Testing: add GitHub action to test with CodeChecker static analyzer

cconlon · cconlon · commit 9d96544d8098 · 2025-07-21T16:15:46.000-06:00
diff --git a/.github/workflows/codechecker.yml b/.github/workflows/codechecker.yml
@@ -0,0 +1,97 @@
+name: CodeChecker Static Analysis
+
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+jobs:
+  codechecker:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      # Cache Junit JARs
+      - name: Cache Junit JARs
+        uses: actions/cache@v3
+        id: cache-junit
+        with:
+          path: ${{ github.workspace }}/junit
+          key: junit-cache-${{ runner.os }}-junit-4.13.2-hamcrest-1.3
+          restore-keys: |
+            junit-cache-${{ runner.os }}-
+
+      # Download Junit JARs (needed for full build)
+      - name: Download junit-4.13.2.jar
+        if: steps.cache-junit.outputs.cache-hit != 'true'
+        run: wget --directory-prefix=$GITHUB_WORKSPACE/junit https://repo1.maven.org/maven2/junit/junit/4.13.2/junit-4.13.2.jar
+      - name: Download hamcrest-all-1.3.jar
+        if: steps.cache-junit.outputs.cache-hit != 'true'
+        run: wget --directory-prefix=$GITHUB_WORKSPACE/junit https://repo1.maven.org/maven2/org/hamcrest/hamcrest-all/1.3/hamcrest-all-1.3.jar
+
+      # Build native wolfSSL
+      - name: Build native wolfSSL
+        uses: wolfSSL/actions-build-autotools-project@v1
+        with:
+          repository: wolfSSL/wolfssl
+          ref: master
+          path: wolfssl
+          configure: '--enable-jni --enable-all'
+          check: false
+          install: true
+
+      # Setup Java
+      - name: Setup java
+        uses: actions/setup-java@v4
+        with:
+          distribution: 'zulu'
+          java-version: '11'
+
+      - name: Set JUNIT_HOME
+        run: |
+          echo "JUNIT_HOME=$GITHUB_WORKSPACE/junit" >> "$GITHUB_ENV"
+      - name: Set LD_LIBRARY_PATH
+        run: |
+          echo "LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$GITHUB_WORKSPACE/build-dir/lib" >> "$GITHUB_ENV"
+
+      # Copy appropriate makefile for Linux
+      - name: Copy makefile
+        run: cp makefile.linux makefile
+
+      # Run CodeChecker static analysis
+      - name: Run CodeChecker analysis
+        uses: whisperity/codechecker-analysis-action@v1
+        id: codechecker
+        with:
+          build-command: 'PREFIX=${{ github.workspace }}/build-dir make'
+          ctu: true
+          config: |
+            {
+              "CodeChecker": {
+                "analyzer": [
+                  "--enable=sensitive"
+                ]
+              }
+            }
+
+      # Upload CodeChecker results as artifacts
+      - name: Upload CodeChecker results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: codechecker-reports
+          path: ${{ steps.codechecker.outputs.result-html-dir }}
+
+      # Show CodeChecker results in logs
+      - name: Show CodeChecker results
+        if: always()
+        run: |
+          echo "=== CodeChecker analysis complete ==="
+          echo "Warnings found: ${{ steps.codechecker.outputs.warnings }}"
+          echo "CodeChecker version: ${{ steps.codechecker.outputs.codechecker-version }}"
+          if [ "${{ steps.codechecker.outputs.warnings }}" -eq "0" ]; then
+            echo "✅ No static analysis issues found"
+          else
+            echo "⚠️  Static analysis issues detected - check artifacts"
+          fi
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -6,184 +6,4 @@ on:
     branches: [ '*' ]
 
 jobs:
-  # Oracle JDK (Linux, Mac)
-  # Oracle JDK requires JAR to be signed for some classes to load/run
-  # properly, for example KeyAgreement. These tests are commented out
-  # here until we get a solution in place for CI JAR signing
