xen-api/.github/workflows/codechecker.yml at a6b367cdca28a4dac9dbd5661ddfc39e3144c0bd · liulinC/xen-api · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
name: Run CodeChecker static analyzer on XAPI's C stubs
permissions: {}

on:
  push:
  pull_request:
    branches:
      - master
      - 'feature/**'
      - '*-lcm'

concurrency: # On new push, cancel old workflows from the same PR, branch or tag:
  group: ${{ github.workflow }}-${{github.event_name}}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

jobs:
  staticanalyzer:
    name: Static analyzer for OCaml C stubs
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    env:
      XAPI_VERSION: "v0.0.0-${{ github.sha }}"

    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Setup XenAPI environment
        uses: ./.github/workflows/setup-xapi-environment
        with:
          xapi_version: ${{ env.XAPI_VERSION }}
          ocaml_version: "4.14.2"

      - name: Install dune-compiledb to generate compile_commands.json
        run: |
          opam pin add -y ezjsonm https://github.com/mirage/ezjsonm/releases/download/v1.3.0/ezjsonm-1.3.0.tbz
          opam pin add -y dune-compiledb https://github.com/edwintorok/dune-compiledb/releases/download/0.6.0/dune-compiledb-0.6.0.tbz

      - name: Trim dune cache
        run: opam exec -- dune cache trim --size=2GiB

      - name: Generate compile_commands.json
        run: opam exec -- make compile_commands.json

      - name: Upload compile commands json
        uses: actions/upload-artifact@v4
        with:
          path: ${{ github.workspace }}/compile_commands.json

      - uses: whisperity/codechecker-analysis-action@v1
        id: codechecker
        with:
          ctu: true
          logfile: ${{ github.workspace }}/compile_commands.json
          analyze-output: "codechecker_results"

      - name: Upload CodeChecker report
        uses: actions/upload-artifact@v4
        with:
          name: codechecker_results
          path: "${{ steps.codechecker.outputs.result-html-dir }}"

      # cppcheck even for other analyzers apparently, this is
      # codechecker's output
      - name: convert to SARIF
        shell: bash
        run: report-converter "codechecker_results" --type cppcheck --output codechecker.sarif --export sarif

      - name: Upload CodeChecker SARIF report
        uses: actions/upload-artifact@v4
        with:
          name: codechecker_sarif
          path: codechecker.sarif

      # TODO: reenable after fixing
      # https://github.blog/changelog/2025-07-21-code-scanning-will-stop-combining-multiple-sarif-runs-uploaded-in-the-same-sarif-file/
      #
      #- name: Upload SARIF report
      #  uses: github/codeql-action/upload-sarif@v3
      #  with:
      #   sarif_file: codechecker.sarif