chore: upgrade macos runner to xlarge (M2)

Upgrades macOS CI runner from macos-15 to macos-15-xlarge for faster
builds with more CPU cores.

Changes:
- runs-on: macos-15-xlarge (was: macos-15)

Benefits:
- M2 processor with more cores
- Faster compilation times
- Better ccache performance

.github/actions/xahau-configure-ccache/action.yml

@@ -1,63 +0,0 @@
-name: 'Configure ccache'
-description: 'Sets up ccache with consistent configuration'
-
-inputs:
-  max_size:
-    description: 'Maximum cache size'
-    required: false
-    default: '2G'
-  hash_dir:
-    description: 'Whether to include directory paths in hash'
-    required: false
-    default: 'true'
-  compiler_check:
-    description: 'How to check compiler for changes'
-    required: false
-    default: 'content'
-  is_main_branch:
-    description: 'Whether the current branch is the main branch'
-    required: false
-    default: 'false'
-  main_cache_dir:
-    description: 'Path to the main branch cache directory'
-    required: false
-    default: '~/.ccache-main'
-  current_cache_dir:
-    description: 'Path to the current branch cache directory'
-    required: false
-    default: '~/.ccache-current'
-
-runs:
-  using: 'composite'
-  steps:
-    - name: Configure ccache
-      shell: bash
-      run: |
-        # Create cache directories
-        mkdir -p ${{ inputs.main_cache_dir }} ${{ inputs.current_cache_dir }}
-        
-        # Set compiler check globally
-        ccache -o compiler_check=${{ inputs.compiler_check }}
-        
-        # Use a single config file location
-        mkdir -p ~/.ccache
-        export CONF_PATH="$HOME/.ccache/ccache.conf"
-        
-        # Apply common settings
-        echo "max_size = ${{ inputs.max_size }}" > "$CONF_PATH"
-        echo "hash_dir = ${{ inputs.hash_dir }}" >> "$CONF_PATH"
-        echo "compiler_check = ${{ inputs.compiler_check }}" >> "$CONF_PATH"
-        
-        if [ "${{ inputs.is_main_branch }}" == "true" ]; then
-          # Main branch: use main branch cache
-          ccache --set-config=cache_dir="${{ inputs.main_cache_dir }}"
-          echo "CCACHE_DIR=${{ inputs.main_cache_dir }}" >> $GITHUB_ENV
-        else
-          # Feature branch: use current branch cache with main as secondary
-          ccache --set-config=cache_dir="${{ inputs.current_cache_dir }}"
-          ccache --set-config=secondary_storage="file:${{ inputs.main_cache_dir }}"
-          echo "CCACHE_DIR=${{ inputs.current_cache_dir }}" >> $GITHUB_ENV
-        fi
-        
-        ccache -p # Print config for verification
-        ccache -z # Zero statistics before the build

.github/actions/xahau-ga-build/action.yml

@@ -47,6 +47,18 @@ inputs:
     description: 'GCC version to use for Clang toolchain (e.g. 11, 13)'
     required: false
     default: ''
+  ccache_max_size:
+    description: 'Maximum ccache size'
+    required: false
+    default: '2G'
+  ccache_hash_dir:
+    description: 'Whether to include directory paths in hash'
+    required: false
+    default: 'true'
+  ccache_compiler_check:
+    description: 'How to check compiler for changes'
+    required: false
+    default: 'content'
 
 runs:
   using: 'composite'
@@ -59,21 +71,22 @@ runs:
         SAFE_BRANCH=$(echo "${{ github.ref_name }}" | tr -c 'a-zA-Z0-9_.-' '-')
         echo "name=${SAFE_BRANCH}" >> $GITHUB_OUTPUT
 
-    - name: Restore ccache directory for default branch
+    - name: Restore ccache directory for main branch
       if: inputs.ccache_enabled == 'true'
       id: ccache-restore
-      uses: actions/cache/restore@v4
+      uses: ./.github/actions/xahau-ga-cache-restore
       with:
         path: ~/.ccache-main
         key: ${{ runner.os }}-ccache-v${{ inputs.cache_version }}-${{ inputs.compiler-id }}-${{ inputs.configuration }}-${{ inputs.main_branch }}
         restore-keys: |
           ${{ runner.os }}-ccache-v${{ inputs.cache_version }}-${{ inputs.compiler-id }}-${{ inputs.configuration }}-
           ${{ runner.os }}-ccache-v${{ inputs.cache_version }}-${{ inputs.compiler-id }}-
+        cache-type: ccache-main
 
