
.github/workflows: Introduce static-analysis workflow #1811

Merged
unikraft-bot merged 2 commits into unikraft:staging-1811 from michpappas:michpappas/add-codechecker-workflow on Apr 23, 2026

Conversation

@michpappas (Member) commented Apr 17, 2026

Description of Changes

Add a workflow that runs static analysis with CodeChecker. The workflow can be executed standalone, although its main purpose is to act as a CI gate for new findings on PRs. This very first implementation is limited to app-elfloader on qemu/x86_64 built with Clang.

Identifier checks (clang-diagnostic-reserved-identifier / clang-diagnostic-reserved-macro-identifier) are disabled by the newly introduced .codechecker.yml, as unikraft uses the underscore prefix to indicate private scope.

Internally, once static analysis is complete the results are checked against those stored in the CodeChecker remote database for the same configuration. If new findings are introduced, the job fails and the results are shown in its logs, as shown below:

[image: job log listing the new static-analysis findings]

Upon merge, the results are stored in the remote database, resulting in an updated state.

Related Work

#1751, #1809

PR Checklist

  • Read the contribution guidelines regarding submitting new changes to the project;
  • Tested your changes against relevant architectures and platforms;
  • Ran the checkpatch.uk on your commit series before opening this PR;
  • Updated relevant documentation.
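The gating step described in the PR description, reproduced as an added standalone Python example (this is not the PR's workflow and not CodeChecker's own code): two constructed finding lists stand in for the baseline held in the remote database and for the fresh analysis run, findings are keyed by a content hash so that a line shift does not get reported as new, the two disabled identifier checkers are filtered out the way the configuration file does, and the script exits non-zero only when a finding has no counterpart in the baseline. The hash is a simplified stand-in for CodeChecker's report hash, and every file name, message and finding below is invented.

```python
"""Minimal 'fail on new findings' gate, the kind of check a static-analysis
CI job performs after comparing a fresh run against a stored baseline.

Added example, not CodeChecker or the Unikraft workflow. The findings below
are constructed; the hash is a simplified stand-in for CodeChecker's report
hash (assumption: identity = checker + file + message + source line text).
"""
import hashlib
import sys

# Checkers suppressed project-wide (the same two the PR disables because the
# project uses the underscore prefix to mark private scope).
DISABLED_CHECKERS = {
    "clang-diagnostic-reserved-identifier",
    "clang-diagnostic-reserved-macro-identifier",
}


def report_hash(finding):
    """Stable identity of a finding that ignores the line number, so that
    inserting unrelated code above a known issue does not make it 'new'."""
    material = "\0".join((
        finding["checker"],
        finding["file"],
        finding["message"],
        finding["source_line"].strip(),
    ))
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def gate(baseline, current, disabled=DISABLED_CHECKERS):
    """Compare a fresh run against the baseline.

    Returns (new, resolved, unresolved) finding lists. Only 'new' should fail
    a PR; 'resolved' is informational and 'unresolved' is pre-existing debt.
    """
    def index(findings):
        return {report_hash(f): f for f in findings
                if f["checker"] not in disabled}

    base, cur = index(baseline), index(current)
    new = [cur[h] for h in sorted(cur.keys() - base.keys())]
    resolved = [base[h] for h in sorted(base.keys() - cur.keys())]
    unresolved = [cur[h] for h in sorted(cur.keys() & base.keys())]
    return new, resolved, unresolved


def fmt(finding):
    return "{file}:{line}: [{checker}] {message}".format(**finding)


# Constructed baseline: what the remote database holds for this configuration.
BASELINE = [
    {"checker": "core.NullDereference", "file": "lib/ukalloc/alloc.c",
     "line": 120, "message": "Dereference of a null pointer in field 'size'",
     "source_line": "\treturn b->size;"},
    {"checker": "unix.Malloc", "file": "lib/vfscore/file.c",
     "line": 88, "message": "Potential leak of memory pointed to by 'fp'",
     "source_line": "\treturn -ENOMEM;"},
]

# Constructed current run: the null dereference moved down 3 lines (same
# issue), the leak is gone, a new dead-store finding appeared, and one
# reserved-identifier diagnostic is present but disabled by configuration.
CURRENT = [
    {"checker": "core.NullDereference", "file": "lib/ukalloc/alloc.c",
     "line": 123, "message": "Dereference of a null pointer in field 'size'",
     "source_line": "\treturn b->size;"},
    {"checker": "deadcode.DeadStores", "file": "lib/ukalloc/alloc.c",
     "line": 57, "message": "Value stored to 'rc' is never read",
     "source_line": "\trc = 0;"},
    {"checker": "clang-diagnostic-reserved-identifier",
     "file": "include/uk/arch/types.h", "line": 12,
     "message": "identifier '__uk_foo' is reserved because it starts with '__'",
     "source_line": "typedef unsigned long __uk_foo;"},
]


def run_gate(baseline=BASELINE, current=CURRENT):
    """Print a CI-style summary; return the exit status the job should use."""
    new, resolved, unresolved = gate(baseline, current)
    for label, items in (("NEW", new), ("RESOLVED", resolved),
                         ("UNRESOLVED", unresolved)):
        for f in items:
            print(f"[{label}] {fmt(f)}")
    print(f"new={len(new)} resolved={len(resolved)} unresolved={len(unresolved)}")
    return 1 if new else 0


if __name__ == "__main__":
    sys.exit(run_gate())
```

Run as-is, the script reports one new finding (the dead store), one resolved finding (the leak), one unresolved finding (the null dereference, despite its line moving from 120 to 123) and exits with status 1; the reserved-identifier diagnostic never reaches the comparison. Keying on a content hash rather than a line number is what keeps the gate from flagging every pre-existing issue in a file someone merely edited above it.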

github-actions (bot) added the label area/workflows (Issue or PR relates to GitHub action workflows) on Apr 17, 2026
@michpappas (Member, Author) commented:

The current static analysis failure is due to the database server domain not being registered. Please do not merge until resolved.

@andreittr (Contributor) left a comment:

Looks good, I've only some clarifying questions.
(AB & merging blocked pending database server)

Reviewed-by: Andrei Tatar ttr@unikraft.io

Comment thread .github/workflows/static-analysis.yaml Outdated
Comment thread .github/workflows/static-analysis.yaml
Add .codechecker.yaml and disable identifier checks as unikraft
uses the underscore prefix to indicate private scope.

Signed-off-by: Michalis Pappas <michalis@unikraft.io>
@michpappas force-pushed the michpappas/add-codechecker-workflow branch from b6638e1 to f1b30fa on April 22, 2026 13:37
@michpappas (Member, Author) commented:

Updated static-analysis.yaml to trigger on workflow_run after integration is complete, as with the pull_request trigger GH blocks access to secrets for PRs originating from remote forks (the norm in Unikraft) for security reasons.

Also added a status line in the PR using the GH API, as normally workflow_run triggers don't show on the PR's checks.

Finally, the workflow now runs static analysis on staging and stores the results into the database periodically overnight, and also if triggered manually.

Notice that:

  1. The custom check only appears once static analysis starts.
  2. The static analysis check does not appear in this PR because it does not exist on staging.

@andreittr if this goes well we can later generalize and rename the static analysis workflow to build and analyze an arbitrary application, arch, plat matrix and add helloworld and possibly others.
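How the status line mentioned in the comment above can be attached to a PR from a workflow_run job, as an added Python example that is not the PR's actual implementation: it reads the triggering run's head SHA and conclusion from the workflow_run event payload, maps the conclusion to a commit status with distinct messages for failure and cancellation (and a pending state for a run that has only just started), and posts it with the Commits Statuses REST endpoint. The event excerpt is constructed, `REPO` and `CONTEXT` are placeholders, and the one caveat worth keeping in mind is the flip side of why workflow_run gets secrets at all: the job runs in the base repository with access to its secrets, so it should only report on the PR and never check out and execute the PR's own code.

```python
"""Post a commit status for a job started by the workflow_run trigger.

Added example; not the Unikraft workflow itself. REPO, CONTEXT and the
event payload below are placeholders / constructed. Because workflow_run
jobs run in the base repository with access to its secrets, keep this job
to reporting and never check out and execute the PR's own code in it.
"""
import json
import os
import urllib.request

REPO = "example-org/example-repo"           # placeholder: owner/repo
CONTEXT = "static-analysis / new findings"  # name shown in the PR's checks

# Constructed excerpt of a workflow_run event payload (only the fields used).
SAMPLE_EVENT = {
    "workflow_run": {
        "head_sha": "0123456789abcdef0123456789abcdef01234567",
        "conclusion": "failure",
        "html_url": "https://github.com/example-org/example-repo/actions/runs/1",
    }
}


def status_for(conclusion):
    """Map a workflow_run conclusion to (state, description).

    The commit status API only knows pending/success/failure/error, so a
    cancelled run is reported as 'error' with its own message rather than
    being confused with a genuine analysis failure.
    """
    table = {
        "success": ("success", "No new static-analysis findings"),
        "failure": ("failure", "New static-analysis findings, see job log"),
        "cancelled": ("error", "Static analysis was cancelled"),
    }
    return table.get(conclusion, ("pending", "Static analysis in progress"))


def build_status(event, context=CONTEXT):
    """Return (head_sha, payload) for POST /repos/{owner}/{repo}/statuses/{sha}.

    The status must go on the PR's head SHA, which the workflow_run payload
    carries; the job's own GITHUB_SHA points at the base branch instead.
    """
    run = event["workflow_run"]
    state, description = status_for(run.get("conclusion"))
    payload = {
        "state": state,
        "description": description,
        "context": context,
        "target_url": run.get("html_url", ""),
    }
    return run["head_sha"], payload


def post_status(token, repo, sha, payload):
    """Send the status; the job's GITHUB_TOKEN with statuses: write suffices."""
    req = urllib.request.Request(
        f"https://api.github.com/repos/{repo}/statuses/{sha}",
        data=json.dumps(payload).encode(),
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # In a real job: event = json.load(open(os.environ["GITHUB_EVENT_PATH"]))
    sha, payload = build_status(SAMPLE_EVENT)
    print(sha, json.dumps(payload, indent=2))
    if os.environ.get("GITHUB_TOKEN"):
        print(post_status(os.environ["GITHUB_TOKEN"], REPO, sha, payload))
```

Posting a "pending" status as soon as the analysis job starts and overwriting it with the final state under the same `context` is what makes the check appear on the PR while the run is in progress; without a `GITHUB_TOKEN` in the environment the script only prints the payload it would send.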

@michpappas requested a review from andreittr on April 22, 2026 13:53
@michpappas force-pushed the michpappas/add-codechecker-workflow branch from f1b30fa to 60a6c71 on April 22, 2026 15:34
Add a workflow that runs static analysis with CodeChecker on PRs
acting as a CI gate on new findings. This very first implementation
is limited to app-elfloader on qemu/x86_64 built with Clang.

Checkpatch-Ignore: SPDX_LICENSE_TAG
Signed-off-by: Michalis Pappas <michalis@unikraft.io>
@michpappas force-pushed the michpappas/add-codechecker-workflow branch from 60a6c71 to b342897 on April 23, 2026 03:44
@michpappas (Member, Author) commented:

Changes in last update: Display different message on fail and cancel.

@andreittr (Contributor) left a comment:

Reviewed-by: Andrei Tatar ttr@unikraft.io

@andreittr (Contributor) commented:

Approved-by: Andrei Tatar ttr@unikraft.io

@andreittr added the label merge (Label to trigger merge action) on Apr 23, 2026
unikraft-bot changed the base branch from staging to staging-1811 on April 23, 2026 08:48
@unikraft-bot unikraft-bot merged commit 1dc8dde into unikraft:staging-1811 Apr 23, 2026
13 checks passed
unikraft-bot pushed a commit that referenced this pull request Apr 23, 2026
Add .codechecker.yaml and disable identifier checks as unikraft
uses the underscore prefix to indicate private scope.

Signed-off-by: Michalis Pappas <michalis@unikraft.io>
Approved-by: Andrei Tatar <ttr@unikraft.io>
Reviewed-by: Andrei Tatar <ttr@unikraft.io>
GitHub-Closes: #1811
unikraft-bot pushed a commit that referenced this pull request Apr 23, 2026
Add a workflow that runs static analysis with CodeChecker on PRs
acting as a CI gate on new findings. This very first implementation
is limited to app-elfloader on qemu/x86_64 built with Clang.

Checkpatch-Ignore: SPDX_LICENSE_TAG
Signed-off-by: Michalis Pappas <michalis@unikraft.io>
Approved-by: Andrei Tatar <ttr@unikraft.io>
Reviewed-by: Andrei Tatar <ttr@unikraft.io>
GitHub-Closes: #1811
unikraft-bot added the label ci/merged (Merged by CI) and removed the label merge (Label to trigger merge action) on Apr 23, 2026
github-project-automation (bot) moved this from 🧊 Icebox to ✅ Done! in Unikraft Core Roadmap on Apr 23, 2026