Merge pull request #3275 from HiFiPhile/dwc2_iso_incomp #2
| name: Static Analysis | |
| on: | |
| workflow_dispatch: | |
| push: | |
| branches: [ master ] | |
| paths: | |
| - 'src/**' | |
| - 'examples/**' | |
| - 'hw/bsp/**' | |
| - '.github/workflows/static_analysis.yml' | |
| pull_request: | |
| branches: [ master ] | |
| paths: | |
| - 'src/**' | |
| - 'examples/**' | |
| - 'hw/bsp/**' | |
| - '.github/workflows/static_analysis.yml' | |
| permissions: | |
| actions: read | |
| contents: read | |
| security-events: write | |
| # pull-requests: write | |
| # checks: write | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| CodeQL: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| board: | |
| - 'metro_m4_express' | |
| steps: | |
| - name: Checkout TinyUSB | |
| uses: actions/checkout@v4 | |
| - name: Get Dependencies | |
| uses: ./.github/actions/get_deps | |
| with: | |
| arg: -b${{ matrix.board }} | |
| - name: Setup Toolchain | |
| uses: ./.github/actions/setup_toolchain | |
| with: | |
| toolchain: 'arm-gcc' | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v4 | |
| with: | |
| languages: 'c-cpp' | |
| queries: security-and-quality | |
| - name: Build | |
| run: | | |
| mkdir -p build | |
| cmake examples -B build -G Ninja -DBOARD=${{ matrix.board }} -DCMAKE_EXPORT_COMPILE_COMMANDS=ON -DCMAKE_BUILD_TYPE=MinSizeRel | |
| cmake --build build | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v4 | |
| with: | |
| category: CodeQL | |
| upload: false | |
| id: analyze | |
| - name: Filter SARIF report | |
| uses: advanced-security/filter-sarif@v1 | |
| with: | |
| patterns: | | |
| -hw/mcu/** | |
| -lib/** | |
| input: ${{ steps.analyze.outputs.sarif-output }}/cpp.sarif | |
| output: ${{ steps.analyze.outputs.sarif-output }}/cpp.sarif | |
| - name: Upload SARIF | |
| uses: github/codeql-action/upload-sarif@v4 | |
| with: | |
| sarif_file: ${{ steps.analyze.outputs.sarif-output }} | |
| category: CodeQL | |
| - name: Upload artifact | |
| uses: actions/upload-artifact@v5 | |
| with: | |
| name: codeql-${{ matrix.board }} | |
| path: ${{ steps.analyze.outputs.sarif-output }} | |
| PVS-Studio: | |
| # Only run on non-forked PR since secrets token is required | |
| if: github.repository_owner == 'hathach' && github.event.pull_request.head.repo.fork == false | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| board: | |
| - 'raspberry_pi_pico' | |
| steps: | |
| - name: Checkout TinyUSB | |
| uses: actions/checkout@v4 | |
| - name: Get Dependencies | |
| uses: ./.github/actions/get_deps | |
| with: | |
| arg: -b${{ matrix.board }} | |
| - name: Setup Toolchain | |
| uses: ./.github/actions/setup_toolchain | |
| with: | |
| toolchain: 'arm-gcc' | |
| - name: Install Tools | |
| run: | | |
| wget -q -O - https://files.pvs-studio.com/etc/pubkey.txt | sudo apt-key add - | |
| sudo wget -O /etc/apt/sources.list.d/viva64.list https://files.pvs-studio.com/etc/viva64.list | |
| sudo apt update | |
| sudo apt install pvs-studio | |
| pvs-studio-analyzer credentials ${{ secrets.PVS_STUDIO_CREDENTIALS }} | |
| pvs-studio-analyzer --version | |
| - name: Analyze | |
| run: | | |
| mkdir -p build | |
| cmake examples -B build -G Ninja -DBOARD=${{ matrix.board }} -DCMAKE_BUILD_TYPE=MinSizeRel | |
| cmake --build build | |
| pvs-studio-analyzer analyze -f build/compile_commands.json -R .PVS-Studio/.pvsconfig -j4 --security-related-issues --misra-cpp-version 2008 --misra-c-version 2023 --use-old-parser -e lib/ -e hw/mcu/ -e */iar/cxarm/ -e pico-sdk/ | |
| plog-converter -t sarif -o pvs-studio-${{ matrix.board }}.sarif PVS-Studio.log | |
| - name: Upload SARIF | |
| uses: github/codeql-action/upload-sarif@v4 | |
| with: | |
| sarif_file: pvs-studio-${{ matrix.board }}.sarif | |
| category: PVS-Studio | |
| - name: Upload artifact | |
| uses: actions/upload-artifact@v5 | |
| with: | |
| name: pvs-studio-${{ matrix.board }} | |
| path: pvs-studio-${{ matrix.board }}.sarif | |
| SonarQube: | |
| # Only run on non-forked PR since secrets token is required | |
| if: github.repository_owner == 'hathach' && github.event.pull_request.head.repo.fork == false | |
| runs-on: ubuntu-latest | |
| env: | |
| BUILD_WRAPPER_OUT_DIR: build_wrapper_output_directory | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| board: | |
| - 'stm32h743eval' | |
| steps: | |
| - name: Checkout TinyUSB | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis | |
| - name: Get Dependencies | |
| uses: ./.github/actions/get_deps | |
| with: | |
| arg: -b${{ matrix.board }} | |
| - name: Setup Toolchain | |
| uses: ./.github/actions/setup_toolchain | |
| with: | |
| toolchain: 'arm-gcc' | |
| - name: Install Build Wrapper | |
| uses: SonarSource/sonarqube-scan-action/install-build-wrapper@v6 | |
| - name: Run Build Wrapper | |
| run: | | |
| cmake examples -B build -G Ninja -DBOARD=${{ matrix.board }} -DCMAKE_BUILD_TYPE=MinSizeRel | |
| build-wrapper-linux-x86-64 --out-dir ${{ env.BUILD_WRAPPER_OUT_DIR }} cmake --build build/ | |
| - name: SonarQube Scan | |
| uses: SonarSource/sonarqube-scan-action@v6 | |
| env: | |
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
| with: | |
| # Consult https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/sonarscanner/ for more information and options | |
| args: > | |
| --define sonar.cfamily.compile-commands=${{ env.BUILD_WRAPPER_OUT_DIR }}/compile_commands.json | |
| IAR-CStat: | |
| # Only run on non-forked PR since secrets token is required | |
| #if: github.repository_owner == 'hathach' && github.event.pull_request.head.repo.fork == false | |
| if: false | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| board: | |
| - 'b_g474e_dpow1' | |
| steps: | |
| - name: Checkout TinyUSB | |
| uses: actions/checkout@v4 | |
| - name: Get Dependencies | |
| uses: ./.github/actions/get_deps | |
| with: | |
| arg: -b${{ matrix.board }} | |
| - name: Setup Toolchain | |
| uses: ./.github/actions/setup_toolchain | |
| with: | |
| toolchain: 'arm-iar' | |
| - name: Install CMake 4.2 | |
| run: | | |
| # IAR CSTAT requires CMake >= 4.1 | |
| wget -q https://github.com/Kitware/CMake/releases/download/v4.2.0-rc1/cmake-4.2.0-rc1-linux-x86_64.tar.gz | |
| tar -xzf cmake-4.2.0-rc1-linux-x86_64.tar.gz | |
| echo "${{ github.workspace }}/cmake-4.2.0-rc1-linux-x86_64/bin" >> $GITHUB_PATH | |
| - name: Build and run IAR C-STAT Analysis | |
| env: | |
| IAR_LMS_BEARER_TOKEN: ${{ secrets.IAR_LMS_BEARER_TOKEN }} | |
| run: | | |
| # CMake run post build to generate C-STAT SARIF report | |
| cmake --version | |
| mkdir -p build | |
| cmake examples/device/cdc_msc -B build -G Ninja -DBOARD=${{ matrix.board }} -DTOOLCHAIN=iar -DIAR_CSTAT=1 -DCMAKE_BUILD_TYPE=MinSizeRel | |
| cmake --build build | |
| # Merge sarif files for codeql upload | |
| npm i -g @microsoft/sarif-multitool | |
| npx @microsoft/sarif-multitool merge --merge-runs --output-file iar-cstat-${{ matrix.board }}.sarif build/cstat_sarif/*.sarif | |
| - name: Upload SARIF | |
| uses: github/codeql-action/upload-sarif@v4 | |
| with: | |
| sarif_file: iar-cstat-${{ matrix.board }}.sarif | |
| category: IAR-CStat | |
| - name: Upload artifact | |
| uses: actions/upload-artifact@v5 | |
| with: | |
| name: iar-cstat-${{ matrix.board }} | |
| path: iar-cstat-${{ matrix.board }}.sarif |
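Review bot: In the PVS-Studio job's "Install Tools" step the credential is spliced into the shell script by expression interpolation, `pvs-studio-analyzer credentials ${{ secrets.PVS_STUDIO_CREDENTIALS }}`, whereas the SonarQube Scan and IAR C-STAT steps hand their tokens over through `env:` (`SONAR_TOKEN`, `IAR_LMS_BEARER_TOKEN`). Interpolation pastes the raw value into the script before bash runs it, so a value containing shell metacharacters can break or change the command, while an environment variable is quoted like any other shell variable; for consistency with the sibling jobs add `env:` / `PVS_STUDIO_CREDENTIALS: ${{ secrets.PVS_STUDIO_CREDENTIALS }}` to that step and call `pvs-studio-analyzer credentials "$PVS_STUDIO_CREDENTIALS"`. Separately, every external action in this workflow is referenced by a mutable tag (`advanced-security/filter-sarif@v1`, `SonarSource/sonarqube-scan-action@v6`, `actions/upload-artifact@v5`, the `github/codeql-action/*@v4` steps); for a workflow that holds `security-events: write` and receives repository secrets, pinning each `uses:` to a full commit SHA with the tag kept in a trailing comment is the usual supply-chain hardening. The `sudo apt-key add -` call in the same "Install Tools" step relies on a deprecated tool that current Ubuntu releases only keep for compatibility, so it may stop working when `ubuntu-latest` moves on; a keyring file referenced with `signed-by` in the sources entry is the replacement.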