.github/workflows/coverity.yml

   1 name: Coverity
   2
   3 # This GitHub workflow automates submitting builds to Coverity Scan. To enable it,
   4 # set the repository variable `ENABLE_COVERITY_SCAN_FOR_BRANCHES` (for details, see
   5 # https://docs.github.com/en/actions/learn-github-actions/variables) to a JSON
   6 # string array containing the names of the branches for which the workflow should be
   7 # run, e.g. `["main", "next"]`.
   8 #
   9 # In addition, two repository secrets must be set (for details how to add secrets, see
  10 # https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions):
  11 # `COVERITY_SCAN_EMAIL` and `COVERITY_SCAN_TOKEN`. The former specifies the
  12 # email to which the Coverity reports should be sent and the latter can be
  13 # obtained from the Project Settings tab of the Coverity project).
  14 #
  15 # The workflow runs on `ubuntu-latest` by default. This can be overridden by setting
  16 # the repository variable `ENABLE_COVERITY_SCAN_ON_OS` to a JSON string array specifying
  17 # the operating systems, e.g. `["ubuntu-latest", "windows-latest"]`.
  18 #
  19 # By default, the builds are submitted to the Coverity project `git`. To override this,
  20 # set the repository variable `COVERITY_PROJECT`.
  21
  22 on:
  23   push:
  24
  25 defaults:
  26   run:
  27     shell: bash
  28
  29 jobs:
  30   coverity:
  31     if: contains(fromJSON(vars.ENABLE_COVERITY_SCAN_FOR_BRANCHES || '[""]'), github.ref_name)
  32     strategy:
  33       matrix:
  34         os: ${{ fromJSON(vars.ENABLE_COVERITY_SCAN_ON_OS || '["ubuntu-latest"]') }}
  35     runs-on: ${{ matrix.os }}
  36     env:
  37       COVERITY_PROJECT: ${{ vars.COVERITY_PROJECT || 'git' }}
  38       COVERITY_LANGUAGE: cxx
  39       COVERITY_PLATFORM: overridden-below
  40     steps:
  41       - uses: actions/checkout@v3
  42       - name: install minimal Git for Windows SDK
  43         if: contains(matrix.os, 'windows')
  44         uses: git-for-windows/setup-git-for-windows-sdk@v1
  45       - run: ci/install-dependencies.sh
  46         if: contains(matrix.os, 'ubuntu') || contains(matrix.os, 'macos')
  47         env:
  48           runs_on_pool: ${{ matrix.os }}
  49
  50       # The Coverity site says the tool is usually updated twice yearly, so the
  51       # MD5 of download can be used to determine whether there's been an update.
  52       - name: get the Coverity Build Tool hash
  53         id: lookup
  54         run: |
  55           case "${{ matrix.os }}" in
  56           *windows*)
  57             COVERITY_PLATFORM=win64
  58             COVERITY_TOOL_FILENAME=cov-analysis.zip
  59             MAKEFLAGS=-j$(nproc)
  60             ;;
  61           *macos*)
  62             COVERITY_PLATFORM=macOSX
  63             COVERITY_TOOL_FILENAME=cov-analysis.dmg
  64             MAKEFLAGS=-j$(sysctl -n hw.physicalcpu)
  65             ;;
  66           *ubuntu*)
  67             COVERITY_PLATFORM=linux64
  68             COVERITY_TOOL_FILENAME=cov-analysis.tgz
  69             MAKEFLAGS=-j$(nproc)
  70             ;;
  71           *)
  72             echo '::error::unhandled OS ${{ matrix.os }}' >&2
  73             exit 1
  74             ;;
  75           esac
  76           echo "COVERITY_PLATFORM=$COVERITY_PLATFORM" >>$GITHUB_ENV
  77           echo "COVERITY_TOOL_FILENAME=$COVERITY_TOOL_FILENAME" >>$GITHUB_ENV
  78           echo "MAKEFLAGS=$MAKEFLAGS" >>$GITHUB_ENV
  79           MD5=$(curl https://scan.coverity.com/download/$COVERITY_LANGUAGE/$COVERITY_PLATFORM \
  80                    --fail \
  81                    --form token='${{ secrets.COVERITY_SCAN_TOKEN }}' \
  82                    --form project="$COVERITY_PROJECT" \
  83                    --form md5=1)
  84           case $? in
  85           0) ;; # okay
  86           22) # 40x, i.e. access denied
  87             echo "::error::incorrect token or project?" >&2
  88             exit 1
  89             ;;
  90           *) # other error
  91             echo "::error::Failed to retrieve MD5" >&2
  92             exit 1
  93             ;;
  94           esac
  95           echo "hash=$MD5" >>$GITHUB_OUTPUT
  96
  97       # Try to cache the tool to avoid downloading 1GB+ on every run.
