| name: Coverity |
| |
| # This GitHub workflow automates submitting builds to Coverity Scan. To enable it, |
| # set the repository variable `ENABLE_COVERITY_SCAN_FOR_BRANCHES` (for details, see |
| # https://docs.github.com/en/actions/learn-github-actions/variables) to a JSON |
| # string array containing the names of the branches for which the workflow should be |
| # run, e.g. `["main", "next"]`. |
| # |
| # In addition, two repository secrets must be set (for details how to add secrets, see |
| # https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions): |
| # `COVERITY_SCAN_EMAIL` and `COVERITY_SCAN_TOKEN`. The former specifies the |
| # email to which the Coverity reports should be sent and the latter can be |
| # obtained from the Project Settings tab of the Coverity project). |
| # |
| # The workflow runs on `ubuntu-latest` by default. This can be overridden by setting |
| # the repository variable `ENABLE_COVERITY_SCAN_ON_OS` to a JSON string array specifying |
| # the operating systems, e.g. `["ubuntu-latest", "windows-latest"]`. |
| # |
| # By default, the builds are submitted to the Coverity project `git`. To override this, |
| # set the repository variable `COVERITY_PROJECT`. |
| |
| on: |
| push: |
| |
| defaults: |
| run: |
| shell: bash |
| |
| jobs: |
| coverity: |
| if: contains(fromJSON(vars.ENABLE_COVERITY_SCAN_FOR_BRANCHES || '[""]'), github.ref_name) |
| strategy: |
| matrix: |
| os: ${{ fromJSON(vars.ENABLE_COVERITY_SCAN_ON_OS || '["ubuntu-latest"]') }} |
| runs-on: ${{ matrix.os }} |
| env: |
| COVERITY_PROJECT: ${{ vars.COVERITY_PROJECT || 'git' }} |
| COVERITY_LANGUAGE: cxx |
| COVERITY_PLATFORM: overridden-below |
| steps: |
| - uses: actions/checkout@v3 |
| - name: install minimal Git for Windows SDK |
| if: contains(matrix.os, 'windows') |
| uses: git-for-windows/setup-git-for-windows-sdk@v1 |
| - run: ci/install-dependencies.sh |
| if: contains(matrix.os, 'ubuntu') || contains(matrix.os, 'macos') |
| env: |
| runs_on_pool: ${{ matrix.os }} |
| |
| # The Coverity site says the tool is usually updated twice yearly, so the |
| # MD5 of download can be used to determine whether there's been an update. |
| - name: get the Coverity Build Tool hash |
| id: lookup |
| run: | |
| case "${{ matrix.os }}" in |
| *windows*) |
| COVERITY_PLATFORM=win64 |
| COVERITY_TOOL_FILENAME=cov-analysis.zip |
| MAKEFLAGS=-j$(nproc) |
| ;; |
| *macos*) |
| COVERITY_PLATFORM=macOSX |
| COVERITY_TOOL_FILENAME=cov-analysis.dmg |
| MAKEFLAGS=-j$(sysctl -n hw.physicalcpu) |
| ;; |
| *ubuntu*) |
| COVERITY_PLATFORM=linux64 |
| COVERITY_TOOL_FILENAME=cov-analysis.tgz |
| MAKEFLAGS=-j$(nproc) |
| ;; |
| *) |
| echo '::error::unhandled OS ${{ matrix.os }}' >&2 |
| exit 1 |
| ;; |
| esac |
| echo "COVERITY_PLATFORM=$COVERITY_PLATFORM" >>$GITHUB_ENV |
| echo "COVERITY_TOOL_FILENAME=$COVERITY_TOOL_FILENAME" >>$GITHUB_ENV |
| echo "MAKEFLAGS=$MAKEFLAGS" >>$GITHUB_ENV |
| MD5=$(curl https://scan.coverity.com/download/$COVERITY_LANGUAGE/$COVERITY_PLATFORM \ |
