name: PVS-Studio Static Analysis
on:
  # Automatically run at the end of every day.
  schedule:
    - cron: '0 0 * * *'

jobs:
  build:
    name: Static Analysis
    runs-on: ubuntu-22.04
    env:
      PVS_STUDIO_ANALYSIS_ARCH: x86_64
    if: always() && github.repository == 'SerenityOS/serenity' && github.ref == 'refs/heads/master'
    steps:
      - uses: actions/checkout@v4

      - name: "Configure PVS-Studio Repository"
        run: |
          wget -q -O - https://files.pvs-studio.com/beta/etc/pubkey.txt | sudo apt-key add -
          sudo wget -O /etc/apt/sources.list.d/viva64.list https://files.pvs-studio.com/beta/etc/viva64.list

      - name: "Install Ubuntu dependencies"
        # These packages are already part of the ubuntu-22.04 image:
        # cmake libgmp-dev npm shellcheck
        # Packages below aren't.
        #
        run: |
          wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | sudo apt-key add -
          sudo add-apt-repository 'deb http://apt.llvm.org/jammy/ llvm-toolchain-jammy-16 main'
          sudo apt-get update
          sudo apt-get install -y clang-format-16 gcc-12 g++-12 libstdc++-12-dev libmpfr-dev libmpc-dev ninja-build unzip pvs-studio

      - name: Check versions
        run: set +e; g++ --version; g++-12 --version; ninja --version;

      - name: Prepare useful stamps
        id: stamps
        shell: cmake -P {0}
        run: |
          string(TIMESTAMP current_date "%Y_%m_%d_%H_%M_%S" UTC)
          # Output everything twice to make it visible both in the logs
          # *and* as actual output variable, in this order.
          message("  set-output name=time::${current_date}")
          message("::set-output name=time::${current_date}")
          message("  set-output name=libc_headers::${{ hashFiles('Userland/Libraries/LibC/**/*.h', 'Userland/Libraries/LibPthread/**/*.h', 'Toolchain/Patches/*.patch', 'Toolchain/Patches/gcc/*.patch', 'Toolchain/BuildGNU.sh') }}")
          message("::set-output name=libc_headers::${{ hashFiles('Userland/Libraries/LibC/**/*.h', 'Userland/Libraries/LibPthread/**/*.h', 'Toolchain/Patches/*.patch', 'Toolchain/Patches/gcc/*.patch', 'Toolchain/BuildGNU.sh') }}")

      - name: Toolchain cache
        # This job should always read the cache, never populate it.
        uses: actions/cache/restore@v4
        id: toolchain-cache
        with:
          path: ${{ github.workspace }}/Toolchain/Local/${{ env.PVS_STUDIO_ANALYSIS_ARCH }}
          # This assumes that *ALL* LibC and LibPthread headers have an impact on the Toolchain.
          # This is wrong, and causes more Toolchain rebuilds than necessary.
          # However, we want to avoid false cache hits at all costs.
          key: ${{ runner.os }}-toolchain-${{ env.PVS_STUDIO_ANALYSIS_ARCH }}-${{ steps.stamps.outputs.libc_headers }}

      - name: Build toolchain
        if: ${{ !steps.toolchain-cache.outputs.cache-hit }}
        run: ARCH="${{ env.PVS_STUDIO_ANALYSIS_ARCH }}" ${{ github.workspace }}/Toolchain/BuildGNU.sh

      - name: Create build directory
        run: |
          mkdir -p ${{ github.workspace }}/Build/${{ env.PVS_STUDIO_ANALYSIS_ARCH }}
          mkdir -p ${{ github.workspace }}/Build/caches/TZDB
          mkdir -p ${{ github.workspace }}/Build/caches/UCD
          mkdir -p ${{ github.workspace }}/Build/caches/CLDR

      - name: TimeZoneData cache
        uses: actions/cache@v4
        with:
          path: ${{ github.workspace }}/Build/caches/TZDB
          key: TimeZoneData-${{ hashFiles('Meta/CMake/time_zone_data.cmake') }}
      - name: UnicodeData cache
        uses: actions/cache@v4
        with:
          path: ${{ github.workspace }}/Build/caches/UCD
          key: UnicodeData-${{ hashFiles('Meta/CMake/unicode_data.cmake') }}
      - name: UnicodeLocale Cache
        uses: actions/cache@v4
        with:
          path: ${{ github.workspace }}/Build/caches/CLDR
          key: UnicodeLocale-${{ hashFiles('Meta/CMake/locale_data.cmake') }}

