Skip to content

ci: Update iwyu to LLVM 19 #2403

ci: Update iwyu to LLVM 19

ci: Update iwyu to LLVM 19 #2403

Workflow file for this run

name: StaticAnalysis
on:
push:
paths:
# Workflow file itself
- '.github/workflows/StaticAnalysis.yml'
# C++ files
- '**.cpp'
- '**.hpp'
# CMake files
- '**.cmake'
- '**.txt'
# Script files
- '**.sh'
pull_request:
branches:
- main
- develop
paths:
# Workflow file itself
- '.github/workflows/StaticAnalysis.yml'
# C++ files
- '**.cpp'
- '**.hpp'
# CMake files
- '**.cmake'
- '**.txt'
# Script files
- '**.sh'
release:
types: [published]
workflow_dispatch:
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
cppcheck:
runs-on: ubuntu-22.04
# Don't run on dependabot PRs
if: github.actor != 'dependabot[bot]'
env:
LLVM_VERSION: 19
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Reviewdog
uses: reviewdog/action-setup@v1.3.0
with:
reviewdog_version: latest
- name: Install
env:
CPPCHECK_VERSION: "2.16.0"
run: scripts/ci/InstallTools.sh clang-${{ env.LLVM_VERSION }} cppcheck-${{ env.CPPCHECK_VERSION }} ninja
- name: Configure
run: |
# Create build directory
mkdir build -p
cd build
# Generate compile_commands.json
cmake .. -DCMAKE_EXPORT_COMPILE_COMMANDS:BOOL=ON -DPHI_TEST_WITH_ALL_STANDARDS:BOOL=OFF
- name: Run cppcheck
env:
CPPCHECK_SUPPRESSIONS: "--suppress=missingInclude --suppress=unusedFunction --suppress=unmatchedSuppression --suppress=syntaxError --suppress=cppcheckError --suppress=templateRecursion --suppress=noExplicitConstructor"
run: |
cppcheck --project=build/compile_commands.json --enable=all --inconclusive --inline-suppr --template='{file}:{line}:{column}: {severity}: {message} [{id}](CWE {cwe})' -DPHI_CONFIG_ALWAYS_INLINE_OVERWRITE=inline -DPHI_CONFIG_NEVER_INLINE_OVERWRITE="" ${{ env.CPPCHECK_SUPPRESSIONS }} --output-file=cppcheck.log
# Filter out test code
cat cppcheck.log | grep -Ev "Phi/tests|tests/integration" > cppcheck_filtered.log || true
- name: Print results
run: cat cppcheck_filtered.log
- name: Determine reporter
uses: haya14busa/action-cond@v1
id: reporter
with:
cond: ${{ github.event_name == 'pull_request' }}
if_true: 'github-pr-check'
if_false: 'github-check'
- name: ReviewDog check
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
cat cppcheck_filtered.log | reviewdog -efm="%f:%l:%c: %m" -reporter=${{ steps.reporter.outputs.value }} -name CppCheck -level warning
clang-tidy:
runs-on: ubuntu-22.04
# Don't run on dependabot PRs
if: github.actor != 'dependabot[bot]'
env:
LLVM_VERSION: 19
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Environment
run: scripts/ci/SetupEnvironment.sh
- name: Setup Reviewdog
uses: reviewdog/action-setup@v1.3.0
with:
reviewdog_version: latest
- name: Setup Python
uses: actions/setup-python@v5
with:
python-version: '3.x'
- name: Install
run: scripts/ci/InstallTools.sh clang-${{ env.LLVM_VERSION }} clang-tidy-${{ env.LLVM_VERSION }} ninja
- name: Run clang-tidy
run: |
# Create build directory
mkdir build -p
cd build
# Generate compile_commands.json
cmake .. -DCMAKE_EXPORT_COMPILE_COMMANDS:BOOL=ON -DPHI_TEST_COMPILE_FAILURES:BOOL=OFF -DPHI_TEST_WITH_ALL_STANDARDS:BOOL=OFF
# Run clang-tidy
run-clang-tidy-${{ env.LLVM_VERSION }} -quiet -header-filter=.* -j $(nproc) | tee clang_tidy.log
# Filter out external libraries and test code
cat clang_tidy.log | grep -E "warning: |error: " > clang_tidy_filtered.log || true
# Remove duplicate entries
sort clang_tidy_filtered.log | uniq > clang_tidy_output.log