| --fail \ |
| --form token='${{ secrets.COVERITY_SCAN_TOKEN }}' \ |
| --form project="$COVERITY_PROJECT" \ |
| --form md5=1) |
| case $? in |
| 0) ;; # okay |
| 22) # 40x, i.e. access denied |
| echo "::error::incorrect token or project?" >&2 |
| exit 1 |
| ;; |
| *) # other error |
| echo "::error::Failed to retrieve MD5" >&2 |
| exit 1 |
| ;; |
| esac |
| echo "hash=$MD5" >>$GITHUB_OUTPUT |
| |
| # Try to cache the tool to avoid downloading 1GB+ on every run. |
| # A cache miss will add ~30s to create, but a cache hit will save minutes. |
| - name: restore the Coverity Build Tool |
| id: cache |
| uses: actions/cache/restore@v3 |
| with: |
| path: ${{ runner.temp }}/cov-analysis |
| key: cov-build-${{ env.COVERITY_LANGUAGE }}-${{ env.COVERITY_PLATFORM }}-${{ steps.lookup.outputs.hash }} |
| - name: download the Coverity Build Tool (${{ env.COVERITY_LANGUAGE }} / ${{ env.COVERITY_PLATFORM}}) |
| if: steps.cache.outputs.cache-hit != 'true' |
| run: | |
| curl https://scan.coverity.com/download/$COVERITY_LANGUAGE/$COVERITY_PLATFORM \ |
| --fail --no-progress-meter \ |
| --output $RUNNER_TEMP/$COVERITY_TOOL_FILENAME \ |
| --form token='${{ secrets.COVERITY_SCAN_TOKEN }}' \ |
| --form project="$COVERITY_PROJECT" |
| - name: extract the Coverity Build Tool |
| if: steps.cache.outputs.cache-hit != 'true' |
| run: | |
| case "$COVERITY_TOOL_FILENAME" in |
| *.tgz) |
| mkdir $RUNNER_TEMP/cov-analysis && |
| tar -xzf $RUNNER_TEMP/$COVERITY_TOOL_FILENAME --strip 1 -C $RUNNER_TEMP/cov-analysis |
| ;; |
| *.dmg) |
| cd $RUNNER_TEMP && |
| attach="$(hdiutil attach $COVERITY_TOOL_FILENAME)" && |
| volume="$(echo "$attach" | cut -f 3 | grep /Volumes/)" && |
| mkdir cov-analysis && |
| cd cov-analysis && |
| sh "$volume"/cov-analysis-macosx-*.sh && |
| ls -l && |
| hdiutil detach "$volume" |
| ;; |
| *.zip) |
| cd $RUNNER_TEMP && |
| mkdir cov-analysis-tmp && |
| unzip -d cov-analysis-tmp $COVERITY_TOOL_FILENAME && |
| mv cov-analysis-tmp/* cov-analysis |
| ;; |
| *) |
| echo "::error::unhandled archive type: $COVERITY_TOOL_FILENAME" >&2 |
| exit 1 |
| ;; |
| esac |
| - name: cache the Coverity Build Tool |
| if: steps.cache.outputs.cache-hit != 'true' |
| uses: actions/cache/save@v3 |
| with: |
| path: ${{ runner.temp }}/cov-analysis |
| key: cov-build-${{ env.COVERITY_LANGUAGE }}-${{ env.COVERITY_PLATFORM }}-${{ steps.lookup.outputs.hash }} |
| - name: build with cov-build |
| run: | |
| export PATH="$RUNNER_TEMP/cov-analysis/bin:$PATH" && |
| cov-configure --gcc && |
| cov-build --dir cov-int make |
| - name: package the build |
| run: tar -czvf cov-int.tgz cov-int |
| - name: submit the build to Coverity Scan |
| run: | |
| curl \ |
| --fail \ |
| --form token='${{ secrets.COVERITY_SCAN_TOKEN }}' \ |
| --form email='${{ secrets.COVERITY_SCAN_EMAIL }}' \ |
| --form file=@cov-int.tgz \ |
| --form version='${{ github.sha }}' \ |
| "https://scan.coverity.com/builds?project=$COVERITY_PROJECT" |