ci: add CodeChecker static analysis workflow

ardera · ardera · commit 5e5cc513428e · 2025-06-21T13:16:00.000+02:00
Only diagnose flutter-pi sources by default.

The diagnosis results are uploaded as an HTML workflow artifact for
debugging.

Also, remove the old (unused) CodeQL workflow, which had a lot of
hard to disable false positives.
diff --git a/.codechecker.json b/.codechecker.json
@@ -0,0 +1,22 @@
+{
+    "analyze": [
+        "-d",
+        "clang-diagnostic-reserved-macro-identifier",
+        "-d",
+        "clang-diagnostic-reserved-identifier",
+        "-d",
+        "cert-err33-c",
+        "-d",
+        "clang-diagnostic-sign-compare",
+        "-d",
+        "clang-diagnostic-implicit-int-float-conversion",
+        "-d",
+        "clang-diagnostic-switch-enum",
+        "--analyzers",
+        "clangsa",
+        "clang-tidy",
+        "gcc",
+        "-i",
+        ".codechecker.skipfile"
+    ]
+}
diff --git a/.codechecker.skipfile b/.codechecker.skipfile
@@ -0,0 +1,2 @@
++*/flutter-pi/src
+-*
diff --git a/.github/workflows/codeql-buildscript.sh b/.github/workflows/codeql-buildscript.sh
@@ -1,6 +1,23 @@
 #!/usr/bin/env bash
 
-sudo apt install -y cmake libgl1-mesa-dev libgles2-mesa-dev libegl1-mesa-dev libdrm-dev libgbm-dev ttf-mscorefonts-installer fontconfig libsystemd-dev libinput-dev libudev-dev  libxkbcommon-dev
-mkdir build && cd build
-cmake ..
-make -j`nproc`
+# gstreamer and libc++ want different versions of libunwind-dev.
+# We explicitly install the version that gstreamer wants so
+# we don't get install errors.
+
+sudo apt-get install -y --no-install-recommends \
+    git cmake pkg-config ninja-build clang clang-tools \
+    libgl-dev libgles-dev libegl-dev libvulkan-dev libdrm-dev libgbm-dev libsystemd-dev libinput-dev libudev-dev libxkbcommon-dev \
+    libgstreamer1.0-dev libgstreamer-plugins-base1.0-dev \
+    libunwind-dev
+
+$WRAPPER cmake \
+    -S . -B build \
+    -GNinja \
+    -DCMAKE_BUILD_TYPE=Debug \
+    -DBUILD_GSTREAMER_VIDEO_PLAYER_PLUGIN=ON \
+    -DBUILD_GSTREAMER_AUDIO_PLAYER_PLUGIN=ON \
+    -DENABLE_VULKAN=ON \
+    -DENABLE_SESSION_SWITCHING=ON \
+    -DCMAKE_EXPORT_COMPILE_COMMANDS=ON
+
+$WRAPPER cmake --build build
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
diff --git a/.github/workflows/fail_on_warning.py b/.github/workflows/fail_on_warning.py
@@ -20,13 +20,18 @@ def codeql_sarif_contain_error(filename):
                 rule_index = res['rule']['index']
             else:
                 continue
+
             try:
                 rule_level = rules_metadata[rule_index]['defaultConfiguration']['level']
-            except IndexError as e:
-                print(e, rule_index, len(rules_metadata))
-            else:
-                if rule_level == 'error':
-                    return True
+            except LookupError:
+                # According to the SARIF schema (https://www.schemastore.org/schemas/json/sarif-2.1.0-rtm.6.json),
+                # the defalt level is "warning" if not specified.
+                rule_level = 'warning'
+                
+            if rule_level == 'error':
+                return True
+            elif rule_level == 'warning':
+                return True
     return False
 
 if __name__ == "__main__":
diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml
@@ -0,0 +1,58 @@
+name: "Static Analysis"
+
+on:
+  push:
+    branches: [ "main", "master" ]
+  schedule:
+    - cron: '0 0 * * *'
+  pull_request:
+    branches: '*'
+
+jobs:
+  codechecker:
+    name: CodeChecker
+
+    # Use latest Ubuntu 24.04 for latest GCC.
+    # CodeChecker requires gcc >= 13.0.0.
+    # ubuntu-latest is ubuntu 22.04 (atm)
+    runs-on: ubuntu-24.04
+
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+      with:
+        submodules: recursive
+
+    - name: Install Deps, Configure and Build
+      run: |
+        ./.github/workflows/codeql-buildscript.sh
+
+    - name: Run CodeChecker
+      uses: ardera/CodeChecker-Action@master
+      id: codechecker
+      with:
+        ctu: true
+        logfile: ${{ github.workspace }}/build/compile_commands.json
+        config: ${{ github.workspace }}/.codechecker.json
+
+    - uses: actions/upload-artifact@v4
+      id: upload
+      with:
+        name: "CodeChecker Bug Reports"
+        path: ${{ steps.codechecker.outputs.result-html-dir }}
+
+    - name: Fail on Warnings
+      if: ${{ steps.codechecker.outputs.warnings == 'true' }}
+      run: |
+        cat <<EOF >>$GITHUB_STEP_SUMMARY
+        ## ⚠️ CodeChecker found warnings
+        Please see the 'CodeChecker Bug Reports' artifact for more details:
+        - ${{ steps.upload.outputs.artifact-url }}
+        EOF
+
+        exit 1
diff --git a/.gitignore b/.gitignore
@@ -1,6 +1,7 @@
 /.vscode
 /build
 /out
+/.codechecker
 
 # CMake docs says it should not be checked in.
 CMakeUserPresets.json
