From 1c9af28611489dc3387cb44b20d0ab261b2053b0 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Wed, 16 Aug 2023 03:04:42 -0300 Subject: ci: move main code checks into new check-c.yml Move scan-build, cppcheck and CodeQL (cpp). This is similar to build-extra.yml, but for jobs that check for issues in the code rather than checking for build failures. Note: As this deletes codeql-analysis.yml, its configuration also has to be deleted in the GitHub web UI to prevent it from warning about the file being missing: * Security -> Code scanning -> Tool status -> (Setup Types) CodeQL -> (Configurations) language:python -> Delete configuration Misc: The above was clarified by @topimiettinen[1]. [1] https://github.com/netblue30/firejail/pull/5960#issuecomment-1685262643 --- .github/workflows/build-extra.yml | 79 --------------------------------------- 1 file changed, 79 deletions(-) (limited to '.github/workflows/build-extra.yml') diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml index b6e8e902b..b538fde68 100644 --- a/.github/workflows/build-extra.yml +++ b/.github/workflows/build-extra.yml @@ -68,82 +68,3 @@ jobs: run: sudo make install - name: print version run: command -V firejail && firejail --version - scan-build: - runs-on: ubuntu-22.04 - steps: - - name: Harden Runner - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 - with: - egress-policy: block - allowed-endpoints: > - archive.ubuntu.com:80 - azure.archive.ubuntu.com:80 - github.com:443 - packages.microsoft.com:443 - ppa.launchpadcontent.net:443 - security.ubuntu.com:80 - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 - - name: update package information - run: sudo apt-get update -qy - - name: install clang-tools-14 and dependencies - run: > - sudo apt-get install -qy - clang-tools-14 libapparmor-dev libselinux1-dev - - name: print env - run: ./ci/printenv.sh - - name: configure - run: > - CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor - --enable-selinux - || (cat config.log; exit 1) - - name: scan-build - run: scan-build-14 --status-bugs make - cppcheck: - runs-on: ubuntu-22.04 - steps: - - name: Harden Runner - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 - with: - egress-policy: block - allowed-endpoints: > - archive.ubuntu.com:80 - azure.archive.ubuntu.com:80 - github.com:443 - packages.microsoft.com:443 - ppa.launchpadcontent.net:443 - security.ubuntu.com:80 - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 - - name: update package information - run: sudo apt-get update -qy - - name: install cppcheck - run: sudo apt-get install -qy cppcheck - - run: cppcheck --version - - name: cppcheck - run: > - cppcheck -q --force --error-exitcode=1 --enable=warning,performance - -i src/firejail/checkcfg.c -i src/firejail/main.c . - # new cppcheck version currently chokes on checkcfg.c and main.c, therefore - # scan all files also with older cppcheck version from ubuntu 20.04. - cppcheck_old: - runs-on: ubuntu-20.04 - steps: - - name: Harden Runner - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 - with: - egress-policy: block - allowed-endpoints: > - archive.ubuntu.com:80 - azure.archive.ubuntu.com:80 - github.com:443 - packages.microsoft.com:443 - ppa.launchpad.net:80 - ppa.launchpadcontent.net:443 - security.ubuntu.com:80 - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 - - name: update package information - run: sudo apt-get update -qy - - name: install cppcheck - run: sudo apt-get install -qy cppcheck - - run: cppcheck --version - - name: cppcheck - run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance . -- cgit v1.2.3-54-g00ecf