Hi Peff,

On Fri, 8 Oct 2021, Jeff King wrote:

> On Fri, Oct 08, 2021 at 09:51:33AM +0200, Johannes Schindelin wrote:
>
> > FWIW I have set up an Azure Pipeline to keep Git for Windows' `main`
> > branch covered by Coverity:
> >
> > https://dev.azure.com/git-for-windows/git/_build?definitionId=35
> >
> > It essentially calls into this scripted code:
> > https://github.com/git-for-windows/build-extra/blob/4676f286a1ec830a5038b32400808a353dc6c48d/please.sh#L1820-L1915
>
> Do you have any objection to adding something like the Action I showed
> earlier? It would do nothing in git-for-windows/git unless you set up
> the right environment, so there shouldn't be any downside.

No objection. I'd just ask to use `${{github.repository}}` instead of
hard-coding `peff/git`, and to really not run the workflow unless
configured. So something like this:

    name: coverity-scan

    on:
      push:
        branches:
          - master
          - next
          - seen

    jobs:
      coverity:
        runs-on: ubuntu-latest
        env:
          COVERITY_SCAN_TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
          COVERITY_SCAN_EMAIL: ${{ secrets.COVERITY_SCAN_EMAIL }}
        if: env.COVERITY_SCAN_TOKEN != '' && env.COVERITY_SCAN_EMAIL != ''
        steps:
          - uses: actions/checkout@v2
          - run: ci/install-dependencies.sh
          # The download is authenticated with the project token
          - name: Download Coverity Build Tool
            run: |
              wget -q https://scan.coverity.com/download/linux64 --post-data "token=$COVERITY_SCAN_TOKEN&project=$GITHUB_REPOSITORY" -O cov-analysis-linux64.tar.gz
              mkdir cov-analysis-linux64
              tar xzf cov-analysis-linux64.tar.gz --strip 1 -C cov-analysis-linux64
          # cov-build wraps the regular build and records it in cov-int
          - name: Build with cov-build
            run: |
              export PATH="$(pwd)/cov-analysis-linux64/bin:$PATH"
              cov-build --dir cov-int make
          # Upload the captured build, labelled with the commit and git version
          - name: Submit the result to Coverity Scan
            run: |
              tar czvf git.tgz cov-int
              curl \
                --form project="$GITHUB_REPOSITORY" \
                --form token="$COVERITY_SCAN_TOKEN" \
                --form email="$COVERITY_SCAN_EMAIL" \
                --form file=@git.tgz \
                --form version="$(git rev-parse HEAD)" \
                --form description="$(./git version)" \
                "https://scan.coverity.com/builds?project=$GITHUB_REPOSITORY"

Note the `jobs.coverity.if` attribute. This is what will let the entire
job be skipped unless the secrets are set up.

I am very much in favor of having this in git/git. Do you want to provide
the commit message, or do you want me to shepherd this?

> I admit I was not really planning to try to suppress the false positives
> as you've done here; my plan was to just keep an eye on the "new"
> entries (having already gone through the existing ones years ago).

I think we will _have_ to suppress the false positives at some point, as
something like 9 out of 10 new reports I receive are about these, and it
takes time to analyze & dismiss them. In general, I have no trouble
finding more fun things to do with my time.

Ciao,
Dscho
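
The submit step from the workflow above can also be guarded and hardened inside the step's own shell. This is an added example, not part of the original mail or of the git project's CI. The function names are hypothetical; the form fields and URL are the ones in the workflow. It skips cleanly when the secrets are absent and feeds the token to curl through a config on stdin, so it stays out of the process argument list.

```shell
#!/bin/sh
# Added example; function names are hypothetical, fields/URL come from the workflow.

# Succeed only when both Coverity secrets are non-empty in the environment.
coverity_configured() {
    [ -n "${COVERITY_SCAN_TOKEN:-}" ] && [ -n "${COVERITY_SCAN_EMAIL:-}" ]
}

# Escape backslashes and double quotes for a double-quoted curl config value.
curl_quote() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Print a curl config for `curl -K -`.
# $1 = tarball path, $2 = version string, $3 = description
# form-string sends values literally (no @file or ;type= parsing by curl).
coverity_submit_config() {
    printf 'form-string = "project=%s"\n' "$(curl_quote "$GITHUB_REPOSITORY")"
    printf 'form-string = "token=%s"\n' "$(curl_quote "$COVERITY_SCAN_TOKEN")"
    printf 'form-string = "email=%s"\n' "$(curl_quote "$COVERITY_SCAN_EMAIL")"
    printf 'form = "file=@%s"\n' "$(curl_quote "$1")"
    printf 'form-string = "version=%s"\n' "$(curl_quote "$2")"
    printf 'form-string = "description=%s"\n' "$(curl_quote "$3")"
    printf 'url = "https://scan.coverity.com/builds?project=%s"\n' \
        "$(curl_quote "$GITHUB_REPOSITORY")"
}

# Upload the tarball, or skip with exit status 0 when the secrets are not set.
submit_to_coverity() {
    if ! coverity_configured; then
        echo "Coverity secrets not set; skipping submission" >&2
        return 0
    fi
    # --fail turns an HTTP error from the service into a failed step.
    coverity_submit_config "$@" | curl --fail --silent --show-error -K -
}
```

In the workflow it would be called as `submit_to_coverity git.tgz "$(git rev-parse HEAD)" "$(./git version)"` after the `tar czvf` line.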