     - name: Restore ccache directory for current branch
       if: inputs.ccache_enabled == 'true' && steps.safe-branch.outputs.name != inputs.main_branch
       id: ccache-restore-current-branch
-      uses: actions/cache/restore@v4
+      uses: ./.github/actions/xahau-ga-cache-restore
       with:
         path: ~/.ccache-current
         key: ${{ runner.os }}-ccache-v${{ inputs.cache_version }}-${{ inputs.compiler-id }}-${{ inputs.configuration }}-${{ steps.safe-branch.outputs.name }}
@@ -81,6 +94,40 @@ runs:
           ${{ runner.os }}-ccache-v${{ inputs.cache_version }}-${{ inputs.compiler-id }}-${{ inputs.configuration }}-${{ inputs.main_branch }}
           ${{ runner.os }}-ccache-v${{ inputs.cache_version }}-${{ inputs.compiler-id }}-${{ inputs.configuration }}-
           ${{ runner.os }}-ccache-v${{ inputs.cache_version }}-${{ inputs.compiler-id }}-
+        cache-type: ccache-current
+
+    - name: Configure ccache
+      if: inputs.ccache_enabled == 'true'
+      shell: bash
+      run: |
+        # Create cache directories
+        mkdir -p ~/.ccache-main ~/.ccache-current
+
+        # Configure ccache settings AFTER cache restore (prevents stale cached config)
+        ccache --set-config=max_size=${{ inputs.ccache_max_size }}
+        ccache --set-config=hash_dir=${{ inputs.ccache_hash_dir }}
+        ccache --set-config=compiler_check=${{ inputs.ccache_compiler_check }}
+
+        # Determine if we're on the main branch
+        if [ "${{ steps.safe-branch.outputs.name }}" = "${{ inputs.main_branch }}" ]; then
+          # Main branch: use main branch cache only
+          ccache --set-config=cache_dir="$HOME/.ccache-main"
+          echo "CCACHE_DIR=$HOME/.ccache-main" >> $GITHUB_ENV
+          echo "📦 Main branch: using ~/.ccache-main"
+        else
+          # Feature branch: use current branch cache with main as secondary (read-only fallback)
+          ccache --set-config=cache_dir="$HOME/.ccache-current"
+          ccache --set-config=secondary_storage="file:$HOME/.ccache-main"
+          echo "CCACHE_DIR=$HOME/.ccache-current" >> $GITHUB_ENV
+          echo "📦 Feature branch: using ~/.ccache-current with ~/.ccache-main as secondary"
+        fi
+
+        # Print config for verification
+        echo "=== ccache configuration ==="
+        ccache -p
+
+        # Zero statistics before the build
+        ccache -z
 
     - name: Configure project
       shell: bash
@@ -96,14 +143,27 @@ runs:
         if [ -n "${{ inputs.cxx }}" ]; then
           export CXX="${{ inputs.cxx }}"
         fi
-        
-        
-        # Configure ccache launcher args
-        CCACHE_ARGS=""
+
+        # Create wrapper toolchain that overlays ccache on top of Conan's toolchain
+        # This enables ccache for the main app build without affecting Conan dependency builds
         if [ "${{ inputs.ccache_enabled }}" = "true" ]; then
-          CCACHE_ARGS="-DCMAKE_C_COMPILER_LAUNCHER=ccache -DCMAKE_CXX_COMPILER_LAUNCHER=ccache"
+          cat > wrapper_toolchain.cmake <<'EOF'
+        # Include Conan's generated toolchain first (sets compiler, flags, etc.)
+        # Note: CMAKE_CURRENT_LIST_DIR is the directory containing this wrapper (.build/)
+        include(${CMAKE_CURRENT_LIST_DIR}/build/generators/conan_toolchain.cmake)
+
+        # Overlay ccache configuration for main application build
+        # This does NOT affect Conan dependency builds (already completed)
+        set(CMAKE_C_COMPILER_LAUNCHER ccache CACHE STRING "C compiler launcher" FORCE)
+        set(CMAKE_CXX_COMPILER_LAUNCHER ccache CACHE STRING "C++ compiler launcher" FORCE)
+        EOF
+          TOOLCHAIN_FILE="wrapper_toolchain.cmake"
+          echo "✅ Created wrapper toolchain with ccache enabled"
+        else
+          TOOLCHAIN_FILE="build/generators/conan_toolchain.cmake"
+          echo "ℹ️  Using Conan toolchain directly (ccache disabled)"
         fi
-        
+
         # Configure C++ standard library if specified
         # libstdcxx used for clang-14/16 to work around missing lexicographical_compare_three_way in libc++
         # libcxx can be used with clang-17+ which has full C++20 support
@@ -143,31 +203,48 @@ runs:
         # So we get: .build/build/generators/ with our non-standard folder name
         cmake .. \
           -G "${{ inputs.generator }}" \
-          $CCACHE_ARGS \
           ${CMAKE_CXX_FLAGS:+-DCMAKE_CXX_FLAGS="$CMAKE_CXX_FLAGS"} \
-          -DCMAKE_TOOLCHAIN_FILE:FILEPATH=build/generators/conan_toolchain.cmake \
+          -DCMAKE_TOOLCHAIN_FILE:FILEPATH=${TOOLCHAIN_FILE} \
           -DCMAKE_BUILD_TYPE=${{ inputs.configuration }}
 
+    - name: Show ccache config before build
+      if: inputs.ccache_enabled == 'true'
+      shell: bash
+      run: |
+        echo "=========================================="
+        echo "ccache configuration before build"
+        echo "=========================================="
+        ccache -p
+        echo ""
+
     - name: Build project
       shell: bash
       run: |
         cd ${{ inputs.build_dir }}
-        cmake --build . --config ${{ inputs.configuration }} --parallel $(nproc)
+
+        # Check for verbose build flag in commit message
+        VERBOSE_FLAG=""
+        if echo "${XAHAU_GA_COMMIT_MSG}" | grep -q '\[ci-ga-cmake-verbose\]'; then
+          echo "🔊 [ci-ga-cmake-verbose] detected - enabling verbose output"
+          VERBOSE_FLAG="-- -v"
+        fi
+
+        cmake --build . --config ${{ inputs.configuration }} --parallel $(nproc) ${VERBOSE_FLAG}
 
