-
Notifications
You must be signed in to change notification settings - Fork 55
159 lines (144 loc) · 5.38 KB
/
coverity.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
name: Coverity
# Coverity Scan gives relatively low-quality reports and has strict
# rate limits, so we only run it on the main branch on a schedule.
on:
schedule:
- cron: '31 3 * * 1' # Monday at 3h31 UTC
workflow_dispatch:
jobs:
Coverity:
runs-on: ubuntu-latest
env:
CVT_PROJECT: besser82/libxcrypt
# Coverity doesn't have official Github Actions integration yet.
# The steps below were kitbashed together from the contents of
# https://scan.coverity.com/scripts/travisci_build_coverity_scan.sh
# plus some notions from
# https://github.com/ruby/actions-coverity-scan/blob/master/.github/workflows/coverity-scan.yml
steps:
- name: Check for authorization
env:
CVT_TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
run: |
if [ -z "$CVT_TOKEN" ]; then
printf '\033[33;1mCoverity Scan token not available.\033[0m\n'
exit 1
fi
AUTH_RES=$(curl -s --form project="$CVT_PROJECT" \
--form token="$CVT_TOKEN" \
https://scan.coverity.com/api/upload_permitted)
if [ "$AUTH_RES" = "Access denied" ]; then
printf '\033[33;1mCoverity Scan API access denied.\033[0m\n'
printf 'Check project name and access token.\n'
exit 1
else
AUTH=$(printf '%s' "$AUTH_RES" | ruby -e "
require 'rubygems'
require 'json'
puts JSON[STDIN.read]['upload_permitted']
")
if [ "$AUTH" = "true" ]; then
echo ok
exit 0
else
WHEN=$(printf '%s' "$AUTH_RES" | ruby -e "
require 'rubygems'
require 'json'
puts JSON[STDIN.read]['next_upload_permitted_at']
")
printf '\033[33;1mCoverity Scan access blocked until %s.\033[0m\n' \
"$WHEN"
exit 1
fi
fi
- name: Checkout repository
uses: actions/checkout@v2
- name: Download Coverity Build Tool
env:
CVT_TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
run: |
echo Downloading Coverity tools...
# Put the tools in the parent directory so the build can't
# clobber them by accident.
cd ..
curl --no-progress-meter -o cov-analysis-linux64.tar.gz \
--form token="$CVT_TOKEN" \
--form project="$CVT_PROJECT" \
https://scan.coverity.com/download/cxx/linux64
echo Extracting...
mkdir cov-analysis-linux64
tar xzf cov-analysis-linux64.tar.gz --strip 1 -C cov-analysis-linux64
echo done.
if [ -f cov-analysis-linux64/VERSION ]; then
echo ::group::Coverity tool versions
echo + cat cov-analysis-linux64/VERSION
echo
cat cov-analysis-linux64/VERSION
echo ::endgroup::
fi
- name: Versions of build tools
id: build-tools
run: ./build-aux/ci/ci-log-dependency-versions
- name: Get nprocs
run: echo "NPROCS=$((`nproc --all 2>/dev/null || sysctl -n hw.ncpu` * 2))" | tee $GITHUB_ENV
- name: Cache bootstrap
id: cache
uses: actions/cache@v2
with:
path: |
INSTALL
Makefile.in
aclocal.m4
config.h.in
configure
autom4te.cache/**
build-aux/m4/libtool.m4
build-aux/m4/ltoptions.m4
build-aux/m4/ltsugar.m4
build-aux/m4/ltversion.m4
build-aux/m4/lt~obsolete.m4
build-aux/m4-autogen/**
key: autoreconf-${{ steps.build-tools.outputs.autotools-ver }}-${{ hashFiles('autogen.sh', 'configure.ac', 'Makefile.am', 'build-aux/m4/*.m4', 'build-aux/m4-autogen/**') }}
- name: Bootstrap
if: steps.cache.outputs.cache-hit != 'true'
run: ./autogen.sh
- name: Configure
run: ./configure --disable-werror --enable-obsolete-api --enable-hashes=all
- name: Prepare build script
run: |
echo '#! /bin/sh' > cov_make.sh
echo "make -j${{ env.NPROCS }} all" >> cov_make.sh
echo "make -j${{ env.NPROCS }} test-programs" >> cov_make.sh
chmod +x cov_make.sh
- name: Build
run: |
export PATH=$(cd .. && pwd)/cov-analysis-linux64/bin:$PATH
cov-build --dir cov-int ./cov_make.sh
cov-import-scm --dir cov-int --scm git --log cov-int/scm_log.txt
- name: Upload analysis results
env:
CVT_TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
CVT_EMAIL: ${{ secrets.COVERITY_SCAN_NOTIFICATION_EMAIL }}
run: |
tar czvf cov-int.tar.gz cov-int
printf 'Uploading Coverity Scan Analysis results...\n'
response=$(curl -s --write-out '\n%{http_code}\n' \
--form project="$CVT_PROJECT" \
--form token="$CVT_TOKEN" \
--form email="$CVT_EMAIL" \
--form file=@cov-int.tar.gz \
--form version="${GITHUB_REF}" \
--form description="${GITHUB_SHA}" \
https://scan.coverity.com/builds)
status_code=$(echo "$response" | sed -n '$p')
if [ "$status_code" = "200" ] || [ "$status_code" = "201" ] ; then
printf 'Upload complete.\n'
exit 0
else
TEXT=$(echo "$response" | sed '$d')
printf '\033[33;1mCoverity Scan upload failed:\033[0m\n%s.\n' "$TEXT"
exit 1
fi
- name: Detailed error logs
if: failure()
run: ./build-aux/ci/ci-log-logfiles