1 files changed, 79 insertions, 0 deletions

diff --git a/.github/workflows/neozip-analyze.yml b/.github/workflows/neozip-analyze.yml
new file mode 100644
index 0000000000..b167f423e8
--- /dev/null
+++ b/.github/workflows/neozip-analyze.yml
@@ -0,0 +1,79 @@
+name: "neozip: Static Analysis"
+
+on:
+  workflow_call:
+  workflow_dispatch:
+
+jobs:
+  gcc-analyzer:
+    name: GCC-14
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+        with:
+          show-progress: 'false'
+
+      - name: Install packages
+        run: sudo apt-get install -y gcc-14
+
+      - name: Generate project files
+        run: |
+          cmake -S neozip -B build \
+            -DCMAKE_BUILD_TYPE=Release \
+            -DBUILD_SHARED_LIBS=OFF \
+            -DWITH_FUZZERS=OFF \
+            -DWITH_CODE_COVERAGE=OFF \
+            -DWITH_MAINTAINER_WARNINGS=OFF
+        env:
+          CC: gcc-14
+          CFLAGS: >-
+            -fanalyzer
+            -Werror
+            -Wanalyzer-double-fclose
+            -Wanalyzer-double-free
+            -Wanalyzer-exposure-through-output-file
+            -Wanalyzer-file-leak
+            -Wanalyzer-free-of-non-heap
+            -Wanalyzer-malloc-leak
+            -Wanalyzer-null-argument
+            -Wanalyzer-null-dereference
+            -Wanalyzer-possible-null-argument
+            -Wanalyzer-possible-null-dereference
+            -Wanalyzer-stale-setjmp-buffer
+            -Wanalyzer-tainted-array-index
+            -Wanalyzer-unsafe-call-within-signal-handler
+            -Wanalyzer-use-after-free
+            -Wanalyzer-use-of-pointer-in-stale-stack-frame
+          CI: true
+
+      - name: Compile source code
+        run: cmake --build build -j5 --config Release > /dev/null
+
+  clang-analyzer:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+        with:
+          show-progress: 'false'
+
+      - name: Install packages
+        run: sudo apt-get install -y clang-tools
+
+      - name: Generate project files
+        run: |
+          scan-build --status-bugs \
+            cmake -S neozip -B build \
+              -DCMAKE_BUILD_TYPE=Release \
+              -DBUILD_SHARED_LIBS=OFF \
+              -DWITH_FUZZERS=OFF \
+              -DWITH_CODE_COVERAGE=OFF \
+              -DWITH_MAINTAINER_WARNINGS=OFF
+        env:
+          CI: true
+
+      - name: Compile source code
+        run: |
+          scan-build --status-bugs \
+            cmake --build build -j5 --config Release > /dev/null