     - name: Show ccache statistics
       if: inputs.ccache_enabled == 'true'
       shell: bash
       run: ccache -s
 
-    - name: Save ccache directory for default branch
-      if: always() && inputs.ccache_enabled == 'true' && steps.safe-branch.outputs.name == inputs.main_branch
+    - name: Save ccache directory for main branch
+      if: success() && inputs.ccache_enabled == 'true' && steps.safe-branch.outputs.name == inputs.main_branch
       uses: actions/cache/save@v4
       with:
         path: ~/.ccache-main
         key: ${{ steps.ccache-restore.outputs.cache-primary-key }}
 
     - name: Save ccache directory for current branch
-      if: always() && inputs.ccache_enabled == 'true' && steps.safe-branch.outputs.name != inputs.main_branch
+      if: success() && inputs.ccache_enabled == 'true' && steps.safe-branch.outputs.name != inputs.main_branch
       uses: actions/cache/save@v4
       with:
         path: ~/.ccache-current

.github/actions/xahau-ga-cache-restore/action.yml

@@ -0,0 +1,146 @@
+name: 'Cache Restore'
+description: 'Restores cache with optional clearing based on commit message tags'
+
+inputs:
+  path:
+    description: 'A list of files, directories, and wildcard patterns to cache'
+    required: true
+  key:
+    description: 'An explicit key for restoring the cache'
+    required: true
+  restore-keys:
+    description: 'An ordered list of prefix-matched keys to use for restoring stale cache if no cache hit occurred for key'
+    required: false
+    default: ''
+  cache-type:
+    description: 'Type of cache (for logging purposes, e.g., "ccache-main", "Conan")'
+    required: false
+    default: 'cache'
+  fail-on-cache-miss:
+    description: 'Fail the workflow if cache entry is not found'
+    required: false
+    default: 'false'
+  lookup-only:
+    description: 'Check if a cache entry exists for the given input(s) without downloading it'
+    required: false
+    default: 'false'
+  additional-clear-keys:
+    description: 'Additional cache keys to clear (newline separated)'
+    required: false
+    default: ''
+
+outputs:
+  cache-hit:
+    description: 'A boolean value to indicate an exact match was found for the primary key'
+    value: ${{ steps.restore-cache.outputs.cache-hit }}
+  cache-primary-key:
+    description: 'The key that was used to restore the cache'
+    value: ${{ steps.restore-cache.outputs.cache-primary-key }}
+  cache-matched-key:
+    description: 'The key that was used to restore the cache (exact or prefix match)'
+    value: ${{ steps.restore-cache.outputs.cache-matched-key }}
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Clear cache if requested via commit message
+      shell: bash
+      env:
+        GH_TOKEN: ${{ github.token }}
+      run: |
+        echo "=========================================="
+        echo "${{ inputs.cache-type }} cache clear tag detection"
+        echo "=========================================="
+        echo "Searching for: [ci-ga-clear-cache] or [ci-ga-clear-cache:*]"
+        echo ""
+
+        CACHE_KEY="${{ inputs.key }}"
+
+        # Extract search terms if present (e.g., "ccache" from "[ci-ga-clear-cache:ccache]")
+        SEARCH_TERMS=$(echo "${XAHAU_GA_COMMIT_MSG}" | grep -o '\[ci-ga-clear-cache:[^]]*\]' | sed 's/\[ci-ga-clear-cache://;s/\]//' || echo "")
+
+        SHOULD_CLEAR=false
+
+        if [ -n "${SEARCH_TERMS}" ]; then
+          # Search terms provided - check if THIS cache key matches ALL terms (AND logic)
+          echo "🔍 [ci-ga-clear-cache:${SEARCH_TERMS}] detected"
+          echo "Checking if cache key matches search terms..."
+          echo "  Cache key: ${CACHE_KEY}"
+          echo "  Search terms: ${SEARCH_TERMS}"
+          echo ""
+
+          MATCHES=true
+          for term in ${SEARCH_TERMS}; do
+            if ! echo "${CACHE_KEY}" | grep -q "${term}"; then
+              MATCHES=false
+              echo "  ✗ Key does not contain '${term}'"
+              break
+            else
+              echo "  ✓ Key contains '${term}'"
+            fi
+          done
+
+          if [ "${MATCHES}" = "true" ]; then
+            echo ""
+            echo "✅ Cache key matches all search terms - will clear cache"
+            SHOULD_CLEAR=true
+          else
+            echo ""
+            echo "⏭️  Cache key doesn't match search terms - skipping cache clear"
+          fi
+        elif echo "${XAHAU_GA_COMMIT_MSG}" | grep -q '\[ci-ga-clear-cache\]'; then
+          # No search terms - always clear this job's cache
+          echo "🗑️  [ci-ga-clear-cache] detected in commit message"
+          echo "Clearing ${{ inputs.cache-type }} cache for key: ${CACHE_KEY}"
+          SHOULD_CLEAR=true
+        fi
+
+        if [ "${SHOULD_CLEAR}" = "true" ]; then
+          echo ""
+          echo "Deleting ${{ inputs.cache-type }} caches via GitHub API..."
+
+          # Delete primary cache key
+          echo "Checking for cache: ${CACHE_KEY}"
+          if gh cache list --key "${CACHE_KEY}" --json key --jq '.[].key' | grep -q "${CACHE_KEY}"; then
+            echo "  Deleting: ${CACHE_KEY}"
+            gh cache delete "${CACHE_KEY}" || true
+            echo "  ✓ Deleted"
+          else
+            echo "  ℹ️  Not found"
+          fi
+
+          # Delete additional keys if provided
+          if [ -n "${{ inputs.additional-clear-keys }}" ]; then
+            echo ""
+            echo "Checking additional keys..."
+            while IFS= read -r key; do
+              [ -z "${key}" ] && continue
+              echo "Checking for cache: ${key}"
+              if gh cache list --key "${key}" --json key --jq '.[].key' | grep -q "${key}"; then
+                echo "  Deleting: ${key}"
+                gh cache delete "${key}" || true
+                echo "  ✓ Deleted"
+              else
+                echo "  ℹ️  Not found"
+              fi
+            done <<< "${{ inputs.additional-clear-keys }}"
+          fi
+
+          echo ""
+          echo "✅ ${{ inputs.cache-type }} cache cleared successfully"
+          echo "Build will proceed from scratch"
+        else
+          echo ""
+          echo "ℹ️  No ${{ inputs.cache-type }} cache clear requested"
+        fi
+        echo "=========================================="
+
+    - name: Restore cache
+      id: restore-cache
+      uses: actions/cache/restore@v4
+      with:
+        path: ${{ inputs.path }}
+        key: ${{ inputs.key }}
+        restore-keys: ${{ inputs.restore-keys }}
+        fail-on-cache-miss: ${{ inputs.fail-on-cache-miss }}
+        lookup-only: ${{ inputs.lookup-only }}

