Coverity [https://scan.coverity.com/] is a powerful static analysis tool that helps prevent vulnerabilities. It is free to use for open source projects, and Git benefits from this, as does Git for Windows.

As is the case with many powerful tools, using Coverity comes with its own set of challenges, one of which is that submitting a build is quite laborious. To help with this, the Git for Windows project has had an Azure Pipeline for several years already to automate submitting builds to Coverity Scan:

  https://dev.azure.com/git-for-windows/git/_build/index?definitionId=35

It is time to move this automation off of Azure Pipelines, and I thought that the Git project itself might as well benefit from this workflow.

Since Coverity build submissions require access (and a token to authenticate), this workflow is skipped by default. To enable it, the repository variable [https://docs.github.com/en/actions/learn-github-actions/variables] ENABLE_COVERITY_SCAN_FOR_BRANCHES needs to be added. Its value needs to be a JSON string array containing the branch names, e.g. ["master", "next"]. Further, two repository secrets [https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions] need to be set: COVERITY_SCAN_EMAIL and COVERITY_SCAN_TOKEN.

An example run in the Git for Windows project can be admired here:

  https://github.com/git-for-windows/git/actions/runs/6272393351/job/17033838405

To prove out that it would also work with the git Coverity project and when building on operating systems other than Windows, I added two throw-away commits disabling the actual submission of the build to Coverity Scan (and also the main.yml CI, to save on electrons) and pushed the branch to my fork. The ubuntu-latest run [https://github.com/dscho/git/actions/runs/6272014876/job/17032859462], the windows-latest run [https://github.com/dscho/git/actions/runs/6272014876/job/17032859234] and the macos-latest run [https://github.com/dscho/git/actions/runs/6272014876/job/17032710138] all worked as expected.

This patch series is based on that Azure Pipeline and the support code in https://github.com/git-for-windows/build-extra/blob/0e0b919073fb/please.sh#L835-L968, and is very loosely inspired by https://lore.kernel.org/git/4590e1381feb8962cadf2b40b22086531d662ef8.1692675172.git.me@xxxxxxxxxxxx/ (but you may not know it from comparing the patches because they look so vastly different).

The reason why this patch series is so different is quite sad, because I got very excited about the simplicity of using the GitHub Action vapier/coverity-scan-action. On paper, this Action looks really neat, but its implementation left me wanting, in particular because it does not even work (cov-configure must be called these days, and that Action simply does not, causing the entire build to fail), lacks support for Windows and macOS, fails to cache the Coverity Tool if the build fails for reasons unrelated to downloading & extracting the tool, and the activity in its issue tracker suggests to me that it is neither used nor maintained actively.

This patch series is based on v2.42.0, but would apply literally everywhere because it adds a new file and modifies no existing one.

Johannes Schindelin (6):
  ci: add a GitHub workflow to submit Coverity scans
  coverity: cache the Coverity Build Tool
  coverity: allow overriding the Coverity project
  coverity: support building on Windows
  coverity: allow running on macOS
  coverity: detect and report when the token or project is incorrect

 .github/workflows/coverity.yml | 159 +++++++++++++++++++++++++++++++++
 1 file changed, 159 insertions(+)
 create mode 100644 .github/workflows/coverity.yml

base-commit: 43c8a30d150ecede9709c1f2527c8fba92c65f40
Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-1588%2Fdscho%2Fcoverity-workflow-v1
Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-1588/dscho/coverity-workflow-v1
Pull-Request: https://github.com/gitgitgadget/git/pull/1588
--
gitgitgadget
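As an added illustration, not the coverity.yml from this series (whose contents are not reproduced above), here is the opt-in gate the cover letter describes: the job is skipped unless the repository variable ENABLE_COVERITY_SCAN_FOR_BRANCHES lists the branch being built, and the two secrets are checked before anything would be submitted. The job name, trigger, and the secret-check step are assumptions; the build and submission steps are left out.

```yaml
# Added example of the branch gate and secret check described in the cover
# letter. This is NOT the workflow file from the patch series; the job body is
# a stand-in that stops before any Coverity tooling is invoked.
name: Coverity

on:
  push:
    branches: ['**']

jobs:
  coverity:
    # Skipped by default: ENABLE_COVERITY_SCAN_FOR_BRANCHES is a repository
    # variable holding a JSON string array, e.g. ["master", "next"]. When the
    # variable is unset it evaluates to '', so the `|| '[]'` default keeps
    # fromJSON() from failing and the job is simply not run.
    if: >-
      contains(fromJSON(vars.ENABLE_COVERITY_SCAN_FOR_BRANCHES || '[]'),
               github.ref_name)
    runs-on: ubuntu-latest
    env:
      # Repository secrets; both are required to submit a build to Coverity Scan.
      COVERITY_SCAN_EMAIL: ${{ secrets.COVERITY_SCAN_EMAIL }}
      COVERITY_SCAN_TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
    steps:
      - uses: actions/checkout@v4
      # Fail early with a clear message rather than letting a missing secret
      # surface later as an opaque error from the scan service.
      - name: verify that the Coverity secrets are configured
        run: |
          test -n "$COVERITY_SCAN_EMAIL" || {
            echo "::error::repository secret COVERITY_SCAN_EMAIL is not set"
            exit 1
          }
          test -n "$COVERITY_SCAN_TOKEN" || {
            echo "::error::repository secret COVERITY_SCAN_TOKEN is not set"
            exit 1
          }
      # The real workflow would continue here: download and cache the Coverity
      # Build Tool, run cov-configure and cov-build, then submit the result.
```

On a branch not listed in the variable, or in a fork where the variable does not exist at all, the job shows as skipped rather than failed, which is the behaviour the cover letter calls "skipped by default".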