Some coverity workflow fixes (#4288)

* Don't trigger package builds on push to coverity_scan branch

* Allow out-of-project coverity scans on push to coverity_scan

* Key the cache for the Coverity scan tool based on its MD5

diff --git a/.github/workflows/ci-deb.yml b/.github/workflows/ci-deb.yml
index bf6967d03f6d9f21ffabb46fb55321f613d9974b..d70c41fa911693f6cb1d08f6d22970ab6da96090 100644 (file)
--- a/.github/workflows/ci-deb.yml
+++ b/.github/workflows/ci-deb.yml
@@ -2,6 +2,8 @@ name: CI DEB
 
 on:
   push:
+    branches-ignore:
+      - coverity_scan
   schedule:
     - cron: '0 20 * * *'
 

diff --git a/.github/workflows/ci-rpm.yml b/.github/workflows/ci-rpm.yml
index 3ae63c9c93b1c2b109fce1b04b71ca38c8dd0c74..1f13238f10e5528bad553a3951f039a01c7b3ef6 100644 (file)
--- a/.github/workflows/ci-rpm.yml
+++ b/.github/workflows/ci-rpm.yml
@@ -2,6 +2,8 @@ name: CI RPM
 
 on:
   push:
+    branches-ignore:
+      - coverity_scan
   schedule:
     - cron: '0 20 * * *'
 

diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
index 537eec2375509a19b616f4ea4745fb7bcb6330fb..8dc8b2089b55b6301d456e34a7ba89577135c198 100644 (file)
--- a/.github/workflows/coverity.yml
+++ b/.github/workflows/coverity.yml
@@ -10,7 +10,7 @@ on:
 jobs:
   coverity:
     runs-on: ubuntu-20.04
-    if: github.repository_owner == 'FreeRADIUS'
+    if: github.repository_owner == 'FreeRADIUS' || github.ref == 'refs/heads/coverity_scan'
     steps:
       - name: Checkout
         uses: actions/checkout@v2
@@ -30,21 +30,31 @@ jobs:
           sudo mk-build-deps -irt"apt-get -y --no-install-recommends" debian/control
           sudo mk-build-deps -irt"apt-get -y --no-install-recommends" scripts/ci/extra-packages.debian.control
 
+      - name: Download coverity tool MD5
+        run: |
+          wget https://scan.coverity.com/download/linux64 \
+            --post-data "token=${TOKEN}&project=${OWNER}%2Ffreeradius-server&md5=1" \
+            -O coverity_tool.tar.gz.md5
+        env:
+          TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
+          OWNER: ${{ github.repository_owner }}
+
       - name: Cache coverity tool
         uses: actions/cache@v2
         id: cache-coverity
         with:
-          key: coverity-tool-cache-${{ runner.os }}
           path: coverity_tool.tar.gz
+          key: coverity-tool-cache-${{ hashFiles('coverity_tool.tar.gz.md5') }}
 
       - name: Download coverity tool
         if: steps.cache-coverity.outputs.cache-hit != 'true'
         run: |
           wget https://scan.coverity.com/download/linux64 \
-            --post-data "token=${TOKEN}&project=FreeRADIUS%2Ffreeradius-server" \
+            --post-data "token=${TOKEN}&project=${OWNER}%2Ffreeradius-server" \
             -O coverity_tool.tar.gz
         env:
           TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
+          OWNER: ${{ github.repository_owner }}
 
       - name: Extract coverity tool
         run: |
@@ -70,6 +80,7 @@ jobs:
             --form file=@cov-int.tar.gz \
             --form version="`cat VERSION`" \
             --form description="FreeRADIUS" \
-            https://scan.coverity.com/builds?project=freeradius%2Ffreeradius-server
+            https://scan.coverity.com/builds?project=${OWNER}%2Ffreeradius-server
         env:
           TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
+          OWNER: ${{ github.repository_owner }}