.github/actions/xahau-ga-dependencies/action.yml

@@ -25,6 +25,28 @@ inputs:
     description: 'Main branch name for restore keys'
     required: false
     default: 'dev'
+  os:
+    description: 'Operating system (Linux, Macos)'
+    required: false
+    default: 'Linux'
+  arch:
+    description: 'Architecture (x86_64, armv8)'
+    required: false
+    default: 'x86_64'
+  compiler:
+    description: 'Compiler type (gcc, clang, apple-clang)'
+    required: true
+  compiler_version:
+    description: 'Compiler version (11, 13, 14, etc.)'
+    required: true
+  cc:
+    description: 'C compiler executable (gcc-13, clang-14, etc.), empty for macOS'
+    required: false
+    default: ''
+  cxx:
+    description: 'C++ compiler executable (g++-14, clang++-14, etc.), empty for macOS'
+    required: false
+    default: ''
   stdlib:
     description: 'C++ standard library for Conan configuration (note: also in compiler-id)'
     required: true
@@ -41,47 +63,70 @@ outputs:
 runs:
   using: 'composite'
   steps:
-    - name: Generate safe branch name
-      if: inputs.cache_enabled == 'true'
-      id: safe-branch
-      shell: bash
-      run: |
-        SAFE_BRANCH=$(echo "${{ github.ref_name }}" | tr -c 'a-zA-Z0-9_.-' '-')
-        echo "name=${SAFE_BRANCH}" >> $GITHUB_OUTPUT
-
-    - name: Check conanfile changes
-      if: inputs.cache_enabled == 'true'
-      id: check-conanfile-changes
-      shell: bash
-      run: |
-        # Check if we're on the main branch
-        if [ "${{ github.ref_name }}" == "${{ inputs.main_branch }}" ]; then
-          echo "should-save-conan-cache=true" >> $GITHUB_OUTPUT
-        else
-          # Fetch main branch for comparison
-          git fetch origin ${{ inputs.main_branch }}
-          
-          # Check if conanfile.txt or conanfile.py has changed compared to main branch
-          if git diff --quiet origin/${{ inputs.main_branch }}..HEAD -- '**/conanfile.txt' '**/conanfile.py'; then
-            echo "should-save-conan-cache=false" >> $GITHUB_OUTPUT
-          else
-            echo "should-save-conan-cache=true" >> $GITHUB_OUTPUT
-          fi
-        fi
-
     - name: Restore Conan cache
       if: inputs.cache_enabled == 'true'
       id: cache-restore-conan
-      uses: actions/cache/restore@v4
+      uses: ./.github/actions/xahau-ga-cache-restore
       with:
-        path: |
-          ~/.conan
-          ~/.conan2
+        path: ~/.conan2
         # Note: compiler-id format is compiler-version-stdlib[-gccversion]
-        key: ${{ runner.os }}-conan-v${{ inputs.cache_version }}-${{ inputs.compiler-id }}-${{ hashFiles('**/conanfile.txt', '**/conanfile.py') }}-${{ inputs.configuration }}
+        key: ${{ runner.os }}-conan-v${{ inputs.cache_version }}-${{ inputs.compiler-id }}-${{ hashFiles('**/conanfile.py') }}-${{ inputs.configuration }}
         restore-keys: |
-          ${{ runner.os }}-conan-v${{ inputs.cache_version }}-${{ inputs.compiler-id }}-${{ hashFiles('**/conanfile.txt', '**/conanfile.py') }}-
+          ${{ runner.os }}-conan-v${{ inputs.cache_version }}-${{ inputs.compiler-id }}-${{ hashFiles('**/conanfile.py') }}-
           ${{ runner.os }}-conan-v${{ inputs.cache_version }}-${{ inputs.compiler-id }}-
+        cache-type: Conan
+
+    - name: Configure Conan
+      shell: bash
+      run: |
+        # Create the default profile directory if it doesn't exist
+        mkdir -p ~/.conan2/profiles
+
+        # Determine the correct libcxx based on stdlib parameter
+        if [ "${{ inputs.stdlib }}" = "libcxx" ]; then
+          LIBCXX="libc++"
+        else
+          LIBCXX="libstdc++11"
+        fi
+
+        # Create profile with our specific settings
+        # This overwrites any cached profile to ensure fresh configuration
+        cat > ~/.conan2/profiles/default <<EOF
+        [settings]
+        arch=${{ inputs.arch }}
+        build_type=${{ inputs.configuration }}
+        compiler=${{ inputs.compiler }}
+        compiler.cppstd=20
+        compiler.libcxx=${LIBCXX}
+        compiler.version=${{ inputs.compiler_version }}
+        os=${{ inputs.os }}
+        EOF
+
+        # Add buildenv and conf sections for Linux (not needed for macOS)
+        if [ "${{ inputs.os }}" = "Linux" ] && [ -n "${{ inputs.cc }}" ]; then
+          cat >> ~/.conan2/profiles/default <<EOF
+
+        [buildenv]
+        CC=/usr/bin/${{ inputs.cc }}
+        CXX=/usr/bin/${{ inputs.cxx }}
+
+        [conf]
+        tools.build:compiler_executables={"c": "/usr/bin/${{ inputs.cc }}", "cpp": "/usr/bin/${{ inputs.cxx }}"}
+        EOF
+        fi
+
+        # Add macOS-specific conf if needed
+        if [ "${{ inputs.os }}" = "Macos" ]; then
+          cat >> ~/.conan2/profiles/default <<EOF
+
+        [conf]
+        # Workaround for gRPC with newer Apple Clang
+        tools.build:cxxflags=["-Wno-missing-template-arg-list-after-template-kw"]
+        EOF
+        fi
+
+        # Display profile for verification
+        conan profile show
 
