reusable-cppcheck.yml
---
## Copyright (C) 2026 - 2026 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## AI-Assisted
## Reusable workflow: cppcheck static analysis for C / C++.
##
## Free open-source local-runnable alternative to Coverity Scan -
## complements (does not replace) Coverity, with a different rule
## set and no third-party service dependency. Useful where Coverity
## is disabled (forks of upstream Coverity-registered projects), or
## as a faster pre-Coverity gate.
##
## ## Trust footprint
##
## cppcheck is in the Debian / Ubuntu archive; apt-installed by
## name. No GitHub Marketplace action used.
##
## ## Caller responsibilities
##
## - Define the trigger schedule. Schedule cannot live in
##   workflow_call per G-A-002.
## - Hardcode the owner in 'jobs.<id>.uses:' (G-A-001).
##
## ## Inputs
##
## - paths            (optional) Space-separated list of paths to
##                               scan. Default '.' (whole repo).
## - enable           (optional) cppcheck '--enable=' value.
##                               Default 'warning,performance,
##                               portability' ('style' is deliberately
##                               omitted; see the note at the input
##                               definition below). Add 'style' for
##                               the broader check, or use 'all' for
##                               inconclusive/information too.
## - extra-args       (optional) Extra cppcheck flags appended
##                               verbatim. Default empty. Useful for
##                               '--suppress=' lines or
##                               '-D<macro>=...' definitions.
## - prepare-command  (optional) Bash run AFTER checkout but BEFORE
##                               cppcheck. Use for source-tree prep
##                               (e.g. ci/codeql-prepare.sh-style
##                               symlinks for genmkfile-tagged
##                               source files). Default empty.
## - timeout-minutes  (optional) Job timeout. Default 15.
##
## ## Caller example
##
## name: cppcheck
## on:
##   pull_request:
##     branches: [master]
##   push:
##     branches: [master]
## permissions:
##   contents: read
## jobs:
##   cppcheck:
##     uses: org-ai-assisted/developer-meta-files/.github/workflows/cppcheck.yml@master
##     with:
##       paths: src
##     permissions:
##       contents: read
name: cppcheck (reusable)

on:
  workflow_call:
    inputs:
      paths:
        required: false
        type: string
        default: "."
      enable:
        required: false
        type: string
        ## 'style' deliberately omitted from the default. cppcheck's
        ## --error-exitcode triggers on ANY finding at any enabled
        ## severity (NOT only the 'error' severity, despite the
        ## flag's name); style findings are typically noisy
        ## (variableScope, constVariablePointer, etc.) and would
        ## fail CI on every PR for repos that haven't been previously
        ## audited. Add 'style' explicitly via the input when a repo
        ## wants the broader check.
        default: "warning,performance,portability"
      extra-args:
        required: false
        type: string
        default: ""
      prepare-command:
        required: false
        type: string
        default: ""
      timeout-minutes:
        required: false
        type: number
        default: 15

permissions:
  contents: read

## No 'concurrency:' block - see agents/github-actions.md G-A-006.

jobs:
  cppcheck:
    name: cppcheck
    runs-on: ubuntu-latest
    timeout-minutes: ${{ inputs.timeout-minutes }}
    if: github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request'
    permissions:
      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: Prepare apt cache directory
        run: |
          sudo mkdir -p /var/cache/apt/archives
          sudo chown -R "$(id -u):$(id -g)" /var/cache/apt/archives

      - name: Cache apt packages
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: /var/cache/apt/archives
          key: ${{ runner.os }}-apt-cppcheck-${{ hashFiles('.github/workflows/reusable-cppcheck.yml') }}

      - name: Install cppcheck
        run: |
          sudo --non-interactive apt-get update --error-on=any
          sudo --non-interactive apt-get install --yes --no-install-recommends \
            cppcheck

      - name: Prepare source tree
        if: inputs.prepare-command != ''
        run: ${{ inputs.prepare-command }}
        shell: bash

      - name: cppcheck
        ## --inline-suppr enables 'cppcheck-suppress' inline comments
        ## as the per-line escape hatch.
        ## --error-exitcode=2 means: cppcheck exits with this code
        ## if any finding is reported at any enabled severity
        ## (despite the flag name, this is NOT 'error'-severity
        ## only). Combined with the default enable list above
        ## ('warning,performance,portability', no 'style'), this
        ## triggers CI failure only on the bug-class findings.
        ## --quiet drops the per-file scan progress lines (the actual
        ## findings still print to stderr).
        ##
        ## NB: cppcheck does NOT support '--' as end-of-options
        ## separator (verified locally; rejects with 'unrecognized
        ## command line option'). Per R-062, do not add it here.
        run: |
          cppcheck \
            --enable=${{ inputs.enable }} \
            --inline-suppr \
            --error-exitcode=2 \
            --quiet \
            ${{ inputs.extra-args }} \
            ${{ inputs.paths }}

      - name: Checkout developer-meta-files (step-summary helper)
        if: always()
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          repository: org-ai-assisted/developer-meta-files
          ref: ${{ github.repository == 'org-ai-assisted/developer-meta-files' && github.sha || 'master' }}
          path: .github/dmf
          persist-credentials: false

      - name: Emit step summary
        if: always()
        run: |
          .github/dmf/ci/step-summary-emit.sh \
            --tool 'cppcheck' \
            --column-header field \
            --row "outcome=${{ job.status }}" \
            --row "paths=${{ inputs.paths }}" \
            --row "enable=${{ inputs.enable }}"
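A fuller caller workflow, added here as an illustration and not part of the reusable workflow's own documentation: it exercises every input the file declares (a schedule defined on the caller side per G-A-002, a hardcoded owner in `uses:` per G-A-001, two scan paths, `style` opted in, a `--suppress=` for one of the noisy style ids the file names, a `-D` macro, a prepare script, and a longer timeout). Assumptions: the reusable file keeps the name used in the cache key above (`reusable-cppcheck.yml`; the header's example refers to `cppcheck.yml`), and `ci/cppcheck-prepare.sh`, the `BUILD_CI` macro and the cron time are placeholders for a repository's own values.

```yaml
## Caller workflow (constructed example, not the project's own file).
name: cppcheck
on:
  ## Schedule lives in the caller; it cannot be declared in
  ## workflow_call (G-A-002). Cron time is a placeholder.
  schedule:
    - cron: '17 4 * * 1'
  pull_request:
    branches: [master]
  push:
    branches: [master]
permissions:
  contents: read
jobs:
  cppcheck:
    ## Owner hardcoded (G-A-001); file name assumed to match the
    ## cache key in the reusable workflow.
    uses: org-ai-assisted/developer-meta-files/.github/workflows/reusable-cppcheck.yml@master
    with:
      ## Space-separated; the reusable workflow word-splits this in
      ## the shell, so paths must not contain spaces.
      paths: src lib
      ## Opt in to 'style' only once the tree has been audited:
      ## --error-exitcode=2 fails the job on any finding at any
      ## enabled severity.
      enable: warning,style,performance,portability
      ## Appended verbatim: silence one noisy style id project-wide
      ## and define a build macro (macro name is a placeholder).
      extra-args: --suppress=variableScope -DBUILD_CI=1
      ## Runs after checkout, before cppcheck (path is a placeholder).
      prepare-command: ./ci/cppcheck-prepare.sh
      timeout-minutes: 20
    permissions:
      contents: read
```

Per-line exceptions belong in the source as `// cppcheck-suppress <id>` comments (enabled by `--inline-suppr` in the reusable workflow) rather than in `extra-args`, so the suppression is reviewed next to the code it covers and disappears when that code does.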