Hi Peff & Taylor, On Wed, 20 Oct 2021, Jeff King wrote: > On Wed, Oct 20, 2021 at 02:27:30PM +0200, Johannes Schindelin wrote: > > > On Fri, 8 Oct 2021, Jeff King wrote: > > > > > On Fri, Oct 08, 2021 at 09:51:33AM +0200, Johannes Schindelin wrote: > > > > > > > FWIW I have set up an Azure Pipeline to keep Git for Windows' > > > > `main` branch covered by Coverity: > > > > > > > > https://dev.azure.com/git-for-windows/git/_build?definitionId=35 > > > > > > > > It essentially calls into this scripted code: > > > > https://github.com/git-for-windows/build-extra/blob/4676f286a1ec830a5038b32400808a353dc6c48d/please.sh#L1820-L1915 > > > > > > Do you have any objection to adding something like the Action I > > > showed eariler? It would do nothing in git-for-windows/git unless > > > you set up the right environment, so there shouldn't be any > > > downside. > > > > No objection. I'd just ask to use `${{github.repository}}` instead of > > hard-coding `peff/git`, and to really not run the workflow unless > > configured. So something like this: > > Yep, those were directions I was planning to take it. > > > I am very much in favor of having this in git/git. Do you want to provide > > the commit message, or do you want me to shepher this? > > I'd be just as happy if you did (I hadn't even looked at it since my > earlier email). > > It sounds like Taylor is volunteering to set up the Coverity side for > git.git, and I can help him with getting those COVERITY_* variables into > the GitHub environment. Given the challenges with Coverity (false positives, lack of support on Synopsys' side, severely limited access to the reports), and given the renewed efforts by OSTIF that focus not on Coverity but on CodeQL, I am in favor of abandoning the idea to integrate Coverity in our GitHub workflow. Regarding CodeQL, I am still uncertain what level of integration we will end up with, and the contacts I am working with are currently all on vacation, but I am confident that we will have an easier time going forward with static analysis using CodeQL instead of Coverity. Ciao, Dscho
