Merge pull request #128 from cconlon/ghActionScanBuild

rlm2002 · web-flow · commit d0278428f0d3 · 2025-07-16T16:41:35.000-06:00
Testing: add GitHub action to run clang scan-build over native sources
diff --git a/.github/workflows/scan-build.yml b/.github/workflows/scan-build.yml
@@ -0,0 +1,98 @@
+name: Clang Static Analyzer (scan-build)
+
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+jobs:
+  scan-build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      # Install scan-build (part of clang-tools)
+      - name: Install scan-build
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y clang-tools
+
+      # Cache Junit JARs
+      - name: Cache Junit JARs
+        uses: actions/cache@v3
+        id: cache-junit
+        with:
+          path: ${{ github.workspace }}/junit
+          key: junit-cache-${{ runner.os }}-junit-4.13.2-hamcrest-1.3
+          restore-keys: |
+            junit-cache-${{ runner.os }}-
+
+      # Download Junit JARs (needed for full build)
+      - name: Download junit-4.13.2.jar
+        if: steps.cache-junit.outputs.cache-hit != 'true'
+        run: wget --directory-prefix=$GITHUB_WORKSPACE/junit https://repo1.maven.org/maven2/junit/junit/4.13.2/junit-4.13.2.jar
+      - name: Download hamcrest-all-1.3.jar
+        if: steps.cache-junit.outputs.cache-hit != 'true'
+        run: wget --directory-prefix=$GITHUB_WORKSPACE/junit https://repo1.maven.org/maven2/org/hamcrest/hamcrest-all/1.3/hamcrest-all-1.3.jar
+
+      # Build native wolfSSL
+      - name: Build native wolfSSL
+        uses: wolfSSL/actions-build-autotools-project@v1
+        with:
+          repository: wolfSSL/wolfssl
+          ref: master
+          path: wolfssl
+          configure: '--enable-jni --enable-all'
+          check: false
+          install: true
+
+      # Setup Java
+      - name: Setup java
+        uses: actions/setup-java@v4
+        with:
+          distribution: 'zulu'
+          java-version: '11'
+
+      - name: Set JUNIT_HOME
+        run: |
+          echo "JUNIT_HOME=$GITHUB_WORKSPACE/junit" >> "$GITHUB_ENV"
+      - name: Set LD_LIBRARY_PATH
+        run: |
+          echo "LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$GITHUB_WORKSPACE/build-dir/lib" >> "$GITHUB_ENV"
+
+      # Copy appropriate makefile for Linux
+      - name: Copy makefile
+        run: cp makefile.linux makefile
+
+      # Run scan-build over the native JNI C files
+      - name: Run scan-build
+        env:
+          PREFIX: ${{ github.workspace }}/build-dir
+        run: |
+          scan-build --status-bugs -o scan-build-reports make
+
+      # Upload scan-build results as artifacts
+      - name: Upload scan-build results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: scan-build-reports
+          path: scan-build-reports/
+
+      # Show scan-build results in logs
+      - name: Show scan-build results
+        if: always()
+        run: |
+          if [ -d "scan-build-reports" ]; then
+            echo "=== Scan-build analysis complete ==="
+            find scan-build-reports -name "*.html" -exec echo "Report: {}" \;
+            if find scan-build-reports -name "*.html" | head -1 | xargs grep -l "No bugs found" > /dev/null 2>&1; then
+              echo "✅ No static analysis issues found"
+            else
+              echo "⚠️  Static analysis issues detected - check artifacts"
+              find scan-build-reports -name "*.txt" -exec cat {} \; || true
+            fi
+          else
+            echo "No scan-build reports generated"
+          fi
