From ce4db9c2efca0bd89e556e231d940c988d84a606 Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Fri, 27 Feb 2026 01:09:14 +0100 Subject: [PATCH] GHA/linux: replace scan-build with clang-tidy `scan-build` is a (Perl) wrapper around clang's built-in `--analyze` option. Its checkers look similar or identical to clang-tidy checkers under the `clang-analyzer-*` namespace: https://clang.llvm.org/docs/ClangStaticAnalyzer.html Unless somebody has other information, it appears redundant to run scan-build in parallel with clang-tidy in CI, now that the latter is working reliably and with good performance for all curl components. Another scan-build issue is the lack of a markup to suppress false positives. It ignores `NOLINT`, yet finds the same false positives as clang-tidy. This happens with scan-build v20+. v18 is silent, but it's a blocker to upgrade to a newer version. scan-build may still be useful when combined with autotools, where clang-tidy support is incomplete, slow (no parallelism), and uses a distinct make target, which does not build binaries in the same pass. But, scan-build also lacks extra checkers that are now enabled for clang-tidy. The clang-tidy job is also 30-40s faster than the one it replaced. Also: - drop scan-build job configured the same way as a clang-tidy one. CI time saved: 6m30s - bump to clang-20 (from 18) in the replacement job. - build tests in the replacement job. To verify a cmake command-line reconstruction issue only hit in this job in CI. CI time cost: 1m40s - replacement job caught a minor, new, issue. Ref: b2076d3c2f5386068d9b0199f25a81147784d8ac #20752 - drop unused scan-build logic. Bug: https://github.com/curl/curl/pull/20732#issuecomment-3963873838 Ref: https://github.com/curl/curl/pull/20732#issuecomment-3967479228 Closes #20751 --- .github/workflows/linux.yml | 39 +++++++++---------------------------- 1 file changed, 9 insertions(+), 30 deletions(-) 
diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
index cc44d7768d..3acd80f261 100644
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -66,7 +66,6 @@ jobs:
 MATRIX_BUILD: ${{ matrix.build.generate && 'cmake' || 'autotools' }}
 MATRIX_INSTALL_PACKAGES: '${{ matrix.build.install_packages }}'
 MATRIX_INSTALL_STEPS: '${{ matrix.build.install_steps }}'
- MATRIX_MAKE_PREFIX: '${{ matrix.build.make-prefix }}'
 strategy:
 fail-fast: false
 matrix:
@@ -288,35 +287,18 @@ jobs: -DUSE_ECH=ON -DCURL_USE_GSSAPI=ON -DUSE_SSLS_EXPORT=ON -DCURL_CLANG_TIDY=ON -DCLANG_TIDY=/usr/bin/clang-tidy-20 - - name: 'scan-build' - install_packages: clang clang-tools libssl-dev libidn2-dev libssh2-1-dev libnghttp2-dev libldap-dev libgss-dev librtmp-dev libgnutls28-dev - install_steps: skipall mbedtls-latest-intel rustls wolfssl-opensslextra-intel - install_steps_brew: gsasl - CC: clang - configure-prefix: scan-build - make-prefix: scan-build --status-bugs - LDFLAGS: -Wl,-rpath,/home/runner/wolfssl-opensslextra/lib -Wl,-rpath,/home/runner/mbedtls/lib -Wl,-rpath,/home/runner/rustls/lib -Wl,-rpath,/home/linuxbrew/.linuxbrew/opt/gsasl/lib - PKG_CONFIG_PATH: /home/runner/wolfssl-opensslextra/lib/pkgconfig:/home/runner/mbedtls/lib/pkgconfig:/home/runner/rustls/lib/pkgconfig:/home/linuxbrew/.linuxbrew/opt/gsasl/lib/pkgconfig - generate: >- - -DCURL_USE_OPENSSL=ON -DCURL_USE_WOLFSSL=ON -DCURL_USE_GNUTLS=ON -DCURL_USE_MBEDTLS=ON -DCURL_USE_RUSTLS=ON - -DCURL_USE_GSASL=ON -DUSE_LIBRTMP=ON - -DUSE_ECH=ON -DCURL_USE_GSSAPI=ON -DUSE_SSLS_EXPORT=ON - -DCMAKE_UNITY_BUILD=OFF -DCURL_DISABLE_TYPECHECK=ON - - - name: 'scan-build H3 c-ares !examples' - install_packages: clang clang-tools libidn2-dev libssh-dev libnghttp2-dev - install_steps: skipall + - name: 'clang-tidy H3 c-ares !examples' + install_packages: clang-20 clang-tidy-20 libidn2-dev libssh-dev libnghttp2-dev + install_steps: skiprun install_steps_brew: openssl libngtcp2 libnghttp3 c-ares - CC: clang - configure-prefix: scan-build - make-prefix: scan-build --status-bugs + CC: clang-20 LDFLAGS: -Wl,-rpath,/home/linuxbrew/.linuxbrew/opt/openssl/lib -Wl,-rpath,/home/linuxbrew/.linuxbrew/opt/libngtcp2/lib -Wl,-rpath,/home/linuxbrew/.linuxbrew/opt/libnghttp3/lib -Wl,-rpath,/home/linuxbrew/.linuxbrew/opt/c-ares/lib PKG_CONFIG_PATH: /home/linuxbrew/.linuxbrew/opt/libngtcp2/lib/pkgconfig:/home/linuxbrew/.linuxbrew/opt/libnghttp3/lib/pkgconfig:/home/linuxbrew/.linuxbrew/opt/c-ares/lib/pkgconfig 
generate: >- -DCURL_USE_OPENSSL=ON -DOPENSSL_ROOT_DIR=/home/linuxbrew/.linuxbrew/opt/openssl -DUSE_NGTCP2=ON -DCURL_USE_LIBSSH2=OFF -DCURL_USE_LIBSSH=ON -DUSE_HTTPSRR=ON -DENABLE_ARES=ON - -DCMAKE_UNITY_BUILD=OFF -DCURL_DISABLE_TYPECHECK=ON -DCURL_DISABLE_VERBOSE_STRINGS=ON + -DCURL_CLANG_TIDY=ON -DCLANG_TIDY=/usr/bin/clang-tidy-20 - name: 'address-sanitizer' install_packages: clang-20 libssl-dev libssh-dev libidn2-dev libnghttp2-dev libubsan1 libasan8 libtsan2 @@ -793,14 +775,12 @@ jobs: LDFLAGS: '${{ matrix.build.LDFLAGS }}' LIBS: '${{ matrix.build.LIBS }}' MATRIX_CONFIGURE: '${{ matrix.build.configure }}' - MATRIX_CONFIGURE_PREFIX: '${{ matrix.build.configure-prefix }}' MATRIX_GENERATE: '${{ matrix.build.generate }}' MATRIX_PKG_CONFIG_PATH: '${{ matrix.build.PKG_CONFIG_PATH }}' run: | [[ "${MATRIX_INSTALL_STEPS}" = *'awslc'* ]] && sudo apt-get -o Dpkg::Use-Pty=0 purge libssl-dev [ -n "${MATRIX_PKG_CONFIG_PATH}" ] && export PKG_CONFIG_PATH="${MATRIX_PKG_CONFIG_PATH}" if [ "${MATRIX_BUILD}" = 'cmake' ]; then - ${MATRIX_CONFIGURE_PREFIX} \ cmake -B bld -G Ninja \ -DCMAKE_INSTALL_PREFIX="$HOME"/curl-install \ -DCMAKE_C_COMPILER_TARGET="$(uname -m)-pc-linux-gnu" -DBUILD_STATIC_LIBS=ON \ @@ -808,7 +788,6 @@ jobs: ${MATRIX_GENERATE} else mkdir bld && cd bld && \ - ${MATRIX_CONFIGURE_PREFIX} \ ../configure --prefix="$HOME"/curl-install --enable-unity --enable-warnings --enable-werror --disable-static \ --disable-dependency-tracking --enable-option-checking=fatal \ ${MATRIX_CONFIGURE} @@ -829,9 +808,9 @@ jobs: - name: 'build' run: | if [ "${MATRIX_BUILD}" = 'cmake' ]; then - ${MATRIX_MAKE_PREFIX} cmake --build bld --verbose + cmake --build bld --verbose else - ${MATRIX_MAKE_PREFIX} make -C bld V=1 + make -C bld V=1 fi - name: 'single-use function check' 
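Review bot: The replacement `clang-tidy H3 c-ares !examples` entry drops `-DCURL_DISABLE_VERBOSE_STRINGS=ON` and `-DCURL_DISABLE_TYPECHECK=ON` from its `generate` flags, so static analysis in this job no longer sees the code as compiled with those options. If no other analyzed job covers that configuration, consider keeping the flag, e.g. `-DCURL_CLANG_TIDY=ON -DCLANG_TIDY=/usr/bin/clang-tidy-20 -DCURL_DISABLE_VERBOSE_STRINGS=ON`, or add a comment on the entry saying where it is covered. The removed `make-prefix: scan-build --status-bugs` was an explicit fail-on-finding gate. Whether clang-tidy findings fail this job depends on how `CURL_CLANG_TIDY` is wired into the CMake build, which is not visible in this hunk and is worth confirming. The matrix list this entry belongs to starts and ends outside the hunk.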
@@ -933,7 +912,7 @@ jobs:
 if: ${{ !contains(matrix.build.install_packages, 'valgrind') && !contains(matrix.build.name, '!examples') }}
 run: |
 if [ "${MATRIX_BUILD}" = 'cmake' ]; then
- ${MATRIX_MAKE_PREFIX} cmake --build bld --verbose --target curl-examples-build
+ cmake --build bld --verbose --target curl-examples-build
 else
- ${MATRIX_MAKE_PREFIX} make -C bld V=1 examples
+ make -C bld V=1 examples
 fi