENERATE_CONFIG} >>"${GITHUB_OUTPUT}"
+          GENERATE_CONFIG: ${{ inputs.os != '' && format('--config={0}.json', inputs.os) || '' }}
+          GENERATE_OPTION: ${{ inputs.strategy_matrix == 'all' && '--all' || '' }}
+        run: ./generate.py ${GENERATE_OPTION} ${GENERATE_CONFIG} >>"${GITHUB_OUTPUT}"
--- a/.github/workflows/upload-conan-deps.yml
+++ b/.github/workflows/upload-conan-deps.yml
@@ -48,6 +48,8 @@ jobs:
  # Generate the strategy matrix to be used by the following job.
  generate-matrix:
    uses: ./.github/workflows/reusable-strategy-matrix.yml
+    with:
+      strategy_matrix: ${{ github.event_name == 'pull_request' && 'minimal' || 'all' }}

  # Build and upload the dependencies for each configuration.
  run-upload-conan-deps:
@@ -56,8 +58,9 @@ jobs:
    strategy:
      fail-fast: false
      matrix: ${{ fromJson(needs.generate-matrix.outputs.matrix) }}
+      max-parallel: 10
    runs-on: ${{ matrix.architecture.runner }}
-    container: ${{ matrix.image || null }}
+    container: ${{ contains(matrix.architecture.platform, 'linux') && format('ghcr.io/xrplf/ci/{0}-{1}:{2}-{3}-sha-{4}', matrix.os.distro_name, matrix.os.distro_version, matrix.os.compiler_name, matrix.os.compiler_version, matrix.os.image_sha) || null }}
    steps:
      - name: Cleanup workspace (macOS and Windows)
        if: ${{ runner.os == 'macOS' || runner.os == 'Windows' }}
@@ -80,12 +83,6 @@ jobs:
        with:
          subtract: ${{ env.NPROC_SUBTRACT }}

-      - name: Set compiler environment (Linux)
-        if: ${{ runner.os == 'Linux' }}
-        uses: ./.github/actions/set-compiler-env
-        with:
-          compiler: ${{ matrix.compiler }}
-
      - name: Setup Conan
        env:
          SANITIZERS: ${{ matrix.sanitizers }}
--- a/cmake/XrplCompiler.cmake
+++ b/cmake/XrplCompiler.cmake
@@ -145,39 +145,13 @@ else()
        INTERFACE
            -rdynamic
            $<$<BOOL:${is_linux}>:-Wl,-z,relro,-z,now,--build-id>
-            # link to static libc/c++ if:
-            # * static option set and
-            # * NOT APPLE (AppleClang does not support static libc/c++)
-            $<$<AND:$<BOOL:${static}>,$<NOT:$<BOOL:${APPLE}>>>:
+            # link to static libc/c++ iff: * static option set and * NOT APPLE (AppleClang does not support static
+            # libc/c++) and * NOT SANITIZERS (sanitizers typically don't work with static libc/c++)
+            $<$<AND:$<BOOL:${static}>,$<NOT:$<BOOL:${APPLE}>>,$<NOT:$<BOOL:${SANITIZERS_ENABLED}>>>:
            -static-libstdc++
            -static-libgcc
            >
    )
-
-    # Keep -stdlib=libstdc++ off the compile commands, but preserve it for linking.
-    #
-    # Conan turns `compiler.libcxx=libstdc++` into `-stdlib=libstdc++` and puts it in
-    # CMAKE_CXX_FLAGS, which CMake passes to BOTH compile and link steps. On a normal Clang
-    # the compile step consumes it while choosing the C++ stdlib include paths. The Nixpkgs
-    # Clang wrapper supplies those paths itself (via -nostdinc++), so at compile time the
-    # flag is unused -> Clang errors under our -Werror. At link time the flag IS consumed
-    # (it selects the C++ runtime), so we move it there instead of dropping it entirely.
-    get_filename_component(_cxx_real "${CMAKE_CXX_COMPILER}" REALPATH)
-    if(
-        _cxx_real MATCHES "^/nix/store/"
-        AND is_linux
-        AND is_clang
-        AND CMAKE_CXX_FLAGS MATCHES "stdlib=libstdc"
-    )
-        string(
-            REPLACE "-stdlib=libstdc++"
-            ""
-            CMAKE_CXX_FLAGS
-            "${CMAKE_CXX_FLAGS}"
-        )
-        string(STRIP "${CMAKE_CXX_FLAGS}" CMAKE_CXX_FLAGS)
-        add_link_options($<$<LINK_LANGUAGE:CXX>:-stdlib=libstdc++>)
-    endif()
 endif()

