TO-DROP: do not run the regular CI #7
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Coverity | |
| # This GitHub workflow automates submitting builds to Coverity Scan. To enable it, | |
| # set the repository variable `ENABLE_COVERITY_SCAN_FOR_BRANCHES` (for details, see | |
| # https://docs.github.com/en/actions/learn-github-actions/variables) to a JSON | |
| # string array containing the names of the branches for which the workflow should be | |
| # run, e.g. `["main", "next"]`. | |
| # | |
| # In addition, two repository secrets must be set (for details how to add secrets, see | |
| # https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions): | |
| # `COVERITY_SCAN_EMAIL` and `COVERITY_SCAN_TOKEN`. The former specifies the | |
| # email to which the Coverity reports should be sent and the latter can be | |
| # obtained from the Project Settings tab of the Coverity project). | |
| # | |
| # The workflow runs on `ubuntu-latest` by default. This can be overridden by setting | |
| # the repository variable `ENABLE_COVERITY_SCAN_ON_OS` to a JSON string array specifying | |
| # the operating systems, e.g. `["ubuntu-latest", "windows-latest"]`. | |
| # | |
| # By default, the builds are submitted to the Coverity project `git`. To override this, | |
| # set the repository variable `COVERITY_PROJECT`. | |
| on: | |
| push: | |
| defaults: | |
| run: | |
| shell: bash | |
| jobs: | |
| coverity: | |
| if: contains(fromJSON(vars.ENABLE_COVERITY_SCAN_FOR_BRANCHES || '[""]'), github.ref_name) | |
| strategy: | |
| matrix: | |
| os: ${{ fromJSON(vars.ENABLE_COVERITY_SCAN_ON_OS || '["ubuntu-latest"]') }} | |
| runs-on: ${{ matrix.os }} | |
| env: | |
| COVERITY_PROJECT: ${{ vars.COVERITY_PROJECT || 'git' }} | |
| COVERITY_LANGUAGE: cxx | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: install minimal Git for Windows SDK | |
| if: contains(matrix.os, 'windows') | |
| uses: git-for-windows/setup-git-for-windows-sdk@v1 | |
| - run: ci/install-dependencies.sh | |
| if: contains(matrix.os, 'ubuntu') || contains(matrix.os, 'macos') | |
| env: | |
| runs_on_pool: ${{ matrix.os }} | |
| - name: debug with tmate | |
| uses: mxschmitt/action-tmate@v3 | |
| with: | |
| detached: true | |
| # The Coverity site says the tool is usually updated twice yearly, so the | |
| # MD5 of download can be used to determine whether there's been an update. | |
| - name: get the Coverity Build Tool hash | |
| id: lookup | |
| run: | | |
| case "${{ matrix.os }}" in | |
| *windows*) | |
| COVERITY_PLATFORM=win64 | |
| COVERITY_TOOL_FILENAME=cov-analysis.zip | |
| MAKEFLAGS=-j$(nproc) | |
| ;; | |
| *macos*) | |
| COVERITY_PLATFORM=macOSX | |
| COVERITY_TOOL_FILENAME=cov-analysis.dmg | |
| MAKEFLAGS=-j$(sysctl -n hw.physicalcpu) | |
| ;; | |
| *ubuntu*) | |
| COVERITY_PLATFORM=linux64 | |
| COVERITY_TOOL_FILENAME=cov-analysis.tgz | |
| MAKEFLAGS=-j$(nproc) | |
| ;; | |
| *) | |
| echo '::error::unhandled OS ${{ matrix.os }}' >&2 | |
| exit 1 | |
| ;; | |
| esac | |
| echo "COVERITY_PLATFORM=$COVERITY_PLATFORM" >>$GITHUB_ENV | |
| echo "COVERITY_TOOL_FILENAME=$COVERITY_TOOL_FILENAME" >>$GITHUB_ENV | |
| echo "MAKEFLAGS=$MAKEFLAGS" >>$GITHUB_ENV | |
