[llvm] [workflows] Add post-commit job that periodically runs the clang static analyzer (PR #94106)

Tom Stellard via llvm-commits llvm-commits at lists.llvm.org
Mon Jun 3 13:34:57 PDT 2024


https://github.com/tstellar updated https://github.com/llvm/llvm-project/pull/94106

>From 2a7b8b7447173f398eb07c96c854e1ed0c78f379 Mon Sep 17 00:00:00 2001
From: Tom Stellard <tstellar at redhat.com>
Date: Sat, 1 Jun 2024 07:22:16 +0000
Subject: [PATCH 1/3] [workflows] Add post-commit job that runs the clang
 static analyzer

OpenSSF Best Practices recommends running a static analyzer on software
before it is released: https://www.bestpractices.dev/en/criteria/0#0.static_analysis
---
 .github/workflows/ci-post-commit-analyzer.yml | 64 +++++++++++++++++++
 1 file changed, 64 insertions(+)
 create mode 100644 .github/workflows/ci-post-commit-analyzer.yml

diff --git a/.github/workflows/ci-post-commit-analyzer.yml b/.github/workflows/ci-post-commit-analyzer.yml
new file mode 100644
index 0000000000000..b7ee832b8e8ea
--- /dev/null
+++ b/.github/workflows/ci-post-commit-analyzer.yml
@@ -0,0 +1,64 @@
+name: Post-Commit Static Analyzer
+
+permissions:
+  contents: read
+
+on:
+  push:
+    branches:
+      - 'release/**'
+    paths:
+      - 'llvm/**'
+  pull_request:
+    paths:
+      - '.github/workflows/ci-post-commit-analyzer.yml'
+  schedule:
+    - cron: '30 0 * * *'
+
+concurrency:
+  group: >-
+    llvm-project-${{ github.workflow }}-${{ github.event_name == 'pull_request' &&
+      ( github.event.pull_request.number || github.ref) }}
+  cancel-in-progress: ${{ startsWith(github.ref, 'refs/pull/') }}
+
+jobs:
+  post-commit-analyzer:
+    if: >-
+      github.repository_owner == 'llvm' &&
+      github.event.action != 'closed'
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout Source
+        uses: actions/checkout at b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Install Dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install \
+            cmake \
+            ninja-build \
+            perl \
+            clang-tools \
+            clang
+
+      - name: Configure
+        run: |
+          scan-build \
+              --use-c++=clang++ \
+              --use-cc=clang \
+              cmake -B build -S llvm -G Ninja \
+                  -DLLVM_ENABLE_ASSERTIONS=ON \
+                  -DLLVM_BUILD_LLVM_DYLIB=ON \
+                  -DLLVM_LINK_LLVM_DYLIB=ON \
+                  -DCMAKE_BUILD_TYPE=Release
+
+      - name: Build
+        run: |
+           scan-build -o analyzer-results --use-c++=clang++ --use-cc=clang ninja -v -C build
+
+      - name: Upload Results
+        uses: actions/upload-artifact at 26f96dfa697d77e81fd5907df203aa23a56210a8 #v4.3.0
+        with:
+          name: analyzer-results
+          path: 'analyzer-results/**/*'
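Review bot: The `apt-get install` in the "Install Dependencies" step has no `-y`, so if apt needs to pull in extra dependencies it will prompt for confirmation and, with no tty on the runner, abort the step; `sudo apt-get install -y --no-install-recommends \` avoids that and keeps the toolchain install minimal. Separately, the job only uploads `analyzer-results` as an artifact and never inspects them, so findings will accumulate unseen unless someone downloads every run; if the intent is for this job to ever turn red, `scan-build --status-bugs ...` on the build step makes it exit non-zero when the analyzer reports bugs (presumably too noisy for LLVM today, so worth a comment either way). The least-privilege setup here is good: `contents: read` and SHA-pinned actions.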
+

>From fe82839b116a8612afd385cf1ce2461be05b0bf5 Mon Sep 17 00:00:00 2001
From: Tom Stellard <tstellar at redhat.com>
Date: Sat, 1 Jun 2024 10:14:07 +0000
Subject: [PATCH 2/3] Use apt.llvm.org for the latest packages

---
 .github/workflows/ci-post-commit-analyzer.yml | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/ci-post-commit-analyzer.yml b/.github/workflows/ci-post-commit-analyzer.yml
index b7ee832b8e8ea..7b7d5c3126aea 100644
--- a/.github/workflows/ci-post-commit-analyzer.yml
+++ b/.github/workflows/ci-post-commit-analyzer.yml
@@ -27,23 +27,27 @@ jobs:
       github.repository_owner == 'llvm' &&
       github.event.action != 'closed'
     runs-on: ubuntu-22.04
+    env:
+      LLVM_VERSION: 18
     steps:
       - name: Checkout Source
         uses: actions/checkout at b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Install Dependencies
         run: |
+          sudo echo "deb http://apt.llvm.org/jammy/ llvm-toolchain-jammy-18 main" | sudo tee -a /etc/apt/sources.list.d/llvm.list
+          wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | sudo apt-key add -
           sudo apt-get update
           sudo apt-get install \
             cmake \
             ninja-build \
             perl \
-            clang-tools \
-            clang
+            clang-tools-$LLVM_VERSION \
+            clang-$LLVM_VERSION
 
       - name: Configure
         run: |
-          scan-build \
+          scan-build-$LLVM_VERSION \
               --use-c++=clang++ \
               --use-cc=clang \
               cmake -B build -S llvm -G Ninja \
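Review bot: The new `wget ... | sudo apt-key add -` line installs the apt.llvm.org key into apt's global trusted keyring, which means that key can sign packages for every configured repository, not just llvm.list; `apt-key` is also deprecated on jammy. The safer form writes the dearmored key to `/etc/apt/keyrings/` and scopes it with `[signed-by=...]` in the sources entry, and the repository URL can use `https://` since apt.llvm.org serves it. The `sudo echo` before the pipe is a no-op (only the `tee` needs root), and the sources line hardcodes `llvm-toolchain-jammy-18` while the rest of the hunk uses `$LLVM_VERSION`, so a future bump of the env var would silently leave the repo on 18.
```yaml
      - name: Install Dependencies
        run: |
          sudo install -d -m 0755 /etc/apt/keyrings
          wget -qO- https://apt.llvm.org/llvm-snapshot.gpg.key | gpg --dearmor | sudo tee /etc/apt/keyrings/llvm.gpg > /dev/null
          echo "deb [signed-by=/etc/apt/keyrings/llvm.gpg] https://apt.llvm.org/jammy/ llvm-toolchain-jammy-$LLVM_VERSION main" | sudo tee /etc/apt/sources.list.d/llvm.list
          sudo apt-get update
          # … unchanged: apt-get install of cmake, ninja-build, perl, clang-tools-$LLVM_VERSION, clang-$LLVM_VERSION …
```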
@@ -54,7 +58,7 @@ jobs:
 
       - name: Build
         run: |
-           scan-build -o analyzer-results --use-c++=clang++ --use-cc=clang ninja -v -C build
+           scan-build-$LLVM_VERSION -o analyzer-results --use-c++=clang++ --use-cc=clang ninja -v -C build
 
       - name: Upload Results
         uses: actions/upload-artifact at 26f96dfa697d77e81fd5907df203aa23a56210a8 #v4.3.0
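Review bot: The build step now invokes `scan-build-$LLVM_VERSION` but still passes `--use-c++=clang++ --use-cc=clang`, while the install step only adds the versioned `clang-$LLVM_VERSION` package; the unversioned names therefore presumably resolve to whatever clang the runner image ships, so the compiler doing the build would not match the analyzer driving it. Using the versioned binaries keeps them in lockstep: `scan-build-$LLVM_VERSION -o analyzer-results --use-c++=clang++-$LLVM_VERSION --use-cc=clang-$LLVM_VERSION ninja -v -C build`. The same `--use-c++`/`--use-cc` pair in the Configure step should be changed to match.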

>From ac70506508aecae24f2785ad3ac93a0bf69106f4 Mon Sep 17 00:00:00 2001
From: Tom Stellard <tstellar at redhat.com>
Date: Sat, 1 Jun 2024 10:18:29 +0000
Subject: [PATCH 3/3] Run workflow on pushes when the workflow file itself is
 modified.

---
 .github/workflows/ci-post-commit-analyzer.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/ci-post-commit-analyzer.yml b/.github/workflows/ci-post-commit-analyzer.yml
index 7b7d5c3126aea..642cc6f214f84 100644
--- a/.github/workflows/ci-post-commit-analyzer.yml
+++ b/.github/workflows/ci-post-commit-analyzer.yml
@@ -9,6 +9,7 @@ on:
       - 'release/**'
     paths:
       - 'llvm/**'
+      - '.github/workflows/ci-post-commit-analyzer.yml'
   pull_request:
     paths:
       - '.github/workflows/ci-post-commit-analyzer.yml'
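Review bot: The added path only takes effect for pushes matching the existing `branches: ['release/**']` filter, so a change to this workflow that lands on the default branch is exercised only by the pull_request run and the nightly schedule, not by the push itself; if the subject's intent is to validate the file whenever it is modified, the branches filter needs the default branch as well. A short comment above the `push:` trigger stating that release branches are the only post-commit target, e.g. `# Post-commit runs are limited to release branches; main is covered by the nightly schedule.`, would make that deliberate rather than surprising.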


