11# ##############################################################
22#
3- # # Copyright (©) 2025 International Color Consortium.
4- # # All rights reserved.
5- # # https://color.org
6- #
7- #
8- # # Intent: iccDEV Scan Build Runner for Matrix OS
9- #
10- # # Last Updated: 28-NOV-2025 0000Z by David Hoyt
11- # # Add Read Permission Block
12- # # TODO: Push binary releases, tags etc..
13- #
14- # #
15- #
3+ # Copyright (©) 2025 International Color Consortium.
4+ # All rights reserved.
5+ # https://color.org
166#
177#
8+ # Intent: iccDEV Scan Build Runner
189#
10+ # Last Updated: 2026-02-17 16:14:17 UTC by David Hoyt
11+ # Parallel build, hardened shells, sanitizer,
12+ # dynamic LLVM path, libjpeg-dev dependency.
1913#
2014# ##############################################################
2115
2216name : " Scan Build"
2317
18+ permissions :
19+ contents : read
20+
2421on :
2522 workflow_dispatch :
2623
2724jobs :
2825 build-linux :
2926 name : Build and Test Linux with scan-build
3027 runs-on : ubuntu-latest
31- timeout-minutes : 20
32- permissions :
33- contents : read
34-
28+ timeout-minutes : 30
3529 strategy :
3630 fail-fast : false
3731
3832 steps :
39- - name : 📥 Checkout master
33+ - name : Checkout
4034 uses : actions/checkout@c2d88d3ecc89a9ef08eebf45d9637801dcee7eb5
35+ with :
36+ fetch-depth : 0
37+ persist-credentials : false
4138
42- # Install dependencies
4339 - name : Install dependencies
44- shell : bash
40+ shell : bash --noprofile --norc {0}
4541 env :
46- BASH_ENV : /dev/null
42+ BASH_ENV : /dev/null
4743 run : |
4844 set -euo pipefail
4945 git config --global --add safe.directory "$GITHUB_WORKSPACE"
5046 git config --global credential.helper ""
51-
52- # Clear the in-shell GITHUB_TOKEN
5347 unset GITHUB_TOKEN || true
5448
55- sudo apt-get update
56- sudo apt-get install -y build-essential cmake gcc g++ clang clang-tools libpng-dev libxml2 libxml2-dev libtiff-dev nlohmann-json3-dev libwxgtk3.2-dev wx-common python3 python3-pip curl git llvm
57- # Ensure scan-build is in PATH
58- - name : Ensure scan-build is installed and accessible
59- shell : bash
60- env :
61- BASH_ENV : /dev/null
62- run : |
63- set -euo pipefail
64- git config --global --add safe.directory "$GITHUB_WORKSPACE"
65- git config --global credential.helper ""
66-
67- # Clear the in-shell GITHUB_TOKEN
68- unset GITHUB_TOKEN || true
49+ sudo apt-get update -qq
50+ sudo apt-get install -y \
51+ build-essential cmake gcc g++ clang clang-tools \
52+ libpng-dev libxml2-dev libtiff-dev libjpeg-dev \
53+ nlohmann-json3-dev libwxgtk3.2-dev wx-common \
54+ python3 curl git llvm
55+
56+ echo "### Environment" >> "$GITHUB_STEP_SUMMARY"
57+ echo "| Tool | Version |" >> "$GITHUB_STEP_SUMMARY"
58+ echo "|------|---------|" >> "$GITHUB_STEP_SUMMARY"
59+ echo "| scan-build | $(scan-build --version 2>&1 | head -1) |" >> "$GITHUB_STEP_SUMMARY"
60+ echo "| clang | $(clang --version 2>&1 | head -1) |" >> "$GITHUB_STEP_SUMMARY"
61+ echo "| cmake | $(cmake --version | head -1) |" >> "$GITHUB_STEP_SUMMARY"
62+ echo "| nproc | $(nproc) |" >> "$GITHUB_STEP_SUMMARY"
63+ echo "" >> "$GITHUB_STEP_SUMMARY"
6964
70- which scan-build || echo "? scan-build not found"
71- scan-build --version || echo "? scan-build version check failed"
72- # Configure the build with scan-build
73- - name : Configure the build with scan-build
74- shell : bash
65+ - name : Configure with scan-build
66+ shell : bash --noprofile --norc {0}
7567 env :
76- BASH_ENV : /dev/null
68+ BASH_ENV : /dev/null
69+ CC : clang
70+ CXX : clang++
7771 run : |
7872 set -euo pipefail
7973 git config --global --add safe.directory "$GITHUB_WORKSPACE"
8074 git config --global credential.helper ""
81-
82- # Clear the in-shell GITHUB_TOKEN
8375 unset GITHUB_TOKEN || true
8476
85- ls
77+ LLVM_BIN=$(llvm-config --bindir 2>/dev/null || echo "/usr/lib/llvm-$(llvm-config --version 2>/dev/null | cut -d. -f1)/bin")
78+ export PATH="${LLVM_BIN}:${PATH}"
79+
8680 cd Build
87- pwd
88- ls
89- export CC=clang
90- export CXX=clang++
91- export PATH="/usr/lib/llvm-17/bin:$PATH"
92- scan-build cmake -DCMAKE_INSTALL_PREFIX=$HOME/.local -DCMAKE_BUILD_TYPE=Release -DENABLE_TOOLS=ON -Wno-dev Cmake/
93- # Run scan-build for static analysis
94- - name : Run scan-build for static analysis
95- shell : bash
81+ scan-build cmake \
82+ -DCMAKE_INSTALL_PREFIX=$HOME/.local \
83+ -DCMAKE_BUILD_TYPE=Release \
84+ -DENABLE_TOOLS=ON \
85+ -Wno-dev \
86+ Cmake/
87+
88+ - name : Run scan-build with all processors
89+ shell : bash --noprofile --norc {0}
9690 env :
97- BASH_ENV : /dev/null
91+ BASH_ENV : /dev/null
9892 run : |
9993 set -euo pipefail
10094 git config --global --add safe.directory "$GITHUB_WORKSPACE"
10195 git config --global credential.helper ""
102-
103- # Clear the in-shell GITHUB_TOKEN
10496 unset GITHUB_TOKEN || true
10597
106- pwd
107- ls
98+ LLVM_BIN=$(llvm-config --bindir 2>/dev/null || echo "/usr/lib/llvm-$(llvm-config --version 2>/dev/null | cut -d. -f1)/bin")
99+ export PATH="${LLVM_BIN}:${PATH}"
100+
101+ NPROC=$(nproc)
102+ echo "Running scan-build with $NPROC parallel jobs"
108103 cd Build
109- pwd
110- ls
111- export PATH="/usr/lib/llvm-17/bin:$PATH"
112- scan-build --status-bugs --keep-going -o scan-build-reports make -j$(nproc) || true
113- continue-on-error : true # Allow the step to complete even if issues are found
104+ scan-build --status-bugs --keep-going -o scan-build-reports \
105+ make -j"$NPROC" 2>&1 | tee scan-build-output.log || true
106+
107+ # Count findings
108+ BUGS=$({ grep -c 'warning:' scan-build-output.log 2>/dev/null || true; })
109+ echo "scan-build found $BUGS warnings"
110+ echo "SCAN_BUGS=$BUGS" >> "$GITHUB_ENV"
111+ continue-on-error : true
114112
115- # Upload scan-build reports
116113 - name : Upload scan-build reports
117114 uses : actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4
118115 with :
119116 name : scan-build-reports
120117 path : Build/scan-build-reports
118+ if-no-files-found : warn
121119
122- # Upload built binaries as artifacts
123120 - name : Upload build artifacts
124121 uses : actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4
125122 with :
126123 name : master-build-linux
127- path : Build
124+ path : |
125+ Build/**/*.so
126+ Build/**/*.a
127+ Build/**/Icc*
128+ LICENSE.md
129+ if-no-files-found : warn
128130
129- # Upload build logs
130131 - name : Upload build logs
131132 uses : actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4
132133 with :
133134 name : build-logs
134- path : Build/CMakeCache.txt
135+ path : |
136+ Build/CMakeCache.txt
137+ Build/scan-build-output.log
138+
135139 - name : Summary Report
136140 if : always()
141+ shell : bash --noprofile --norc {0}
142+ env :
143+ BASH_ENV : /dev/null
137144 run : |
138- echo "### Build Summary" >> $GITHUB_STEP_SUMMARY
139- echo "- Build Directory: Build/" >> $GITHUB_STEP_SUMMARY
140- echo "- Artifacts Uploaded: iccdev-linux-clang" >> $GITHUB_STEP_SUMMARY
141- echo "- Status: Success" >> $GITHUB_STEP_SUMMARY
145+ set -euo pipefail
146+ git config --global --add safe.directory "$GITHUB_WORKSPACE"
147+ git config --global credential.helper ""
148+ unset GITHUB_TOKEN || true
149+
150+ SANITIZER=".github/scripts/sanitize-sed.sh"
151+ if [[ -f "$SANITIZER" ]]; then
152+ # shellcheck disable=SC1090
153+ source "$SANITIZER"
154+ else
155+ sanitize_line() { printf '%s' "$1"; }
156+ fi
157+
158+ BUGS="${SCAN_BUGS:-0}"
159+ REPORT_COUNT=$(find Build/scan-build-reports -name '*.html' 2>/dev/null | wc -l | tr -d ' ')
160+
161+ {
162+ echo "### 🧠 Scan-Build Summary"
163+ echo ""
164+ echo "| Metric | Value |"
165+ echo "|--------|-------|"
166+ echo "| Parallel jobs | $(nproc) |"
167+ echo "| Warnings logged | $(sanitize_line "$BUGS") |"
168+ echo "| HTML reports | $(sanitize_line "$REPORT_COUNT") |"
169+ echo "| Status | ${{ job.status }} |"
170+ echo ""
171+ } >> "$GITHUB_STEP_SUMMARY"
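Review bot: In the "Run scan-build with all processors" step, `--status-bugs` can never influence the outcome: the pipeline ends in `|| true` and the step also sets `continue-on-error: true`, so the job succeeds whether or not the analyzer reports defects, and the summary's Status row prints `${{ job.status }}` accordingly. The only remaining signal is `grep -c 'warning:'` over the combined stdout/stderr log, which presumably counts ordinary compiler warnings along with analyzer findings. Consider keeping the analyzer's own exit code, for example `... | tee scan-build-output.log || SCAN_RC=$?` followed by `echo "SCAN_RC=${SCAN_RC:-0}" >> "$GITHUB_ENV"`. The summary could then report that value, and a final step placed after the uploads could fail the job when it is non-zero.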