| MD5=$(curl https://scan.coverity.com/download/$COVERITY_LANGUAGE/$COVERITY_PLATFORM \ | |
| -D "$RUNNER_TEMP"/headers.txt \ | |
| --data "token=${{ secrets.COVERITY_SCAN_TOKEN }}&project=$COVERITY_PROJECT&md5=1") | |
| http_code="$(sed -n 1p <"$RUNNER_TEMP"/headers.txt)" | |
| case "$http_code" in | |
| *200*) ;; # okay | |
| *401*) # access denied | |
| echo "::error::incorrect token or project? ($http_code)" >&2 | |
| exit 1 | |
| ;; | |
| *) # other error | |
| echo "::error::HTTP error $http_code" >&2 | |
| exit 1 | |
| ;; | |
| esac | |
| echo "hash=$MD5" >>$GITHUB_OUTPUT | |
| # Try to cache the tool to avoid downloading 1GB+ on every run. | |
| # A cache miss will add ~30s to create, but a cache hit will save minutes. | |
| - name: restore the Coverity Build Tool | |
| id: cache | |
| uses: actions/cache/restore@v3 | |
| with: | |
| path: ${{ runner.temp }}/cov-analysis | |
| key: cov-build-${{ env.COVERITY_LANGUAGE }}-${{ env.COVERITY_PLATFORM }}-${{ steps.lookup.outputs.hash }} | |
| - name: download the Coverity Build Tool (${{ env.COVERITY_LANGUAGE }} / ${{ env.COVERITY_PLATFORM}}) | |
| if: steps.cache.outputs.cache-hit != 'true' | |
| run: | | |
| curl https://scan.coverity.com/download/$COVERITY_LANGUAGE/$COVERITY_PLATFORM \ | |
| --no-progress-meter \ | |
| --output $RUNNER_TEMP/$COVERITY_TOOL_FILENAME \ | |
| --data "token=${{ secrets.COVERITY_SCAN_TOKEN }}&project=$COVERITY_PROJECT" | |
| - name: extract the Coverity Build Tool | |
| if: steps.cache.outputs.cache-hit != 'true' | |
| run: | | |
| case "$COVERITY_TOOL_FILENAME" in | |
| *.tgz) | |
| mkdir $RUNNER_TEMP/cov-analysis && | |
| tar -xzf $RUNNER_TEMP/$COVERITY_TOOL_FILENAME --strip 1 -C $RUNNER_TEMP/cov-analysis | |
| ;; | |
| *.dmg) | |
| cd $RUNNER_TEMP && | |
| attach="$(hdiutil attach $COVERITY_TOOL_FILENAME)" && | |
| volume="$(echo "$attach" | cut -f 3 | grep /Volumes/)" && | |
| mkdir cov-analysis && | |
| cd cov-analysis && | |
| sh "$volume"/cov-analysis-macosx-*.sh && | |
| ls -l && | |
| hdiutil detach "$volume" | |
| ;; | |
| *.zip) | |
| cd $RUNNER_TEMP && | |
| mkdir cov-analysis-tmp && | |
| unzip -d cov-analysis-tmp $COVERITY_TOOL_FILENAME && | |
| mv cov-analysis-tmp/* cov-analysis | |
| ;; | |
| *) | |
| echo "::error::unhandled archive type: $COVERITY_TOOL_FILENAME" >&2 | |
| exit 1 | |
| ;; | |
| esac | |
| - name: cache the Coverity Build Tool | |
| if: steps.cache.outputs.cache-hit != 'true' | |
| uses: actions/cache/save@v3 | |
| with: | |
| path: ${{ runner.temp }}/cov-analysis | |
| key: cov-build-${{ env.COVERITY_LANGUAGE }}-${{ env.COVERITY_PLATFORM }}-${{ steps.lookup.outputs.hash }} | |
| - name: build with cov-build | |
| run: | | |
| export PATH="$RUNNER_TEMP/cov-analysis/bin:$PATH" && | |
| cov-configure --gcc && | |
| cov-build --dir cov-int make | |
| - name: package the build | |
| run: tar -czvf cov-int.tgz cov-int | |
| - name: submit the build to Coverity Scan | |
| run: | | |
| echo curl \ | |
| --form token="${{ secrets.COVERITY_SCAN_TOKEN }}" \ | |
| --form email="${{ secrets.COVERITY_SCAN_EMAIL }}" \ | |
| --form [email protected] \ | |
| --form version="${{ github.sha }}" \ | |
| "https://scan.coverity.com/builds?project=$COVERITY_PROJECT" |