 # Antithesis instrumentation will only be built and deployed using machines running Linux.
--- a/conan/profiles/ci
+++ b/conan/profiles/ci
@@ -1,8 +1 @@
-{% set os = detect_api.detect_os() %}
 include(sanitizers)
-
-[conf]
-{% if os == "Linux" %}
-user.package:libc_version=2.31
-tools.info.package_id:confs+=["user.package:libc_version"]
-{% endif %}
--- a/cspell.config.yaml
+++ b/cspell.config.yaml
@@ -50,7 +50,6 @@ words:
  - AMMXRP
  - amt
  - amts
-  - archs
  - asnode
  - asynchrony
  - attestation
@@ -135,7 +134,6 @@ words:
  - iou
  - ious
  - isrdc
-  - isystem
  - itype
  - jemalloc
  - jlog
--- a/docker/check-tool-versions.sh
+++ b/docker/check-tool-versions.sh
@@ -8,18 +8,13 @@ clang++ --version
 clang-format --version
 cmake --version
 conan --version
-curl --version
-doxygen --version
 g++ --version
 gcc --version
-gcov --version
 gcovr --version
 git --version
-gpg --version
 less --version
 make --version
 mold --version
-netstat --version
 ninja --version
 perl --version
 pkg-config --version
@@ -27,9 +22,3 @@ pre-commit --version
 python3 --version
 run-clang-tidy --help
 vim --version
-
-# A simple test to verify that git can clone a repository over HTTPS
-# (i.e. the CA bundle is wired up). Clone to a temp dir and clean up.
-tmp_clone="$(mktemp -d)"
-git clone --depth 1 https://github.com/XRPLF/actions.git "${tmp_clone}/actions"
-rm -rf "${tmp_clone}"
--- a/docker/install-sanitizer-libs.sh
+++ b/docker/install-sanitizer-libs.sh
@@ -27,87 +27,63 @@ fi
 echo "Detected OS: ${ID} ${VERSION_ID:-}"

 case "${ID}" in
-    ubuntu | debian | rhel | centos | rocky | almalinux)
-        echo "Supported OS detected: ${ID}"
+    debian)
+        apt-get update -y
+        apt-get install -y --no-install-recommends \
+            libasan8 \
+            libtsan2 \
+            libubsan1
+
+        apt-get clean
+        rm -rf /var/lib/apt/lists/*
        ;;
+
+    ubuntu)
+        apt-get update -y
+        apt-get install -y --no-install-recommends \
+            gnupg \
+            software-properties-common
+        add-apt-repository -y ppa:ubuntu-toolchain-r/test
+        apt-get update -y
+        apt-get install -y --no-install-recommends \
+            libasan8 \
+            libtsan2 \
+            libubsan1
+
+        apt-get clean
+        rm -rf /var/lib/apt/lists/*
+        ;;
+
+    rhel | centos | rocky | almalinux)
+        dnf install -y \
+            libasan8 \
+            libtsan2 \
+            libubsan
+
+        dnf clean -y all
+        rm -rf /var/cache/dnf/*
+        ;;
+
    *)
        echo "ERROR: unsupported OS '${ID}'. Supported: debian, ubuntu, rhel-family" >&2
        exit 1
        ;;
 esac

