workflow_dispatch:
jobs:
- scan-build:
- runs-on: ubuntu-latest
- name: rsync scan-build (clang analyzer)
+ # PINNED run: clang-18 on a pinned runner (ubuntu-24.04, whose apt repos carry
+ # clang-18/clang-tools-18) so the checker set -- and thus the report -- is
+ # deterministic. Informational for now: the tree still has known clang-18
+ # findings, so this surfaces the report without blocking. Once the tree is at
+ # zero for clang-18, re-add --status-bugs to the scan-build step below to turn
+ # this back into a gate.
+ pinned-clang18:
+ runs-on: ubuntu-24.04
+ name: scan-build (clang-18, pinned)
steps:
- uses: actions/checkout@v4
with:
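Review bot: The pinning described in the new comment above `pinned-clang18` covers only the runner label and the clang package. The job's `uses: actions/checkout@v4` is still a mutable tag, and so are the `actions/checkout@v4` and `actions/upload-artifact@v4` lines added in the following hunk. A tag can be repointed upstream, so this change does not fix which action code runs with the job's token. Pin each action to a full commit SHA and keep the version as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v4`. The job goes on to run the tree's `./configure` and `make`, so `persist-credentials: false` under this `with:` (which continues outside the hunk) would also keep the token out of `.git/config`.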
- name: prep
run: |
sudo apt-get update
- sudo apt-get install -y clang clang-tools acl libacl1-dev attr libattr1-dev liblz4-dev libzstd-dev libxxhash-dev openssl
+ sudo apt-get install -y clang-18 clang-tools-18 acl libacl1-dev attr libattr1-dev liblz4-dev libzstd-dev libxxhash-dev libpopt-dev openssl
- name: configure (under scan-build)
# Run configure under scan-build so its analyzer compiler-wrapper is baked
# into the Makefile's $(CC); --disable-md2man avoids the doc toolchain.
+ run: scan-build-18 ./configure --with-rrsync --disable-md2man
+ - name: scan-build (pinned clang-18)
+ # Informational: no --status-bugs, so existing findings don't fail the
+ # build; the report is summarised and uploaded for triage. Re-add
+ # --status-bugs here (and 'set -o pipefail; ...; exit $status') to gate
+ # once the tree is at zero for clang-18.
+ run: |
+ scan-build-18 -o "$PWD/scan-report" make check-progs -j"$(nproc)" 2>&1 | tee scan-build.out
+ echo '## scan-build (clang-18, pinned)' >>"$GITHUB_STEP_SUMMARY"
+ grep -E 'scan-build: .* bugs? found|scan-build: No bugs found' scan-build.out >>"$GITHUB_STEP_SUMMARY" || true
+ - name: upload report
+ if: always()
+ uses: actions/upload-artifact@v4
+ with:
+ name: scan-build-report-clang18
+ path: scan-report
+ if-no-files-found: ignore
+
+ # INFORMATIONAL run: whatever clang ubuntu-latest currently ships. Newer
+ # clang releases enable extra, FP-heavy checkers that the gate deliberately
+ # avoids, so this is NOT a gate (no --status-bugs). It surfaces what the
+ # newest analyzer sees -- useful for spotting genuine new findings before a
+ # gate bump -- without blocking merges. continue-on-error keeps a noisy or
+ # broken run from affecting the workflow's required status.
+ informational-latest:
+ runs-on: ubuntu-latest
+ name: scan-build (latest clang, informational)
+ continue-on-error: true
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ - name: prep
+ run: |
+ sudo apt-get update
+ sudo apt-get install -y clang clang-tools acl libacl1-dev attr libattr1-dev liblz4-dev libzstd-dev libxxhash-dev libpopt-dev openssl
+ - name: configure (under scan-build)
run: scan-build ./configure --with-rrsync --disable-md2man
- name: scan-build (informational)
- # Static analysis only -- INFORMATIONAL, not a gate. rsync currently has
- # a fair number of reports that are overwhelmingly known false positives
- # (e.g. unix.Chroot "no chdir after chroot", core.NonNullParamChecker
- # against functions that can't actually receive NULL). We publish the
- # HTML report as an artifact and print the bug count to the run summary,
- # but do NOT pass --status-bugs, so this surfaces new analyzer findings
- # without going red on arrival. check-progs builds rsync + the test
- # helpers without needing the man-page toolchain.
run: |
scan-build -o "$PWD/scan-report" make check-progs -j"$(nproc)" 2>&1 | tee scan-build.out
- echo '## scan-build summary' >>"$GITHUB_STEP_SUMMARY"
+ echo '## scan-build informational (latest clang)' >>"$GITHUB_STEP_SUMMARY"
grep -E 'scan-build: .* bugs? found|scan-build: No bugs found' scan-build.out >>"$GITHUB_STEP_SUMMARY" || true
- name: upload report
if: always()
uses: actions/upload-artifact@v4
with:
- name: scan-build-report
+ name: scan-build-report-latest
path: scan-report
if-no-files-found: ignore
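Review bot: A failed build is masked by the `scan-build-18 ... | tee scan-build.out` line in the pinned job, and by the same pipeline in `informational-latest`. The step's status is tee's, so if `make check-progs` stops on a compile error the step stays green, the summary gets only its heading (the grep is followed by `|| true`), and `if-no-files-found: ignore` hides the missing report. This assumes the default `run` shell, which does not set pipefail; a `defaults.run.shell` outside this hunk would change that. Without `--status-bugs`, scan-build exits with the build command's status, so adding `set -o pipefail` as the first line of both `run: |` blocks fails the step only when the analysis did not complete, and findings stay non-blocking. The upload steps already run under `if: always()`, so a partial report is still kept.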