Skip to content

[StepSecurity] Harden GibHub Actions, part 2 (#3340) #814

[StepSecurity] Harden GibHub Actions, part 2 (#3340)

[StepSecurity] Harden GibHub Actions, part 2 (#3340) #814

Workflow file for this run

name: cppcheck
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
jobs:
cppcheck:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
submodules: 'recursive'
- name: Set up dependencies
run: |
sudo apt update -y
sudo apt install -y cppcheck
- name: Run cppcheck
run: |
cppcheck --version | tee cppcheck.log
cppcheck \
--force \
--enable=warning,performance,portability \
--inline-suppr \
--suppress=unknownMacro:exporters/etw/include/opentelemetry/exporters/etw/TraceLoggingDynamic.h \
--language=c++ \
--std=c++14 \
-I api/include \
-I exporters/elasticsearch/include \
-I exporters/etw/include \
-I exporters/memory/include \
-I exporters/ostream/include \
-I exporters/otlp/include \
-I exporters/prometheus/include \
-I exporters/zipkin/include \
-I ext/include \
-I opentracing-shim/include \
-I sdk/include \
-i build \
-i test \
-i third_party \
-j $(nproc) \
. 2>&1 | tee --append cppcheck.log
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
if: success() || failure()
with:
name: Logs (cppcheck)
path: ./cppcheck.log
- name: Count warnings
run: |
set +e
readonly WARNING_COUNT=`grep -c -E "\[.+\]" cppcheck.log`
echo "cppcheck reported ${WARNING_COUNT} warning(s)"
# Acceptable limit, to decrease over time down to 0
readonly WARNING_LIMIT=10
# FAIL the build if WARNING_COUNT > WARNING_LIMIT
if [ $WARNING_COUNT -gt $WARNING_LIMIT ] ; then
exit 1
# WARN in annotations if WARNING_COUNT > 0
elif [ $WARNING_COUNT -gt 0 ] ; then
echo "::warning::cppcheck reported ${WARNING_COUNT} warning(s)"
fi