| blob | 48341e81f49066836c838a7c6d38aa6be046ec69 |
1 name: Coverity
3 # This GitHub workflow automates submitting builds to Coverity Scan. To enable it,
4 # set the repository variable `ENABLE_COVERITY_SCAN_FOR_BRANCHES` (for details, see
5 # https://docs.github.com/en/actions/learn-github-actions/variables) to a JSON
6 # string array containing the names of the branches for which the workflow should be
7 # run, e.g. `["main", "next"]`.
8 #
9 # In addition, two repository secrets must be set (for details how to add secrets, see
10 # https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions):
11 # `COVERITY_SCAN_EMAIL` and `COVERITY_SCAN_TOKEN`. The former specifies the
12 # email to which the Coverity reports should be sent and the latter can be
13 # obtained from the Project Settings tab of the Coverity project).
14 #
15 # The workflow runs on `ubuntu-latest` by default. This can be overridden by setting
16 # the repository variable `ENABLE_COVERITY_SCAN_ON_OS` to a JSON string array specifying
17 # the operating systems, e.g. `["ubuntu-latest", "windows-latest"]`.
18 #
19 # By default, the builds are submitted to the Coverity project `git`. To override this,
20 # set the repository variable `COVERITY_PROJECT`.
22 on:
23 push:
25 defaults:
26 run:
27 shell: bash
29 jobs:
30 coverity:
31 if: contains(fromJSON(vars.ENABLE_COVERITY_SCAN_FOR_BRANCHES || '[""]'), github.ref_name)
32 strategy:
33 matrix:
34 os: ${{ fromJSON(vars.ENABLE_COVERITY_SCAN_ON_OS || '["ubuntu-latest"]') }}
35 runs-on: ${{ matrix.os }}
36 env:
37 COVERITY_PROJECT: ${{ vars.COVERITY_PROJECT || 'git' }}
38 COVERITY_LANGUAGE: cxx
39 COVERITY_PLATFORM: overridden-below
40 steps:
41 - uses: actions/checkout@v4
42 - name: install minimal Git for Windows SDK
43 if: contains(matrix.os, 'windows')
44 uses: git-for-windows/setup-git-for-windows-sdk@v1
45 - run: ci/install-dependencies.sh
46 if: contains(matrix.os, 'ubuntu') || contains(matrix.os, 'macos')
47 env:
48 distro: ${{ matrix.os }}
50 # The Coverity site says the tool is usually updated twice yearly, so the
51 # MD5 of download can be used to determine whether there's been an update.
52 - name: get the Coverity Build Tool hash
53 id: lookup
54 run: |
55 case "${{ matrix.os }}" in
56 *windows*)
57 COVERITY_PLATFORM=win64
58 COVERITY_TOOL_FILENAME=cov-analysis.zip
59 MAKEFLAGS=-j$(nproc)
60 ;;
61 *macos*)
62 COVERITY_PLATFORM=macOSX
63 COVERITY_TOOL_FILENAME=cov-analysis.dmg
64 MAKEFLAGS=-j$(sysctl -n hw.physicalcpu)
65 ;;
66 *ubuntu*)
67 COVERITY_PLATFORM=linux64
68 COVERITY_TOOL_FILENAME=cov-analysis.tgz
69 MAKEFLAGS=-j$(nproc)
70 ;;
71 *)
72 echo '::error::unhandled OS ${{ matrix.os }}' >&2
73 exit 1
74 ;;
75 esac
76 echo "COVERITY_PLATFORM=$COVERITY_PLATFORM" >>$GITHUB_ENV
77 echo "COVERITY_TOOL_FILENAME=$COVERITY_TOOL_FILENAME" >>$GITHUB_ENV
78 echo "MAKEFLAGS=$MAKEFLAGS" >>$GITHUB_ENV
79 MD5=$(curl https://scan.coverity.com/download/$COVERITY_LANGUAGE/$COVERITY_PLATFORM \
80 --fail \
81 --form token='${{ secrets.COVERITY_SCAN_TOKEN }}' \
82 --form project="$COVERITY_PROJECT" \
83 --form md5=1)
84 case $? in
85 0) ;; # okay
86 22) # 40x, i.e. access denied
87 echo "::error::incorrect token or project?" >&2
88 exit 1
89 ;;
90 *) # other error
91 echo "::error::Failed to retrieve MD5" >&2
92 exit 1
93 ;;
94 esac
95 echo "hash=$MD5" >>$GITHUB_OUTPUT
97 # Try to cache the tool to avoid downloading 1GB+ on every run.
