-
Notifications
You must be signed in to change notification settings - Fork 1.3k
72 lines (60 loc) · 3.04 KB
/
cppcheck-scan.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
# Adapted from https://github.com/nasa/cFS/blob/c36aa2c1df0fb47a3838577908af3d0d0ab0ef54/.github/workflows/static-analysis.yml
name: "Cppcheck Scan"
on:
push:
branches: [ devel, release/** ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ devel, release/** ]
paths-ignore:
- 'docs/**'
- '**.md'
- '.github/actions/spelling/**'
- '.github/ISSUE_TEMPLATE/**'
jobs:
cppcheck:
name: Cppcheck
runs-on: ubuntu-22.04
permissions:
actions: read
contents: read
security-events: write
steps:
- name: "Checkout F´ Repository"
uses: actions/checkout@v4
with:
fetch-depth: 0
submodules: true
- uses: ./.github/actions/setup
- name: Install cppcheck
run: sudo apt-get install cppcheck xsltproc -y
- name: Install sarif tool
run: npm i -g @microsoft/sarif-multitool
# With a CMake-based project, we get the list of files by setting up a build with CMAKE_EXPORT_COMPILE_COMMANDS=ON and
# referencing the compile_commands.json file produced by the tool. This will capture the correct include paths and
# compile definitions based on how the source is actually compiled. See https://cppcheck.sourceforge.io/manual.html
- name: Generate & build F´
run: |
fprime-util generate -DCMAKE_EXPORT_COMPILE_COMMANDS=ON
fprime-util build --all --jobs "$(nproc || printf '%s\n' 1)"
echo CPPCHECK_OPTS=--project="$GITHUB_WORKSPACE/build-fprime-automatic-native/compile_commands.json" >> $GITHUB_ENV
- name: Run cppcheck
run: cppcheck --force --relative-paths=$(pwd) --inline-suppr --std=c++11 -j "$(nproc || printf '%s\n' 1)" --max-ctu-depth=16 --enable=warning,performance,portability --suppress=variableScope --inconclusive --xml $CPPCHECK_OPTS 2> cppcheck_err.xml
- name: Convert cppcheck results to SARIF
run: npx "@microsoft/sarif-multitool" convert "cppcheck_err.xml" --tool "CppCheck" --output "cppcheck_err.sarif"
- name: Convert cppcheck results to Markdown & Integrate them in the workflow summary
run: xsltproc .github/scripts/cppcheck-xml2text.xslt cppcheck_err.xml | tee $GITHUB_STEP_SUMMARY cppcheck_err.txt
- name: Upload SARIF file to GitHub Code Scanning Alerts
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ github.workspace }}/cppcheck_err.sarif
category: "cppcheck"
- name: Archive static analysis artifacts to download and view
uses: actions/upload-artifact@v4
with:
name: cppcheck-errors
path: ./*cppcheck_err.*
# Make the whole step fail if there is an error detected by cppcheck. By default, GitHub Actions enables the set -e.
# See https://stackoverflow.com/questions/73066461/github-actions-why-an-intermediate-command-failure-in-shell-script-would-cause.
- name: Check for reported errors
run: tail -n 1 cppcheck_err.txt | grep -q '^\*\*0 error(s) reported\*\*$'