- name: Print results
run: cat build/clang_tidy_output.log
- name: Determine reporter
uses: haya14busa/action-cond@v1
id: reporter
with:
cond: ${{ github.event_name == 'pull_request' }}
if_true: 'github-pr-check'
if_false: 'github-check'
- name: ReviewDog check
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
cat build/clang_tidy_output.log | reviewdog -efm="%f:%l:%c: warning: %m" -reporter=${{ steps.reporter.outputs.value }} -name Clang-Tidy -level warning
include-what-you-use:
runs-on: ubuntu-22.04
# Don't run on dependabot PRs
if: github.actor != 'dependabot[bot]'
env:
LLVM_VERSION: 19
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Python
uses: actions/setup-python@v5
with:
python-version: '3.x'
- name: Setup Reviewdog
uses: reviewdog/action-setup@v1.3.0
with:
reviewdog_version: latest
- name: Install
run: scripts/ci/InstallTools.sh iwyu-${{ env.LLVM_VERSION }} ninja
- name: Run Include-What-You-Use
run: |
# Create build directory
mkdir build -p
cd build
# Configure
cmake .. -DCMAKE_EXPORT_COMPILE_COMMANDS:BOOL=ON -DPHI_TEST_COMPILE_FAILURES:BOOL=OFF -DPHI_TEST_WITH_ALL_STANDARDS:BOOL=OFF
# Run include-what-you-use
iwyu_tool.py ../examples ../libs ../tests --jobs $(nproc) -p . -o clang -- -Xiwyu --cxx17ns | tee iwyu.log
# Filter out correct includes and generated code
cat iwyu.log | grep -Ev "#includes/fwd-decls are correct|tests/integration" > iwyu_filtered.log || true
- name: Print results
run: cat build/iwyu_filtered.log
- name: Determine reporter
uses: haya14busa/action-cond@v1
id: reporter
with:
cond: ${{ github.event_name == 'pull_request' }}
if_true: 'github-pr-check'
if_false: 'github-check'
- name: ReviewDog check
continue-on-error: true
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
cat build/iwyu_filtered.log | reviewdog -efm="%Z%A%f:%l:%c: error: %m" -efm="%C%m" -reporter=${{ steps.reporter.outputs.value }} -name include-what-you-use -level warning
cmake-lint:
runs-on: ubuntu-22.04
# Don't run on dependabot PRs
if: github.actor != 'dependabot[bot]'
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Reviewdog
uses: reviewdog/action-setup@v1.3.0
with:
reviewdog_version: latest
- name: Setup python
uses: actions/setup-python@v5
with:
python-version: '3.x'
- name: Install
run: scripts/ci/InstallTools.sh cmake-format
- name: Run cmake-lint
run: cmake-lint $(find -iregex "./.*\.cmake" -or -iregex "./.*\CMakeLists\.txt") -c ".cmake-format.yaml" --suppress-decorations --outfile-path cmake_lint.log || true
- name: Print results
run: cat cmake_lint.log
- name: Determine reporter
uses: haya14busa/action-cond@v1
id: reporter
with:
cond: ${{ github.event_name == 'pull_request' }}
if_true: 'github-pr-check'
if_false: 'github-check'
- name: ReviewDog check
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
cat cmake_lint.log | reviewdog -efm="%f:%l: %m" -reporter=${{ steps.reporter.outputs.value }} -name cmake-lint -level warning
pvs-studio:
runs-on: ubuntu-22.04
# Don't run on dependabot PRs
if: false && github.actor != 'dependabot[bot]'
env:
LLVM_VERSION: 19
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Environment
run: scripts/ci/SetupEnvironment.sh
- name: Setup Reviewdog
uses: reviewdog/action-setup@v1.3.0
with:
reviewdog_version: latest
- name: Install
run: scripts/ci/InstallTools.sh clang-${{ env.LLVM_VERSION }} pvs-studio ninja
- name: Configure build directory
run: |
mkdir build -p
cd build
