ci: move main code checks into new check-c.yml

Move scan-build, cppcheck and CodeQL (cpp). This is similar to build-extra.yml, but for jobs that check for issues in the code rather than checking for build failures. Note: As this deletes codeql-analysis.yml, its configuration also has to be deleted in the GitHub web UI to prevent it from warning about the file being missing: * Security -> Code scanning -> Tool status -> (Setup Types) CodeQL -> (Configurations) language:python -> Delete configuration Misc: The above was clarified by @topimiettinen[1]. [1] https://github.com/netblue30/firejail/pull/5960#issuecomment-1685262643
author: Kelvin M. Klann <kmk3.code@protonmail.com> 2023-08-16 03:04:42 -0300
committer: Kelvin M. Klann <kmk3.code@protonmail.com> 2023-08-22 04:58:21 -0300
commit: 1c9af28611489dc3387cb44b20d0ab261b2053b0 (patch)
tree: eabd6d3f1ba6f1d358fdc85efe234f4a135e184c /.github
parent: ci: run make in parallel where applicable (diff)
download: firejail-1c9af28611489dc3387cb44b20d0ab261b2053b0.tar.gz
firejail-1c9af28611489dc3387cb44b20d0ab261b2053b0.tar.zst
firejail-1c9af28611489dc3387cb44b20d0ab261b2053b0.zip
3 files changed, 159 insertions, 157 deletions
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml
index b6e8e902b..b538fde68 100644
--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -68,82 +68,3 @@ jobs:
      run: sudo make install
    - name: print version
      run: command -V firejail && firejail --version
-  scan-build:
-    runs-on: ubuntu-22.04
-    steps:
-    - name: Harden Runner
-      uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
-      with:
-        egress-policy: block
-        allowed-endpoints: >
-          archive.ubuntu.com:80
-          azure.archive.ubuntu.com:80
-          github.com:443
-          packages.microsoft.com:443
-          ppa.launchpadcontent.net:443
-          security.ubuntu.com:80
-    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
-    - name: update package information
-      run: sudo apt-get update -qy
-    - name: install clang-tools-14 and dependencies
-      run: >
-        sudo apt-get install -qy
-        clang-tools-14 libapparmor-dev libselinux1-dev
-    - name: print env
-      run: ./ci/printenv.sh
-    - name: configure
-      run: >
-        CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor
-        --enable-selinux
-        || (cat config.log; exit 1)
-    - name: scan-build
-      run: scan-build-14 --status-bugs make
-  cppcheck:
-    runs-on: ubuntu-22.04
-    steps:
-    - name: Harden Runner
-      uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
-      with:
-        egress-policy: block
-        allowed-endpoints: >
-          archive.ubuntu.com:80
-          azure.archive.ubuntu.com:80
-          github.com:443
-          packages.microsoft.com:443
-          ppa.launchpadcontent.net:443
-          security.ubuntu.com:80
-    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
-    - name: update package information
-      run: sudo apt-get update -qy
-    - name: install cppcheck
-      run: sudo apt-get install -qy cppcheck
-    - run: cppcheck --version
-    - name: cppcheck
-      run: >
-        cppcheck -q --force --error-exitcode=1 --enable=warning,performance
-        -i src/firejail/checkcfg.c -i src/firejail/main.c .
-  # new cppcheck version currently chokes on checkcfg.c and main.c, therefore
-  # scan all files also with older cppcheck version from ubuntu 20.04.
-  cppcheck_old:
-    runs-on: ubuntu-20.04
-    steps:
-    - name: Harden Runner
-      uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
-      with:
-        egress-policy: block
-        allowed-endpoints: >
-          archive.ubuntu.com:80
-          azure.archive.ubuntu.com:80
-          github.com:443
-          packages.microsoft.com:443
-          ppa.launchpad.net:80
-          ppa.launchpadcontent.net:443
-          security.ubuntu.com:80
-    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
-    - name: update package information
-      run: sudo apt-get update -qy
-    - name: install cppcheck
-      run: sudo apt-get install -qy cppcheck
-    - run: cppcheck --version
-    - name: cppcheck
-      run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance .
