name: Coverity

# This GitHub workflow automates submitting builds to Coverity Scan. To enable it,
# set the repository variable `ENABLE_COVERITY_SCAN_FOR_BRANCHES` (for details, see
# https://docs.github.com/en/actions/learn-github-actions/variables) to a JSON
# string array containing the names of the branches for which the workflow should be
# run, e.g. `["main", "next"]`.
#
# In addition, two repository secrets must be set (for details on how to add secrets, see
# https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions):
# `COVERITY_SCAN_EMAIL` and `COVERITY_SCAN_TOKEN`. The former specifies the
# email to which the Coverity reports should be sent and the latter can be
# obtained from the Project Settings tab of the Coverity project.
#
# The workflow runs on `ubuntu-latest` by default. This can be overridden by setting
# the repository variable `ENABLE_COVERITY_SCAN_ON_OS` to a JSON string array specifying
# the operating systems, e.g. `["ubuntu-latest", "windows-latest"]`.
#
# By default, the builds are submitted to the Coverity project `git`. To override this,
# set the repository variable `COVERITY_PROJECT`.

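on:
  push:

# Least privilege for the automatic GITHUB_TOKEN: the job only needs to read the
# repository (actions/checkout). The Coverity upload authenticates with the
# COVERITY_SCAN_* secrets, not with GITHUB_TOKEN.
permissions:
  contents: read

defaults:
  run:
    shell: bash

jobs:
  coverity:
    # Only run for branches listed in the ENABLE_COVERITY_SCAN_FOR_BRANCHES
    # repository variable; the '[""]' fallback makes the job a no-op when unset.
    if: contains(fromJSON(vars.ENABLE_COVERITY_SCAN_FOR_BRANCHES || '[""]'), github.ref_name)
    strategy:
      matrix:
        os: ${{ fromJSON(vars.ENABLE_COVERITY_SCAN_ON_OS || '["ubuntu-latest"]') }}
    runs-on: ${{ matrix.os }}
    env:
      COVERITY_PROJECT: ${{ vars.COVERITY_PROJECT || 'git' }}
      COVERITY_LANGUAGE: cxx
      # Set per OS by the "get the Coverity Build Tool hash" step via $GITHUB_ENV.
      COVERITY_PLATFORM: overridden-below
    steps:
      # NOTE(review): third-party actions are pinned to major-version tags, which
      # are mutable; pinning to a full commit SHA (tag kept in a trailing comment)
      # makes the action supply chain immutable. Left as tags here rather than
      # inventing SHAs.
      - uses: actions/checkout@v5
      - name: install minimal Git for Windows SDK
        if: contains(matrix.os, 'windows')
        uses: git-for-windows/setup-git-for-windows-sdk@v1
      - run: ci/install-dependencies.sh
        if: contains(matrix.os, 'ubuntu') || contains(matrix.os, 'macos')
        env:
          CI_JOB_IMAGE: ${{ matrix.os }}

      # The Coverity site says the tool is usually updated twice yearly, so the
      # MD5 of the download can be used to determine whether there's been an update.
      - name: get the Coverity Build Tool hash
        id: lookup
        # Expression values are handed to the script through the environment
        # instead of being interpolated into `run:`: the secret never lands in the
        # generated script file, and shell quoting cannot break on special
        # characters in the value.
        env:
          MATRIX_OS: ${{ matrix.os }}
          COVERITY_SCAN_TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
        run: |
          case "$MATRIX_OS" in
          *windows*)
            COVERITY_PLATFORM=win64
            COVERITY_TOOL_FILENAME=cov-analysis.zip
            MAKEFLAGS=-j$(nproc)
            ;;
          *macos*)
            COVERITY_PLATFORM=macOSX
            COVERITY_TOOL_FILENAME=cov-analysis.dmg
            MAKEFLAGS=-j$(sysctl -n hw.physicalcpu)
            ;;
          *ubuntu*)
            COVERITY_PLATFORM=linux64
            COVERITY_TOOL_FILENAME=cov-analysis.tgz
            MAKEFLAGS=-j$(nproc)
            ;;
          *)
            echo "::error::unhandled OS $MATRIX_OS" >&2
            exit 1
            ;;
          esac
          echo "COVERITY_PLATFORM=$COVERITY_PLATFORM" >>$GITHUB_ENV
          echo "COVERITY_TOOL_FILENAME=$COVERITY_TOOL_FILENAME" >>$GITHUB_ENV
          echo "MAKEFLAGS=$MAKEFLAGS" >>$GITHUB_ENV
          # `shell: bash` runs the script with `-e`, so a failing assignment would
          # abort before a `case $?` could explain the failure; capture the exit
          # status with `||` so the diagnostics below are actually reached.
          ret=0
          MD5=$(curl "https://scan.coverity.com/download/$COVERITY_LANGUAGE/$COVERITY_PLATFORM" \
                --fail --no-progress-meter \
                --form token="$COVERITY_SCAN_TOKEN" \
                --form project="$COVERITY_PROJECT" \
                --form md5=1) || ret=$?
          case $ret in
          0) ;; # okay
          22) # 40x, i.e. access denied
            echo "::error::incorrect token or project?" >&2
            exit 1
            ;;
          *) # other error
            echo "::error::Failed to retrieve MD5" >&2
            exit 1
            ;;
          esac
          # An empty hash would yield a cache key that matches nothing useful.
          if test -z "$MD5"
          then
            echo "::error::Empty MD5 in Coverity response" >&2
            exit 1
          fi
          echo "hash=$MD5" >>$GITHUB_OUTPUT

      # Try to cache the tool to avoid downloading 1GB+ on every run.
      # A cache miss will add ~30s to create, but a cache hit will save minutes.
      - name: restore the Coverity Build Tool
        id: cache
        uses: actions/cache/restore@v4
        with:
          path: ${{ runner.temp }}/cov-analysis
          key: cov-build-${{ env.COVERITY_LANGUAGE }}-${{ env.COVERITY_PLATFORM }}-${{ steps.lookup.outputs.hash }}
      - name: download the Coverity Build Tool (${{ env.COVERITY_LANGUAGE }} / ${{ env.COVERITY_PLATFORM }})
        if: steps.cache.outputs.cache-hit != 'true'
        env:
          COVERITY_SCAN_TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
        # NOTE(review): the archive is not checked against the MD5 obtained in the
        # lookup step (that hash is only used as the cache key), so a corrupt
        # download would be cached under a valid-looking key until the next
        # upstream release. Consider comparing the two before extracting.
        run: |
          curl "https://scan.coverity.com/download/$COVERITY_LANGUAGE/$COVERITY_PLATFORM" \
            --fail --no-progress-meter \
            --output "$RUNNER_TEMP/$COVERITY_TOOL_FILENAME" \
            --form token="$COVERITY_SCAN_TOKEN" \
            --form project="$COVERITY_PROJECT"
      - name: extract the Coverity Build Tool
        if: steps.cache.outputs.cache-hit != 'true'
        run: |
          case "$COVERITY_TOOL_FILENAME" in
          *.tgz)
            mkdir "$RUNNER_TEMP/cov-analysis" &&
            tar -xzf "$RUNNER_TEMP/$COVERITY_TOOL_FILENAME" --strip 1 -C "$RUNNER_TEMP/cov-analysis"
            ;;
          *.dmg)
            cd "$RUNNER_TEMP" &&
            attach="$(hdiutil attach "$COVERITY_TOOL_FILENAME")" &&
            volume="$(echo "$attach" | cut -f 3 | grep /Volumes/)" &&
            mkdir cov-analysis &&
            cd cov-analysis &&
            sh "$volume"/cov-analysis-macosx-*.sh &&
            ls -l &&
            hdiutil detach "$volume"
            ;;
          *.zip)
            cd "$RUNNER_TEMP" &&
            mkdir cov-analysis-tmp &&
            unzip -d cov-analysis-tmp "$COVERITY_TOOL_FILENAME" &&
            mv cov-analysis-tmp/* cov-analysis
            ;;
          *)
            echo "::error::unhandled archive type: $COVERITY_TOOL_FILENAME" >&2
            exit 1
            ;;
          esac
      - name: cache the Coverity Build Tool
        if: steps.cache.outputs.cache-hit != 'true'
        uses: actions/cache/save@v4
        with:
          path: ${{ runner.temp }}/cov-analysis
          key: cov-build-${{ env.COVERITY_LANGUAGE }}-${{ env.COVERITY_PLATFORM }}-${{ steps.lookup.outputs.hash }}
      - name: build with cov-build
        run: |
          export PATH="$PATH:$RUNNER_TEMP/cov-analysis/bin" &&
          cov-configure --gcc &&
          if ! cov-build --dir cov-int make
          then
            cat cov-int/build-log.txt
            exit 1
          fi
      - name: package the build
        run: tar -czvf cov-int.tgz cov-int
      - name: submit the build to Coverity Scan
        # Secrets go through `env:` (see the lookup step); GITHUB_SHA is the
        # runner-provided equivalent of `github.sha`.
        env:
          COVERITY_SCAN_TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
          COVERITY_SCAN_EMAIL: ${{ secrets.COVERITY_SCAN_EMAIL }}
        run: |
          curl \
            --fail \
            --form token="$COVERITY_SCAN_TOKEN" \
            --form email="$COVERITY_SCAN_EMAIL" \
            --form file=@cov-int.tgz \
            --form version="$GITHUB_SHA" \
            "https://scan.coverity.com/builds?project=$COVERITY_PROJECT"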