-function preinstall() {
-    case "${ID}" in
-        ubuntu)
-            apt-get update -y
-            apt-get install -y --no-install-recommends \
-                gnupg \
-                software-properties-common
-            add-apt-repository -y ppa:ubuntu-toolchain-r/test
-            ;;
-    esac
-}
-
-function install() {
-    case "${ID}" in
-        debian | ubuntu)
-            apt-get update -y
-            apt-get install -y --no-install-recommends \
-                libasan8 \
-                libtsan2 \
-                libubsan1
-            ;;
-
-        rhel | centos | rocky | almalinux)
-            dnf install -y \
-                libasan8 \
-                libtsan2 \
-                libubsan
-            ;;
-    esac
-}
-
-function postinstall() {
-    # Don't clear cache in non-CI environments
-    if [ -z "${CI:-}" ]; then
-        echo "Not running in CI environment; skipping cache cleanup"
-        return
+# Verify that every expected library is now resolvable by the dynamic linker.
+missing=0
+for lib in libasan.so.8 libtsan.so.2 libubsan.so.1; do
+    if ldconfig -p | grep -q "${lib}"; then
+        echo "OK: ${lib} found"
+    else
+        echo "ERROR: ${lib} not found after installation" >&2
+        missing=$((missing + 1))
    fi
+done

-    case "${ID}" in
-        debian | ubuntu)
-            apt-get clean
-            rm -rf /var/lib/apt/lists/*
-            ;;
-
-        rhel | centos | rocky | almalinux)
-            dnf clean -y all
-            rm -rf /var/cache/dnf/*
-            ;;
-    esac
-}
-
-function verify() {
-    # Verify that every expected library is now resolvable by the dynamic linker.
-    missing=0
-    for lib in libasan.so.8 libtsan.so.2 libubsan.so.1; do
-        if ldconfig -p | grep -q "${lib}"; then
-            echo "OK: ${lib} found"
-        else
-            echo "ERROR: ${lib} not found after installation" >&2
-            missing=$((missing + 1))
-        fi
-    done
-
-    if [ "${missing}" -ne 0 ]; then
-        echo "ERROR: ${missing} library/libraries missing" >&2
-        exit 1
-    fi
-}
-
-preinstall
-install
-postinstall
-verify
+if [ "${missing}" -ne 0 ]; then
+    echo "ERROR: ${missing} library/libraries missing" >&2
+    exit 1
+fi

 echo "All sanitizer runtime libraries installed successfully."
--- a/docker/nix.Dockerfile
+++ b/docker/nix.Dockerfile
@@ -47,12 +47,6 @@ COPY --from=builder /tmp/build/result /nix/ci-env

 ENV PATH="/nix/ci-env/bin:${PATH}"

-# Point HTTPS clients (git, curl, conan, ...) at the CA bundle shipped in the
-# Nix CI environment, so TLS verification works without ca-certificates being
-# installed in the system.
-ENV SSL_CERT_FILE="/nix/ci-env/etc/ssl/certs/ca-bundle.crt"
-ENV GIT_SSL_CAINFO="/nix/ci-env/etc/ssl/certs/ca-bundle.crt"
-
 # Externally-built dynamically-linked ELF binaries hard-code the loader path
 # (e.g. /lib64/ld-linux-x86-64.so.2) in their PT_INTERP header. Install it
 # from the Nix store when the base image doesn't already provide one.
@@ -71,8 +65,8 @@ if [ ! -e "${target}" ]; then
 fi
 EOF

-COPY docker/check-tools.sh /tmp/check-tools.sh
-RUN /tmp/check-tools.sh
+COPY docker/check-tool-versions.sh /tmp/check-tool-versions.sh
+RUN /tmp/check-tool-versions.sh

 # Sanity-check that the g++/clang++ are able to build binaries, including sanitizer-instrumented ones.
 COPY docker/test_files/cpp_sources/ /tmp/cpp_sources/
--- a/docker/test_files/cpp_sources/asan.cpp
+++ b/docker/test_files/cpp_sources/asan.cpp
@@ -2,13 +2,6 @@
 #include <cstddef>
 #include <iostream>

-// Regression test: the compiler-rt sanitizer interface headers must be on the
-// include path. A bare on-PATH clang in the Nix CI env doesn't get them
-// propagated automatically, so this include would fail to compile with clang++
-// if the env isn't wired up correctly. abseil hits the same include during
-// sanitizer builds. LeakSanitizer ships with AddressSanitizer.
-#include <sanitizer/lsan_interface.h>
-
 #if defined(__clang__) || defined(__GNUC__)
 __attribute__((noinline))
 #elif defined(_MSC_VER)
--- a/nix/ci-env.nix
+++ b/nix/ci-env.nix
@@ -43,15 +43,6 @@ let
    bintools = customBinutils;
  };

