From df4597e8c3755275f3c7b77ca62c7e361e57fdd7 Mon Sep 17 00:00:00 2001
From: Nilay Shroff
Date: Sat, 20 Jun 2026 19:33:17 +0530
Subject: [PATCH] build: add Clang analyzer workflow

Add a nightly workflow job which runs the Clang static analyzer, archives the generated reports and uploads them to the artifact store and SFTP server for later inspection.

Signed-off-by: Nilay Shroff
---
 .github/workflows/run-nightly-tests.yml | 64 +++++++++++++++++++++++++
 1 file changed, 64 insertions(+)

diff --git a/.github/workflows/run-nightly-tests.yml b/.github/workflows/run-nightly-tests.yml
index f629da5dff..1cf4a59996 100644
--- a/.github/workflows/run-nightly-tests.yml
+++ b/.github/workflows/run-nightly-tests.yml
@@ -191,3 +191,67 @@ jobs:
 token: ${{ secrets.CODECOV_TOKEN }}
 files: ${{ steps.collect-coverage.outputs.files }}
 fail_ci_if_error: false
+
+ build-with-clang-analyzer:
+ if: ${{ github.event_name == 'workflow_dispatch' || github.repository == 'linux-nvme/nvme-cli' }}
+ name: build with clang analyzer
+ runs-on: ubuntu-latest
+ container:
+ image: ghcr.io/linux-nvme/debian:latest
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ fetch-depth: 0
+
+ - name: Mark repo as safe for git
+ run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
+
+ - name: Install dependencies
+ run: |
+ apt update
+ apt install -y clang-tools
+
+ - name: Run Clang Static Analyzer
+ continue-on-error: true
+ run: scripts/build.sh -a
+
+ - name: Upload scan result artifacts
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+ with:
+ name: clang-analyzer-report
+ path: .build-ci/scan-results/
+
+ upload-analyzer-report:
+ if: ${{ github.repository == 'linux-nvme/nvme-cli' }}
+ name: upload analyzer report to SFTP
+ runs-on: ubuntu-latest
+ needs: build-with-clang-analyzer
+ steps:
+ - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
+ with:
+ name: clang-analyzer-report
+ path: scan-results
+
+ - name: Archive analyzer report
+ run: |
+ REPORT="clang-analyzer-report-${GITHUB_RUN_NUMBER}-${GITHUB_SHA:0:12}.tar.gz"
+ tar cvzf "$REPORT" scan-results
+ echo "REPORT=$REPORT" >> "$GITHUB_ENV"
+
+ - name: upload to SFTP server
+ env:
+ SFTP_USERNAME: ${{ secrets.SFTP_USERNAME }}
+ SFTP_SERVER: ${{ secrets.SFTP_SERVER }}
+ SFTP_HOST_KEY: ${{ secrets.SFTP_HOST_KEY }}
+ SFTP_PRIVATE_KEY: ${{ secrets.SFTP_PRIVATE_KEY }}
+ run: |
+ mkdir -p ~/.ssh
+ chmod 700 ~/.ssh
+ echo "${SFTP_HOST_KEY}" > ~/.ssh/known_hosts
+ echo "${SFTP_PRIVATE_KEY}" > ~/.ssh/id_ed25519
+ chmod 600 ~/.ssh/id_ed25519
+ SFTP_BATCH=$(mktemp)
+ trap 'rm -f "$SFTP_BATCH"' EXIT
+ echo "cd /upload" > "$SFTP_BATCH"
+ echo "put ${REPORT}" >> "$SFTP_BATCH"
+ sftp -b "$SFTP_BATCH" "${SFTP_USERNAME}@${SFTP_SERVER}"
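Review bot: In the `upload to SFTP server` step the private key is written with `echo "${SFTP_PRIVATE_KEY}" > ~/.ssh/id_ed25519` before `chmod 600` runs, so the file briefly exists with default-umask permissions, and the EXIT trap removes only the batch file, leaving the key on disk when the step ends. Setting `umask 077` as the first line of the script and extending the trap to `trap 'rm -f "$SFTP_BATCH" ~/.ssh/id_ed25519' EXIT` closes both gaps; this matters most if the job ever moves off an ephemeral hosted runner. Separately, the actions in this hunk are pinned to commit SHAs while the `build-with-clang-analyzer` container uses the mutable `ghcr.io/linux-nvme/debian:latest` tag, so pinning it by digest (`image: ghcr.io/linux-nvme/debian@sha256:<digest>`) would keep the build inputs reproducible.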