  98       # A cache miss will add ~30s to create, but a cache hit will save minutes.
  99       - name: restore the Coverity Build Tool
 100         id: cache
 101         uses: actions/cache/restore@v3
 102         with:
 103           path: ${{ runner.temp }}/cov-analysis
 104           key: cov-build-${{ env.COVERITY_LANGUAGE }}-${{ env.COVERITY_PLATFORM }}-${{ steps.lookup.outputs.hash }}
 105       - name: download the Coverity Build Tool (${{ env.COVERITY_LANGUAGE }} / ${{ env.COVERITY_PLATFORM}})
 106         if: steps.cache.outputs.cache-hit != 'true'
 107         run: |
 108           curl https://scan.coverity.com/download/$COVERITY_LANGUAGE/$COVERITY_PLATFORM \
 109             --fail --no-progress-meter \
 110             --output $RUNNER_TEMP/$COVERITY_TOOL_FILENAME \
 111             --form token='${{ secrets.COVERITY_SCAN_TOKEN }}' \
 112             --form project="$COVERITY_PROJECT"
 113       - name: extract the Coverity Build Tool
 114         if: steps.cache.outputs.cache-hit != 'true'
 115         run: |
 116           case "$COVERITY_TOOL_FILENAME" in
 117           *.tgz)
 118             mkdir $RUNNER_TEMP/cov-analysis &&
 119             tar -xzf $RUNNER_TEMP/$COVERITY_TOOL_FILENAME --strip 1 -C $RUNNER_TEMP/cov-analysis
 120             ;;
 121           *.dmg)
 122             cd $RUNNER_TEMP &&
 123             attach="$(hdiutil attach $COVERITY_TOOL_FILENAME)" &&
 124             volume="$(echo "$attach" | cut -f 3 | grep /Volumes/)" &&
 125             mkdir cov-analysis &&
 126             cd cov-analysis &&
 127             sh "$volume"/cov-analysis-macosx-*.sh &&
 128             ls -l &&
 129             hdiutil detach "$volume"
 130             ;;
 131           *.zip)
 132             cd $RUNNER_TEMP &&
 133             mkdir cov-analysis-tmp &&
 134             unzip -d cov-analysis-tmp $COVERITY_TOOL_FILENAME &&
 135             mv cov-analysis-tmp/* cov-analysis
 136             ;;
 137           *)
 138             echo "::error::unhandled archive type: $COVERITY_TOOL_FILENAME" >&2
 139             exit 1
 140             ;;
 141           esac
 142       - name: cache the Coverity Build Tool
 143         if: steps.cache.outputs.cache-hit != 'true'
 144         uses: actions/cache/save@v3
 145         with:
 146           path: ${{ runner.temp }}/cov-analysis
 147           key: cov-build-${{ env.COVERITY_LANGUAGE }}-${{ env.COVERITY_PLATFORM }}-${{ steps.lookup.outputs.hash }}
 148       - name: build with cov-build
 149         run: |
 150           export PATH="$RUNNER_TEMP/cov-analysis/bin:$PATH" &&
 151           cov-configure --gcc &&
 152           cov-build --dir cov-int make
 153       - name: package the build
 154         run: tar -czvf cov-int.tgz cov-int
 155       - name: submit the build to Coverity Scan
 156         run: |
 157           curl \
 158             --fail \
 159             --form token='${{ secrets.COVERITY_SCAN_TOKEN }}' \
 160             --form email='${{ secrets.COVERITY_SCAN_EMAIL }}' \
 161             --form file=@cov-int.tgz \
 162             --form version='${{ github.sha }}' \
 163             "https://scan.coverity.com/builds?project=$COVERITY_PROJECT"