author | Kelvin M. Klann <kmk3.code@protonmail.com> | 2023-08-16 03:04:42 -0300 |
committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2023-08-22 04:58:21 -0300 |
commit | 1c9af28611489dc3387cb44b20d0ab261b2053b0 (patch) | |
tree | eabd6d3f1ba6f1d358fdc85efe234f4a135e184c /.github/workflows/build-extra.yml | |
parent | ci: run make in parallel where applicable (diff) | |
ci: move main code checks into new check-c.yml
Move scan-build, cppcheck and CodeQL (cpp).
This is similar to build-extra.yml, but for jobs that check for issues
in the code rather than checking for build failures.
Note: As this deletes codeql-analysis.yml, its configuration also has to
be deleted in the GitHub web UI to prevent it from warning about the
file being missing:
* Security -> Code scanning -> Tool status -> (Setup Types) CodeQL ->
(Configurations) language:python -> Delete configuration
Misc: The above was clarified by @topimiettinen[1].
[1] https://github.com/netblue30/firejail/pull/5960#issuecomment-1685262643
Diffstat (limited to '.github/workflows/build-extra.yml')
-rw-r--r-- | .github/workflows/build-extra.yml | 79 |
1 files changed, 0 insertions, 79 deletions
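--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -68,82 +68,3 @@ jobs:
         run: sudo make install
       - name: print version
         run: command -V firejail && firejail --version
-  scan-build:
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            archive.ubuntu.com:80
-            azure.archive.ubuntu.com:80
-            github.com:443
-            packages.microsoft.com:443
-            ppa.launchpadcontent.net:443
-            security.ubuntu.com:80
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
-      - name: update package information
-        run: sudo apt-get update -qy
-      - name: install clang-tools-14 and dependencies
-        run: >
-          sudo apt-get install -qy
-          clang-tools-14 libapparmor-dev libselinux1-dev
-      - name: print env
-        run: ./ci/printenv.sh
-      - name: configure
-        run: >
-          CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor
-          --enable-selinux
-          || (cat config.log; exit 1)
-      - name: scan-build
-        run: scan-build-14 --status-bugs make
-  cppcheck:
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            archive.ubuntu.com:80
-            azure.archive.ubuntu.com:80
-            github.com:443
-            packages.microsoft.com:443
-            ppa.launchpadcontent.net:443
-            security.ubuntu.com:80
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
-      - name: update package information
-        run: sudo apt-get update -qy
-      - name: install cppcheck
-        run: sudo apt-get install -qy cppcheck
-      - run: cppcheck --version
-      - name: cppcheck
-        run: >
-          cppcheck -q --force --error-exitcode=1 --enable=warning,performance
-          -i src/firejail/checkcfg.c -i src/firejail/main.c .
-  # new cppcheck version currently chokes on checkcfg.c and main.c, therefore
-  # scan all files also with older cppcheck version from ubuntu 20.04.
-  cppcheck_old:
-    runs-on: ubuntu-20.04
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            archive.ubuntu.com:80
-            azure.archive.ubuntu.com:80
-            github.com:443
-            packages.microsoft.com:443
-            ppa.launchpad.net:80
-            ppa.launchpadcontent.net:443
-            security.ubuntu.com:80
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
-      - name: update package information
-        run: sudo apt-get update -qy
-      - name: install cppcheck
-        run: sudo apt-get install -qy cppcheck
-      - run: cppcheck --version
-      - name: cppcheck
-        run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance .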