-  #linux-oracle:
-  #  strategy:
-  #    matrix:
-  #      os: [ 'ubuntu-latest', 'macos-latest' ]
-  #      jdk_version: [ '17', '21' ]
-  #      wolfssl_configure: [ '--enable-jni' ]
-  #  name: ${{ matrix.os }} (Oracle JDK ${{ matrix.jdk_version }}, ${{ matrix.wolfssl_configure}})
-  #  uses: ./.github/workflows/linux-common.yml
-  #  with:
-  #    os: ${{ matrix.os }}
-  #    jdk_distro: "oracle"
-  #    jdk_version: ${{ matrix.jdk_version }}
-  #    wolfssl_configure: ${{ matrix.wolfssl_configure }}
-
-  # Zulu JDK (Linux, Mac)
-  linux-zulu:
-    strategy:
-      matrix:
-        os: [ 'ubuntu-latest', 'macos-latest' ]
-        jdk_version: [ '8', '11', '17', '21' ]
-        wolfssl_configure: [ '--enable-jni' ]
-    name: ${{ matrix.os }} (Zulu JDK ${{ matrix.jdk_version }}, ${{ matrix.wolfssl_configure}})
-    uses: ./.github/workflows/linux-common.yml
-    with:
-      os: ${{ matrix.os }}
-      jdk_distro: "zulu"
-      jdk_version: ${{ matrix.jdk_version }}
-      wolfssl_configure: ${{ matrix.wolfssl_configure }}
-
-  # Corretto JDK (Linux, Mac)
-  linux-corretto:
-    strategy:
-      matrix:
-        os: [ 'ubuntu-latest', 'macos-latest' ]
-        jdk_version: [ '8', '11', '17', '21' ]
-        wolfssl_configure: [ '--enable-jni' ]
-    name: ${{ matrix.os }} (Corretto JDK ${{ matrix.jdk_version }}, ${{ matrix.wolfssl_configure}})
-    uses: ./.github/workflows/linux-common.yml
-    with:
-      os: ${{ matrix.os }}
-      jdk_distro: "corretto"
-      jdk_version: ${{ matrix.jdk_version }}
-      wolfssl_configure: ${{ matrix.wolfssl_configure }}
-
-  # Temurin JDK (Linux, Mac)
-  # JDK 8 seems to have been removed from Temurin macos, with 8 we see the error
-  # Could not find satisfied version for SemVer '8'
-  linux-temurin:
-    strategy:
-      matrix:
-        os: [ 'ubuntu-latest', 'macos-latest' ]
-        jdk_version: [ '11', '17', '21' ]
-        wolfssl_configure: [ '--enable-jni' ]
-    name: ${{ matrix.os }} (Temurin JDK ${{ matrix.jdk_version }}, ${{ matrix.wolfssl_configure}})
-    uses: ./.github/workflows/linux-common.yml
-    with:
-      os: ${{ matrix.os }}
-      jdk_distro: "temurin"
-      jdk_version: ${{ matrix.jdk_version }}
-      wolfssl_configure: ${{ matrix.wolfssl_configure }}
-
-  # Microsoft JDK (Linux, Mac)
-  linux-microsoft:
-    strategy:
-      matrix:
-        os: [ 'ubuntu-latest', 'macos-latest' ]
-        jdk_version: [ '11.0.19', '17.0.7', '21.0.0' ]
-        wolfssl_configure: [ '--enable-jni' ]
-    name: ${{ matrix.os }} (Microsoft JDK ${{ matrix.jdk_version }}, ${{ matrix.wolfssl_configure}})
-    uses: ./.github/workflows/linux-common.yml
-    with:
-      os: ${{ matrix.os }}
-      jdk_distro: "microsoft"
-      jdk_version: ${{ matrix.jdk_version }}
-      wolfssl_configure: ${{ matrix.wolfssl_configure }}
-
-  # -------------------- enable-all sanity checks -----------------------
-  # Only check one Linux and Mac JDK version with --enable-jni --enable-all
-  # as sanity. Using Zulu, but this can be expanded if needed.
-  linux-zulu-all:
-    strategy:
-      matrix:
-        os: [ 'ubuntu-latest', 'macos-latest' ]
-        jdk_version: [ '11' ]
-        wolfssl_configure: [ '--enable-jni --enable-all' ]
-    name: ${{ matrix.os }} (Zulu JDK ${{ matrix.jdk_version }}, ${{ matrix.wolfssl_configure}})
-    uses: ./.github/workflows/linux-common.yml
-    with:
-      os: ${{ matrix.os }}
-      jdk_distro: "zulu"
-      jdk_version: ${{ matrix.jdk_version }}
-      wolfssl_configure: ${{ matrix.wolfssl_configure }}
-
-  # ------------------ RSA 1024 min size sanity check -------------------
-  # Only check one Linux and Mac JDK version as a sanity check. Using Zulu,
-  # but this can be expanded if needed.
