Re: [PATCH v2] .github/workflows: add coverity action

Junio C Hamano <gitster@xxxxxxxxx> · Thu, 21 Sep 2023 16:30:02 -0700

Taylor Blau <me@xxxxxxxxxxxx> writes:

> This fell to the bottom of my queue, but I got back to it today while
> doing some ~~spring~~ fall inbox cleaning :-). Thanks Peff and Johannes
> for helpful review in the first round. Range-diff is below:
>
> Range-diff against v1:
> 1:  f74ae75ddb < -:  ---------- .github/workflows: add coverity action
> -:  ---------- > 1:  b23951c569 .github/workflows: add coverity action

That's a useful range-diff ;-).  Even with --word-diff, range-diff does
not notice that they correspond to each other, without an absurd setting
like --creation-factor=999.

>  .github/workflows/coverity.yml | 22 ++++++++++++++++++++++
>  ci/install-dependencies.sh     |  2 +-
>  ci/lib.sh                      |  2 +-
>  3 files changed, 24 insertions(+), 2 deletions(-)
>  create mode 100644 .github/workflows/coverity.yml
>
> diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
> new file mode 100644
> index 0000000000..3ba00b3929
> --- /dev/null
> +++ b/.github/workflows/coverity.yml
> @@ -0,0 +1,22 @@
> +name: Coverity
> +
> +on: [push, pull_request]

This no longer hardcocdes the condition to master and tagged ones,
as ...

> +jobs:
> +  coverity:
> +    if: (vars.ENABLE_COVERITY == 'true') &&
> +      (vars.COVERITY_BRANCHES == '' ||
> +       contains(vars.COVERITY_BRANCHES, github.ref_name) ||
> +       contains(vars.COVERITY_BRANCHES, '*'))

... this lets you control when to run it via the "vars".  This round
also can act on pull-requests in addition to pushes.

> +    runs-on: ubuntu-latest
> +    steps:
> +      - uses: actions/checkout@v3
> +      - run: ci/install-dependencies.sh
> +        env:
> +          jobname: coverity
> +      - uses: vapier/coverity-scan-action@cae3c096a2eb21c431961a49375ac17aea2670ce
> +        with:
> +          email: ${{ secrets.COVERITY_SCAN_EMAIL }}
> +          token: ${{ secrets.COVERITY_SCAN_TOKEN }}
> +          command: make -j8

And the actual implementation is vastly different by just using a
canned one, which requires less maintenance on our end, which is
nice.

> diff --git a/ci/lib.sh b/ci/lib.sh
> index 6fbb5bade1..2ad0ae340e 100755
> --- a/ci/lib.sh
> +++ b/ci/lib.sh
> @@ -227,7 +227,7 @@ export SKIP_DASHED_BUILT_INS=YesPlease
>
>  case "$runs_on_pool" in
>  ubuntu-*)
> -	if test "$jobname" = "linux-gcc-default"
> +	if test "$jobname" = "linux-gcc-default" || test "$jobname" = "coverity"
>  	then
>  		break
>  	fi

This part is new in this iteration, to avoid further customization
that enables more exotic features, which makes sense.