From: Viktor Szakats Date: Sat, 20 Sep 2025 09:43:59 +0000 (+0200) Subject: GHA: enable more options in static analyzer jobs X-Git-Tag: rc-8_17_0-3~487 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d75785c7dea214d12525beb659694d3fcc483731;p=thirdparty%2Fcurl.git GHA: enable more options in static analyzer jobs This is an effort to pass more code through clang-tidy and scan-build static analyzers. Following CodeQL Linux jobs. GHA/codeql: - also build with libssh. - disable verbose output in build steps. GHA/linux: - enable more build options for the clang-tidy and scan-build jobs: libidn2, nghttp2, ldap, kerberos, rtmp, gnutls, gsasl, rustls, mbedtls, wolfssl Use Linuxbrew where necessary. - also enable ECH, gssapi in the scan-build job. - fix 'scanbuild' to be 'scan-build' in the job name. GHA/macos: - build with Rustls in the clang-tidy job. - add a new clang-tidy job to test HTTP/3 (with openssl + ngtcp2). - build with libssh in one of the clang-tidy jobs. - build with LibreSSL in the MultiSSL clang-tidy job. - build with heimdal and kerberos in the clang-tidy jobs respectively. - build with OpenLDAP in one clang-tidy job. - add support for `skipall`, `skiprun` job options, and use it. Closes #18660 --- diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 808ee0b63a..97b0ddd42c 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -75,7 +75,7 @@ jobs: sudo rm -f /etc/apt/sources.list.d/microsoft-prod.list sudo apt-get -o Dpkg::Use-Pty=0 update sudo rm -f /var/lib/man-db/auto-update - sudo apt-get -o Dpkg::Use-Pty=0 install libpsl-dev libbrotli-dev libidn2-dev libssh2-1-dev \ + sudo apt-get -o Dpkg::Use-Pty=0 install libpsl-dev libbrotli-dev libidn2-dev libssh2-1-dev libssh-dev \ libnghttp2-dev libldap-dev heimdal-dev librtmp-dev libgnutls28-dev libwolfssl-dev /home/linuxbrew/.linuxbrew/bin/brew install c-ares gsasl libnghttp3 libngtcp2 mbedtls rustls-ffi 
@@ -108,19 +108,20 @@ jobs: cmake -B _bld1 -G Ninja -DENABLE_DEBUG=ON \ -DCURL_USE_GNUTLS=ON -DCURL_USE_MBEDTLS=ON -DCURL_USE_RUSTLS=ON -DCURL_USE_WOLFSSL=ON \ -DUSE_LIBRTMP=ON -DCURL_USE_GSASL=ON -DCURL_USE_GSSAPI=ON -DUSE_SSLS_EXPORT=ON -DUSE_ECH=ON -DENABLE_ARES=ON - cmake --build _bld1 --verbose - cmake --build _bld1 --verbose --target curlinfo - cmake --build _bld1 --verbose --target servers - cmake --build _bld1 --verbose --target tunits - cmake --build _bld1 --verbose --target curl-examples-build + cmake --build _bld1 + cmake --build _bld1 --target curlinfo + cmake --build _bld1 --target servers + cmake --build _bld1 --target tunits + cmake --build _bld1 --target curl-examples-build # HTTP/3 export PKG_CONFIG_PATH; PKG_CONFIG_PATH="$(brew --prefix libnghttp3)/lib/pkgconfig:$(brew --prefix libngtcp2)/lib/pkgconfig:$(brew --prefix gsasl)/lib/pkgconfig" cmake -B _bld2 -G Ninja \ -DCURL_USE_OPENSSL=ON -DOPENSSL_ROOT_DIR="$(brew --prefix openssl)" -DUSE_NGTCP2=ON \ + -DCURL_USE_LIBSSH2=OFF -DCURL_USE_LIBSSH=ON \ -DUSE_LIBRTMP=ON -DCURL_USE_GSASL=ON -DCURL_USE_GSSAPI=ON -DUSE_SSLS_EXPORT=ON - cmake --build _bld2 --verbose - cmake --build _bld2 --verbose --target servers + cmake --build _bld2 + cmake --build _bld2 --target servers _bld1/src/curl --disable --version _bld2/src/curl --disable --version diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml index 7aa7bc5707..969b460d1d 100644 --- a/.github/workflows/linux.yml +++ b/.github/workflows/linux.yml 
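Review bot: The `# HTTP/3` comment above the `_bld2` configure no longer describes everything that build is for, because the added `-DCURL_USE_LIBSSH2=OFF -DCURL_USE_LIBSSH=ON` line makes it the only one of the two builds visible here that selects the libssh backend for CodeQL. Extending the comment to `# HTTP/3, libssh` would keep that coverage visible, so a later edit to the HTTP/3 options does not silently drop the SSH backend from analysis. The `run:` script starts and ends outside the hunk.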
@@ -215,18 +215,31 @@ jobs: configure: --without-ssl --enable-debug --disable-http --disable-smtp --disable-imap --disable-unity - name: 'clang-tidy' - install_packages: clang-tidy libkrb5-dev - install_steps: skipall wolfssl-opensslextra wolfssh - configure: LDFLAGS=-Wl,-rpath,/home/runner/wolfssl-opensslextra/lib --with-wolfssl=/home/runner/wolfssl-opensslextra --with-wolfssh=/home/runner/wolfssh --with-openssl --enable-ech --with-gssapi --enable-ssls-export + install_packages: clang-tidy libssl-dev libidn2-dev libssh2-1-dev libnghttp2-dev libldap-dev libkrb5-dev librtmp-dev libgnutls28-dev + install_steps: skipall mbedtls rustls wolfssl-opensslextra + install_steps_brew: gsasl make-custom-target: tidy - - - name: 'scanbuild' - install_packages: clang-tools clang libssl-dev libssh2-1-dev - install_steps: skipall - configure: --with-openssl --enable-debug --with-libssh2 --disable-unity + PKG_CONFIG_PATH: /home/linuxbrew/.linuxbrew/opt/gsasl/lib/pkgconfig + LDFLAGS: -Wl,-rpath,/home/runner/wolfssl-opensslextra/lib -Wl,-rpath,/home/linuxbrew/.linuxbrew/opt/gsasl/lib + configure: >- + --with-wolfssl=/home/runner/wolfssl-opensslextra --with-openssl --with-rustls --with-mbedtls=/home/runner/mbedtls --with-gnutls --with-libgsasl + --with-librtmp --with-libssh2 --with-libidn2 + --enable-ech --with-gssapi --enable-ssls-export + + - name: 'scan-build' + install_packages: clang-tools clang libssl-dev libidn2-dev libssh2-1-dev libnghttp2-dev libldap-dev libkrb5-dev librtmp-dev libgnutls28-dev + install_steps: skipall mbedtls rustls wolfssl-opensslextra + install_steps_brew: gsasl CC: clang configure-prefix: scan-build make-prefix: scan-build --status-bugs + PKG_CONFIG_PATH: /home/linuxbrew/.linuxbrew/opt/gsasl/lib/pkgconfig + LDFLAGS: -Wl,-rpath,/home/runner/wolfssl-opensslextra/lib -Wl,-rpath,/home/linuxbrew/.linuxbrew/opt/gsasl/lib + configure: >- + --with-wolfssl=/home/runner/wolfssl-opensslextra --with-openssl --with-rustls --with-mbedtls=/home/runner/mbedtls 
--with-gnutls --with-libgsasl + --with-librtmp --with-libssh2 --with-libidn2 + --enable-ech --with-gssapi --enable-ssls-export + --disable-debug --disable-unity - name: 'address-sanitizer' install_packages: libssh2-1-dev clang libssl-dev libubsan1 libasan8 libtsan2 @@ -296,6 +309,7 @@ jobs: - name: 'install prereqs' if: ${{ matrix.build.container == null && !contains(matrix.build.name, 'i686') }} env: + INSTALL_PACKAGES_BREW: '${{ matrix.build.install_steps_brew }}' INSTALL_PACKAGES: >- ${{ !contains(matrix.build.install_steps, 'skipall') && !contains(matrix.build.install_steps, 'skiprun') && 'stunnel4' || '' }} ${{ contains(matrix.build.install_steps, 'pytest') && 'apache2 apache2-dev libnghttp2-dev vsftpd dante-server' || '' }} @@ -309,6 +323,7 @@ jobs: libpsl-dev zlib1g-dev libbrotli-dev libzstd-dev \ ${INSTALL_PACKAGES} \ ${MATRIX_INSTALL_PACKAGES} + [ -n "${INSTALL_PACKAGES_BREW}" ] && /home/linuxbrew/.linuxbrew/bin/brew install ${INSTALL_PACKAGES_BREW} python3 -m venv ~/venv - name: 'install prereqs' diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml index be8565303e..0fd9d20f5b 100644 --- a/.github/workflows/macos.yml +++ b/.github/workflows/macos.yml 
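Review bot: The 'scan-build' entry switches from `--enable-debug` to `--disable-debug`, and the 'clang-tidy' entry drops `wolfssh` from `install_steps` and `--with-wolfssh` from `configure`; neither is mentioned in the commit message, which lists only additions. Both presumably narrow what the analyzers see (debug-only code and the wolfSSH backend), so a short comment on each entry would record that this is intended, for example `# libssh2 replaces wolfssh in this job` and `# release build: debug-only code is not analyzed here`. The rpath also moves from an inline `LDFLAGS=...` in `configure` to new `LDFLAGS:` and `PKG_CONFIG_PATH:` matrix keys, and the steps that would export those keys are outside this hunk, so it is worth confirming they reach configure.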
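Review bot: The added `[ -n "${INSTALL_PACKAGES_BREW}" ] && ... brew install ...` line in the '@@ -309' hunk returns non-zero for every job that sets no `install_steps_brew`, and it is harmless only because `python3 -m venv ~/venv` follows it; if it ever became the last command of the script, the step would fail under the runner's default `bash -e`. An explicit form survives reordering: `if [ -n "${INSTALL_PACKAGES_BREW}" ]; then /home/linuxbrew/.linuxbrew/bin/brew install ${INSTALL_PACKAGES_BREW}; fi`. Passing the matrix value through `env:` (the `INSTALL_PACKAGES_BREW` line added in the '@@ -296' hunk) instead of expanding `${{ }}` inside the script is the right pattern and should stay. The `run:` script starts outside the hunk.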
@@ -281,10 +281,27 @@ jobs: generate: -DOPENSSL_ROOT_DIR=/opt/homebrew/opt/openssl -DCURL_USE_GSASL=ON -DUSE_LIBRTMP=ON -DUSE_APPLE_IDN=ON -DUSE_NGTCP2=ON - name: 'MultiSSL AppleIDN clang-tidy +examples' compiler: clang - install: llvm brotli zstd gnutls nettle mbedtls gsasl rtmpdump fish - install_steps: clang-tidy - generate: -DCURL_USE_OPENSSL=ON -DOPENSSL_ROOT_DIR=/opt/homebrew/opt/openssl -DCURL_DEFAULT_SSL_BACKEND=openssl -DCURL_USE_GNUTLS=ON -DCURL_USE_MBEDTLS=ON -DENABLE_ARES=ON -DCURL_USE_GSASL=ON -DUSE_LIBRTMP=ON -DUSE_APPLE_IDN=ON -DUSE_SSLS_EXPORT=ON -DCURL_CLANG_TIDY=ON -DCLANG_TIDY=/opt/homebrew/opt/llvm/bin/clang-tidy -DCURL_COMPLETION_FISH=ON -DCURL_COMPLETION_ZSH=ON + install: llvm brotli zstd gnutls nettle libressl krb5 mbedtls gsasl rustls-ffi rtmpdump libssh fish + install_steps: clang-tidy skiprun chkprefill: _chkprefill + generate: >- + -DCURL_USE_OPENSSL=ON -DOPENSSL_ROOT_DIR=/opt/homebrew/opt/libressl -DCURL_DEFAULT_SSL_BACKEND=openssl + -DCURL_USE_GNUTLS=ON -DCURL_USE_MBEDTLS=ON -DCURL_USE_RUSTLS=ON -DENABLE_ARES=ON -DCURL_USE_GSASL=ON -DUSE_LIBRTMP=ON + -DCURL_USE_LIBSSH2=OFF -DCURL_USE_LIBSSH=ON -DUSE_APPLE_IDN=ON -DUSE_SSLS_EXPORT=ON + -DCURL_USE_GSSAPI=ON -DGSS_ROOT_DIR=/opt/homebrew/opt/krb5 + -DCURL_CLANG_TIDY=ON -DCLANG_TIDY=/opt/homebrew/opt/llvm/bin/clang-tidy + -DCURL_COMPLETION_FISH=ON -DCURL_COMPLETION_ZSH=ON + + - name: 'HTTP/3 clang-tidy' + compiler: clang + install: llvm brotli zstd libnghttp3 libngtcp2 openldap heimdal + install_steps: clang-tidy skipall + generate: >- + -DCURL_USE_OPENSSL=ON -DOPENSSL_ROOT_DIR=/opt/homebrew/opt/openssl -DUSE_NGTCP2=ON + -DLDAP_INCLUDE_DIR=/opt/homebrew/opt/openldap/include -DLDAP_LIBRARY=/opt/homebrew/opt/openldap/lib/libldap.dylib -DLDAP_LBER_LIBRARY=/opt/homebrew/opt/openldap/lib/liblber.dylib + -DCURL_USE_GSSAPI=ON -DGSS_ROOT_DIR=/opt/homebrew/opt/heimdal + -DCURL_CLANG_TIDY=ON -DCLANG_TIDY=/opt/homebrew/opt/llvm/bin/clang-tidy + - name: 'quictls +static libssh +examples' install: 
quictls libssh generate: -DOPENSSL_ROOT_DIR=/opt/homebrew/opt/quictls -DBUILD_STATIC_LIBS=ON -DCURL_USE_LIBSSH2=OFF -DCURL_USE_LIBSSH=ON @@ -340,7 +357,7 @@ jobs: env: INSTALL_PACKAGES: >- ${{ matrix.build.generate && 'ninja' || 'automake libtool' }} - ${{ !contains(matrix.build.install_steps, 'clang-tidy') && 'nghttp2 stunnel' || '' }} + ${{ !contains(matrix.build.install_steps, 'skipall') && !contains(matrix.build.install_steps, 'skiprun') && 'nghttp2 stunnel' || '' }} ${{ contains(matrix.build.install_steps, 'pytest') && 'caddy httpd vsftpd' || '' }} run: | @@ -459,6 +476,7 @@ jobs: fi - name: 'build tests' + if: ${{ !contains(matrix.build.install_steps, 'skipall') }} run: | if [ "${MATRIX_BUILD}" = 'cmake' ]; then cmake --build bld --verbose --target testdeps @@ -467,14 +485,14 @@ jobs: fi - name: 'install test prereqs' - if: ${{ !contains(matrix.build.install_steps, 'clang-tidy') }} + if: ${{ !contains(matrix.build.install_steps, 'skipall') && !contains(matrix.build.install_steps, 'skiprun') }} run: | python3 -m venv ~/venv source ~/venv/bin/activate python3 -m pip install -r tests/requirements.txt - name: 'run tests' - if: ${{ !contains(matrix.build.install_steps, 'clang-tidy') }} + if: ${{ !contains(matrix.build.install_steps, 'skipall') && !contains(matrix.build.install_steps, 'skiprun') }} timeout-minutes: ${{ contains(matrix.build.install_steps, 'torture') && 20 || 10 }} env: TEST_TARGET: ${{ contains(matrix.build.install_steps, 'torture') && 'test-torture' || 'test-ci' }} 
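Review bot: The new `skipall` and `skiprun` values are defined only by the `if:` conditions in the '@@ -459' and '@@ -467' hunks, and nothing visible documents them: 'build tests' is skipped for `skipall` only, while 'install test prereqs' and 'run tests' are skipped for both. A comment next to the job matrix would spell that out, e.g. `# install_steps: skipall = do not build or run tests; skiprun = build tests but do not run them`. Because `contains()` on a string is a substring match, any future `install_steps` token that merely contains `skipall` or `skiprun` would also disable these steps. The same pair of conditions is repeated in the `INSTALL_PACKAGES` expression of the '@@ -340' hunk.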
@@ -496,13 +514,13 @@ jobs: fi - name: 'install pytest prereqs' - if: ${{ !contains(matrix.build.install_steps, 'clang-tidy') && contains(matrix.build.install_steps, 'pytest') }} + if: ${{ contains(matrix.build.install_steps, 'pytest') }} run: | source ~/venv/bin/activate python3 -m pip install -r tests/http/requirements.txt - name: 'run pytest' - if: ${{ !contains(matrix.build.install_steps, 'clang-tidy') && contains(matrix.build.install_steps, 'pytest') }} + if: ${{ contains(matrix.build.install_steps, 'pytest') }} env: PYTEST_ADDOPTS: '--color=yes' PYTEST_XDIST_AUTO_NUM_WORKERS: 4
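Review bot: Both pytest steps now run whenever `install_steps` contains `pytest`, but 'install pytest prereqs' begins with `source ~/venv/bin/activate`, and that venv is created by 'install test prereqs', which the preceding hunk skips for `skipall` and `skiprun`. A job that combines `pytest` with either flag would fail at the `source` line; no such job is visible in this diff, so the problem is latent. Carrying the guard over keeps the steps consistent: `if: ${{ contains(matrix.build.install_steps, 'pytest') && !contains(matrix.build.install_steps, 'skipall') && !contains(matrix.build.install_steps, 'skiprun') }}`.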