     - name: Export custom recipes
       shell: bash
@@ -107,10 +152,8 @@ runs:
           ..
 
     - name: Save Conan cache
-      if: always() && inputs.cache_enabled == 'true' && steps.cache-restore-conan.outputs.cache-hit != 'true' && steps.check-conanfile-changes.outputs.should-save-conan-cache == 'true'
+      if: success() && inputs.cache_enabled == 'true' && steps.cache-restore-conan.outputs.cache-hit != 'true'
       uses: actions/cache/save@v4
       with:
-        path: |
-          ~/.conan
-          ~/.conan2
+        path: ~/.conan2
         key: ${{ steps.cache-restore-conan.outputs.cache-primary-key }}

.github/actions/xahau-ga-get-commit-message/action.yml

@@ -0,0 +1,73 @@
+name: 'Get Commit Message'
+description: 'Gets commit message for both push and pull_request events and sets XAHAU_GA_COMMIT_MSG env var'
+
+inputs:
+  event-name:
+    description: 'The event name (push or pull_request)'
+    required: true
+  head-commit-message:
+    description: 'The head commit message (for push events)'
+    required: false
+    default: ''
+  pr-head-sha:
+    description: 'The PR head SHA (for pull_request events)'
+    required: false
+    default: ''
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Get commit message and set environment variable
+      shell: python
+      run: |
+        import os
+        import subprocess
+        import secrets
+
+        event_name = "${{ inputs.event-name }}"
+        pr_head_sha = "${{ inputs.pr-head-sha }}"
+
+        print("==========================================")
+        print("Setting XAHAU_GA_COMMIT_MSG environment variable")
+        print("==========================================")
+        print(f"Event: {event_name}")
+
+        if event_name == 'push':
+            # For push events, use the input directly
+            message = """${{ inputs.head-commit-message }}"""
+            print("Source: workflow input (github.event.head_commit.message)")
+        elif event_name == 'pull_request':
+            # For PR events, fetch the specific SHA
+            print(f"Source: git show {pr_head_sha} (fetching PR head commit)")
+
+            # Fetch the PR head commit
+            subprocess.run(
+                ['git', 'fetch', 'origin', pr_head_sha],
+                check=True
+            )
+
+            # Get commit message from the fetched SHA
+            result = subprocess.run(
+                ['git', 'show', '-s', '--format=%B', pr_head_sha],
+                capture_output=True,
+                text=True,
+                check=True
+            )
+            message = result.stdout.strip()
+        else:
+            message = ""
+            print(f"Warning: Unknown event type: {event_name}")
+
+        print(f"Commit message (first 100 chars): {message[:100]}")
+
+        # Write to GITHUB_ENV using heredoc with random delimiter (prevents injection attacks)
+        # See: https://securitylab.github.com/resources/github-actions-untrusted-input/
+        delimiter = f"EOF_{secrets.token_hex(16)}"
+
+        with open(os.environ['GITHUB_ENV'], 'a') as f:
+            f.write(f'XAHAU_GA_COMMIT_MSG<<{delimiter}\n')
+            f.write(message)
+            f.write(f'\n{delimiter}\n')
+
+        print(f"✓ XAHAU_GA_COMMIT_MSG set (available to all subsequent steps)")
+        print("==========================================")

