[llvm] [workflows] Add post-commit job that periodically runs the clang static analyzer (PR #94106)

Martin Storsjö via llvm-commits llvm-commits at lists.llvm.org
Wed Jun 5 05:45:47 PDT 2024


================
@@ -0,0 +1,69 @@
+name: Post-Commit Static Analyzer
+
+permissions:
+  contents: read
+
+on:
+  push:
+    branches:
+      - 'release/**'
+    paths:
+      - 'llvm/**'
+      - '.github/workflows/ci-post-commit-analyzer.yml'
+  pull_request:
+    paths:
+      - '.github/workflows/ci-post-commit-analyzer.yml'
+  schedule:
+    - cron: '30 0 * * *'
+
+concurrency:
+  group: >-
+    llvm-project-${{ github.workflow }}-${{ github.event_name == 'pull_request' &&
+      ( github.event.pull_request.number || github.ref) }}
+  cancel-in-progress: ${{ startsWith(github.ref, 'refs/pull/') }}
+
+jobs:
+  post-commit-analyzer:
+    if: >-
+      github.repository_owner == 'llvm' &&
+      github.event.action != 'closed'
+    runs-on: ubuntu-22.04
+    env:
+      LLVM_VERSION: 18
+    steps:
+      - name: Checkout Source
+        uses: actions/checkout at b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Install Dependencies
+        run: |
+          sudo echo "deb http://apt.llvm.org/jammy/ llvm-toolchain-jammy-18 main" | sudo tee -a /etc/apt/sources.list.d/llvm.list
+          wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | sudo apt-key add -
+          sudo apt-get update
+          sudo apt-get install \
+            cmake \
+            ninja-build \
+            perl \
+            clang-tools-$LLVM_VERSION \
+            clang-$LLVM_VERSION
+
+      - name: Configure
+        run: |
+          scan-build-$LLVM_VERSION \
+              --use-c++=clang++ \
+              --use-cc=clang \
+              cmake -B build -S llvm -G Ninja \
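Review bot: The Install Dependencies step adds the apt source over plain `http://apt.llvm.org/jammy/` and imports the signing key with `apt-key add`. `apt-key` is deprecated, and it trusts the key for every repository on the runner. I'd suggest the https URL plus a dedicated keyring file referenced with `signed-by=` in the source line. Smaller points in the same hunk: the source line hardcodes `llvm-toolchain-jammy-18` rather than using `$LLVM_VERSION`, the `sudo` in front of `echo` does nothing, `sudo apt-get install` has no `-y`, and the Configure step passes unversioned `--use-cc=clang` and `--use-c++=clang++` even though the package installed above is `clang-$LLVM_VERSION`, so the analyzed build may pick up a different clang than intended.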
----------------
mstorsjo wrote:

> It may also be a good idea to drop scan-build entirely and implement the whole thing with a tiny custom CMAKE_CXX_COMPILER_LAUNCHER. That's the whole point of scan-build anyway, it's just a hacky way to intercept compiler invocations from arbitrary build systems and append --analyze to them. A hand-crafted integration into your build system is almost always preferable if you have time for it.

If done this way, one would need to do some extra work to wrap up the analyze outputs and gather it all into a common report, like scan-build does, right? Outside of the context of this PR, I'd be interested in knowing how to do this (I'm not sure if there's any good docs that show examples on how to do this)?

https://github.com/llvm/llvm-project/pull/94106
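
A sketch of the launcher approach discussed in the reply above, as an added example that is not part of the PR or of LLVM's tooling. It assumes the compiler being launched is clang and that flags arrive in the separate-argument form CMake/Ninja emit; `analyzer_argv` and `ANALYZER_REPORT_DIR` are hypothetical names.

```python
#!/usr/bin/env python3
"""Hypothetical compiler launcher: run the real compile, then clang --analyze."""
import hashlib
import os
import subprocess
import sys

# Flags that belong to the real compile only. Assumes the CMake/Ninja style
# where -o/-MF/-MT/-MQ take their value as a separate argument.
DROP_WITH_VALUE = {"-o", "-MF", "-MT", "-MQ"}
DROP_ALONE = {"-c", "-MD", "-MMD"}
SOURCE_SUFFIXES = (".c", ".cc", ".cpp", ".cxx")


def analyzer_argv(compile_argv, report_dir):
    """Map `compiler <flags> -c src -o obj` to an analyze command, or None for link steps."""
    kept, sources, skip = [], [], False
    for arg in compile_argv[1:]:
        if skip:
            skip = False                      # value of a dropped flag
        elif arg in DROP_WITH_VALUE:
            skip = True
        elif arg not in DROP_ALONE:
            kept.append(arg)
            if not arg.startswith("-") and arg.endswith(SOURCE_SUFFIXES):
                sources.append(arg)
    if not sources:
        return None
    # One report per translation unit, named by a hash of the source path,
    # so parallel build jobs never write to the same file.
    name = hashlib.sha256(os.path.abspath(sources[0]).encode()).hexdigest()[:16]
    report = os.path.join(report_dir, name + ".sarif")
    return [compile_argv[0], "--analyze", "--analyzer-output", "sarif",
            "-o", report] + kept


def main(argv):
    report_dir = os.environ.get("ANALYZER_REPORT_DIR", "analyzer-reports")
    status = subprocess.call(argv)            # the real compile decides the exit code
    cmd = analyzer_argv(argv, report_dir) if status == 0 else None
    if cmd:
        os.makedirs(report_dir, exist_ok=True)
        subprocess.call(cmd)                  # analyzer failures do not break the build
    return status


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

The script would be passed to CMake through `CMAKE_CXX_COMPILER_LAUNCHER`; combining the per-file SARIF reports into one summary, which scan-build does for its HTML output, is a separate step not shown here.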

