From 1c9af28611489dc3387cb44b20d0ab261b2053b0 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Wed, 16 Aug 2023 03:04:42 -0300 Subject: ci: move main code checks into new check-c.yml Move scan-build, cppcheck and CodeQL (cpp). This is similar to build-extra.yml, but for jobs that check for issues in the code rather than checking for build failures. Note: As this deletes codeql-analysis.yml, its configuration also has to be deleted in the GitHub web UI to prevent it from warning about the file being missing: * Security -> Code scanning -> Tool status -> (Setup Types) CodeQL -> (Configurations) language:python -> Delete configuration Misc: The above was clarified by @topimiettinen[1]. [1] https://github.com/netblue30/firejail/pull/5960#issuecomment-1685262643
---
 .github/workflows/build-extra.yml | 79 ----------------- .github/workflows/check-c.yml | 159 ++++++++++++++++++++++++++++++++++ .github/workflows/codeql-analysis.yml | 78 ----------------- 3 files changed, 159 insertions(+), 157 deletions(-) create mode 100644 .github/workflows/check-c.yml delete mode 100644 .github/workflows/codeql-analysis.yml (limited to '.github')
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml
index b6e8e902b..b538fde68 100644
--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -68,82 +68,3 @@ jobs: run: sudo make install - name: print version run: command -V firejail && firejail --version - scan-build: - runs-on: ubuntu-22.04 - steps: - - name: Harden Runner - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 - with: - egress-policy: block - allowed-endpoints: > - archive.ubuntu.com:80 - azure.archive.ubuntu.com:80 - github.com:443 - packages.microsoft.com:443 - ppa.launchpadcontent.net:443 - security.ubuntu.com:80 - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 - - name: update package information - run: sudo apt-get update -qy - - name: install clang-tools-14 and dependencies - run: > - sudo apt-get install -qy - clang-tools-14 libapparmor-dev libselinux1-dev - - name: print env - run: ./ci/printenv.sh - - name: configure - run: > - CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor - --enable-selinux - || (cat config.log; exit 1) - - name: scan-build - run: scan-build-14 --status-bugs make - cppcheck: - runs-on: ubuntu-22.04 - steps: - - name: Harden Runner - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 - with: - egress-policy: block - allowed-endpoints: > - archive.ubuntu.com:80 - azure.archive.ubuntu.com:80 - github.com:443 - packages.microsoft.com:443 - ppa.launchpadcontent.net:443 - security.ubuntu.com:80 - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 - - name: update package information - run: sudo apt-get update -qy - - name: install cppcheck - run: sudo apt-get install -qy cppcheck - - run: cppcheck --version - - name: cppcheck - run: > - cppcheck -q --force --error-exitcode=1 --enable=warning,performance - -i src/firejail/checkcfg.c -i src/firejail/main.c . - # new cppcheck version currently chokes on checkcfg.c and main.c, therefore - # scan all files also with older cppcheck version from ubuntu 20.04. 
- cppcheck_old: - runs-on: ubuntu-20.04 - steps: - - name: Harden Runner - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 - with: - egress-policy: block - allowed-endpoints: > - archive.ubuntu.com:80 - azure.archive.ubuntu.com:80 - github.com:443 - packages.microsoft.com:443 - ppa.launchpad.net:80 - ppa.launchpadcontent.net:443 - security.ubuntu.com:80 - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 - - name: update package information - run: sudo apt-get update -qy - - name: install cppcheck - run: sudo apt-get install -qy cppcheck - - run: cppcheck --version - - name: cppcheck - run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance .
diff --git a/.github/workflows/check-c.yml b/.github/workflows/check-c.yml
new file mode 100644
index 000000000..472238ff0
--- /dev/null
+++ b/.github/workflows/check-c.yml
@@ -0,0 +1,159 @@ +name: Check-C + +on: + push: + paths: + - 'm4/**' + - 'src/**.c' + - 'src/**.h' + - 'src/**.mk' + - 'src/**Makefile' + - .github/workflows/check-c.yml + - Makefile + - ci/printenv.sh + - config.mk.in + - config.sh.in + - configure + - configure.ac + pull_request: + paths: + - 'm4/**' + - 'src/**.c' + - 'src/**.h' + - 'src/**.mk' + - 'src/**Makefile' + - .github/workflows/check-c.yml + - Makefile + - ci/printenv.sh + - config.mk.in + - config.sh.in + - configure + - configure.ac + schedule: + - cron: '0 7 * * 2' + +permissions: # added using https://github.com/step-security/secure-workflows + contents: read + +jobs: + scan-build: + runs-on: ubuntu-22.04 + steps: + - name: Harden Runner + uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 + with: + egress-policy: block + allowed-endpoints: > + archive.ubuntu.com:80 + azure.archive.ubuntu.com:80 + github.com:443 + packages.microsoft.com:443 + ppa.launchpadcontent.net:443 + security.ubuntu.com:80 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 + - name: update package information + run: sudo apt-get update -qy + - name: install clang-tools-14 and dependencies + run: > + sudo apt-get install -qy + clang-tools-14 libapparmor-dev libselinux1-dev + - name: print env + run: ./ci/printenv.sh + - name: configure + run: > + CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor + --enable-selinux + || (cat config.log; exit 1) + - name: scan-build + run: scan-build-14 --status-bugs make + + cppcheck: + runs-on: ubuntu-22.04 + steps: + - name: Harden Runner + uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 + with: + egress-policy: block + allowed-endpoints: > + archive.ubuntu.com:80 + azure.archive.ubuntu.com:80 + github.com:443 + packages.microsoft.com:443 + ppa.launchpadcontent.net:443 + security.ubuntu.com:80 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 + - name: update package information + run: sudo 
apt-get update -qy + - name: install cppcheck + run: sudo apt-get install -qy cppcheck + - run: cppcheck --version + - name: cppcheck + run: > + cppcheck -q --force --error-exitcode=1 --enable=warning,performance + -i src/firejail/checkcfg.c -i src/firejail/main.c . + + # new cppcheck version currently chokes on checkcfg.c and main.c, therefore + # scan all files also with older cppcheck version from ubuntu 20.04. + cppcheck_old: + runs-on: ubuntu-20.04 + steps: + - name: Harden Runner + uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 + with: + egress-policy: block + allowed-endpoints: > + archive.ubuntu.com:80 + azure.archive.ubuntu.com:80 + github.com:443 + packages.microsoft.com:443 + ppa.launchpad.net:80 + ppa.launchpadcontent.net:443 + security.ubuntu.com:80 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 + - name: update package information + run: sudo apt-get update -qy + - name: install cppcheck + run: sudo apt-get install -qy cppcheck + - run: cppcheck --version + - name: cppcheck + run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance . + + codeql-cpp: + permissions: + actions: read + contents: read + security-events: write + runs-on: ubuntu-latest + + steps: + - name: Harden Runner + uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + objects.githubusercontent.com:443 + uploads.github.com:443 + + - name: Checkout repository + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 + + - name: print env + run: ./ci/printenv.sh + + # Initializes the CodeQL tools for scanning. 
+ - name: Initialize CodeQL + uses: github/codeql-action/init@5b6282e01c62d02e720b81eb8a51204f527c3624 + with: + languages: cpp + + - name: configure + run: ./configure + + - name: make + run: make -j "$(nproc)" + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@5b6282e01c62d02e720b81eb8a51204f527c3624
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
deleted file mode 100644
index b4a5b55dd..000000000
--- a/.github/workflows/codeql-analysis.yml
+++ /dev/null
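Review bot: The `codeql-cpp` job in the new check-c.yml runs on `ubuntu-latest` while the sibling `scan-build`, `cppcheck` and `cppcheck_old` jobs in the same file pin `ubuntu-22.04` / `ubuntu-20.04`, so a runner-image rollover can change the toolchain that `./configure` and `make` see in the CodeQL build without any change to the repository. This looks inherited verbatim from the deleted codeql-analysis.yml, so it is a follow-up rather than a blocker, but consolidating the jobs is the natural moment to align it: `runs-on: ubuntu-22.04`. Separately, the `cppcheck` step's `-i src/firejail/checkcfg.c -i src/firejail/main.c` exclusion is explained only by the comment placed above `cppcheck_old`; a short comment on the `cppcheck` step itself, e.g. `# checkcfg.c and main.c are skipped here and covered by cppcheck_old`, would keep that coverage dependency visible if the 20.04 job is ever dropped.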
@@ -1,78 +0,0 @@ -name: CodeQL - -on: - push: - paths: - - 'm4/**' - - 'src/**.c' - - 'src/**.h' - - 'src/**.mk' - - 'src/**Makefile' - - .github/workflows/codeql-analysis.yml - - Makefile - - ci/printenv.sh - - config.mk.in - - config.sh.in - - configure - - configure.ac - pull_request: - paths: - - 'm4/**' - - 'src/**.c' - - 'src/**.h' - - 'src/**.mk' - - 'src/**Makefile' - - .github/workflows/codeql-analysis.yml - - Makefile - - ci/printenv.sh - - config.mk.in - - config.sh.in - - configure - - configure.ac - schedule: - - cron: '0 7 * * 2' - -permissions: # added using https://github.com/step-security/secure-workflows - contents: read - -jobs: - analyze: - permissions: - actions: read - contents: read - security-events: write - name: Analyze - runs-on: ubuntu-latest - - steps: - - name: Harden Runner - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: > - api.github.com:443 - github.com:443 - objects.githubusercontent.com:443 - uploads.github.com:443 - - - name: Checkout repository - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 - - - name: print env - run: ./ci/printenv.sh - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@5b6282e01c62d02e720b81eb8a51204f527c3624 - with: - languages: cpp - - - name: configure - run: ./configure - - - name: make - run: make -j "$(nproc)" - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@5b6282e01c62d02e720b81eb8a51204f527c3624 -- cgit v1.2.3-54-g00ecf