# Configure
cmake .. -DCMAKE_EXPORT_COMPILE_COMMANDS:BOOL=ON -DPHI_TEST_COMPILE_FAILURES:BOOL=OFF
- name: Run PVS-Studio
working-directory: ./build
run: |
# Create License
pvs-studio-analyzer credentials ${{ secrets.PVS_USERNAME }} ${{ secrets.PVS_KEY }} -o PVS-Studio.lic
# Run analysis
pvs-studio-analyzer analyze --threads $(nproc) --lic-file PVS-Studio.lic --output-file PVS-Studio.log --exclude-path ../external
# Convert to readable format
plog-converter --renderTypes errorfile PVS-Studio.log --analyzer "GA:1,2,3;OP:1,2,3;64:1,2,3;CS:1,2,3" --output PVS-Studio.err
# Filter out external libraries, test code and help message
cat PVS-Studio.err | grep -Ev "Phi/external|Phi/tests|https://www.viva64.com/en/w/" > PVS-Studio_filtered.err || true
- name: Print results
run: cat build/PVS-Studio_filtered.err
- name: Determine reporter
uses: haya14busa/action-cond@v1
id: reporter
with:
cond: ${{ github.event_name == 'pull_request' }}
if_true: 'github-pr-check'
if_false: 'github-check'
- name: ReviewDog check
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
cat build/PVS-Studio_filtered.err | reviewdog -efm="%f:%l:%c: %m" -reporter=${{ steps.reporter.outputs.value }} -name PVS-Studio -level warning
code-ql:
runs-on: ubuntu-22.04
# Don't run on dependabot PRs
if: github.actor != 'dependabot[bot]'
env:
CODEQL_ACTION_EXTRA_OPTIONS: '{"database": {"run-queries": ["--off-heap-ram=0"]}}'
LLVM_VERSION: 19
permissions:
actions: read
contents: read
security-events: write
strategy:
fail-fast: false
matrix:
language: [ 'cpp' ]
steps:
# NOTE: We won't cache the compiliation since CodeQL requires a full rebuild for analysis to work
- name: Checkout repository
uses: actions/checkout@v4
- name: Setup Environment
run: scripts/ci/SetupEnvironment.sh
- name: Install compiler
run: scripts/ci/InstallTools.sh clang-${{ env.LLVM_VERSION }} ninja
- name: Configure build directory
run: |
mkdir build -p
cd build
cmake -DCMAKE_BUILD_TYPE:STRING="Debug" -DPHI_TEST_WITH_ALL_STANDARDS:BOOL=OFF -DPHI_BUILD_TESTS:BOOL=OFF ..
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
# Override language selection by uncommenting this and choosing your languages
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.
# queries: ./path/to/local/query, your-org/your-repo/queries@main
- name: Build
working-directory: ./build
run: cmake --build . --config "Debug"
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
mull:
runs-on: ubuntu-20.04
# Don't run on dependabot PRs
if: github.actor != 'dependabot[bot]'
env:
LLVM_VERSION: 12
MULL_VERSION: 12
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Environment
run: scripts/ci/SetupEnvironment.sh
- name: Setup Reviewdog
uses: reviewdog/action-setup@v1.3.0
with:
reviewdog_version: latest
- name: Install compiler / mull
run: scripts/ci/InstallTools.sh clang-${{ env.LLVM_VERSION }} mull-${{ env.MULL_VERSION }} ninja
- name: Configure
run: |
# Create build directory
mkdir build -p
cd build
# Generate compile_commands.json
cmake .. -DCMAKE_EXPORT_COMPILE_COMMANDS:BOOL=ON -DPHI_TEST_WITH_ALL_STANDARDS:BOOL=OFF -DPHI_TEST_COMPILE_FAILURES:BOOL=OFF -DCMAKE_CXX_FLAGS:STRING="-O0 -fexperimental-new-pass-manager -fpass-plugin=/usr/lib/mull-ir-frontend-${{ env.MULL_VERSION }} -g -grecord-command-line -fprofile-instr-generate -fcoverage-mapping" -DCMAKE_BUILD_TYPE:STRING=Debug
# Create mull.yml
echo "mutators:" >> mull.yml
echo " - cxx_all" >> mull.yml
- name: Build
working-directory: ./build
run: cmake --build .