.github/workflows/xahau-ga-macos.yml

@@ -20,7 +20,7 @@ jobs:
           - Ninja
         configuration:
           - Debug
-    runs-on: macos-15
+    runs-on: macos-15-xlarge
     env:
       build_dir: .build
       # Bump this number to invalidate all caches globally.
@@ -30,6 +30,14 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
+      - name: Get commit message
+        id: get-commit-message
+        uses: ./.github/actions/xahau-ga-get-commit-message
+        with:
+          event-name: ${{ github.event_name }}
+          head-commit-message: ${{ github.event.head_commit.message }}
+          pr-head-sha: ${{ github.event.pull_request.head.sha }}
+
       - name: Install Conan
         run: |
           brew install conan
@@ -78,14 +86,6 @@ jobs:
       - name: Install ccache
         run: brew install ccache
 
-      - name: Configure ccache
-        uses: ./.github/actions/xahau-configure-ccache
-        with:
-          max_size: 2G
-          hash_dir: true
-          compiler_check: content
-          is_main_branch: ${{ github.ref_name == env.MAIN_BRANCH_NAME }}
-
       - name: Check environment
         run: |
           echo "PATH:"
@@ -98,32 +98,12 @@ jobs:
           echo "---- Full Environment ----"
           env
 
-      - name: Configure Conan
+      - name: Detect compiler version
+        id: detect-compiler
         run: |
-          # Create the default profile directory if it doesn't exist
-          mkdir -p ~/.conan2/profiles
-
-          # Detect compiler version
           COMPILER_VERSION=$(clang --version | grep -oE 'version [0-9]+' | grep -oE '[0-9]+')
-
-          # Create profile with our specific settings
-          cat > ~/.conan2/profiles/default <<EOF
-          [settings]
-          arch=armv8
-          build_type=Release
-          compiler=apple-clang
-          compiler.cppstd=20
-          compiler.libcxx=libc++
-          compiler.version=${COMPILER_VERSION}
-          os=Macos
-
-          [conf]
-          # Workaround for gRPC with newer Apple Clang
-          tools.build:cxxflags=["-Wno-missing-template-arg-list-after-template-kw"]
-          EOF
-
-          # Display profile for verification
-          conan profile show
+          echo "compiler_version=${COMPILER_VERSION}" >> $GITHUB_OUTPUT
+          echo "Detected Apple Clang version: ${COMPILER_VERSION}"
 
       - name: Install dependencies
         uses: ./.github/actions/xahau-ga-dependencies
@@ -133,6 +113,11 @@ jobs:
           compiler-id: clang
           cache_version: ${{ env.CACHE_VERSION }}
           main_branch: ${{ env.MAIN_BRANCH_NAME }}
+          os: Macos
+          arch: armv8
+          compiler: apple-clang
+          compiler_version: ${{ steps.detect-compiler.outputs.compiler_version }}
+          stdlib: libcxx
 
       - name: Build
         uses: ./.github/actions/xahau-ga-build
@@ -143,6 +128,7 @@ jobs:
           compiler-id: clang
           cache_version: ${{ env.CACHE_VERSION }}
           main_branch: ${{ env.MAIN_BRANCH_NAME }}
+          stdlib: libcxx
 
       - name: Test
         run: |

.github/workflows/xahau-ga-nix.yml

@@ -156,12 +156,20 @@ jobs:
     env:
       build_dir: .build
       # Bump this number to invalidate all caches globally.
-      CACHE_VERSION: 2
+      CACHE_VERSION: 3
       MAIN_BRANCH_NAME: dev
     steps:
       - name: Checkout
         uses: actions/checkout@v4
 
+      - name: Get commit message
+        id: get-commit-message
+        uses: ./.github/actions/xahau-ga-get-commit-message
+        with:
+          event-name: ${{ github.event_name }}
+          head-commit-message: ${{ github.event.head_commit.message }}
+          pr-head-sha: ${{ github.event.pull_request.head.sha }}
+
       - name: Install build dependencies
         run: |
           sudo apt-get update
@@ -231,48 +239,6 @@ jobs:
           # Install Conan 2
           pip install --upgrade "conan>=2.0,<3"
 
