From ad45b4f4e245fed807c11533c7efedde995c5919 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping
Date: Fri, 21 Mar 2025 19:27:22 +0100
Subject: [PATCH 1/2] Make GitHub Actions apply Clang Static Analyzer
---
 .github/workflows/clang-static-analyzer.yml | 90 +++++++++++++++++++++
 1 file changed, 90 insertions(+)
 create mode 100644 .github/workflows/clang-static-analyzer.yml
diff --git a/.github/workflows/clang-static-analyzer.yml b/.github/workflows/clang-static-analyzer.yml
new file mode 100644
index 00000000..ae1778c1
--- /dev/null
+++ b/.github/workflows/clang-static-analyzer.yml
@@ -0,0 +1,90 @@
+# __ __ _
+# ___\ \/ /_ __ __ _| |_
+# / _ \\ /| '_ \ / _` | __|
+# | __// \| |_) | (_| | |_
+# \___/_/\_\ .__/ \__,_|\__|
+# |_| XML parser
+#
+# Copyright (c) 2025 Sebastian Pipping
+# Licensed under the MIT license:
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to permit
+# persons to whom the Software is furnished to do so, subject to the
+# following conditions:
+#
+# The above copyright notice and this permission notice shall be included
+# in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+# NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+# DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+# OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
+# USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+name: Enforce Clang Static Analyzer (scan-build) clean code
+on:
+ pull_request:
+ push:
+ schedule:
+ - cron: '0 2 * * 5' # Every Friday at 2am
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ clang_static_analyzer:
+ name: Enforce Clang Static Analyzer (scan-build) clean code
+ runs-on: ubuntu-22.04
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+ - name: Install Clang 19 (including scan-build)
+ run: |-
+ set -x
+ source /etc/os-release
+ wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | sudo apt-key add -
+ sudo add-apt-repository "deb https://apt.llvm.org/${UBUNTU_CODENAME}/ llvm-toolchain-${UBUNTU_CODENAME}-19 main"
+ sudo apt-get update # due to new repository
+ sudo apt-get install --yes --no-install-recommends -V \
+ clang-19 \
+ clang-tools-19
+ echo /usr/lib/llvm-19/bin >>"${GITHUB_PATH}"
+
+ - name: Build using scan-build
+ run: |
+ set -x
+
+ clang --version | head -n1
+ clang++ --version | head -n1
+
+ available_checkers="$(scan-build --help | grep -o '^ [+ ] [^. ]\+\.[^ ]\+' | sed 's,^.\{3\},,' | sort)"
+ [[ "$(wc -l <<<"${available_checkers}")" -ge 103 ]] # self-test
+
+ enabled_checkers="$(grep -v \
+ -e '^optin\.performance\.Padding$' \
+ -e '^security\.insecureAPI\.strcpy$' \
+ <<<"${available_checkers}")"
+ [[ "$(wc -l <<<"${enabled_checkers}")" -ge 101 ]] # self-test
+
+ scan-build \
+ -o html/ \
+ $(sed 's,^,-enable-checker ,' <<<"${enabled_checkers}") \
+ sh -c 'cmake -S expat/ -B build/ && make -C build -j$(nproc) VERBOSE=1'
+
+ rmdir html || false 'The report directory is non-empty, i.e. Clang Static Analyzer found an issue! Please download and inspect the zip file artifact attached to this CI run. Thanks!'
+
+ - name: Store scan-build report
+ if: always()
+ uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
+ with:
+ name: expat_scan_build_report_${{ github.sha }}
+ path: html/
+ if-no-files-found: ignore
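Review bot: The Install step feeds the LLVM signing key to `sudo apt-key add -`, which is deprecated on ubuntu-22.04 and puts the key into the global trusted keyring, so it can vouch for every configured apt repository rather than only apt.llvm.org. Scope it to the one repository instead: `wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | gpg --dearmor | sudo tee /etc/apt/keyrings/llvm-snapshot.gpg >/dev/null` (after `sudo install -d -m 0755 /etc/apt/keyrings`), then register the source as `deb [signed-by=/etc/apt/keyrings/llvm-snapshot.gpg] https://apt.llvm.org/${UBUNTU_CODENAME}/ llvm-toolchain-${UBUNTU_CODENAME}-19 main` written to a file under /etc/apt/sources.list.d/ rather than via add-apt-repository; the keyring file name here is only a suggestion and must simply match the signed-by path. The key is currently trusted on the strength of the TLS download alone, so if the maintainers keep a known fingerprint for it, comparing `gpg --show-keys` output against that fingerprint before installing would make the step verifiable. Minor style point: this step uses `run: |-` while the next uses `run: |`; either works here, but one form throughout reads better.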
From 6a56fd6f9e8858a7ceac2f3cd397d4955f7422dc Mon Sep 17 00:00:00 2001
From: Sebastian Pipping
Date: Fri, 21 Mar 2025 19:34:18 +0100
Subject: [PATCH 2/2] Changes: Document #987
---
 expat/Changes | 1 +
 1 file changed, 1 insertion(+)
diff --git a/expat/Changes b/expat/Changes
index 9b9524db..5d273ee8 100644
--- a/expat/Changes
+++ b/expat/Changes
@@ -45,6 +45,7 @@ Release 2.7.1 ??? ????? ?? ???? #986 Address compiler warnings Infrastructure: + #987 CI: Enforce Clang Static Analyzer clean code #981 CI: Cover compilation with musl #983 #984 CI: Cover compilation with 32bit Emscripten #976 #977 CI: Protect against fuzzer files missing from future