add pvs-studio analyze to ci

.github/workflows/build.yml

@@ -219,7 +219,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Download Artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v5
         with:
           path: cmake-build
           merge-multiple: true

.github/workflows/build_util.yml

@@ -20,6 +20,10 @@ on:
         required: false
         default: false
         type: boolean
+      analyze-pvs:
+        required: false
+        default: false
+        type: boolean
       os:
         required: false
         type: string
@@ -68,6 +72,28 @@ jobs:
           fi
         shell: bash
 
+      - name: PVS-Studio analyze
+        if: ${{ inputs.analyze-pvs }}
+        run: |
+          wget -q -O - https://files.pvs-studio.com/etc/pubkey.txt | sudo apt-key add -
+          sudo wget -O /etc/apt/sources.list.d/viva64.list https://files.pvs-studio.com/etc/viva64.list
+          sudo apt update
+          sudo apt install pvs-studio
+          pvs-studio-analyzer credentials ${{ secrets.PVS_STUDIO_CREDENTIALS }}
+          mkdir -p sarif-reports
+          for build_dir in cmake-build/cmake-build-*; do
+            BOARD=${build_dir#cmake-build/cmake-build-}
+            pvs-studio-analyzer analyze -f ${build_dir}/compile_commands.json -j -o ${build_dir}/pvs-report.log --exclude-path hw/mcu/ --exclude-path lib/
+            plog-converter -t sarif -o sarif-reports/${BOARD}.sarif ${build_dir}/pvs-report.log
+          done
+
+      - name: PVS-Studio upload SARIF
+        if: ${{ inputs.analyze-pvs }}
+        uses: github/codeql-action/upload-sarif@v4
+        with:
+          sarif_file: sarif-reports/
+          category: PVS-Studio
+
       - name: Upload Artifacts for Hardware Testing
         if: ${{ inputs.upload-artifacts }}
         uses: actions/upload-artifact@v4

.github/workflows/static_analysis.yml

@@ -0,0 +1,43 @@
+name: Static Analysis
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - master
+  pull_request:
+    types: [opened, synchronize, reopened]
+jobs:
+#  SonarQube:
+#    name: Build and analyze
+#    runs-on: ubuntu-latest
+#    env:
+#      BUILD_WRAPPER_OUT_DIR: build_wrapper_output_directory # Directory where build-wrapper output will be placed
+#    steps:
+#      - uses: actions/checkout@v4
+#        with:
+#          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
+#      - name: Install Build Wrapper
+#        uses: SonarSource/sonarqube-scan-action/install-build-wrapper@v6
+#      - name: Run Build Wrapper
+#        run: |
+#          build-wrapper-linux-x86-64 --out-dir ${{ env.BUILD_WRAPPER_OUT_DIR }} cmake --build --preset ${{ env.BOARD }} -t ${{ env.EXAMPLE }}
+#      - name: SonarQube Scan
+#        uses: SonarSource/sonarqube-scan-action@v6
+#        env:
+#          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+#        with:
+#          args: >
+#            --define "sonar.cfamily.compile-commands=${{ env.BUILD_WRAPPER_OUT_DIR }}/compile_commands.json"
+  PVS-Studio:
+    uses: ./.github/workflows/build_util.yml
+    strategy:
+      fail-fast: false
+      matrix:
+        board:
+          - 'stm32h743eval'
+    with:
+      build-system: 'cmake'
+      toolchain: 'arm-gcc'
+      build-args: '-b${{ matrix.board }}'
+      one-per-family: true
+      analyze-pvs: true