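# Advisory code-quality and security lint for the sources under src/.
# Every check reports its findings as workflow warnings and then succeeds,
# so nothing in this workflow blocks a merge on its own.
name: Code Quality

on:
  push:
    branches: [master, main]
  pull_request:
    branches: [master, main]

# Least privilege: both jobs only read the checked-out tree, so the
# GITHUB_TOKEN gets no write scopes. This matters because the steps below
# process file names and file contents that a pull request controls.
permissions:
  contents: read

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        # NOTE(review): v4 is a mutable tag; pinning to a full commit SHA
        # protects the workflow if the tag is ever moved.
        uses: actions/checkout@v4
        with:
          # No later step pushes or fetches, so do not leave the token in
          # the local git config.
          persist-credentials: false

      - name: Install dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y \
            clang-format \
            cppcheck \
            shellcheck \
            libxml2-utils \
            desktop-file-utils

      - name: Check C/C++ code formatting
        run: |
          # Find all C/C++ files and check formatting
          echo "::warning::Code formatting check - this is informational only"
          find src/ \( -name "*.c" -o -name "*.h" \) -type f |
            while IFS= read -r file; do
              echo "Checking format of $file"
              # --Werror is required for a non-zero exit status; with
              # --dry-run alone clang-format prints diagnostics and exits 0,
              # so the warning below would never fire.
              if ! clang-format --dry-run --Werror "$file" > /dev/null 2>&1; then
                echo "::warning file=$file::Code formatting issues found in $file"
              fi
            done || true

      - name: Run cppcheck
        run: |
          echo "::warning::Running cppcheck analysis - issues will be reported as warnings"
          # Each "file:line: severity: message" line is re-emitted as a
          # workflow warning annotation; anything else is passed through.
          cppcheck --enable=warning,style,performance,portability,information \
            --suppress=missingIncludeSystem \
            --suppress=unusedFunction \
            --inline-suppr \
            --template='{file}:{line}: {severity}: {message}' \
            src/ 2>&1 | while IFS= read -r line; do
              if [[ $line =~ ^(.+):([0-9]+):[[:space:]]*([^:]+):[[:space:]]*(.+)$ ]]; then
                file="${BASH_REMATCH[1]}"
                lineno="${BASH_REMATCH[2]}"
                severity="${BASH_REMATCH[3]}"
                message="${BASH_REMATCH[4]}"
                echo "::warning file=$file,line=$lineno::$severity: $message"
              else
                echo "$line"
              fi
            done || true

      - name: Check shell scripts
        run: |
          echo "::warning::Running shellcheck analysis - issues will be reported as warnings"
          find . -name "*.sh" -type f | while IFS= read -r file; do
            echo "Checking shell script: $file"
            if ! shellcheck "$file"; then
              echo "::warning file=$file::Shellcheck found issues in $file"
            fi
          done || true

      - name: Validate desktop files
        run: |
          echo "::warning::Validating desktop files - issues will be reported as warnings"
          find . -name "*.desktop.in" -type f | while IFS= read -r file; do
            echo "Validating $file"
            # Basic validation - desktop-file-validate would need the
            # processed .desktop file.
            # NOTE(review): xmllint parses XML; if these templates are
            # key=value desktop entries it will warn on every file. Confirm.
            if ! xmllint --noout --nonet --quiet "$file" 2>/dev/null; then
              echo "::warning file=$file::Desktop file validation issues found in $file"
            fi
          done || true

      - name: Check XML files
        run: |
          echo "::warning::Validating XML files - issues will be reported as warnings"
          find . -name "*.xml" -type f | while IFS= read -r file; do
            echo "Validating XML: $file"
            # --nonet matches the desktop-file step: a document taken from
            # the tree must not make the parser fetch anything remotely.
            if ! xmllint --noout --nonet "$file" 2>/dev/null; then
              echo "::warning file=$file::XML validation issues found in $file"
            fi
          done || true

      - name: Check for common issues
        run: |
          echo "::warning::Checking for common code issues - issues will be reported as warnings"
          # Check for trailing whitespace
          if grep -r '[[:space:]]$' src/ --exclude-dir=.git; then
            echo "::warning::Found trailing whitespace in source files"
          fi
          # Check for tabs in source files (if project prefers spaces)
          if grep -r $'\t' src/ --include="*.c" --include="*.h" --exclude-dir=.git; then
            echo "::warning::Found tabs in source files - consider using spaces for consistency"
          fi
          # Always succeed
          true

  security:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        # NOTE(review): v4 is a mutable tag; pinning to a full commit SHA
        # protects the workflow if the tag is ever moved.
        uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Run security checks
        run: |
          echo "::warning::Running security analysis - issues will be reported as warnings"
          echo "Checking for potential security issues..."
          # Look for unbounded string functions. The word boundary keeps
          # the bounded variants (snprintf, fgets, ...) from matching, and
          # headers are scanned too because they can hold inline code.
          # This is a coarse text heuristic that complements cppcheck; it
          # never fails the job.
          if grep -rnE '\b(strcpy|sprintf|gets|strcat)[[:space:]]*\(' src/ \
            --include="*.c" --include="*.h"; then
            echo "::warning::Found potentially unsafe functions - consider using safer alternatives"
          fi
          # Check for TODO/FIXME comments that might indicate security issues
          if grep -r 'TODO.*\(security\|vulner\|exploit\)' src/; then
            echo "::warning::Found security-related TODO comments"
          fi
          if grep -r 'FIXME.*\(security\|vulner\|exploit\)' src/; then
            echo "::warning::Found security-related FIXME comments"
          fi
          echo "Security check completed"
          # Always succeed
          true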