      - name: Create build environment
        working-directory: ${{ github.workspace }}
        run: |
          cmake -S Meta/CMake/Superbuild -B Build/superbuild -GNinja \
            -DSERENITY_ARCH=${{ env.PVS_STUDIO_ANALYSIS_ARCH }} \
            -DSERENITY_TOOLCHAIN=GNU \
            -DCMAKE_C_COMPILER=gcc-12 \
            -DCMAKE_CXX_COMPILER=g++-12 \
            -DENABLE_PCI_IDS_DOWNLOAD=OFF \
            -DENABLE_USB_IDS_DOWNLOAD=OFF

      - name: Build generated sources so they are available for analysis.
        working-directory: ${{ github.workspace }}
        # Note: The superbuild will create the Build/arch directory when doing the
        #       configure step for the serenity ExternalProject, as that's the configured
        #       binary directory for that project.
        run: |
          ninja -C Build/superbuild serenity-configure
          cmake -B Build/${{ env.PVS_STUDIO_ANALYSIS_ARCH }} -DCMAKE_EXPORT_COMPILE_COMMANDS=ON
          ninja -C Build/${{ env.PVS_STUDIO_ANALYSIS_ARCH }} all_generated

      - name: Configure PVS-Studio License
        env:
          MAIL: ${{ secrets.PVS_STUDIO_MAIL }}
          KEY: ${{ secrets.PVS_STUDIO_KEY }}
        run: pvs-studio-analyzer credentials $MAIL $KEY

      - name: Run PVS-Studio Analyzer
        working-directory: ${{ github.workspace }}/Build/${{ env.PVS_STUDIO_ANALYSIS_ARCH }}
        run: pvs-studio-analyzer analyze -o project.plog --compiler ${{ env.PVS_STUDIO_ANALYSIS_ARCH }}-pc-serenity-g++ --compiler ${{ env.PVS_STUDIO_ANALYSIS_ARCH }}-pc-serenity-gcc -j2

      # Suppress Rules:
      # - v530: The return value of function 'release_value' is required to be utilized.
      #    Our TRY(..) macro seems to breaks this rule and trigger weird behavior in PVS Studio.
      #
      # - v677: Custom declaration of a standard '<example>' type. The declaration from system header files should be used instead.
      #    This rule doesn't make sense for Serenity, as we are the system headers.
      #
      # - v1061: Extending the 'std' namespace may result in undefined behavior.
      #    We have no choice, some features of C++ require us to.
      #
      # - V1052: Declaring virtual methods in a class marked as 'final' is pointless.
      #    This rule contradicts the serenity style rules.
      #
      # - False Positives:
      #    v591:  Non-void function should return a value.
      #    v603:  Object was created but is not being used.
      #    v1047: Lifetime of the lambda is greater than lifetime of the local variable captured by reference.
      #    v1076: Code contains invisible characters that may alter its logic.
      #
      - name: Filter PVS Log
        working-directory: ${{ github.workspace }}/Build/${{ env.PVS_STUDIO_ANALYSIS_ARCH }}
        run: |
          pvs-studio-analyzer suppress -v530 -v591 -v603 -v677 -v1047 -v1052 -v1061  -v1076 project.plog
          pvs-studio-analyzer filter-suppressed project.plog

      - name: Print PVS Log
        run: plog-converter -a 'GA:1,2;64:1;OP:1,2,3' -t errorfile ${{ github.workspace }}/Build/${{ env.PVS_STUDIO_ANALYSIS_ARCH }}/project.plog | GREP_COLOR='01;31' grep -E --color=always 'error:|$' | GREP_COLOR='01;33' grep -E --color=always 'warning:|$'

      - name: Convert PVS Log to SARIF
        run: plog-converter -a 'GA:1,2;64:1;OP:1,2,3' -o project.sarif -t sarif ${{ github.workspace }}/Build/${{ env.PVS_STUDIO_ANALYSIS_ARCH }}/project.plog

      - uses: actions/upload-artifact@v4
        with:
          path: ${{ github.workspace }}/Build/${{ env.PVS_STUDIO_ANALYSIS_ARCH }}/project.plog

      - uses: actions/upload-artifact@v4
        with:
          path: ${{ github.workspace }}/project.sarif

      - name: Upload SARIF results file
        uses: github/codeql-action/upload-sarif@v3
        with:
          # Path to SARIF file relative to the root of the repository
          sarif_file: project.sarif