diff --git a/.github/workflows/check-c.yml b/.github/workflows/check-c.yml
new file mode 100644
index 000000000..472238ff0
--- /dev/null
+++ b/.github/workflows/check-c.yml
@@ -0,0 +1,159 @@
+name: Check-C
+on:
+  push:
+    paths:
+      - 'm4/**'
+      - 'src/**.c'
+      - 'src/**.h'
+      - 'src/**.mk'
+      - 'src/**Makefile'
+      - .github/workflows/check-c.yml
+      - Makefile
+      - ci/printenv.sh
+      - config.mk.in
+      - config.sh.in
+      - configure
+      - configure.ac
+  pull_request:
+    paths:
+      - 'm4/**'
+      - 'src/**.c'
+      - 'src/**.h'
+      - 'src/**.mk'
+      - 'src/**Makefile'
+      - .github/workflows/check-c.yml
+      - Makefile
+      - ci/printenv.sh
+      - config.mk.in
+      - config.sh.in
+      - configure
+      - configure.ac
+  schedule:
+    - cron: '0 7 * * 2'
+permissions:  # added using https://github.com/step-security/secure-workflows
+  contents: read
+jobs:
+  scan-build:
+    runs-on: ubuntu-22.04
+    steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
+      with:
+        egress-policy: block
+        allowed-endpoints: >
+          archive.ubuntu.com:80
+          azure.archive.ubuntu.com:80
+          github.com:443
+          packages.microsoft.com:443
+          ppa.launchpadcontent.net:443
+          security.ubuntu.com:80
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+    - name: update package information
+      run: sudo apt-get update -qy
+    - name: install clang-tools-14 and dependencies
+      run: >
+        sudo apt-get install -qy
+        clang-tools-14 libapparmor-dev libselinux1-dev
+    - name: print env
+      run: ./ci/printenv.sh
+    - name: configure
+      run: >
+        CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor
+        --enable-selinux
+        || (cat config.log; exit 1)
+    - name: scan-build
+      run: scan-build-14 --status-bugs make
+  cppcheck:
+    runs-on: ubuntu-22.04
+    steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
+      with:
+        egress-policy: block
+        allowed-endpoints: >
+          archive.ubuntu.com:80
+          azure.archive.ubuntu.com:80
+          github.com:443
+          packages.microsoft.com:443
+          ppa.launchpadcontent.net:443
+          security.ubuntu.com:80
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+    - name: update package information
+      run: sudo apt-get update -qy
+    - name: install cppcheck
+      run: sudo apt-get install -qy cppcheck
+    - run: cppcheck --version
+    - name: cppcheck
+      run: >
+        cppcheck -q --force --error-exitcode=1 --enable=warning,performance
+        -i src/firejail/checkcfg.c -i src/firejail/main.c .
+  # new cppcheck version currently chokes on checkcfg.c and main.c, therefore
+  # scan all files also with older cppcheck version from ubuntu 20.04.
+  cppcheck_old:
+    runs-on: ubuntu-20.04
+    steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
+      with:
+        egress-policy: block
+        allowed-endpoints: >
+          archive.ubuntu.com:80
+          azure.archive.ubuntu.com:80
+          github.com:443
+          packages.microsoft.com:443
+          ppa.launchpad.net:80
+          ppa.launchpadcontent.net:443
+          security.ubuntu.com:80
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+    - name: update package information
+      run: sudo apt-get update -qy
+    - name: install cppcheck
+      run: sudo apt-get install -qy cppcheck
+    - run: cppcheck --version
+    - name: cppcheck
+      run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance .
+  codeql-cpp:
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    runs-on: ubuntu-latest
+    steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
+      with:
+        disable-sudo: true
+        egress-policy: block
+        allowed-endpoints: >
+          api.github.com:443
+          github.com:443
+          objects.githubusercontent.com:443
+          uploads.github.com:443
+    - name: Checkout repository
+      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+    - name: print env
+      run: ./ci/printenv.sh
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@5b6282e01c62d02e720b81eb8a51204f527c3624
+      with:
+        languages: cpp
+    - name: configure
+      run: ./configure
+    - name: make
+      run: make -j "$(nproc)"
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@5b6282e01c62d02e720b81eb8a51204f527c3624
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
deleted file mode 100644
index b4a5b55dd..000000000
--- a/.github/workflows/codeql-analysis.yml
+++ /dev/null
@@ -1,78 +0,0 @@
-name: CodeQL
-on:
-  push:
-    paths:
-      - 'm4/**'
-      - 'src/**.c'
-      - 'src/**.h'
-      - 'src/**.mk'
-      - 'src/**Makefile'
-      - .github/workflows/codeql-analysis.yml
-      - Makefile
-      - ci/printenv.sh
-      - config.mk.in
-      - config.sh.in
-      - configure
-      - configure.ac
-  pull_request:
-    paths:
-      - 'm4/**'
-      - 'src/**.c'
-      - 'src/**.h'
-      - 'src/**.mk'
-      - 'src/**Makefile'
-      - .github/workflows/codeql-analysis.yml
-      - Makefile
-      - ci/printenv.sh
-      - config.mk.in
-      - config.sh.in
-      - configure
-      - configure.ac
-  schedule:
-    - cron: '0 7 * * 2'
-permissions:  # added using https://github.com/step-security/secure-workflows
-  contents: read
-jobs:
-  analyze:
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
-    name: Analyze
-    runs-on: ubuntu-latest
-    steps:
-    - name: Harden Runner
-      uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
-      with:
-        disable-sudo: true
-        egress-policy: block
-        allowed-endpoints: >
-          api.github.com:443
-          github.com:443
-          objects.githubusercontent.com:443
-          uploads.github.com:443
-    - name: Checkout repository
-      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
-    - name: print env
-      run: ./ci/printenv.sh
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@5b6282e01c62d02e720b81eb8a51204f527c3624
-      with:
-        languages: cpp
-    - name: configure
-      run: ./configure
-    - name: make
-      run: make -j "$(nproc)"
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@5b6282e01c62d02e720b81eb8a51204f527c3624
author	Kelvin M. Klann <kmk3.code@protonmail.com>	2023-08-16 03:04:42 -0300
committer	Kelvin M. Klann <kmk3.code@protonmail.com>	2023-08-22 04:58:21 -0300
commit	1c9af28611489dc3387cb44b20d0ab261b2053b0 (patch)
tree	eabd6d3f1ba6f1d358fdc85efe234f4a135e184c /.github
parent	ci: run make in parallel where applicable (diff)
download	firejail-1c9af28611489dc3387cb44b20d0ab261b2053b0.tar.gz firejail-1c9af28611489dc3387cb44b20d0ab261b2053b0.tar.zst firejail-1c9af28611489dc3387cb44b20d0ab261b2053b0.zip