From 5553271274f4426ac18fc98087f91670ec4d4305 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell
Date: Tue, 16 Jun 2026 07:54:07 +1000
Subject: [PATCH] ci: run scan-build on pinned clang-18 + latest clang (informational)

Split the scan-build workflow into two non-gating jobs, each uploading its HTML report as an artifact:
- pinned-clang18: clang-18 / clang-tools-18 on ubuntu-24.04, so the checker set -- and thus the report -- is deterministic.
- informational-latest: whatever clang ubuntu-latest ships, to surface what newer analyzers see.
Both are informational (no --status-bugs): the tree still has known clang-18 findings, so the run reports without blocking the build. Once the tree is at zero for clang-18, re-add --status-bugs to the pinned job to turn it back into a gate.
Installs libpopt-dev so configure finds popt under the scan-build compiler wrapper.
---
 .github/workflows/scan-build.yml | 63 +++++++++++++++++++++++++-------
 1 file changed, 49 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/scan-build.yml b/.github/workflows/scan-build.yml
index 23c1b73c..42cb07b8 100644
--- a/.github/workflows/scan-build.yml
+++ b/.github/workflows/scan-build.yml
@@ -14,9 +14,15 @@ on:
   workflow_dispatch:
 
 jobs:
-  scan-build:
-    runs-on: ubuntu-latest
-    name: rsync scan-build (clang analyzer)
+  # PINNED run: clang-18 on a pinned runner (ubuntu-24.04, whose apt repos carry
+  # clang-18/clang-tools-18) so the checker set -- and thus the report -- is
+  # deterministic. Informational for now: the tree still has known clang-18
+  # findings, so this surfaces the report without blocking. Once the tree is at
+  # zero for clang-18, re-add --status-bugs to the scan-build step below to turn
+  # this back into a gate.
+  pinned-clang18:
+    runs-on: ubuntu-24.04
+    name: scan-build (clang-18, pinned)
     steps:
       - uses: actions/checkout@v4
         with:
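Review bot: The new job id and display name (`pinned-clang18`, `name: scan-build (clang-18, pinned)`) replace `rsync scan-build (clang analyzer)`, so a branch-protection rule that lists the old name as a required check will now wait on a check that never reports; the second hunk's comment mentions the workflow's required status, which suggests such a rule exists. Either keep the old display name on the pinned job or have the commit message call out the branch-protection update that goes with the rename. The comment's "deterministic" also holds for the checker set at the clang-18 major version rather than for the exact report, since the ubuntu-24.04 apt packages may still take point updates; `# so the checker set is stable at the clang-18 major version` would be the more precise wording.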
@@ -24,28 +30,57 @@ jobs:
       - name: prep
         run: |
           sudo apt-get update
-          sudo apt-get install -y clang clang-tools acl libacl1-dev attr libattr1-dev liblz4-dev libzstd-dev libxxhash-dev openssl
+          sudo apt-get install -y clang-18 clang-tools-18 acl libacl1-dev attr libattr1-dev liblz4-dev libzstd-dev libxxhash-dev libpopt-dev openssl
       - name: configure (under scan-build)
         # Run configure under scan-build so its analyzer compiler-wrapper is baked
         # into the Makefile's $(CC); --disable-md2man avoids the doc toolchain.
+        run: scan-build-18 ./configure --with-rrsync --disable-md2man
+      - name: scan-build (pinned clang-18)
+        # Informational: no --status-bugs, so existing findings don't fail the
+        # build; the report is summarised and uploaded for triage. Re-add
+        # --status-bugs here (and 'set -o pipefail; ...; exit $status') to gate
+        # once the tree is at zero for clang-18.
+        run: |
+          scan-build-18 -o "$PWD/scan-report" make check-progs -j"$(nproc)" 2>&1 | tee scan-build.out
+          echo '## scan-build (clang-18, pinned)' >>"$GITHUB_STEP_SUMMARY"
+          grep -E 'scan-build: .* bugs? found|scan-build: No bugs found' scan-build.out >>"$GITHUB_STEP_SUMMARY" || true
+      - name: upload report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: scan-build-report-clang18
+          path: scan-report
+          if-no-files-found: ignore
+
+  # INFORMATIONAL run: whatever clang ubuntu-latest currently ships. Newer
+  # clang releases enable extra, FP-heavy checkers that the gate deliberately
+  # avoids, so this is NOT a gate (no --status-bugs). It surfaces what the
+  # newest analyzer sees -- useful for spotting genuine new findings before a
+  # gate bump -- without blocking merges. continue-on-error keeps a noisy or
+  # broken run from affecting the workflow's required status.
+  informational-latest:
+    runs-on: ubuntu-latest
+    name: scan-build (latest clang, informational)
+    continue-on-error: true
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: prep
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y clang clang-tools acl libacl1-dev attr libattr1-dev liblz4-dev libzstd-dev libxxhash-dev libpopt-dev openssl
+      - name: configure (under scan-build)
         run: scan-build ./configure --with-rrsync --disable-md2man
       - name: scan-build (informational)
-        # Static analysis only -- INFORMATIONAL, not a gate. rsync currently has
-        # a fair number of reports that are overwhelmingly known false positives
-        # (e.g. unix.Chroot "no chdir after chroot", core.NonNullParamChecker
-        # against functions that can't actually receive NULL). We publish the
-        # HTML report as an artifact and print the bug count to the run summary,
-        # but do NOT pass --status-bugs, so this surfaces new analyzer findings
-        # without going red on arrival. check-progs builds rsync + the test
-        # helpers without needing the man-page toolchain.
         run: |
           scan-build -o "$PWD/scan-report" make check-progs -j"$(nproc)" 2>&1 | tee scan-build.out
-          echo '## scan-build summary' >>"$GITHUB_STEP_SUMMARY"
+          echo '## scan-build informational (latest clang)' >>"$GITHUB_STEP_SUMMARY"
           grep -E 'scan-build: .* bugs? found|scan-build: No bugs found' scan-build.out >>"$GITHUB_STEP_SUMMARY" || true
       - name: upload report
         if: always()
         uses: actions/upload-artifact@v4
         with:
-          name: scan-build-report
+          name: scan-build-report-latest
           path: scan-report
           if-no-files-found: ignore
-- 
2.47.3
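Review bot: In the new pinned job's scan-build step, `scan-build-18 -o "$PWD/scan-report" make check-progs -j"$(nproc)" 2>&1 | tee scan-build.out` runs under the default `run:` shell, which on Linux is `bash -e` without `pipefail` unless the workflow sets `shell: bash` somewhere not visible here, so the step's status is tee's and a failed build (as opposed to an analyzer finding) still passes green; the informational job's retained pipeline has the same gap. Because scan-build without `--status-bugs` exits with the build command's status, adding `set -o pipefail` as the first line of both `run: |` blocks would surface broken builds while leaving findings non-blocking, whereas the pinned job's comment currently defers pipefail to the future gating change. Separately, the informational job introduces `actions/checkout@v4` and `actions/upload-artifact@v4` by mutable tag; pinning each to a full commit SHA with the tag in a trailing comment limits exposure to a retargeted or compromised tag. The prep, configure, scan and upload steps are now duplicated between the two jobs and could be a matrix over the package suffix, though the per-job comments are an argument for keeping them explicit.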