|
| 1 | +name: Clang Static Analyzer (scan-build) |
| 2 | + |
| 3 | +on: |
| 4 | + push: |
| 5 | + branches: [ 'master', 'main', 'release/**' ] |
| 6 | + pull_request: |
| 7 | + branches: [ '*' ] |
| 8 | + |
| 9 | +jobs: |
| 10 | + scan-build: |
| 11 | + runs-on: ubuntu-latest |
| 12 | + steps: |
| 13 | + - uses: actions/checkout@v4 |
| 14 | + |
| 15 | + # Install scan-build (part of clang-tools) |
| 16 | + - name: Install scan-build |
| 17 | + run: | |
| 18 | + sudo apt-get update |
| 19 | + sudo apt-get install -y clang-tools |
| 20 | +
|
| 21 | + # Cache Junit JARs |
| 22 | + - name: Cache Junit JARs |
| 23 | + uses: actions/cache@v3 |
| 24 | + id: cache-junit |
| 25 | + with: |
| 26 | + path: ${{ github.workspace }}/junit |
| 27 | + key: junit-cache-${{ runner.os }}-junit-4.13.2-hamcrest-1.3 |
| 28 | + restore-keys: | |
| 29 | + junit-cache-${{ runner.os }}- |
| 30 | +
|
| 31 | + # Download Junit JARs (needed for full build) |
| 32 | + - name: Download junit-4.13.2.jar |
| 33 | + if: steps.cache-junit.outputs.cache-hit != 'true' |
| 34 | + run: wget --directory-prefix=$GITHUB_WORKSPACE/junit https://repo1.maven.org/maven2/junit/junit/4.13.2/junit-4.13.2.jar |
| 35 | + - name: Download hamcrest-all-1.3.jar |
| 36 | + if: steps.cache-junit.outputs.cache-hit != 'true' |
| 37 | + run: wget --directory-prefix=$GITHUB_WORKSPACE/junit https://repo1.maven.org/maven2/org/hamcrest/hamcrest-all/1.3/hamcrest-all-1.3.jar |
| 38 | + |
| 39 | + # Build native wolfSSL |
| 40 | + - name: Build native wolfSSL |
| 41 | + uses: wolfSSL/actions-build-autotools-project@v1 |
| 42 | + with: |
| 43 | + repository: wolfSSL/wolfssl |
| 44 | + ref: master |
| 45 | + path: wolfssl |
| 46 | + configure: '--enable-jni --enable-all' |
| 47 | + check: false |
| 48 | + install: true |
| 49 | + |
| 50 | + # Setup Java |
| 51 | + - name: Setup java |
| 52 | + uses: actions/setup-java@v4 |
| 53 | + with: |
| 54 | + distribution: 'zulu' |
| 55 | + java-version: '11' |
| 56 | + |
| 57 | + - name: Set JUNIT_HOME |
| 58 | + run: | |
| 59 | + echo "JUNIT_HOME=$GITHUB_WORKSPACE/junit" >> "$GITHUB_ENV" |
| 60 | + - name: Set LD_LIBRARY_PATH |
| 61 | + run: | |
| 62 | + echo "LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$GITHUB_WORKSPACE/build-dir/lib" >> "$GITHUB_ENV" |
| 63 | +
|
| 64 | + # Copy appropriate makefile for Linux |
| 65 | + - name: Copy makefile |
| 66 | + run: cp makefile.linux makefile |
| 67 | + |
| 68 | + # Run scan-build over the native JNI C files |
| 69 | + - name: Run scan-build |
| 70 | + env: |
| 71 | + PREFIX: ${{ github.workspace }}/build-dir |
| 72 | + run: | |
| 73 | + scan-build --status-bugs -o scan-build-reports make |
| 74 | +
|
| 75 | + # Upload scan-build results as artifacts |
| 76 | + - name: Upload scan-build results |
| 77 | + if: always() |
| 78 | + uses: actions/upload-artifact@v4 |
| 79 | + with: |
| 80 | + name: scan-build-reports |
| 81 | + path: scan-build-reports/ |
| 82 | + |
| 83 | + # Show scan-build results in logs |
| 84 | + - name: Show scan-build results |
| 85 | + if: always() |
| 86 | + run: | |
| 87 | + if [ -d "scan-build-reports" ]; then |
| 88 | + echo "=== Scan-build analysis complete ===" |
| 89 | + find scan-build-reports -name "*.html" -exec echo "Report: {}" \; |
| 90 | + if find scan-build-reports -name "*.html" | head -1 | xargs grep -l "No bugs found" > /dev/null 2>&1; then |
| 91 | + echo "✅ No static analysis issues found" |
| 92 | + else |
| 93 | + echo "⚠️ Static analysis issues detected - check artifacts" |
| 94 | + find scan-build-reports -name "*.txt" -exec cat {} \; || true |
| 95 | + fi |
| 96 | + else |
| 97 | + echo "No scan-build reports generated" |
| 98 | + fi |
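Review bot: The two `wget` steps (file lines 34 and 37) download junit-4.13.2.jar and hamcrest-all-1.3.jar without checking a digest, and the `actions/cache` step then stores whatever was fetched under a fixed key. A corrupted or substituted download would therefore be reused by later runs. Following each download with a check such as `echo "<EXPECTED_SHA256>  $GITHUB_WORKSPACE/junit/junit-4.13.2.jar" | sha256sum -c -` (placeholder digest, with the real values committed in the workflow) would fail the job on a mismatch before the cache is saved. The workflow also has no `permissions:` block, so the job token takes the repository default; a top-level `permissions:` with `contents: read` looks sufficient for these steps. Separately, `wolfSSL/actions-build-autotools-project@v1` and `ref: master` are mutable references, so pinning the action to a full commit SHA would keep the analysed build reproducible.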