-      - name: Configure ccache
-        uses: ./.github/actions/xahau-configure-ccache
-        with:
-          max_size: 2G
-          hash_dir: true
-          compiler_check: content
-          is_main_branch: ${{ github.ref_name == env.MAIN_BRANCH_NAME }}
-
-      - name: Configure Conan
-        run: |
-          # Create the default profile directory if it doesn't exist
-          mkdir -p ~/.conan2/profiles
-
-          # Determine the correct libcxx based on stdlib parameter
-          if [ "${{ matrix.stdlib }}" = "libcxx" ]; then
-            LIBCXX="libc++"
-          else
-            LIBCXX="libstdc++11"
-          fi
-
-          # Create profile with our specific settings
-          cat > ~/.conan2/profiles/default <<EOF
-          [settings]
-          arch=x86_64
-          build_type=${{ matrix.configuration }}
-          compiler=${{ matrix.compiler }}
-          compiler.cppstd=20
-          compiler.libcxx=${LIBCXX}
-          compiler.version=${{ matrix.compiler_version }}
-          os=Linux
-
-          [buildenv]
-          CC=/usr/bin/${{ matrix.cc }}
-          CXX=/usr/bin/${{ matrix.cxx }}
-
-          [conf]
-          tools.build:compiler_executables={"c": "/usr/bin/${{ matrix.cc }}", "cpp": "/usr/bin/${{ matrix.cxx }}"}
-          EOF
-
-          # Display profile for verification
-          conan profile show
-
       - name: Check environment
         run: |
           echo "PATH:"
@@ -293,6 +259,10 @@ jobs:
           compiler-id: ${{ matrix.compiler_id }}
           cache_version: ${{ env.CACHE_VERSION }}
           main_branch: ${{ env.MAIN_BRANCH_NAME }}
+          compiler: ${{ matrix.compiler }}
+          compiler_version: ${{ matrix.compiler_version }}
+          cc: ${{ matrix.cc }}
+          cxx: ${{ matrix.cxx }}
           stdlib: ${{ matrix.stdlib }}
 
       - name: Build

cfg/xahaud-example.cfg

@@ -1769,7 +1769,7 @@ pool.ntp.org
 # Unless an absolute path is specified, it will be considered relative to the
 # folder in which the xahaud.cfg file is located.
 [validators_file]
-validators.txt
+validators-xahau.txt
 
 # Turn down default logging to save disk space in the long run.
 # Valid values here are trace, debug, info, warning, error, and fatal

src/ripple/app/misc/impl/TxQ.cpp

@@ -1482,9 +1482,13 @@ TxQ::accept(Application& app, OpenView& view)
     {
         uint32_t currentTime =
             view.parentCloseTime().time_since_epoch().count();
-        uint256 klStart = keylet::cron(0, AccountID(beast::zero)).key;
-        uint256 const klEnd =
-            keylet::cron(currentTime + 1, AccountID(beast::zero)).key;
+        bool fixCron = view.rules().enabled(fixCronStacking);
+        std::optional<AccountID> accountID = std::nullopt;
+        if (!fixCron)
+            accountID = AccountID(beast::zero);
+
+        uint256 klStart = keylet::cron(0, accountID).key;
+        uint256 const klEnd = keylet::cron(currentTime + 1, accountID).key;
 
         std::set<AccountID> cronAccs;
 

src/ripple/app/tx/impl/Cron.cpp

@@ -93,6 +93,16 @@ Cron::doApply()
     auto& view = ctx_.view();
     auto const& tx = ctx_.tx;
 
+    if (view.rules().enabled(fixCronStacking))
+    {
+        if (auto const seq = tx.getFieldU32(sfLedgerSequence);
+            seq != view.info().seq)
+        {
+            JLOG(j_.warn()) << "Cron: wrong ledger seq=" << seq;
+            return tefFAILURE;
+        }
+    }
+
     AccountID const& id = tx.getAccountID(sfOwner);
 
     auto sle = view.peek(keylet::account(id));

src/ripple/protocol/Feature.h

@@ -74,7 +74,7 @@ namespace detail {
 // Feature.cpp. Because it's only used to reserve storage, and determine how
 // large to make the FeatureBitset, it MAY be larger. It MUST NOT be less than
 // the actual number of amendments. A LogicError on startup will verify this.
-static constexpr std::size_t numFeatures = 88;
+static constexpr std::size_t numFeatures = 89;
 
 /** Amendments that this server supports and the default voting behavior.
    Whether they are enabled depends on the Rules defined in the validated
@@ -376,6 +376,7 @@ extern uint256 const featureIOUIssuerWeakTSH;
 extern uint256 const featureCron;
 extern uint256 const fixInvalidTxFlags;
 extern uint256 const featureExtendedHookState;
+extern uint256 const fixCronStacking;
 
 }  // namespace ripple
 

src/ripple/protocol/Indexes.h

@@ -298,7 +298,7 @@ Keylet
 uritoken(AccountID const& issuer, Blob const& uri);
 
 Keylet
-cron(uint32_t timestamp, AccountID const& id);
+cron(uint32_t timestamp, std::optional<AccountID> const& id = std::nullopt);
 
 }  // namespace keylet
 

src/ripple/protocol/impl/Feature.cpp

@@ -482,6 +482,7 @@ REGISTER_FEATURE(IOUIssuerWeakTSH,              Supported::yes, VoteBehavior::De
 REGISTER_FEATURE(Cron,                          Supported::yes, VoteBehavior::DefaultNo);
 REGISTER_FIX    (fixInvalidTxFlags,             Supported::yes, VoteBehavior::DefaultYes);
 REGISTER_FEATURE(ExtendedHookState,             Supported::yes, VoteBehavior::DefaultNo);
+REGISTER_FIX    (fixCronStacking,               Supported::yes, VoteBehavior::DefaultYes);
 
 // The following amendments are obsolete, but must remain supported
 // because they could potentially get enabled.

