Coverity is a static analysis tool that detects and generates reports on various security and code quality issues. It is particularly useful when diagnosing memory safety issues which may be used as part of exploiting a security vulnerability.

Coverity's website provides a service that accepts "builds" (which is the output of running `cov-build` on your project, which invokes `make` with additional magic) as input and generates reports as output.

In order to generate a report, we have to first compile Git and then upload the build archive to Coverity. This Action generates and uploads a build archive to Coverity when a GitHub repository has done the following:

- Configured the "COVERITY_SCAN_EMAIL" and "COVERITY_SCAN_TOKEN" repository secrets. Tokens are found on the "Project Settings" page at [1]. Tokens may be added as repository secrets on GitHub repositories by following the guide at [2].

- Enabled Coverity builds by (in addition to the above) creating a repository variable called `ENABLE_COVERITY`. Repository variables (which are different from secrets) can be added according to the guide at [3].

This enables Coverity to automatically report on new changes pushed to the configured branch set, which is specified via the `COVERITY_BRANCHES` repository variable.

The implementation is mostly straightforward. Though note that we could upload the build archive to Coverity directly with a straightforward curl request. But using the vapier/coverity-scan Action comes with some additional niceties, such as caching the (rather large) Coverity tool download between runs.

If the repository does not have the `ENABLE_COVERITY` variable set, or the list of branches specified by `COVERITY_BRANCHES` does not contain the branch being pushed to, this Action is a no-op.
[1]: https://scan.coverity.com/projects/NAME?tab=project_settings
[2]: https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions
[3]: https://docs.github.com/en/actions/learn-github-actions/variables

Helped-by: Jeff King <peff@xxxxxxxx>
Helped-by: Johannes Schindelin <Johannes.Schindelin@xxxxxx>
Signed-off-by: Taylor Blau <me@xxxxxxxxxxxx>
---
This fell to the bottom of my queue, but I got back to it today while doing some ~~spring~~ fall inbox cleaning :-). Thanks Peff and Johannes for helpful review in the first round.

Range-diff is below:

Range-diff against v1:
1:  f74ae75ddb < -:  ---------- .github/workflows: add coverity action
-:  ---------- > 1:  b23951c569 .github/workflows: add coverity action

 .github/workflows/coverity.yml | 22 ++++++++++++++++++++++
 ci/install-dependencies.sh     |  2 +-
 ci/lib.sh                      |  2 +-
 3 files changed, 24 insertions(+), 2 deletions(-)
 create mode 100644 .github/workflows/coverity.yml

diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml new file mode 100644 index 0000000000..3ba00b3929 --- /dev/null +++ b/.github/workflows/coverity.yml @@ -0,0 +1,22 @@ +name: Coverity + +on: [push, pull_request] + +jobs: + coverity: + if: (vars.ENABLE_COVERITY == 'true') && + (vars.COVERITY_BRANCHES == '' || + contains(vars.COVERITY_BRANCHES, github.ref_name) || + contains(vars.COVERITY_BRANCHES, '*')) + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - run: ci/install-dependencies.sh + env: + jobname: coverity + - uses: vapier/coverity-scan-action@cae3c096a2eb21c431961a49375ac17aea2670ce + with: + email: ${{ secrets.COVERITY_SCAN_EMAIL }} + token: ${{ secrets.COVERITY_SCAN_TOKEN }} + command: make -j8 + diff --git a/ci/install-dependencies.sh b/ci/install-dependencies.sh index 4f407530d3..7e100ee63f 100755 --- a/ci/install-dependencies.sh +++ b/ci/install-dependencies.sh
@@ -74,7 +74,7 @@ Documentation) test -n "$ALREADY_HAVE_ASCIIDOCTOR" || sudo gem install --version 1.5.8 asciidoctor ;; -linux-gcc-default) +linux-gcc-default|coverity) sudo apt-get -q update sudo apt-get -q -y install $UBUNTU_COMMON_PKGS ;; diff --git a/ci/lib.sh b/ci/lib.sh index 6fbb5bade1..2ad0ae340e 100755 --- a/ci/lib.sh +++ b/ci/lib.sh @@ -227,7 +227,7 @@ export SKIP_DASHED_BUILT_INS=YesPlease case "$runs_on_pool" in ubuntu-*) - if test "$jobname" = "linux-gcc-default" + if test "$jobname" = "linux-gcc-default" || test "$jobname" = "coverity" then break fi -- 2.42.0.242.gc844f407a1
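Review bot: in the `.github/workflows/coverity.yml` hunk, the `if:` condition relies on `contains(vars.COVERITY_BRANCHES, github.ref_name)`, and `contains()` on a string is a substring test, so a `COVERITY_BRANCHES` value of `maint-2.42` also enables the job for a push to `maint`, and `master` matches any `master-*` branch; if the variable is meant to hold a list, either compare delimited entries (a comma-separated value checked with `contains(format(',{0},', vars.COVERITY_BRANCHES), format(',{0},', github.ref_name))`) or store it as a JSON array and use `contains(fromJSON(vars.COVERITY_BRANCHES), github.ref_name)` so the match is exact. Two smaller points: the job requires `vars.ENABLE_COVERITY == 'true'`, while the commit message only says the variable must be created, so one of the two should state the expected value; and with `on: [push, pull_request]`, a pull request from a fork runs with `github.ref_name` set to `<number>/merge` and without access to `secrets.*`, so an unset `COVERITY_BRANCHES` (which satisfies `vars.COVERITY_BRANCHES == ''`) or a `*` entry would start an upload with empty credentials, which argues for dropping `pull_request` from the trigger or guarding on `github.event_name == 'push'`. Pinning `vapier/coverity-scan-action` to a full commit SHA is the right choice for a third-party action that receives the scan token; `actions/checkout@v3` could be pinned the same way for consistency.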
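Review bot: in the `ci/install-dependencies.sh` hunk, widening the arm to `linux-gcc-default|coverity)` ties the Coverity job's package set to `$UBUNTU_COMMON_PKGS` without saying so anywhere; a one-line comment above the arm noting that `coverity` intentionally gets the same packages as `linux-gcc-default` (and no compiler-specific extras) would keep the two from drifting apart when someone later adds a package for only one of them. Note also that this arm dispatches on `$jobname`, which the new workflow sets only on its `ci/install-dependencies.sh` step; the `make -j8` invoked by the scan action's `command:` does not go through the `ci/` scripts at all, so this is the only place where `ci/` shapes the Coverity build.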
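Review bot: in the `ci/lib.sh` hunk, the new `|| test "$jobname" = "coverity"` sits inside `case "$runs_on_pool" in ubuntu-*)`, but the workflow in this series exports only `jobname: coverity` (no `runs_on_pool`) on its `ci/install-dependencies.sh` step, so unless `ci/lib.sh` derives `runs_on_pool` on its own this arm is never entered for the Coverity job and the change has no effect; either add `runs_on_pool: ubuntu-latest` next to `jobname` in the workflow's `env:` block, or drop this hunk and say in the commit message why `lib.sh` needs no change. As a style point, once two job names share the early `break`, a `case "$jobname" in linux-gcc-default|coverity) break ;; esac` mirrors the pattern the `ci/install-dependencies.sh` hunk uses and avoids a growing `||` chain.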