98 # A cache miss will add ~30s to create, but a cache hit will save minutes.
99 - name: restore the Coverity Build Tool
100 id: cache
101 uses: actions/cache/restore@v4
102 with:
103 path: ${{ runner.temp }}/cov-analysis
104 key: cov-build-${{ env.COVERITY_LANGUAGE }}-${{ env.COVERITY_PLATFORM }}-${{ steps.lookup.outputs.hash }}
105 - name: download the Coverity Build Tool (${{ env.COVERITY_LANGUAGE }} / ${{ env.COVERITY_PLATFORM}})
106 if: steps.cache.outputs.cache-hit != 'true'
107 run: |
108 curl https://scan.coverity.com/download/$COVERITY_LANGUAGE/$COVERITY_PLATFORM \
109 --fail --no-progress-meter \
110 --output $RUNNER_TEMP/$COVERITY_TOOL_FILENAME \
111 --form token='${{ secrets.COVERITY_SCAN_TOKEN }}' \
112 --form project="$COVERITY_PROJECT"
113 - name: extract the Coverity Build Tool
114 if: steps.cache.outputs.cache-hit != 'true'
115 run: |
116 case "$COVERITY_TOOL_FILENAME" in
117 *.tgz)
118 mkdir $RUNNER_TEMP/cov-analysis &&
119 tar -xzf $RUNNER_TEMP/$COVERITY_TOOL_FILENAME --strip 1 -C $RUNNER_TEMP/cov-analysis
120 ;;
121 *.dmg)
122 cd $RUNNER_TEMP &&
123 attach="$(hdiutil attach $COVERITY_TOOL_FILENAME)" &&
124 volume="$(echo "$attach" | cut -f 3 | grep /Volumes/)" &&
125 mkdir cov-analysis &&
126 cd cov-analysis &&
127 sh "$volume"/cov-analysis-macosx-*.sh &&
128 ls -l &&
129 hdiutil detach "$volume"
130 ;;
131 *.zip)
132 cd $RUNNER_TEMP &&
133 mkdir cov-analysis-tmp &&
134 unzip -d cov-analysis-tmp $COVERITY_TOOL_FILENAME &&
135 mv cov-analysis-tmp/* cov-analysis
136 ;;
137 *)
138 echo "::error::unhandled archive type: $COVERITY_TOOL_FILENAME" >&2
139 exit 1
140 ;;
141 esac
142 - name: cache the Coverity Build Tool
143 if: steps.cache.outputs.cache-hit != 'true'
144 uses: actions/cache/save@v4
145 with:
146 path: ${{ runner.temp }}/cov-analysis
147 key: cov-build-${{ env.COVERITY_LANGUAGE }}-${{ env.COVERITY_PLATFORM }}-${{ steps.lookup.outputs.hash }}
148 - name: build with cov-build
149 run: |
150 export PATH="$RUNNER_TEMP/cov-analysis/bin:$PATH" &&
151 cov-configure --gcc &&
152 cov-build --dir cov-int make
153 - name: package the build
154 run: tar -czvf cov-int.tgz cov-int
155 - name: submit the build to Coverity Scan
156 run: |
157 curl \
158 --fail \
159 --form token='${{ secrets.COVERITY_SCAN_TOKEN }}' \
160 --form email='${{ secrets.COVERITY_SCAN_EMAIL }}' \
161 --form file=@cov-int.tgz \
162 --form version='${{ github.sha }}' \
163 "https://scan.coverity.com/builds?project=$COVERITY_PROJECT"