Diffstat (limited to '.github/workflows/check-c.yml')
-rw-r--r-- | .github/workflows/check-c.yml | 159 |
1 files changed, 159 insertions, 0 deletions
diff --git a/.github/workflows/check-c.yml b/.github/workflows/check-c.yml new file mode 100644 index 000000000..472238ff0 --- /dev/null +++ b/.github/workflows/check-c.yml | |||
@@ -0,0 +1,159 @@ | |||
1 | name: Check-C | ||
2 | |||
3 | on: | ||
4 | push: | ||
5 | paths: | ||
6 | - 'm4/**' | ||
7 | - 'src/**.c' | ||
8 | - 'src/**.h' | ||
9 | - 'src/**.mk' | ||
10 | - 'src/**Makefile' | ||
11 | - .github/workflows/check-c.yml | ||
12 | - Makefile | ||
13 | - ci/printenv.sh | ||
14 | - config.mk.in | ||
15 | - config.sh.in | ||
16 | - configure | ||
17 | - configure.ac | ||
18 | pull_request: | ||
19 | paths: | ||
20 | - 'm4/**' | ||
21 | - 'src/**.c' | ||
22 | - 'src/**.h' | ||
23 | - 'src/**.mk' | ||
24 | - 'src/**Makefile' | ||
25 | - .github/workflows/check-c.yml | ||
26 | - Makefile | ||
27 | - ci/printenv.sh | ||
28 | - config.mk.in | ||
29 | - config.sh.in | ||
30 | - configure | ||
31 | - configure.ac | ||
32 | schedule: | ||
33 | - cron: '0 7 * * 2' | ||
34 | |||
35 | permissions: # added using https://github.com/step-security/secure-workflows | ||
36 | contents: read | ||
37 | |||
38 | jobs: | ||
39 | scan-build: | ||
40 | runs-on: ubuntu-22.04 | ||
41 | steps: | ||
42 | - name: Harden Runner | ||
43 | uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 | ||
44 | with: | ||
45 | egress-policy: block | ||
46 | allowed-endpoints: > | ||
47 | archive.ubuntu.com:80 | ||
48 | azure.archive.ubuntu.com:80 | ||
49 | github.com:443 | ||
50 | packages.microsoft.com:443 | ||
51 | ppa.launchpadcontent.net:443 | ||
52 | security.ubuntu.com:80 | ||
53 | - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 | ||
54 | - name: update package information | ||
55 | run: sudo apt-get update -qy | ||
56 | - name: install clang-tools-14 and dependencies | ||
57 | run: > | ||
58 | sudo apt-get install -qy | ||
59 | clang-tools-14 libapparmor-dev libselinux1-dev | ||
60 | - name: print env | ||
61 | run: ./ci/printenv.sh | ||
62 | - name: configure | ||
63 | run: > | ||
64 | CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor | ||
65 | --enable-selinux | ||
66 | || (cat config.log; exit 1) | ||
67 | - name: scan-build | ||
68 | run: scan-build-14 --status-bugs make | ||
69 | |||
70 | cppcheck: | ||
71 | runs-on: ubuntu-22.04 | ||
72 | steps: | ||
73 | - name: Harden Runner | ||
74 | uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 | ||
75 | with: | ||
76 | egress-policy: block | ||
77 | allowed-endpoints: > | ||
78 | archive.ubuntu.com:80 | ||
79 | azure.archive.ubuntu.com:80 | ||
80 | github.com:443 | ||
81 | packages.microsoft.com:443 | ||
82 | ppa.launchpadcontent.net:443 | ||
83 | security.ubuntu.com:80 | ||
84 | - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 | ||
85 | - name: update package information | ||
86 | run: sudo apt-get update -qy | ||
87 | - name: install cppcheck | ||
88 | run: sudo apt-get install -qy cppcheck | ||
89 | - run: cppcheck --version | ||
90 | - name: cppcheck | ||
91 | run: > | ||
92 | cppcheck -q --force --error-exitcode=1 --enable=warning,performance | ||
93 | -i src/firejail/checkcfg.c -i src/firejail/main.c . | ||
94 | |||
95 | # new cppcheck version currently chokes on checkcfg.c and main.c, therefore | ||
96 | # scan all files also with older cppcheck version from ubuntu 20.04. | ||
97 | cppcheck_old: | ||
98 | runs-on: ubuntu-20.04 | ||
99 | steps: | ||
100 | - name: Harden Runner | ||
101 | uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 | ||
102 | with: | ||
103 | egress-policy: block | ||
104 | allowed-endpoints: > | ||
105 | archive.ubuntu.com:80 | ||
106 | azure.archive.ubuntu.com:80 | ||
107 | github.com:443 | ||
108 | packages.microsoft.com:443 | ||
109 | ppa.launchpad.net:80 | ||
110 | ppa.launchpadcontent.net:443 | ||
111 | security.ubuntu.com:80 | ||
112 | - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 | ||
113 | - name: update package information | ||
114 | run: sudo apt-get update -qy | ||
115 | - name: install cppcheck | ||
116 | run: sudo apt-get install -qy cppcheck | ||
117 | - run: cppcheck --version | ||
118 | - name: cppcheck | ||
119 | run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance . | ||
120 | |||
121 | codeql-cpp: | ||
122 | permissions: | ||
123 | actions: read | ||
124 | contents: read | ||
125 | security-events: write | ||
126 | runs-on: ubuntu-latest | ||
127 | |||
128 | steps: | ||
129 | - name: Harden Runner | ||
130 | uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 | ||
131 | with: | ||
132 | disable-sudo: true | ||
133 | egress-policy: block | ||
134 | allowed-endpoints: > | ||
135 | api.github.com:443 | ||
136 | github.com:443 | ||
137 | objects.githubusercontent.com:443 | ||
138 | uploads.github.com:443 | ||
139 | |||
140 | - name: Checkout repository | ||
141 | uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 | ||
142 | |||
143 | - name: print env | ||
144 | run: ./ci/printenv.sh | ||
145 | |||
146 | # Initializes the CodeQL tools for scanning. | ||
147 | - name: Initialize CodeQL | ||
148 | uses: github/codeql-action/init@5b6282e01c62d02e720b81eb8a51204f527c3624 | ||
149 | with: | ||
150 | languages: cpp | ||
151 | |||
152 | - name: configure | ||
153 | run: ./configure | ||
154 | |||
155 | - name: make | ||
156 | run: make -j "$(nproc)" | ||
157 | |||
158 | - name: Perform CodeQL Analysis | ||
159 | uses: github/codeql-action/analyze@5b6282e01c62d02e720b81eb8a51204f527c3624 | ||
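Review bot: The codeql-cpp job runs on `ubuntu-latest` while scan-build and cppcheck pin `ubuntu-22.04` and cppcheck_old pins `ubuntu-20.04`, so that one job's toolchain and image can change underneath the workflow whenever GitHub moves the alias; pin it as well, `runs-on: ubuntu-22.04`, and bump all jobs together on purpose. The `uses:` lines are pinned to bare commit SHAs, which is the right supply-chain choice, but without the resolved tag next to them a reviewer of a future bump cannot see which release the new SHA corresponds to; append it as a trailing comment on each pin, e.g. `uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # <resolved-tag>` (placeholder for the tag the SHA resolves to). The bare `- run: cppcheck --version` steps in the cppcheck and cppcheck_old jobs are the only unnamed steps in the file; giving them a `name:` such as `name: print cppcheck version` keeps the job log consistent with the surrounding steps.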