- name: Run mull
working-directory: ./build
run: |
# Print all executables we found
echo "Executables to test:"
find bin -type f -iname "Phi*"
find bin -type f -iname "Phi*" -exec bash -c 'mull-runner-${{ env.MULL_VERSION }} $0' {} \; 2>&1 | tee --append mull_report.log
# Remove status lines
cat mull_report.log | grep "warning: Survived:" > mull_report_clean.log || true
# Remove cxx_remove_void_call
cat mull_report_clean.log | grep -Ev "\[cxx_remove_void_call\]" > mull_report_clean2.log || true
# Remove duplicate entries
sort mull_report_clean2.log | uniq -d > mull_report_filtered.log || true
- name: Print results
run: cat build/mull_report_filtered.log
- name: Determine reporter
uses: haya14busa/action-cond@v1
id: reporter
with:
cond: ${{ github.event_name == 'pull_request' }}
if_true: 'github-pr-check'
if_false: 'github-check'
- name: ReviewDog check
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
cat build/mull_report_filtered.log | reviewdog -efm="%f:%l:%c: warning: %m" -reporter=${{ steps.reporter.outputs.value }} -name mull -level warning
msvc-code-analysis:
runs-on: windows-2022
# Don't run on dependabot PRs
if: github.actor != 'dependabot[bot]'
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
# Default windows to use bash
defaults:
run:
shell: bash
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Configure
run: |
# Create build directory
mkdir build -p
cd build
# Configure
cmake .. -DCMAKE_EXPORT_COMPILE_COMMANDS:BOOL=ON -DPHI_TEST_WITH_ALL_STANDARDS:BOOL=OFF -DPHI_TEST_COMPILE_FAILURES:BOOL=OFF -DCMAKE_BUILD_TYPE:STRING="Debug"
- name: Build
working-directory: ./build
run: cmake --build . --config "Debug"
- name: Initialize MSVC Code Analysis
uses: microsoft/msvc-code-analysis-action@v0.1.1
# Provide a unique ID to access the sarif output path
id: run-analysis
with:
cmakeBuildDirectory: '${{ github.workspace }}/build'
buildConfiguration: "Debug"
# Ruleset file that will determine what checks will be run
ruleset: NativeRecommendedRules.ruleset
# Upload SARIF file to GitHub Code Scanning Alerts
- name: Upload SARIF to GitHub
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ steps.run-analysis.outputs.sarif }}
# Upload SARIF file as an Artifact to download and view
- name: Upload SARIF as an Artifact
uses: actions/upload-artifact@v4
with:
name: sarif-file
path: ${{ steps.run-analysis.outputs.sarif }}
dev-skim:
name: DevSkim
runs-on: ubuntu-22.04
# Don't run on dependabot PRs
if: github.actor != 'dependabot[bot]'
permissions:
actions: read
contents: read
security-events: write
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run DevSkim scanner
uses: microsoft/DevSkim-Action@v1
- name: Upload DevSkim scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: devskim-results.sarif
codacy-security-scan:
name: Codacy Security Scan
runs-on: ubuntu-22.04
# Don't run on dependabot PRs
if: github.actor != 'dependabot[bot]'
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
steps:
# Checkout the repository to the GitHub Actions runner
- name: Checkout code
uses: actions/checkout@v4
# Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis
- name: Run Codacy Analysis CLI
uses: codacy/codacy-analysis-cli-action@v4.4.5
with:
project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
verbose: true
output: results.sarif
format: sarif
# Adjust severity of non-security issues
gh-code-scanning-compat: true
# Force 0 exit code to allow SARIF file generation
# This will handover control about PR rejection to the GitHub side
max-allowed-issues: 2147483647
run-staticcheck: "true"
# Upload the SARIF file generated in the previous step
- name: Upload SARIF results file
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
shellcheck:
name: ShellCheck
runs-on: ubuntu-22.04
# Don't run on dependabot PRs
if: github.actor != 'dependabot[bot]'
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Determine reporter
uses: haya14busa/action-cond@v1
id: reporter
with:
cond: ${{ github.event_name == 'pull_request' }}
if_true: 'github-pr-check'
if_false: 'github-check'
- name: Run shellcheck with reviewdog
uses: reviewdog/action-shellcheck@v1
with:
github_token: ${{ secrets.github_token }}
reporter: ${{ steps.reporter.outputs.value }}
level: warning
path: "./scripts"
pattern: "*.sh"
exclude: "./.git/*"