ci: simplify the Coverity script a bit
authorFrantisek Sumsal <frantisek@sumsal.cz>
Tue, 9 Aug 2022 12:43:28 +0000 (14:43 +0200)
committerFrantisek Sumsal <frantisek@sumsal.cz>
Thu, 11 Aug 2022 08:57:25 +0000 (10:57 +0200)
Also, address https://github.com/systemd/systemd/pull/24252#issuecomment-1208747320
by using a pre-defined e-mail address stored in the GH Action secrets.

.github/workflows/coverity.yml
tools/coverity.sh
tools/get-coverity.sh [deleted file]

index 904a6895fd4c64f2a2923746155f10fba0457c26..3fbebc6bbf1d0ce852247f9febfd3260330f02f0 100644 (file)
@@ -17,27 +17,14 @@ jobs:
     runs-on: ubuntu-22.04
     if: github.repository == 'systemd/systemd'
     env:
-      COVERITY_SCAN_BRANCH_PATTERN:     "${{ github.ref}}"
-      COVERITY_SCAN_NOTIFICATION_EMAIL: ""
-      COVERITY_SCAN_PROJECT_NAME:       "${{ github.repository }}"
-      # Set in repo settings -> secrets -> repository secrets
+      # Set in repo settings -> secrets -> actions
       COVERITY_SCAN_TOKEN:              "${{ secrets.COVERITY_SCAN_TOKEN }}"
-      CURRENT_REF:                      "${{ github.ref }}"
+      COVERITY_SCAN_NOTIFICATION_EMAIL: "${{ secrets.COVERITY_SCAN_NOTIFICATION_EMAIL }}"
     steps:
       - name: Repository checkout
         uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
-      # https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-commands-for-github-actions#setting-an-environment-variable
-      - name: Set the $COVERITY_SCAN_NOTIFICATION_EMAIL env variable
-        run: echo "COVERITY_SCAN_NOTIFICATION_EMAIL=$(git log -1 ${{ github.sha }} --pretty=\"%aE\")" >> "$GITHUB_ENV"
-      - name: Install Coverity tools
-        run: tools/get-coverity.sh
       # Reuse the setup phase of the unit test script to avoid code duplication
       - name: Install build dependencies
         run: sudo -E .github/workflows/unit_tests.sh SETUP
-      # Preconfigure with meson to prevent Coverity from capturing meson metadata
-      - name: Preconfigure the build directory
-        run: meson cov-build -Dman=false
-      - name: Build
-        run: tools/coverity.sh build
-      - name: Upload the results
-        run: tools/coverity.sh upload
+      - name: Build & upload the results
+        run: tools/coverity.sh
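Review bot: Both Coverity secrets sit in the job-level `env:` block, so every step inherits them, including `sudo -E .github/workflows/unit_tests.sh SETUP`, where `-E` carries the caller's environment into the root-run dependency installation. Only the final step uses them, so an `env:` block on the "Build & upload the results" step holding `COVERITY_SCAN_TOKEN` and `COVERITY_SCAN_NOTIFICATION_EMAIL` would keep the token out of the setup phase. The `jobs:` block starts outside this hunk, so whether anything else in the job reads these variables cannot be confirmed from here.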
index f140b7817406b798b371f1b19774466dbeecf3e5..361376fd21e3ecb6a61b4bbe0f4b79c873b39976 100755 (executable)
 #!/usr/bin/env bash
 # SPDX-License-Identifier: LGPL-2.1-or-later
 
-# The official unmodified version of the script can be found at
-# https://scan.coverity.com/scripts/travisci_build_coverity_scan.sh
+set -eux
 
-set -e
+COVERITY_SCAN_TOOL_BASE="/tmp/coverity-scan-analysis"
+COVERITY_SCAN_PROJECT_NAME="systemd/systemd"
 
-# Declare build command
-COVERITY_SCAN_BUILD_COMMAND="ninja -C cov-build"
+function coverity_install_script {
+    local platform tool_url tool_archive
 
-# Environment check
-# Use default values if not set
-SCAN_URL=${SCAN_URL:="https://scan.coverity.com"}
-TOOL_BASE=${TOOL_BASE:="/tmp/coverity-scan-analysis"}
-UPLOAD_URL=${UPLOAD_URL:="https://scan.coverity.com/builds"}
+    platform=$(uname)
+    tool_url="https://scan.coverity.com/download/${platform}"
+    tool_archive="/tmp/cov-analysis-${platform}.tgz"
 
-# These must be set by environment
-echo -e "\033[33;1mNote: COVERITY_SCAN_PROJECT_NAME and COVERITY_SCAN_TOKEN are available on Project Settings page on scan.coverity.com\033[0m"
-[ -z "$COVERITY_SCAN_PROJECT_NAME" ] && echo "ERROR: COVERITY_SCAN_PROJECT_NAME must be set" && exit 1
-[ -z "$COVERITY_SCAN_NOTIFICATION_EMAIL" ] && echo "ERROR: COVERITY_SCAN_NOTIFICATION_EMAIL must be set" && exit 1
-[ -z "$COVERITY_SCAN_BRANCH_PATTERN" ] && echo "ERROR: COVERITY_SCAN_BRANCH_PATTERN must be set" && exit 1
-[ -z "$COVERITY_SCAN_BUILD_COMMAND" ] && echo "ERROR: COVERITY_SCAN_BUILD_COMMAND must be set" && exit 1
-[ -z "$COVERITY_SCAN_TOKEN" ] && echo "ERROR: COVERITY_SCAN_TOKEN must be set" && exit 1
+    set +x # this is supposed to hide COVERITY_SCAN_TOKEN
+    echo -e "\033[33;1mDownloading Coverity Scan Analysis Tool...\033[0m"
+    wget -nv -O "$tool_archive" "$tool_url" --post-data "project=$COVERITY_SCAN_PROJECT_NAME&token=${COVERITY_SCAN_TOKEN:?}"
+    set -x
 
-# Verify this branch should run
-if [[ "${CURRENT_REF^^}" =~ "${COVERITY_SCAN_BRANCH_PATTERN^^}" ]]; then
-    echo -e "\033[33;1mCoverity Scan configured to run on branch ${CURRENT_REF}\033[0m"
-else
-    echo -e "\033[33;1mCoverity Scan NOT configured to run on branch ${CURRENT_REF}\033[0m"
-    exit 1
-fi
-
-# Verify upload is permitted
-AUTH_RES=`curl -s --form project="$COVERITY_SCAN_PROJECT_NAME" --form token="$COVERITY_SCAN_TOKEN" $SCAN_URL/api/upload_permitted`
-if [ "$AUTH_RES" = "Access denied" ]; then
-    echo -e "\033[33;1mCoverity Scan API access denied. Check COVERITY_SCAN_PROJECT_NAME and COVERITY_SCAN_TOKEN.\033[0m"
-    exit 1
-else
-    AUTH=`echo $AUTH_RES | jq .upload_permitted`
-    if [ "$AUTH" = "true" ]; then
-        echo -e "\033[33;1mCoverity Scan analysis authorized per quota.\033[0m"
-    else
-        WHEN=`echo $AUTH_RES | jq .next_upload_permitted_at`
-        echo -e "\033[33;1mCoverity Scan analysis NOT authorized until $WHEN.\033[0m"
-        exit 1
-    fi
-fi
-
-TOOL_DIR=`find $TOOL_BASE -type d -name 'cov-analysis*'`
-export PATH="$TOOL_DIR/bin:$PATH"
-
-# Disable CCACHE for cov-build to compilation units correctly
-export CCACHE_DISABLE=1
-
-# FUNCTION DEFINITIONS
-# --------------------
-_help()
-{
-    # displays help and exits
-    cat <<-EOF
-               USAGE: $0 [CMD] [OPTIONS]
-
-               CMD
-                 build   Issue Coverity build
-                 upload  Upload coverity archive for analysis
-              Note: By default, archive is created from default results directory.
-                    To provide custom archive or results directory, see --result-dir
-                    and --tar options below.
-
-               OPTIONS
-                 -h,--help     Display this menu and exits
-
-                 Applicable to build command
-                 ---------------------------
-                 -o,--out-dir  Specify Coverity intermediate directory (defaults to 'cov-int')
-                 -t,--tar      bool, archive the output to .tgz file (defaults to false)
-
-                 Applicable to upload command
-                 ----------------------------
-                 -d, --result-dir   Specify result directory if different from default ('cov-int')
-                 -t, --tar ARCHIVE  Use custom .tgz archive instead of intermediate directory or pre-archived .tgz
-                         (by default 'analysis-result.tgz'
-       EOF
-    return;
-}
-
-_pack()
-{
-    RESULTS_ARCHIVE=${RESULTS_ARCHIVE:-'analysis-results.tgz'}
-
-    echo -e "\033[33;1mTarring Coverity Scan Analysis results...\033[0m"
-    tar czf $RESULTS_ARCHIVE $RESULTS_DIR
-    SHA=`git rev-parse --short HEAD`
-
-    PACKED=true
+    mkdir -p "$COVERITY_SCAN_TOOL_BASE"
+    pushd "$COVERITY_SCAN_TOOL_BASE"
+    tar xzf "$tool_archive"
+    popd
 }
 
+function run_coverity {
+    local results_dir tool_dir results_archive sha response status_code
 
-_build()
-{
-    echo -e "\033[33;1mRunning Coverity Scan Analysis Tool...\033[0m"
-    local _cov_build_options=""
-    #local _cov_build_options="--return-emit-failures 8 --parse-error-threshold 85"
-    eval "${COVERITY_SCAN_BUILD_COMMAND_PREPEND}"
-    COVERITY_UNSUPPORTED=1 cov-build --dir $RESULTS_DIR $_cov_build_options sh -c "$COVERITY_SCAN_BUILD_COMMAND"
-    cov-import-scm --dir $RESULTS_DIR --scm git --log $RESULTS_DIR/scm_log.txt
+    results_dir="cov-int"
+    tool_dir=$(find "$COVERITY_SCAN_TOOL_BASE" -type d -name 'cov-analysis*')
+    results_archive="analysis-results.tgz"
+    sha=$(git rev-parse --short HEAD)
 
-    if [ $? != 0 ]; then
-       echo -e "\033[33;1mCoverity Scan Build failed: $TEXT.\033[0m"
-       return 1
-    fi
-
-    [ -z $TAR ] || [ $TAR = false ] && return 0
+    meson -Dman=false build
+    COVERITY_UNSUPPORTED=1 "$tool_dir/bin/cov-build" --dir "$results_dir" sh -c "ninja -C ./build -v"
+    "$tool_dir/bin/cov-import-scm" --dir "$results_dir" --scm git --log "$results_dir/scm_log.txt"
 
-    if [ "$TAR" = true ]; then
-       _pack
-    fi
-}
+    tar czf "$results_archive" "$results_dir"
 
-
-_upload()
-{
-    # pack results
-    [ -z $PACKED ] || [ $PACKED = false ] && _pack
-
-    # Upload results
+    set +x # this is supposed to hide COVERITY_SCAN_TOKEN
     echo -e "\033[33;1mUploading Coverity Scan Analysis results...\033[0m"
     response=$(curl \
-                  --silent --write-out "\n%{http_code}\n" \
-                  --form project=$COVERITY_SCAN_PROJECT_NAME \
-                  --form token=$COVERITY_SCAN_TOKEN \
-                  --form email=$COVERITY_SCAN_NOTIFICATION_EMAIL \
-                  --form file=@$RESULTS_ARCHIVE \
-                  --form version=$SHA \
-                  --form description="Travis CI build" \
-                  $UPLOAD_URL)
+               --silent --write-out "\n%{http_code}\n" \
+               --form project="$COVERITY_SCAN_PROJECT_NAME" \
+               --form token="${COVERITY_SCAN_TOKEN:?}" \
+               --form email="${COVERITY_SCAN_NOTIFICATION_EMAIL:?}" \
+               --form file="@$results_archive" \
+               --form version="$sha" \
+               --form description="Daily build" \
+               https://scan.coverity.com/builds)
     printf "\033[33;1mThe response is\033[0m\n%s\n" "$response"
     status_code=$(echo "$response" | sed -n '$p')
-    # Coverity Scan used to respond with 201 on successfully receiving analysis results.
-    # Now for some reason it sends 200 and may change back in the foreseeable future.
-    # See https://github.com/pmem/pmdk/commit/7b103fd2dd54b2e5974f71fb65c81ab3713c12c5
     if [ "$status_code" != "200" ]; then
-       TEXT=$(echo "$response" | sed '$d')
-       echo -e "\033[33;1mCoverity Scan upload failed: $TEXT.\033[0m"
-       exit 1
+        echo -e "\033[33;1mCoverity Scan upload failed: $(echo "$response" | sed '$d').\033[0m"
+        return 1
     fi
-
-    echo -e "\n\033[33;1mCoverity Scan Analysis completed successfully.\033[0m"
-    exit 0
+    set -x
 }
 
-# PARSE COMMAND LINE OPTIONS
-# --------------------------
-
-case $1 in
-    -h|--help)
-       _help
-       exit 0
-       ;;
-    build)
-       CMD='build'
-       TEMP=`getopt -o ho:t --long help,out-dir:,tar -n '$0' -- "$@"`
-       _ec=$?
-       [[ $_ec -gt 0 ]] && _help && exit $_ec
-       shift
-       ;;
-    upload)
-       CMD='upload'
-       TEMP=`getopt -o hd:t: --long help,result-dir:tar: -n '$0' -- "$@"`
-       _ec=$?
-       [[ $_ec -gt 0 ]] && _help && exit $_ec
-       shift
-       ;;
-    *)
-       _help && exit 1 ;;
-esac
-
-RESULTS_DIR='cov-int'
-
-eval set -- "$TEMP"
-if [ $? != 0 ] ; then exit 1 ; fi
-
-# extract options and their arguments into variables.
-if [[ $CMD == 'build' ]]; then
-    TAR=false
-    while true ; do
-       case $1 in
-           -h|--help)
-               _help
-               exit 0
-               ;;
-           -o|--out-dir)
-               RESULTS_DIR="$2"
-               shift 2
-               ;;
-           -t|--tar)
-               TAR=true
-               shift
-               ;;
-           --) _build; shift ; break ;;
-           *) echo "Internal error" ; _help && exit 6 ;;
-       esac
-    done
-
-elif [[ $CMD == 'upload' ]]; then
-    while true ; do
-       case $1 in
-           -h|--help)
-               _help
-               exit 0
-               ;;
-           -d|--result-dir)
-               CHANGE_DEFAULT_DIR=true
-               RESULTS_DIR="$2"
-               shift 2
-               ;;
-           -t|--tar)
-               RESULTS_ARCHIVE="$2"
-               [ -z $CHANGE_DEFAULT_DIR ] || [ $CHANGE_DEFAULT_DIR = false ] && PACKED=true
-               shift 2
-               ;;
-           --) _upload; shift ; break ;;
-           *) echo "Internal error" ; _help && exit 6 ;;
-       esac
-    done
-
-fi
+coverity_install_script
+run_coverity
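Review bot: `set +x` in `coverity_install_script` keeps COVERITY_SCAN_TOKEN out of the xtrace output, but the token is still handed to wget inside the `--post-data` argument, so it remains readable from the process table while the download runs. Writing the POST body to a `mktemp` file with the `printf` builtin and passing it with `--post-file` keeps it out of any argument list. The curl upload in `run_coverity` has the same exposure through `--form token=...`; curl's `--form "token=<FILE"` form reads the field value from a file instead.

```bash
    local platform tool_url tool_archive post_data
    # … unchanged: platform, tool_url and tool_archive assignments …

    set +x # this is supposed to hide COVERITY_SCAN_TOKEN
    # … unchanged: "Downloading" banner …
    # mktemp creates the file with owner-only permissions, and printf is a
    # builtin, so the token never appears in another process's argv
    post_data=$(mktemp)
    printf 'project=%s&token=%s' "$COVERITY_SCAN_PROJECT_NAME" "${COVERITY_SCAN_TOKEN:?}" >"$post_data"
    wget -nv -O "$tool_archive" "$tool_url" --post-file "$post_data"
    rm -f -- "$post_data"
    set -x
    # … unchanged: mkdir, pushd, tar xzf, popd …
```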
diff --git a/tools/get-coverity.sh b/tools/get-coverity.sh
deleted file mode 100755 (executable)
index b067ed2..0000000
+++ /dev/null
@@ -1,40 +0,0 @@
-#!/usr/bin/env bash
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-# Download and extract coverity tool
-
-set -e
-set -o pipefail
-
-# Environment check
-if [ -z "$COVERITY_SCAN_TOKEN" ]; then
-    echo >&2 'ERROR: COVERITY_SCAN_TOKEN must be set'
-    exit 1
-fi
-
-# Use default values if not set
-PLATFORM="$(uname)"
-TOOL_BASE="${TOOL_BASE:-/tmp/coverity-scan-analysis}"
-TOOL_ARCHIVE="${TOOL_ARCHIVE:-/tmp/cov-analysis-${PLATFORM}.tgz}"
-TOOL_URL="https://scan.coverity.com/download/${PLATFORM}"
-
-# Make sure wget is installed
-sudo apt-get update && sudo apt-get -y install wget
-
-# Get coverity tool
-if [ ! -d "$TOOL_BASE" ]; then
-    # Download Coverity Scan Analysis Tool
-    if [ ! -e "$TOOL_ARCHIVE" ]; then
-        echo -e "\033[33;1mDownloading Coverity Scan Analysis Tool...\033[0m"
-        wget -nv -O "$TOOL_ARCHIVE" "$TOOL_URL" --post-data "project=$COVERITY_SCAN_PROJECT_NAME&token=$COVERITY_SCAN_TOKEN"
-    fi
-
-    # Extract Coverity Scan Analysis Tool
-    echo -e "\033[33;1mExtracting Coverity Scan Analysis Tool...\033[0m"
-    mkdir -p "$TOOL_BASE"
-    pushd "$TOOL_BASE"
-    tar xzf "$TOOL_ARCHIVE"
-    popd
-fi
-
-echo -e "\033[33;1mCoverity Scan Analysis Tool can be found at $TOOL_BASE ...\033[0m"