-  # gcov ships in gcc's `cc` output, but the cc-wrapper doesn't expose it.
-  # Surface the gcov from our rebuilt gcc (linked against the custom glibc, so
-  # it runs under the loader installed in the image) and matching the exact
-  # compiler version, so gcovr can produce coverage reports in the CI env.
-  customGcov = pkgs.runCommand "gcov-custom-for-ci-env" { } ''
-    mkdir -p "$out/bin"
-    ln -s "${customGccCc}/bin/gcov" "$out/bin/gcov"
-  '';
-
  # stdenv built around the rebuilt gcc / custom glibc. Used to rebuild
  # compiler-rt below so its sanitizer runtimes see the custom glibc
  # headers.
@@ -94,14 +85,6 @@ let
      ln -s "${customCompilerRt.out}/lib" "$rsrc/lib"
      ln -s "${customCompilerRt.out}/share" "$rsrc/share" || true
      echo "-resource-dir=$rsrc" >> $out/nix-support/cc-cflags
-      # compiler-rt ships the sanitizer/profile/xray interface headers (e.g.
-      # <sanitizer/lsan_interface.h>) in its `dev` output. In a normal Nix
-      # build these reach the include path because compiler-rt is propagated
-      # via depsTargetTargetPropagated and stdenv's setup hooks add its
-      # dev/include. The CI image runs clang outside a Nix stdenv (binaries
-      # on PATH, no setup hooks), so that never happens; add the headers
-      # explicitly. gcc ships its own copy, which is why this is clang-only.
-      echo "-isystem ${customCompilerRt.dev}/include" >> $out/nix-support/cc-cflags
    '';
  };

@@ -122,16 +105,11 @@ in
    name = "xrpld-ci-env";
    paths = commonPackages ++ [
      customGcc
-      customGcov
      customClangForCiEnv
      customBinutils
-      # CA certificate bundle so HTTPS clients (git, curl, conan) can verify
-      # TLS connections without ca-certificates being installed in the system.
-      pkgs.cacert
    ];
    pathsToLink = [
      "/bin"
-      "/etc/ssl/certs"
      "/lib"
      "/include"
      "/share"
--- a/nix/packages.nix
+++ b/nix/packages.nix
@@ -11,16 +11,12 @@ in
    ccache
    cmake
    conan
-    curlMinimal # needed for codecov/codecov-action
-    doxygen
    gcovr
    git
    gnumake
-    gnupg # needed for signing commits & codecov/codecov-action
    llvmPackages_22.clang-tools
    less # needed for git diff
    mold
-    nettools # provides netstat, used to debug failures in CI
    ninja
    patchelf
    perl # needed for openssl
--- a/src/libxrpl/tx/transactors/nft/NFTokenCancelOffer.cpp
+++ b/src/libxrpl/tx/transactors/nft/NFTokenCancelOffer.cpp
@@ -4,7 +4,6 @@
 #include <xrpl/basics/base_uint.h>
 #include <xrpl/ledger/View.h>
 #include <xrpl/ledger/helpers/NFTokenHelpers.h>
-#include <xrpl/protocol/Feature.h>
 #include <xrpl/protocol/Indexes.h>
 #include <xrpl/protocol/LedgerFormats.h>
 #include <xrpl/protocol/Protocol.h>
@@ -22,14 +21,8 @@ namespace xrpl {
 NotTEC
 NFTokenCancelOffer::preflight(PreflightContext const& ctx)
 {
-    auto const& offerIds = ctx.tx[sfNFTokenOffers];
-
-    if (offerIds.empty() || (offerIds.size() > kMaxTokenOfferCancelCount))
-        return temMALFORMED;
-
-    // Zero offer IDs cannot be passed as ledger entry keys.
-    if (ctx.rules.enabled(fixCleanup3_2_0) &&
-        std::ranges::any_of(offerIds, [](uint256 const& id) { return id.isZero(); }))
+    if (auto const& ids = ctx.tx[sfNFTokenOffers];
+        ids.empty() || (ids.size() > kMaxTokenOfferCancelCount))
        return temMALFORMED;

