# Checks for potential issues in the source code. name: Check-C on: workflow_dispatch: push: branches-ignore: - 'dependabot/**' paths: - '**.c' - '**.h' - 'm4/**' - 'src/**.mk' - 'src/**Makefile' - .github/workflows/check-c.yml - Makefile - ci/printenv.sh - config.mk.in - config.sh.in - configure - configure.ac pull_request: paths: - '**.c' - '**.h' - 'm4/**' - 'src/**.mk' - 'src/**Makefile' - .github/workflows/check-c.yml - Makefile - ci/printenv.sh - config.mk.in - config.sh.in - configure - configure.ac schedule: - cron: '0 7 * * 2' permissions: # added using https://github.com/step-security/secure-workflows contents: read jobs: scan-build: runs-on: ubuntu-22.04 timeout-minutes: 10 steps: - name: Harden Runner uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 with: egress-policy: block allowed-endpoints: > archive.ubuntu.com:80 azure.archive.ubuntu.com:80 github.com:443 packages.microsoft.com:443 ppa.launchpadcontent.net:443 security.ubuntu.com:80 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 - name: update package information run: sudo apt-get update -qy - name: install clang-tools-14 and dependencies run: > sudo apt-get install -qy clang-tools-14 libapparmor-dev libselinux1-dev - name: print env run: ./ci/printenv.sh - name: configure run: > ./configure CC=clang-14 SCAN_BUILD=scan-build-14 --prefix=/usr --enable-fatal-warnings --enable-apparmor --enable-selinux || (cat config.log; exit 1) - name: scan-build run: make scan-build cppcheck: runs-on: ubuntu-22.04 timeout-minutes: 10 steps: - name: Harden Runner uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 with: egress-policy: block allowed-endpoints: > archive.ubuntu.com:80 azure.archive.ubuntu.com:80 github.com:443 packages.microsoft.com:443 ppa.launchpadcontent.net:443 security.ubuntu.com:80 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 - name: update package information run: sudo apt-get update -qy - name: install cppcheck run: sudo apt-get install -qy cppcheck - name: configure run: > ./configure CPPCHECK='cppcheck -q' || (cat config.log; exit 1) - run: cppcheck --version - name: cppcheck run: make cppcheck # new cppcheck version currently chokes on checkcfg.c and main.c, therefore # scan all files also with older cppcheck version from ubuntu 20.04. cppcheck_old: runs-on: ubuntu-20.04 timeout-minutes: 10 steps: - name: Harden Runner uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 with: egress-policy: block allowed-endpoints: > archive.ubuntu.com:80 azure.archive.ubuntu.com:80 github.com:443 packages.microsoft.com:443 ppa.launchpad.net:80 ppa.launchpadcontent.net:443 security.ubuntu.com:80 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 - name: update package information run: sudo apt-get update -qy - name: install cppcheck run: sudo apt-get install -qy cppcheck - name: configure run: > ./configure CPPCHECK='cppcheck -q' || (cat config.log; exit 1) - run: cppcheck --version - name: cppcheck-old run: make cppcheck-old codeql-cpp: permissions: actions: read contents: read security-events: write runs-on: ubuntu-latest timeout-minutes: 10 steps: - name: Harden Runner uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 with: disable-sudo: true egress-policy: block allowed-endpoints: > api.github.com:443 github.com:443 objects.githubusercontent.com:443 uploads.github.com:443 - name: Checkout repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 - name: print env run: ./ci/printenv.sh # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL uses: github/codeql-action/init@47b3d888fe66b639e431abf22ebca059152f1eea with: languages: cpp - name: configure run: ./configure - name: make run: make -j "$(nproc)" - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@47b3d888fe66b639e431abf22ebca059152f1eea