fixup! ci: add a GitHub workflow to submit Coverity scans #3
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Coverity | |
| on: | |
| push: | |
| jobs: | |
| coverity: | |
| if: contains(fromJSON(vars.ENABLE_COVERITY_SCAN_FOR_BRANCHES || '[""]'), github.ref_name) | |
| strategy: | |
| matrix: | |
| os: ${{ fromJSON(vars.ENABLE_COVERITY_SCAN_ON_OS || '["ubuntu-latest"]') }} | |
| runs-on: ${{ matrix.os }} | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: install minimal Git for Windows SDK | |
| if: contains(matrix.os, 'windows') | |
| uses: git-for-windows/setup-git-for-windows-sdk@v1 | |
| - run: ci/install-dependencies.sh | |
| if: contains(matrix.os, 'ubuntu') || contains(matrix.os, 'macos') | |
| env: | |
| runs_on_pool: ${{ matrix.os }} | |
| - name: debug with tmate | |
| uses: mxschmitt/action-tmate@v3 | |
| with: | |
| detached: true | |
| # The following is copy/edited from vapier/coverity-scan-action because | |
| # that composite Action currently only supports Linux. | |
| # The Coverity site says the tool is usually updated twice yearly, so the | |
| # MD5 of download can be used to determine whether there's been an update. | |
| - name: get Coverity Build Tool hash | |
| id: lookup | |
| shell: bash | |
| env: | |
| TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }} | |
| run: | | |
| BUILD_LANGUAGE: cxx | |
| case "${{ matrix.os }}" in | |
| *windows*) | |
| BUILD_PLATFORM=win64 | |
| TOOL_FILENAME=cov-analysis.zip | |
| MAKEFLAGS=-j$(nproc) | |
| ;; | |
| *macos*) | |
| BUILD_PLATFORM=macOSX | |
| TOOL_FILENAME=cov-analysis.dmg | |
| MAKEFLAGS=-j$(sysctl -n hw.physicalcpu) | |
| ;; | |
| *ubuntu*) | |
| BUILD_PLATFORM=linux64 | |
| TOOL_FILENAME=cov-analysis.tgz | |
| MAKEFLAGS=-j$(nproc) | |
| ;; | |
| *) | |
| echo '::error::unhandled OS ${{ matrix.os }}' >&2 | |
| exit 1 | |
| ;; | |
| esac | |
| echo "language=$BUILD_LANGUAGE" >>$GITHUB_OUTPUT | |
| echo "platform=$BUILD_PLATFORM" >>$GITHUB_OUTPUT | |
| echo "filename=$TOOL_FILENAME" >>$GITHUB_OUTPUT | |
| echo "make-flags=$MAKEFLAGS" >>$GITHUB_OUTPUT | |
| MD5=$(curl https://scan.coverity.com/download/$BUILD_LANGUAGE/$BUILD_PLATFORM \ | |
| --data "token=$TOKEN&project=${{ github.repository_owner }}&md5=1"); \ | |
| echo "hash=$MD5" >>$GITHUB_OUTPUT | |
| # Try to cache the tool to avoid downloading 1GB+ archive on every run. | |
| # Cache miss will add ~30s to create, but cache hit will save minutes. | |
| - name: restore Coverity Build Tool | |
| id: cache | |
| uses: actions/cache/restore@v3 | |
| with: | |
| path: ${{ runner.temp }}/cov-analysis | |
| key: cov-build-${{ steps.lookup.outputs.language }}-${{ steps.lookup.outputs.platform }}-${{ steps.lookup.outputs.hash }} | |
| - name: download Coverity Build Tool (${{ steps.lookup.outputs.language }} / ${{ steps.lookup.outputs.platform }}) | |
| if: steps.cache.outputs.cache-hit != 'true' | |
| shell: bash | |
| env: | |
| TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }} | |
| run: | | |
| curl https://scan.coverity.com/download/${{ steps.lookup.outputs.language }}/${{ steps.lookup.outputs.platform }} \ | |
| --no-progress-meter \ | |
| --output $RUNNER_TEMP/${{ steps.lookup.outputs.filename }} \ | |
| --data "token=$TOKEN&project=${{ github.repository_owner }}" | |
| - name: extract Coverity Build Tool | |
| if: steps.cache.outputs.cache-hit != 'true' | |
| shell: bash | |
| run: | | |
| case "${{ steps.lookup.outputs.filename }}" in | |
| *.tgz) | |
| mkdir $RUNNER_TEMP/cov-analysis && | |
| tar -xzf $RUNNER_TEMP/${{ steps.lookup.outputs.filename }} --strip 1 -C $RUNNER_TEMP/cov-analysis | |
| ;; | |
| *.dmg) | |
| cd $RUNNER_TEMP && | |
| attach="$(hdiutil attach ${{ steps.lookup.outputs.filename }})" && | |
| volume="$(echo "$attach" | cut -f 3 | grep /Volumes/)" && | |
| sh "$volume"/cov-analysis-macosx-*.sh && | |
| ls -l && | |
| mv cov-analysis-macosx-* cov-analysis && | |
| hdiutil detach "$volume" | |
| ;; | |
| *.zip) | |
| cd $RUNNER_TEMP && | |
| mkdir cov-analysis-tmp && | |
| unzip -d cov-analysis-tmp ${{ steps.lookup.outputs.filename }} && | |
| mv cov-analysis-tmp/* cov-analysis | |
| ;; | |
| *) | |
| echo "::error::unhandled archive type: ${{ steps.lookup.outputs.filename }}" >&2 | |
| exit 1 | |
| ;; | |
| esac | |
| - name: cache Coverity Build Tool | |
| if: steps.cache.outputs.cache-hit != 'true' | |
| uses: actions/cache/save@v3 | |
| with: | |
| path: ${{ runner.temp }}/cov-analysis | |
| key: cov-build-${{ steps.lookup.outputs.language }}-${{ steps.lookup.outputs.platform }}-${{ steps.lookup.outputs.hash }} | |
| - name: build with cov-build | |
| shell: bash | |
| run: | | |
| export PATH="$RUNNER_TEMP/cov-analysis/bin:$PATH" && | |
| cov-configure --gcc && | |
| cov-build --dir cov-int make ${{ steps.lookup.outputs.make-flags }} | |
| - name: archive results | |
| shell: bash | |
| run: tar -czvf cov-int.tgz cov-int | |
| - name: submit results to Coverity Scan | |
| run: | | |
| echo curl \ | |
| --form token="$TOKEN" \ | |
| --form email="${{ secrets.COVERITY_SCAN_EMAIL }}" \ | |
| --form file=@cov-int.tgz \ | |
| --form version="${{ github.sha }}" \ | |
| "https://scan.coverity.com/builds?project=${{ github.repository_owner }}" | |
| shell: bash | |
| env: | |
| TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }} |