    // In order to prevent unnecessarily overlarge transactions, we
--- a/src/libxrpl/tx/transactors/vault/VaultWithdraw.cpp
+++ b/src/libxrpl/tx/transactors/vault/VaultWithdraw.cpp
@@ -300,7 +300,7 @@ VaultWithdraw::doApply()
                << "VaultWithdraw: "  //
                   "Cannot burn all outstanding shares while unrealized loss is non-zero";
            return tefINTERNAL;
-            // LCOV_EXCL_STOP
+            // LCOV_EXCL_END
        }

        STAmount const allAvailable{vaultAsset, *assetsAvailable};
--- a/src/test/app/NFToken_test.cpp
+++ b/src/test/app/NFToken_test.cpp
@@ -892,25 +892,6 @@ class NFTokenBaseUtil_test : public beast::unit_test::Suite
            BEAST_EXPECT(ownerCount(env, buyer) == 1);
        }

-        // Only test this with fixCleanup3_2_0 enabled. Without the fix,
-        // an assert-enabled build can crash when Ledger::read() receives
-        // a zero-key offer ID.
-        if (features[fixCleanup3_2_0])
-        {
-            // Zero is not a valid offer ID.
-            env(token::cancelOffer(buyer, {uint256{}}), Ter(temMALFORMED));
-            env.close();
-            BEAST_EXPECT(ownerCount(env, buyer) == 1);
-
-            // List of offer IDs containing zero is invalid.
-            // craftedIndex is not a valid offer index but it is not zero.
-            auto const craftedIndex = keylet::nftoffer(gw, env.seq(gw)).key;
-            env(token::cancelOffer(buyer, {buyerOfferIndex, uint256{}, craftedIndex}),
-                Ter(temMALFORMED));
-            env.close();
-            BEAST_EXPECT(ownerCount(env, buyer) == 1);
-        }
-
        // List of tokens to delete is too long.
        {
            std::vector<uint256> const offers(kMaxTokenOfferCancelCount + 1, buyerOfferIndex);
--- a/src/xrpld/app/ledger/ConsensusTransSetSF.cpp
+++ b/src/xrpld/app/ledger/ConsensusTransSetSF.cpp
@@ -20,7 +20,6 @@
 #include <functional>
 #include <memory>
 #include <optional>
-#include <string>

 namespace xrpl {

@@ -40,6 +39,8 @@ ConsensusTransSetSF::gotNode(
    if (fromFilter)
        return;

+    nodeCache_.insert(nodeHash, nodeData);
+
    if ((type == SHAMapNodeType::TnTransactionNm) && (nodeData.size() > 16))
    {
        // this is a transaction, and we didn't have it
@@ -55,20 +56,9 @@ ConsensusTransSetSF::gotNode(
                stx->getTransactionID() == nodeHash.asUInt256(),
                "xrpl::ConsensusTransSetSF::gotNode : transaction hash "
                "match");
-
-            // Rather than caching the (potentially large) transaction blob in
-            // nodeCache_, store the transaction in the TransactionMaster so
-            // getNode() can rebuild the leaf on demand. This is done
-            // synchronously to close the window before the asynchronous
-            // submission below populates the cache.
-            std::string reason;
-            auto tx = std::make_shared<Transaction>(stx, reason, app_);
-            app_.getMasterTransaction().canonicalize(&tx);
-
            auto const pap = &app_;
            app_.getJobQueue().addJob(
                JtTransaction, "TxsToTxn", [pap, stx]() { pap->getOPs().submitTransaction(stx); });
-            return;
        }
        catch (std::exception const& ex)
        {
@@ -76,11 +66,6 @@ ConsensusTransSetSF::gotNode(
                            << ex.what();
        }
    }
-
-    // Inner nodes have no alternative recovery source, so they must be cached
-    // for getNode() to satisfy later lookups. Any leaf we could not store in
-    // the TransactionMaster above also falls through to here.
-    nodeCache_.insert(nodeHash, nodeData);
 }

 std::optional<Blob>
--- a/src/xrpld/app/main/Application.cpp
+++ b/src/xrpld/app/main/Application.cpp
@@ -1088,7 +1088,7 @@ public:
                                   << "; size after: " << cachedSLEs_.size();
        }

-        mallocTrim("doSweep", journal_);
+        // mallocTrim("doSweep", journal_);

        // Set timer to do another sweep later.
        setSweepTimer();