From f3fadfa29db895ccf77d13bcbf1c3867bfda51bc Mon Sep 17 00:00:00 2001
From: Volodymyr Kolesnykov
Date: Sat, 13 Jan 2024 23:15:02 +0200
Subject: [PATCH] ci: add scan-build workflow
---
 .github/workflows/static-analysis.yml | 91 +++++++++++++++++++++++++++
 1 file changed, 91 insertions(+)
 create mode 100644 .github/workflows/static-analysis.yml
diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml
new file mode 100644
index 0000000..6a513f8
--- /dev/null
+++ b/.github/workflows/static-analysis.yml
@@ -0,0 +1,91 @@
+name: Static Code Analysis
+
+on:
+ push:
+ branches:
+ - master
+ pull_request:
+ branches:
+ - master
+ workflow_dispatch:
+
+permissions:
+ contents: none
+
+jobs:
+ scan-build:
+ name: Run Clang Analyzer
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
+ env:
+ CC: clang-17
+ CXX: clang++-17
+ CCC_CC: clang-17
+ CCC_CXX: clang++-17
+ DOTNET_SYSTEM_GLOBALIZATION_INVARIANT: 1
+ steps:
+ - name: Check out code
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+ - name: Install dependencies
+ run: |
+ sudo apt-get update
+ sudo apt-get install -y clang-tools ca-certificates python3-minimal python3-whichcraft nlohmann-json3-dev libsqlite3-dev libev-dev pkgconf
+
+ - name: Install newer Clang
+ run: |
+ wget https://apt.llvm.org/llvm.sh
+ chmod +x ./llvm.sh
+ sudo ./llvm.sh 17
+ sudo apt-get install -y clang-tools-17
+
+ - name: Install sarif-multitool
+ run: npm i -g @microsoft/sarif-multitool
+
+ - name: Install libada
+ run: |
+ git clone https://github.com/ada-url/ada.git --depth 1 -b v2.7.4
+ cd ada
+ cmake -B build -DCMAKE_BUILD_TYPE=MinSizeRel -DADA_TOOLS=off -DADA_TESTING=off
+ cmake --build build
+ sudo cmake --install build
+
+ - name: Install llhttp
+ run: |
+ wget -q -O - https://github.com/nodejs/llhttp/archive/refs/tags/release/v9.1.3.tar.gz | tar xzf -
+ cd llhttp-release-v*
+ cmake -B build -DCMAKE_BUILD_TYPE=MinSizeRel -DBUILD_SHARED_LIBS=OFF -DBUILD_STATIC_LIBS=ON
+ cmake --build build
+ sudo cmake --install build
+
+ - name: Install sqlite3pp
+ run: |
+ git clone https://github.com/iwongu/sqlite3pp.git --depth 1 -b v1.0.9 && \
+ cd sqlite3pp/headeronly_src && \
+ sudo cp ./* /usr/local/include
+
+ - name: Run analysis
+ run: |
+ scan-build cmake -B build -DCMAKE_BUILD_TYPE=MinSizeRel
+ scan-build --force-analyze-debug-code -sarif --status-bugs -o "${SCANBUILD_DIR}" cmake --build build
+ echo "directory=${SCANBUILD_DIR}/$(ls -1 ${SCANBUILD_DIR})" >> "${GITHUB_OUTPUT}"
+ continue-on-error: true
+ id: scanbuild
+ env:
+ SCANBUILD_DIR: /tmp/scanbuild
+
+ - name: Merge SARIF reports
+ run: sarif-multitool merge ${{steps.scanbuild.outputs.directory}}/*.sarif --recurse --output-directory=. --output-file=/tmp/scan-build.sarif
+
+ - name: Upload scan results
+ uses: github/codeql-action/upload-sarif@v3.23.0
+ with:
+ sarif_file: /tmp/scan-build.sarif
+ category: scanbuild
+ continue-on-error: true
+
+ - name: Set exit code
+ run: exit 1
+ if: steps.scanbuild.outcome == 'failure'
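Review bot: The `Install newer Clang` step downloads `https://apt.llvm.org/llvm.sh` and runs it with `sudo` without any integrity check, and the job pins its third-party inputs inconsistently: `actions/checkout` is pinned to a commit SHA, but `github/codeql-action/upload-sarif@v3.23.0` uses a mutable tag, `npm i -g @microsoft/sarif-multitool` takes whatever the registry currently serves, and the llhttp tarball and the two `git clone` calls are fetched by tag only. Since this job holds `security-events: write`, I would verify the script before executing it, e.g. `echo "<expected-sha256>  llvm.sh" | sha256sum -c -` ahead of `sudo ./llvm.sh 17`, pin the npm install to an explicit version (`npm i -g @microsoft/sarif-multitool@<version>`), and pin `upload-sarif` to a commit SHA with the tag in a trailing comment, as the checkout step already does. Separately, the `Merge SARIF reports` step has no guard for a clean run: scan-build removes its output directory when no reports were produced (as far as I recall), so `$(ls -1 ${SCANBUILD_DIR})` expands to empty and the merge fails even though `Set exit code` would have let the job pass; adding `if: steps.scanbuild.outcome == 'failure'` to the merge and upload steps, or checking that the directory exists first, keeps a finding-free analysis green. The unquoted `${SCANBUILD_DIR}` inside the `$(ls -1 ...)` substitution is harmless for the fixed `/tmp/scanbuild` value but would break if the path ever contained spaces.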