-  # wolfSSL ./configure:
-  #     --enable-jni CFLAGS="-DRSA_MIN_SIZE=1024
-  linux-zulu-rsa-min-size:
-    strategy:
-      matrix:
-        os: [ 'ubuntu-latest', 'macos-latest' ]
-        jdk_version: [ '11' ]
-        wolfssl_configure: [ '--enable-jni CFLAGS="-DRSA_MIN_SIZE=1024"' ]
-    name: ${{ matrix.os }} (Zulu JDK ${{ matrix.jdk_version }}, ${{ matrix.wolfssl_configure}})
-    uses: ./.github/workflows/linux-common.yml
-    with:
-      os: ${{ matrix.os }}
-      jdk_distro: "zulu"
-      jdk_version: ${{ matrix.jdk_version }}
-      wolfssl_configure: ${{ matrix.wolfssl_configure }}
-
-  # ------------------ Facebook Infer static analysis -------------------
-  # Run Facebook infer over PR code, only running on Linux with one
-  # JDK/version for now.
-  fb-infer:
-    strategy:
-      matrix:
-        os: [ 'ubuntu-latest' ]
-        jdk_version: [ '11' ]
-        wolfssl_configure: [ '--enable-jni --enable-all' ]
-    name: Facebook Infer (${{ matrix.os }} Zulu JDK ${{ matrix.jdk_version }}, ${{ matrix.wolfssl_configure }})
-    uses: ./.github/workflows/infer.yml
-    with:
-      os: ${{ matrix.os }}
-      jdk_distro: "zulu"
-      jdk_version: ${{ matrix.jdk_version }}
-      wolfssl_configure: ${{ matrix.wolfssl_configure }}
-
-  # ----------------------- Android Gradle build ------------------------
-  # Run Android gradle build over PR code, only running on Linux with one
-  # JDK/version for now.
-  android-gradle:
-    strategy:
-      matrix:
-        os: [ 'ubuntu-latest' ]
-        jdk_version: [ '21' ]
-    name: Android Gradle (${{ matrix.os }} Zulu JDK ${{ matrix.jdk_version }})
-    uses: ./.github/workflows/android_gradle.yml
-    with:
-      os: ${{ matrix.os }}
-      jdk_distro: "zulu"
-      jdk_version: ${{ matrix.jdk_version }}
-
-  # --------------------- Maven build - test pom.xml --------------------
-  # Run Maven build over PR code, running on Linux and Mac with only one
-  # JDK/version for now.
-  maven-build:
-    strategy:
-      matrix:
-        os: [ 'ubuntu-latest', 'macos-latest' ]
-        jdk_version: [ '21' ]
-        wolfssl_configure: [ '--enable-jni' ]
-    name: Maven Build (${{ matrix.os }} Zulu JDK ${{ matrix.jdk_version }})
-    uses: ./.github/workflows/maven.yml
-    with:
-      os: ${{ matrix.os }}
-      jdk_distro: "zulu"
-      jdk_version: ${{ matrix.jdk_version }}
-      wolfssl_configure: ${{ matrix.wolfssl_configure }}
-
-  # --------------- AddressSanitizer build and test ------------------
-  # Run AddressSanitizer build and test on Linux only for memory error detection
-  address-sanitizer:
-    strategy:
-      matrix:
-        os: [ 'ubuntu-latest' ]
-        jdk_version: [ '21' ]
-        wolfssl_configure: [ '--enable-jni' ]
-    name: AddressSanitizer (${{ matrix.os }} Zulu JDK ${{ matrix.jdk_version }})
-    uses: ./.github/workflows/sanitizer-common.yml
-    with:
-      os: ${{ matrix.os }}
-      jdk_distro: "zulu"
-      jdk_version: ${{ matrix.jdk_version }}
-      wolfssl_configure: ${{ matrix.wolfssl_configure }}
 