src/ripple/protocol/impl/Indexes.cpp

@@ -466,7 +466,7 @@ uritoken(AccountID const& issuer, Blob const& uri)
 //   Examples: 100M → ~5.4e-12, 1B → ~5.4e-11, 10B → ~5.4e-10, 100B → ~5.4e-9
 //   (negligible).
 Keylet
-cron(uint32_t timestamp, AccountID const& id)
+cron(uint32_t timestamp, std::optional<AccountID> const& id)
 {
     static const uint256 ns = indexHash(LedgerNameSpace::CRON);
 
@@ -481,7 +481,14 @@ cron(uint32_t timestamp, AccountID const& id)
     h[10] = static_cast<uint8_t>((timestamp >> 8) & 0xFFU);
     h[11] = static_cast<uint8_t>((timestamp >> 0) & 0xFFU);
 
-    const uint256 accHash = indexHash(LedgerNameSpace::CRON, timestamp, id);
+    if (!id.has_value())
+    {
+        // final 20 bytes are zero
+        std::memset(h + 12, 0, 20);
+        return {ltCRON, uint256::fromVoid(h)};
+    }
+
+    const uint256 accHash = indexHash(LedgerNameSpace::CRON, timestamp, *id);
 
     // final 20 bytes are account ID
     std::memcpy(h + 12, accHash.cdata(), 20);

src/ripple/rpc/impl/RPCHelpers.cpp

@@ -1106,30 +1106,32 @@ chooseLedgerEntryType(Json::Value const& params)
     std::pair<RPC::Status, LedgerEntryType> result{RPC::Status::OK, ltANY};
     if (params.isMember(jss::type))
     {
-        static constexpr std::array<std::pair<char const*, LedgerEntryType>, 22>
-            types{
-                {{jss::account, ltACCOUNT_ROOT},
-                 {jss::amendments, ltAMENDMENTS},
-                 {jss::check, ltCHECK},
-                 {jss::deposit_preauth, ltDEPOSIT_PREAUTH},
-                 {jss::directory, ltDIR_NODE},
-                 {jss::escrow, ltESCROW},
-                 {jss::emitted_txn, ltEMITTED_TXN},
-                 {jss::hook, ltHOOK},
-                 {jss::hook_definition, ltHOOK_DEFINITION},
-                 {jss::hook_state, ltHOOK_STATE},
-                 {jss::fee, ltFEE_SETTINGS},
-                 {jss::hashes, ltLEDGER_HASHES},
-                 {jss::import_vlseq, ltIMPORT_VLSEQ},
-                 {jss::offer, ltOFFER},
-                 {jss::payment_channel, ltPAYCHAN},
-                 {jss::uri_token, ltURI_TOKEN},
-                 {jss::signer_list, ltSIGNER_LIST},
-                 {jss::state, ltRIPPLE_STATE},
-                 {jss::ticket, ltTICKET},
-                 {jss::nft_offer, ltNFTOKEN_OFFER},
-                 {jss::nft_page, ltNFTOKEN_PAGE},
-                 {jss::unl_report, ltUNL_REPORT}}};
+        static constexpr std::array<std::pair<char const*, LedgerEntryType>, 23>
+            types{{
+                {jss::account, ltACCOUNT_ROOT},
+                {jss::amendments, ltAMENDMENTS},
+                {jss::check, ltCHECK},
+                {jss::deposit_preauth, ltDEPOSIT_PREAUTH},
+                {jss::directory, ltDIR_NODE},
+                {jss::escrow, ltESCROW},
+                {jss::emitted_txn, ltEMITTED_TXN},
+                {jss::hook, ltHOOK},
+                {jss::hook_definition, ltHOOK_DEFINITION},
+                {jss::hook_state, ltHOOK_STATE},
+                {jss::fee, ltFEE_SETTINGS},
+                {jss::hashes, ltLEDGER_HASHES},
+                {jss::import_vlseq, ltIMPORT_VLSEQ},
+                {jss::offer, ltOFFER},
+                {jss::payment_channel, ltPAYCHAN},
+                {jss::uri_token, ltURI_TOKEN},
+                {jss::signer_list, ltSIGNER_LIST},
+                {jss::state, ltRIPPLE_STATE},
+                {jss::ticket, ltTICKET},
+                {jss::nft_offer, ltNFTOKEN_OFFER},
+                {jss::nft_page, ltNFTOKEN_PAGE},
+                {jss::unl_report, ltUNL_REPORT},
+                {jss::cron, ltCRON},
+            }};
 
         auto const& p = params[jss::type];
         if (!p.isString())

src/test/rpc/AccountObjects_test.cpp

@@ -781,6 +781,22 @@ public:
             auto const& hook = resp[jss::result][jss::account_objects][0u];
             BEAST_EXPECT(hook[sfAccount.jsonName] == gw.human());
         }
+        {
+            // Create a Cron
+            env(cron::set(gw),
+                cron::startTime(env.now().time_since_epoch().count() + 100),
+                cron::delay(100),
+                cron::repeat(200),
+                fee(XRP(1)));
+            env.close();
+        }
+        {
+            // Find the cron.
+            Json::Value const resp = acct_objs(gw, jss::cron);
+            BEAST_EXPECT(acct_objs_is_size(resp, 1));
+            auto const& cron = resp[jss::result][jss::account_objects][0u];
+            BEAST_EXPECT(cron[sfOwner.jsonName] == gw.human());
+        }
         {
             // See how "deletion_blockers_only" handles gw's directory.
             Json::Value params;