ci: Run the PtrToIntCast clang-tidy check

Christian A. Ehrhardt · Christian A. Ehrhardt · commit 17fe01c237ee · 2025-11-27T10:48:07.000+01:00
When building the cheri riscv kernel also run the PtrToIntCast clang
tidy check to warn about dubious capability conversions.

Signed-off-by: Christian A. Ehrhardt &lt;christian.ehrhardt@codasip.com&gt;
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -138,6 +138,7 @@ jobs:
           set -o pipefail
           ARGS=""
           LLVM_DIR=
+          TARGETS="all"
           if [ "${{ matrix.arch }}" = "aarch64" ]; then
             ARGS="$ARGS ARCH=arm64"
             CROSS="aarch64-linux-gnu-"
@@ -148,6 +149,7 @@ jobs:
             ARGS="$ARGS ARCH=arm64"
           elif [ "${{ matrix.arch }}" = "riscv64cheri" ]; then
             ARGS="$ARGS ARCH=riscv"
+            TARGETS="${TARGETS} compile_commands.json"
           fi
 
           if [[ "${{ matrix.compiler }}" == "llvm-morello" ]]; then
@@ -160,7 +162,25 @@ jobs:
           fi
           make $ARGS O=build ${{ matrix.config }}
           # Pipe output to tee so we can see it and save it for counting warnings
-          make $ARGS O=build -j$(nproc) 2>&1 | tee build.log
+          make $ARGS O=build -j$(nproc) ${TARGETS} 2>&1 | tee build.log
+
+      - name: Run clang-tidy
+        if: matrix.compiler == 'llvm-cheri'
+        shell: bash
+        run: |
+          set -o pipefail
+          grep "file.:.*\.c.$" build/compile_commands.json | \
+              sed 's/.*file.:..//; s/.$//' | \
+              xargs -n $(nproc) -P 12 -- /usr/lib/llvm-cheri/bin/clang-tidy \
+                  --checks='-*,cheri-PtrToIntCast' \
+                  --header-filter='.*' \
+                  --system-headers \
+                  -p build 2>&1 | tee tidy.log
+          echo "CHECKING clang-tidy messages"
+          if egrep "(warning|error):" tidy.log; then
+            echo "ERROR: Unexpected clang-tidy warnings"
+            false # Fail
+          fi
 
       - name: Process Logs (Errors & Warnings)
         if: always()
@@ -169,15 +189,16 @@ jobs:
           GH_TOKEN: ${{ github.token }}
           JOB_NAME: "Build ${{ matrix.arch }} ${{ matrix.compiler }} ${{ matrix.config }}"
         run: |
+          touch tidy.log
           echo "::group::📝 Build Issues (Errors & Warnings)"
-          if grep -iE "warning:|error:" build.log; then
+          if grep -iE "warning:|error:" build.log tidy.log; then
             echo "--------------------------------------------------"
             echo "Full list above."
           else
             echo "🎉 Clean build - No warnings or errors found."
           fi
           echo "::endgroup::"
-          COUNT=$(grep -c -i "warning:" build.log || true)
+          COUNT=$(grep -c -i "warning:" build.log tidy.log || true)
           OUTCOME="${{ steps.kbuild.outcome }}"
           FULL_LINK="${{ steps.job-link.outputs.url }}#step:${{ steps.job-link.outputs.build_step_num }}:1"
           COUNT_CLEAN=$(echo $COUNT | xargs)
