From 1c9af28611489dc3387cb44b20d0ab261b2053b0 Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann"
Date: Wed, 16 Aug 2023 03:04:42 -0300
Subject: ci: move main code checks into new check-c.yml
Move scan-build, cppcheck and CodeQL (cpp). This is similar to build-extra.yml, but for jobs that check for issues in the code rather than checking for build failures. Note: As this deletes codeql-analysis.yml, its configuration also has to be deleted in the GitHub web UI to prevent it from warning about the file being missing: * Security -> Code scanning -> Tool status -> (Setup Types) CodeQL -> (Configurations) language:python -> Delete configuration Misc: The above was clarified by @topimiettinen[1]. [1] https://github.com/netblue30/firejail/pull/5960#issuecomment-1685262643
---
.github/workflows/check-c.yml | 159 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 159 insertions(+)
create mode 100644 .github/workflows/check-c.yml
(limited to '.github/workflows/check-c.yml')
diff --git a/.github/workflows/check-c.yml b/.github/workflows/check-c.yml
new file mode 100644
index 000000000..472238ff0
--- /dev/null
+++ b/.github/workflows/check-c.yml
@@ -0,0 +1,159 @@
+name: Check-C
+
+on:
+ push:
+ paths:
+ - 'm4/**'
+ - 'src/**.c'
+ - 'src/**.h'
+ - 'src/**.mk'
+ - 'src/**Makefile'
+ - .github/workflows/check-c.yml
+ - Makefile
+ - ci/printenv.sh
+ - config.mk.in
+ - config.sh.in
+ - configure
+ - configure.ac
+ pull_request:
+ paths:
+ - 'm4/**'
+ - 'src/**.c'
+ - 'src/**.h'
+ - 'src/**.mk'
+ - 'src/**Makefile'
+ - .github/workflows/check-c.yml
+ - Makefile
+ - ci/printenv.sh
+ - config.mk.in
+ - config.sh.in
+ - configure
+ - configure.ac
+ schedule:
+ - cron: '0 7 * * 2'
+
+permissions: # added using https://github.com/step-security/secure-workflows
+ contents: read
+
+jobs:
+ scan-build:
+ runs-on: ubuntu-22.04
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
+ with:
+ egress-policy: block
+ allowed-endpoints: >
+ archive.ubuntu.com:80
+ azure.archive.ubuntu.com:80
+ github.com:443
+ packages.microsoft.com:443
+ ppa.launchpadcontent.net:443
+ security.ubuntu.com:80
+ - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+ - name: update package information
+ run: sudo apt-get update -qy
+ - name: install clang-tools-14 and dependencies
+ run: >
+ sudo apt-get install -qy
+ clang-tools-14 libapparmor-dev libselinux1-dev
+ - name: print env
+ run: ./ci/printenv.sh
+ - name: configure
+ run: >
+ CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor
+ --enable-selinux
+ || (cat config.log; exit 1)
+ - name: scan-build
+ run: scan-build-14 --status-bugs make
+
+ cppcheck:
+ runs-on: ubuntu-22.04
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
+ with:
+ egress-policy: block
+ allowed-endpoints: >
+ archive.ubuntu.com:80
+ azure.archive.ubuntu.com:80
+ github.com:443
+ packages.microsoft.com:443
+ ppa.launchpadcontent.net:443
+ security.ubuntu.com:80
+ - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+ - name: update package information
+ run: sudo 
apt-get update -qy
+ - name: install cppcheck
+ run: sudo apt-get install -qy cppcheck
+ - run: cppcheck --version
+ - name: cppcheck
+ run: >
+ cppcheck -q --force --error-exitcode=1 --enable=warning,performance
+ -i src/firejail/checkcfg.c -i src/firejail/main.c .
+
+ # new cppcheck version currently chokes on checkcfg.c and main.c, therefore
+ # scan all files also with older cppcheck version from ubuntu 20.04.
+ cppcheck_old:
+ runs-on: ubuntu-20.04
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
+ with:
+ egress-policy: block
+ allowed-endpoints: >
+ archive.ubuntu.com:80
+ azure.archive.ubuntu.com:80
+ github.com:443
+ packages.microsoft.com:443
+ ppa.launchpad.net:80
+ ppa.launchpadcontent.net:443
+ security.ubuntu.com:80
+ - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+ - name: update package information
+ run: sudo apt-get update -qy
+ - name: install cppcheck
+ run: sudo apt-get install -qy cppcheck
+ - run: cppcheck --version
+ - name: cppcheck
+ run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance .
+
+ codeql-cpp:
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ objects.githubusercontent.com:443
+ uploads.github.com:443
+
+ - name: Checkout repository
+ uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+
+ - name: print env
+ run: ./ci/printenv.sh
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@5b6282e01c62d02e720b81eb8a51204f527c3624
+ with:
+ languages: cpp
+
+ - name: configure
+ run: ./configure
+
+ - name: make
+ run: make -j "$(nproc)"
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@5b6282e01c62d02e720b81eb8a51204f527c3624
-- cgit v1.2.3-54-g00ecf
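Review bot: The codeql-cpp job builds with a bare `./configure`, so the code guarded by the AppArmor and SELinux options that the scan-build job enables with `--enable-apparmor --enable-selinux` is presumably never compiled in this job and therefore never reaches CodeQL; since the job runs with `disable-sudo: true` and allows no apt endpoints, the minimal fix is a comment above the configure step stating the gap, e.g. `# Plain ./configure: AppArmor/SELinux-only code is not built here (no sudo/apt in this job), so CodeQL does not analyze it; scan-build covers those paths.` The same job uses `runs-on: ubuntu-latest` while the other three jobs pin `ubuntu-22.04` or `ubuntu-20.04`, so its toolchain and results change silently when the runner image rolls over; pinning it the same way keeps the workflow reproducible. The file also has no header comment explaining what the commit message states, that it groups static-analysis jobs as opposed to the build checks in build-extra.yml; a one-line `# Static-analysis jobs (scan-build, cppcheck, CodeQL); build checks live in build-extra.yml` at the top would carry that into the file.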