From d1f34f9896e251c89169b64aea0df62222532f9a Mon Sep 17 00:00:00 2001 From: David Cozens Date: Mon, 4 May 2026 10:03:03 +0100 Subject: [PATCH 1/4] ci: add analyze-iwyu required check, bump cpputest-clang to sha-7eac3ab MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds the analyze-iwyu CI job (mirrors analyze-tidy/analyze-cppcheck shape) that runs `cmake --build --preset iwyu --target iwyu` against the new cpputest-clang image (which now ships include-what-you-use 0.23 built against clang-19). Job is wired into the summary's needs list so it gates the PR. The container SHA bump from sha-0385cea to sha-7eac3ab also updates the existing build-linux-clang job and the local clang dev-container. After this merges, branch protection should be updated to make analyze-iwyu a required status check (not done in this PR — it's a GitHub UI change, not a code change). --- .devcontainer/docker-compose.yml | 2 +- .github/workflows/ci.yml | 32 ++++++++++++++++++++++++++++++-- docs/ci.md | 1 + docs/containers.md | 2 +- 4 files changed, 33 insertions(+), 4 deletions(-) diff --git a/.devcontainer/docker-compose.yml b/.devcontainer/docker-compose.yml index f10319c5..ff4d43e0 100644 --- a/.devcontainer/docker-compose.yml +++ b/.devcontainer/docker-compose.yml @@ -64,7 +64,7 @@ services: command: sleep infinity clang: - image: ghcr.io/davidcozens/cpputest-clang:sha-0385cea + image: ghcr.io/davidcozens/cpputest-clang:sha-7eac3ab volumes: - ..:/workspaces/SolidSyslog:cached - ${SSH_AUTH_SOCK:-/dev/null}:/ssh-agent diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ad259861..4c23eb7b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -108,7 +108,7 @@ jobs: contents: read checks: write container: - image: ghcr.io/davidcozens/cpputest-clang:sha-0385cea + image: ghcr.io/davidcozens/cpputest-clang:sha-7eac3ab options: --user root env: GIT_CONFIG_COUNT: 1 @@ -289,6 +289,34 @@ jobs: path: build/tidy/clang-tidy-output.txt retention-days: 1 + analyze-iwyu: + runs-on: ubuntu-latest + container: + image: ghcr.io/davidcozens/cpputest-clang:sha-7eac3ab + options: --user root + env: + GIT_CONFIG_COUNT: 1 + GIT_CONFIG_KEY_0: safe.directory + GIT_CONFIG_VALUE_0: '*' + + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + + - name: Configure + run: cmake --preset iwyu + + - name: Run include-what-you-use + shell: bash + run: set -o pipefail && cmake --build --preset iwyu --target iwyu 2>&1 | tee build/iwyu/iwyu-output.txt + + - name: Upload iwyu output + if: success() || failure() + uses: actions/upload-artifact@v4 + with: + name: iwyu-report + path: build/iwyu/iwyu-output.txt + retention-days: 1 + analyze-format: runs-on: ubuntu-latest container: @@ -549,7 +577,7 @@ jobs: summary: if: always() && github.event_name == 'pull_request' - needs: [build-linux-gcc, build-linux-clang, sanitize-linux-gcc, coverage-linux-gcc, analyze-tidy, analyze-cppcheck, analyze-format, bdd-linux-syslog-ng, build-windows-msvc, bdd-windows-otel, integration-linux-openssl] + needs: [build-linux-gcc, build-linux-clang, sanitize-linux-gcc, coverage-linux-gcc, analyze-tidy, analyze-cppcheck, analyze-format, analyze-iwyu, bdd-linux-syslog-ng, build-windows-msvc, bdd-windows-otel, integration-linux-openssl] runs-on: ubuntu-latest permissions: contents: read diff --git a/docs/ci.md b/docs/ci.md index badeba04..3947d7f4 100644 --- a/docs/ci.md +++ b/docs/ci.md @@ -18,6 +18,7 @@ without renaming what's already there. | `analyze-tidy` | `tidy` | clang-tidy — pass/fail with errors in job log | | `analyze-cppcheck` | `cppcheck` | cppcheck static analysis | | `analyze-format` | — | clang-format dry-run; fails if any file needs reformatting | +| `analyze-iwyu` | `iwyu` | include-what-you-use; fails on missing or unused `#include` directives | | `integration-linux-openssl` | `debug` | Runs the in-process TLS integration tests against libssl (no network oracle) | | `bdd-linux-syslog-ng` | — | End-to-end BDD test via Docker Compose (syslog-ng + Behave), Linux runner | | `bdd-windows-otel` | — | Windows-eligible BDD scenarios driven against an OTel Collector oracle | diff --git a/docs/containers.md b/docs/containers.md index dd312fd2..ac53554a 100644 --- a/docs/containers.md +++ b/docs/containers.md @@ -5,7 +5,7 @@ | Image | Tag | Used by | |---|---|---| | `ghcr.io/davidcozens/cpputest` | `sha-18f19e1` | devcontainer (`gcc` service), all CI jobs except clang | -| `ghcr.io/davidcozens/cpputest-clang` | `sha-0385cea` | `clang` compose service, `build-linux-clang` CI job | +| `ghcr.io/davidcozens/cpputest-clang` | `sha-7eac3ab` | `clang` compose service, `build-linux-clang` CI job, `analyze-iwyu` CI job | | `balabit/syslog-ng` | `latest` | `syslog-ng` service — BDD test oracle | | `ghcr.io/davidcozens/behave` | `sha-3faff14` | `behave` service — Debian trixie + Python 3.12 + Behave for BDD scenarios | From f37311f9e14d3314fd8b70c6dd1adabeab643f89 Mon Sep 17 00:00:00 2001 From: David Cozens Date: Mon, 4 May 2026 10:13:01 +0100 Subject: [PATCH 2/4] ci: surface analyze-iwyu in PR Quality Monitor summary CodeRabbit caught that analyze-iwyu was wired into the summary job's needs (gating execution) but the Quality Monitor summary itself neither downloaded the iwyu-report artifact nor had an analyze-iwyu analysis entry, so PR-level findings would be invisible. Adds the download step and the analysis block using warnings-ng's `iwyu` parser id. --- .github/workflows/ci.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4c23eb7b..3f05785b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -606,6 +606,14 @@ jobs: with: name: cppcheck-report path: quality-reports/ + + - name: Download iwyu report + continue-on-error: true + uses: actions/download-artifact@v4 + with: + name: iwyu-report + path: quality-reports/ + - name: Quality Monitor uses: uhafner/quality-monitor@v1 with: @@ -674,6 +682,16 @@ jobs: "pattern": "**/cppcheck-report.xml" } ] + }, + { + "name": "analyze-iwyu", + "id": "analyze-iwyu", + "tools": [ + { + "id": "iwyu", + "pattern": "**/iwyu-output.txt" + } + ] } ] } From 90f115f218226e258dc0c6ff70bc26fb4d2a441c Mon Sep 17 00:00:00 2001 From: David Cozens Date: Mon, 4 May 2026 10:19:35 +0100 Subject: [PATCH 3/4] ci: drop analyze-iwyu Quality Monitor analysis entry, keep artifact download MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The warnings-ng parser registry bundled with quality-monitor@v1 has no parser registered under id `iwyu` — the summary job was failing with `java.util.NoSuchElementException: No such parser registered: iwyu`. Dropping the analysis-array entry. The iwyu-report artifact download is kept for archival/inspection. The job-level pass/fail status of analyze-iwyu (which becomes a required check via branch protection) is the gate — Quality Monitor surfacing was nice-to-have for warnings-ng formatted output, not strictly necessary for required-check semantics. --- .github/workflows/ci.yml | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3f05785b..2ce9eb68 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -682,16 +682,6 @@ jobs: "pattern": "**/cppcheck-report.xml" } ] - }, - { - "name": "analyze-iwyu", - "id": "analyze-iwyu", - "tools": [ - { - "id": "iwyu", - "pattern": "**/iwyu-output.txt" - } - ] } ] } From f6f651004c8a1449fd65cb8070d4081d375a9967 Mon Sep 17 00:00:00 2001 From: David Cozens Date: Mon, 4 May 2026 10:27:08 +0100 Subject: [PATCH 4/4] ci: pin upload/download-artifact in analyze-iwyu and summary MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The analyze-iwyu job's iwyu-report upload and the summary job's iwyu-report download were still using @v4 floating tags. Pinning them to match the v5.0.0 SHAs introduced in #262 — keeps the action reference style uniform across the workflow. --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2ce9eb68..c2a86973 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -311,7 +311,7 @@ jobs: - name: Upload iwyu output if: success() || failure() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: iwyu-report path: build/iwyu/iwyu-output.txt @@ -609,7 +609,7 @@ jobs: - name: Download iwyu report continue-on-error: true - uses: actions/download-artifact@v4 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 with: name: iwyu-report path: quality-reports/