[1/2] github: add workflow to run Coverity scans

Message ID 20220218120042.32102-2-roger.pau@citrix.com (mailing list archive)
State New, archived
Series coverity: trigger scan as a github action

Commit Message

Roger Pau Monné Feb. 18, 2022, noon UTC
Add a workflow that performs a build like it's done by osstest
Coverity flight and uploads the result to Coverity for analysis. The
build process is exactly the same as the one currently used in
osstest, and it's also run at the same time (bi-weekly).

This has one big benefit over using osstest: we no longer have to care
about keeping the Coverity tools up to date in osstest.

Suggested-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
---
 .github/workflows/coverity.yml | 35 ++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 .github/workflows/coverity.yml

Comments

Andrew Cooper Feb. 18, 2022, 12:21 p.m. UTC | #1
On 18/02/2022 12:00, Roger Pau Monne wrote:
> Add a workflow that performs a build like it's done by osstest
> Coverity flight and uploads the result to Coverity for analysis. The
> build process is exactly the same as the one currently used in
> osstest, and it's also run at the same time (bi-weekly).
>
> This has one big benefit over using osstest: we no longer have to care
> about keeping the Coverity tools up to date in osstest.
>
> Suggested-by: Andrew Cooper <andrew.cooper3@citrix.com>
> Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
> ---
>  .github/workflows/coverity.yml | 35 ++++++++++++++++++++++++++++++++++
>  1 file changed, 35 insertions(+)
>  create mode 100644 .github/workflows/coverity.yml
>
> diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
> new file mode 100644
> index 0000000000..12fc9c782b
> --- /dev/null
> +++ b/.github/workflows/coverity.yml
> @@ -0,0 +1,35 @@
> +name: Coverity Scan
> +
> +# We only want to test official release code, not every pull request.
> +on:
> +  schedule:
> +    - cron: '18 9 * * WED,SUN' # Bi-weekly at 9:18 UTC
> +
> +jobs:
> +  coverity:
> +    runs-on: ubuntu-latest
> +    steps:
> +    - name: Install build dependencies
> +      run: |
> +        sudo apt-get install -y wget git bcc bin86 gawk bridge-utils \
> +          iproute2 libcurl4-openssl-dev bzip2 libpci-dev build-essential \
> +          make gcc libc6-dev libc6-dev-i386 linux-libc-dev zlib1g-dev \
> +          libncurses5-dev patch libvncserver-dev libssl-dev libsdl-dev iasl \
> +          libbz2-dev e2fslibs-dev git-core uuid-dev ocaml libx11-dev \
> +          ocaml-findlib xz-utils gettext libyajl-dev libpixman-1-dev \
> +          libaio-dev libfdt-dev cabextract libglib2.0-dev autoconf automake \
> +          libtool libfuse-dev liblzma-dev ninja-build \
> +          kpartx python3-dev python3-pip golang python-dev libsystemd-dev
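
Review bot: The install step in this hunk runs `sudo apt-get install -y ...` with no `apt-get update` before it, so the job depends on whatever package index the `ubuntu-latest` image shipped with and can fail on stale entries; run `sudo apt-get update` first in the same `run:` block. Because `runs-on: ubuntu-latest` moves to a newer release over time, names in this package list can stop resolving without any change to the file, so consider naming a fixed runner image instead.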

We dropped gettext as a dependency a few releases ago, and we don't need
python3-pip either.  Can fix on commit.

> +    - uses: actions/checkout@v2

I think we want

- uses: actions/checkout@v2
  with:
    ref: staging

Can also fix on commit.

Acked-by: Andrew Cooper <andrew.cooper3@citrix.com> (mainly because I
can see that Coverity has done the right thing with this.)

> +    - name: Configure Xen
> +      run: |
> +        ./configure
> +    - name: Pre build stuff
> +      run: |
> +        make -C tools/firmware/etherboot all && make mini-os-dir
> +    - uses: vapier/coverity-scan-action@v1
> +      with:
> +        command: make xen tools && make -C extras/mini-os/
> +        project: XenProject
> +        email: ${{ secrets.COVERITY_SCAN_EMAIL }}
> +        token: ${{ secrets.COVERITY_SCAN_TOKEN }}
Andrew Cooper Feb. 18, 2022, 12:23 p.m. UTC | #2
On 18/02/2022 12:21, Andrew Cooper wrote:
> On 18/02/2022 12:00, Roger Pau Monne wrote:
>> Add a workflow that performs a build like it's done by osstest
>> Coverity flight and uploads the result to Coverity for analysis. The
>> build process is exactly the same as the one currently used in
>> osstest, and it's also run at the same time (bi-weekly).
>>
>> This has one big benefit over using osstest: we no longer have to care
>> about keeping the Coverity tools up to date in osstest.
>>
>> Suggested-by: Andrew Cooper <andrew.cooper3@citrix.com>
>> Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
>> ---
>>  .github/workflows/coverity.yml | 35 ++++++++++++++++++++++++++++++++++
>>  1 file changed, 35 insertions(+)
>>  create mode 100644 .github/workflows/coverity.yml
>>
>> diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
>> new file mode 100644
>> index 0000000000..12fc9c782b
>> --- /dev/null
>> +++ b/.github/workflows/coverity.yml
>> @@ -0,0 +1,35 @@
>> +name: Coverity Scan
>> +
>> +# We only want to test official release code, not every pull request.
>> +on:
>> +  schedule:
>> +    - cron: '18 9 * * WED,SUN' # Bi-weekly at 9:18 UTC
>> +
>> +jobs:
>> +  coverity:
>> +    runs-on: ubuntu-latest
>> +    steps:
>> +    - name: Install build dependencies
>> +      run: |
>> +        sudo apt-get install -y wget git bcc bin86 gawk bridge-utils \
>> +          iproute2 libcurl4-openssl-dev bzip2 libpci-dev build-essential \
>> +          make gcc libc6-dev libc6-dev-i386 linux-libc-dev zlib1g-dev \
>> +          libncurses5-dev patch libvncserver-dev libssl-dev libsdl-dev iasl \
>> +          libbz2-dev e2fslibs-dev git-core uuid-dev ocaml libx11-dev \
>> +          ocaml-findlib xz-utils gettext libyajl-dev libpixman-1-dev \
>> +          libaio-dev libfdt-dev cabextract libglib2.0-dev autoconf automake \
>> +          libtool libfuse-dev liblzma-dev ninja-build \
>> +          kpartx python3-dev python3-pip golang python-dev libsystemd-dev
> We dropped gettext as a dependency a few releases ago, and we don't need
> python3-pip either.  Can fix on commit.
>
>> +    - uses: actions/checkout@v2
> I think we want
>
> - uses: actions/checkout@v2
>   with:
>     ref: staging
>
> Can also fix on commit.
>
> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com> (mainly because I
> can see that Coverity has done the right thing with this.)
>
>> +    - name: Configure Xen
>> +      run: |
>> +        ./configure

On second thoughts, we can probably --disable-docs here, because it's
just wasted processing time when all we care about is the C.

~Andrew
Roger Pau Monné Feb. 18, 2022, 12:27 p.m. UTC | #3
On Fri, Feb 18, 2022 at 12:21:34PM +0000, Andrew Cooper wrote:
> On 18/02/2022 12:00, Roger Pau Monne wrote:
> > Add a workflow that performs a build like it's done by osstest
> > Coverity flight and uploads the result to Coverity for analysis. The
> > build process is exactly the same as the one currently used in
> > osstest, and it's also run at the same time (bi-weekly).
> >
> > This has one big benefit over using osstest: we no longer have to care
> > about keeping the Coverity tools up to date in osstest.
> >
> > Suggested-by: Andrew Cooper <andrew.cooper3@citrix.com>
> > Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
> > ---
> >  .github/workflows/coverity.yml | 35 ++++++++++++++++++++++++++++++++++
> >  1 file changed, 35 insertions(+)
> >  create mode 100644 .github/workflows/coverity.yml
> >
> > diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
> > new file mode 100644
> > index 0000000000..12fc9c782b
> > --- /dev/null
> > +++ b/.github/workflows/coverity.yml
> > @@ -0,0 +1,35 @@
> > +name: Coverity Scan
> > +
> > +# We only want to test official release code, not every pull request.
> > +on:
> > +  schedule:
> > +    - cron: '18 9 * * WED,SUN' # Bi-weekly at 9:18 UTC
> > +
> > +jobs:
> > +  coverity:
> > +    runs-on: ubuntu-latest
> > +    steps:
> > +    - name: Install build dependencies
> > +      run: |
> > +        sudo apt-get install -y wget git bcc bin86 gawk bridge-utils \
> > +          iproute2 libcurl4-openssl-dev bzip2 libpci-dev build-essential \
> > +          make gcc libc6-dev libc6-dev-i386 linux-libc-dev zlib1g-dev \
> > +          libncurses5-dev patch libvncserver-dev libssl-dev libsdl-dev iasl \
> > +          libbz2-dev e2fslibs-dev git-core uuid-dev ocaml libx11-dev \
> > +          ocaml-findlib xz-utils gettext libyajl-dev libpixman-1-dev \
> > +          libaio-dev libfdt-dev cabextract libglib2.0-dev autoconf automake \
> > +          libtool libfuse-dev liblzma-dev ninja-build \
> > +          kpartx python3-dev python3-pip golang python-dev libsystemd-dev
> 
> We dropped gettext as a dependency a few releases ago, and we don't need
> python3-pip either.  Can fix on commit.
> 
> > +    - uses: actions/checkout@v2
> 
> I think we want
> 
> - uses: actions/checkout@v2
>   with:
>     ref: staging

I've assumed we wanted master as that's at least functional per the
testing done in osstest. But maybe it's indeed better to use staging
in order to catch issues before they reach master.

I'm fine with this.

Thanks, Roger.
Andrew Cooper Feb. 18, 2022, 12:58 p.m. UTC | #4
On 18/02/2022 12:27, Roger Pau Monne wrote:
> On Fri, Feb 18, 2022 at 12:21:34PM +0000, Andrew Cooper wrote:
>> On 18/02/2022 12:00, Roger Pau Monne wrote:
>>> Add a workflow that performs a build like it's done by osstest
>>> Coverity flight and uploads the result to Coverity for analysis. The
>>> build process is exactly the same as the one currently used in
>>> osstest, and it's also run at the same time (bi-weekly).
>>>
>>> This has one big benefit over using osstest: we no longer have to care
>>> about keeping the Coverity tools up to date in osstest.
>>>
>>> Suggested-by: Andrew Cooper <andrew.cooper3@citrix.com>
>>> Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
>>> ---
>>>  .github/workflows/coverity.yml | 35 ++++++++++++++++++++++++++++++++++
>>>  1 file changed, 35 insertions(+)
>>>  create mode 100644 .github/workflows/coverity.yml
>>>
>>> diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
>>> new file mode 100644
>>> index 0000000000..12fc9c782b
>>> --- /dev/null
>>> +++ b/.github/workflows/coverity.yml
>>> @@ -0,0 +1,35 @@
>>> +name: Coverity Scan
>>> +
>>> +# We only want to test official release code, not every pull request.
>>> +on:
>>> +  schedule:
>>> +    - cron: '18 9 * * WED,SUN' # Bi-weekly at 9:18 UTC
>>> +
>>> +jobs:
>>> +  coverity:
>>> +    runs-on: ubuntu-latest
>>> +    steps:
>>> +    - name: Install build dependencies
>>> +      run: |
>>> +        sudo apt-get install -y wget git bcc bin86 gawk bridge-utils \
>>> +          iproute2 libcurl4-openssl-dev bzip2 libpci-dev build-essential \
>>> +          make gcc libc6-dev libc6-dev-i386 linux-libc-dev zlib1g-dev \
>>> +          libncurses5-dev patch libvncserver-dev libssl-dev libsdl-dev iasl \
>>> +          libbz2-dev e2fslibs-dev git-core uuid-dev ocaml libx11-dev \
>>> +          ocaml-findlib xz-utils gettext libyajl-dev libpixman-1-dev \
>>> +          libaio-dev libfdt-dev cabextract libglib2.0-dev autoconf automake \
>>> +          libtool libfuse-dev liblzma-dev ninja-build \
>>> +          kpartx python3-dev python3-pip golang python-dev libsystemd-dev
>> We dropped gettext as a dependency a few releases ago, and we don't need
>> python3-pip either.  Can fix on commit.
>>
>>> +    - uses: actions/checkout@v2
>> I think we want
>>
>> - uses: actions/checkout@v2
>>   with:
>>     ref: staging
> I've assumed we wanted master as that's at least functional per the
> testing done in osstest. But maybe it's indeed better to use staging
> in order to catch issues before they reach master.

IIRC, OSSTest has Coverity following smoke, but these days we're far
better at not breaking the build now that Gitlab CI is in place.

But it might be prudent to check that if the build fails, we don't
submit a partial result to Coverity.

The difference between staging and master is purely how early we get the
report.

~Andrew
Roger Pau Monné Feb. 18, 2022, 1:36 p.m. UTC | #5
On Fri, Feb 18, 2022 at 12:23:47PM +0000, Andrew Cooper wrote:
> On 18/02/2022 12:21, Andrew Cooper wrote:
> > On 18/02/2022 12:00, Roger Pau Monne wrote:
> >> Add a workflow that performs a build like it's done by osstest
> >> Coverity flight and uploads the result to Coverity for analysis. The
> >> build process is exactly the same as the one currently used in
> >> osstest, and it's also run at the same time (bi-weekly).
> >>
> >> This has one big benefit over using osstest: we no longer have to care
> >> about keeping the Coverity tools up to date in osstest.
> >>
> >> Suggested-by: Andrew Cooper <andrew.cooper3@citrix.com>
> >> Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
> >> ---
> >>  .github/workflows/coverity.yml | 35 ++++++++++++++++++++++++++++++++++
> >>  1 file changed, 35 insertions(+)
> >>  create mode 100644 .github/workflows/coverity.yml
> >>
> >> diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
> >> new file mode 100644
> >> index 0000000000..12fc9c782b
> >> --- /dev/null
> >> +++ b/.github/workflows/coverity.yml
> >> @@ -0,0 +1,35 @@
> >> +name: Coverity Scan
> >> +
> >> +# We only want to test official release code, not every pull request.
> >> +on:
> >> +  schedule:
> >> +    - cron: '18 9 * * WED,SUN' # Bi-weekly at 9:18 UTC
> >> +
> >> +jobs:
> >> +  coverity:
> >> +    runs-on: ubuntu-latest
> >> +    steps:
> >> +    - name: Install build dependencies
> >> +      run: |
> >> +        sudo apt-get install -y wget git bcc bin86 gawk bridge-utils \
> >> +          iproute2 libcurl4-openssl-dev bzip2 libpci-dev build-essential \
> >> +          make gcc libc6-dev libc6-dev-i386 linux-libc-dev zlib1g-dev \
> >> +          libncurses5-dev patch libvncserver-dev libssl-dev libsdl-dev iasl \
> >> +          libbz2-dev e2fslibs-dev git-core uuid-dev ocaml libx11-dev \
> >> +          ocaml-findlib xz-utils gettext libyajl-dev libpixman-1-dev \
> >> +          libaio-dev libfdt-dev cabextract libglib2.0-dev autoconf automake \
> >> +          libtool libfuse-dev liblzma-dev ninja-build \
> >> +          kpartx python3-dev python3-pip golang python-dev libsystemd-dev
> > We dropped gettext as a dependency a few releases ago, and we don't need
> > python3-pip either.  Can fix on commit.
> >
> >> +    - uses: actions/checkout@v2
> > I think we want
> >
> > - uses: actions/checkout@v2
> >   with:
> >     ref: staging
> >
> > Can also fix on commit.
> >
> > Acked-by: Andrew Cooper <andrew.cooper3@citrix.com> (mainly because I
> > can see that Coverity has done the right thing with this.)
> >
> >> +    - name: Configure Xen
> >> +      run: |
> >> +        ./configure
> 
> On second thoughts, we can probably --disable-docs here, because it's
> just wasted processing time when all we care about is the C.

We do not build the docs already, because the build command is `make
xen tools`.

Thanks, Roger.
Brian Olson Feb. 18, 2022, 1:38 p.m. UTC | #6
Can someone please tell me how to remove my email account from this 
list? Thank you.

On 2/18/22 07:36, Roger Pau Monné wrote:
> On Fri, Feb 18, 2022 at 12:23:47PM +0000, Andrew Cooper wrote:
>> On 18/02/2022 12:21, Andrew Cooper wrote:
>>> On 18/02/2022 12:00, Roger Pau Monne wrote:
>>>> Add a workflow that performs a build like it's done by osstest
>>>> Coverity flight and uploads the result to Coverity for analysis. The
>>>> build process is exactly the same as the one currently used in
>>>> osstest, and it's also run at the same time (bi-weekly).
>>>>
>>>> This has one big benefit over using osstest: we no longer have to care
>>>> about keeping the Coverity tools up to date in osstest.
>>>>
>>>> Suggested-by: Andrew Cooper <andrew.cooper3@citrix.com>
>>>> Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
>>>> ---
>>>>   .github/workflows/coverity.yml | 35 ++++++++++++++++++++++++++++++++++
>>>>   1 file changed, 35 insertions(+)
>>>>   create mode 100644 .github/workflows/coverity.yml
>>>>
>>>> diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
>>>> new file mode 100644
>>>> index 0000000000..12fc9c782b
>>>> --- /dev/null
>>>> +++ b/.github/workflows/coverity.yml
>>>> @@ -0,0 +1,35 @@
>>>> +name: Coverity Scan
>>>> +
>>>> +# We only want to test official release code, not every pull request.
>>>> +on:
>>>> +  schedule:
>>>> +    - cron: '18 9 * * WED,SUN' # Bi-weekly at 9:18 UTC
>>>> +
>>>> +jobs:
>>>> +  coverity:
>>>> +    runs-on: ubuntu-latest
>>>> +    steps:
>>>> +    - name: Install build dependencies
>>>> +      run: |
>>>> +        sudo apt-get install -y wget git bcc bin86 gawk bridge-utils \
>>>> +          iproute2 libcurl4-openssl-dev bzip2 libpci-dev build-essential \
>>>> +          make gcc libc6-dev libc6-dev-i386 linux-libc-dev zlib1g-dev \
>>>> +          libncurses5-dev patch libvncserver-dev libssl-dev libsdl-dev iasl \
>>>> +          libbz2-dev e2fslibs-dev git-core uuid-dev ocaml libx11-dev \
>>>> +          ocaml-findlib xz-utils gettext libyajl-dev libpixman-1-dev \
>>>> +          libaio-dev libfdt-dev cabextract libglib2.0-dev autoconf automake \
>>>> +          libtool libfuse-dev liblzma-dev ninja-build \
>>>> +          kpartx python3-dev python3-pip golang python-dev libsystemd-dev
>>> We dropped gettext as a dependency a few releases ago, and we don't need
>>> python3-pip either.  Can fix on commit.
>>>
>>>> +    - uses: actions/checkout@v2
>>> I think we want
>>>
>>> - uses: actions/checkout@v2
>>>    with:
>>>      ref: staging
>>>
>>> Can also fix on commit.
>>>
>>> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com> (mainly because I
>>> can see that Coverity has done the right thing with this.)
>>>
>>>> +    - name: Configure Xen
>>>> +      run: |
>>>> +        ./configure
>> On second thoughts, we can probably --disable-docs here, because it's
>> just wasted processing time when all we care about is the C.
> We do not build the docs already, because the build command is `make
> xen tools`.
>
> Thanks, Roger.
>
Andrew Cooper Feb. 18, 2022, 2:04 p.m. UTC | #7
On 18/02/2022 13:38, Brian Olson wrote:
> Can someone please tell me how to remove my email account from this
> list? Thank you.

Use https://lists.xenproject.org/mailman/listinfo/xen-devel to unsubscribe.

~Andrew
Andrew Cooper Feb. 18, 2022, 2:04 p.m. UTC | #8
On 18/02/2022 13:36, Roger Pau Monne wrote:
> On Fri, Feb 18, 2022 at 12:23:47PM +0000, Andrew Cooper wrote:
>> On 18/02/2022 12:21, Andrew Cooper wrote:
>>> On 18/02/2022 12:00, Roger Pau Monne wrote:
>>>> Add a workflow that performs a build like it's done by osstest
>>>> Coverity flight and uploads the result to Coverity for analysis. The
>>>> build process is exactly the same as the one currently used in
>>>> osstest, and it's also run at the same time (bi-weekly).
>>>>
>>>> This has one big benefit over using osstest: we no longer have to care
>>>> about keeping the Coverity tools up to date in osstest.
>>>>
>>>> Suggested-by: Andrew Cooper <andrew.cooper3@citrix.com>
>>>> Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
>>>> ---
>>>>  .github/workflows/coverity.yml | 35 ++++++++++++++++++++++++++++++++++
>>>>  1 file changed, 35 insertions(+)
>>>>  create mode 100644 .github/workflows/coverity.yml
>>>>
>>>> diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
>>>> new file mode 100644
>>>> index 0000000000..12fc9c782b
>>>> --- /dev/null
>>>> +++ b/.github/workflows/coverity.yml
>>>> @@ -0,0 +1,35 @@
>>>> +name: Coverity Scan
>>>> +
>>>> +# We only want to test official release code, not every pull request.
>>>> +on:
>>>> +  schedule:
>>>> +    - cron: '18 9 * * WED,SUN' # Bi-weekly at 9:18 UTC
>>>> +
>>>> +jobs:
>>>> +  coverity:
>>>> +    runs-on: ubuntu-latest
>>>> +    steps:
>>>> +    - name: Install build dependencies
>>>> +      run: |
>>>> +        sudo apt-get install -y wget git bcc bin86 gawk bridge-utils \
>>>> +          iproute2 libcurl4-openssl-dev bzip2 libpci-dev build-essential \
>>>> +          make gcc libc6-dev libc6-dev-i386 linux-libc-dev zlib1g-dev \
>>>> +          libncurses5-dev patch libvncserver-dev libssl-dev libsdl-dev iasl \
>>>> +          libbz2-dev e2fslibs-dev git-core uuid-dev ocaml libx11-dev \
>>>> +          ocaml-findlib xz-utils gettext libyajl-dev libpixman-1-dev \
>>>> +          libaio-dev libfdt-dev cabextract libglib2.0-dev autoconf automake \
>>>> +          libtool libfuse-dev liblzma-dev ninja-build \
>>>> +          kpartx python3-dev python3-pip golang python-dev libsystemd-dev
>>> We dropped gettext as a dependency a few releases ago, and we don't need
>>> python3-pip either.  Can fix on commit.
>>>
>>>> +    - uses: actions/checkout@v2
>>> I think we want
>>>
>>> - uses: actions/checkout@v2
>>>   with:
>>>     ref: staging
>>>
>>> Can also fix on commit.
>>>
>>> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com> (mainly because I
>>> can see that Coverity has done the right thing with this.)
>>>
>>>> +    - name: Configure Xen
>>>> +      run: |
>>>> +        ./configure
>> On second thoughts, we can probably --disable-docs here, because it's
>> just wasted processing time when all we care about is the C.
> We do not build the docs already, because the build command is `make
> xen tools`.
>
> Thanks, Roger.

Good point.

~Andrew

Patch

diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
new file mode 100644
index 0000000000..12fc9c782b
--- /dev/null
+++ b/.github/workflows/coverity.yml
@@ -0,0 +1,35 @@ 
+name: Coverity Scan
+
+# We only want to test official release code, not every pull request.
+on:
+  schedule:
+    - cron: '18 9 * * WED,SUN' # Bi-weekly at 9:18 UTC
+
+jobs:
+  coverity:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Install build dependencies
+      run: |
+        sudo apt-get install -y wget git bcc bin86 gawk bridge-utils \
+          iproute2 libcurl4-openssl-dev bzip2 libpci-dev build-essential \
+          make gcc libc6-dev libc6-dev-i386 linux-libc-dev zlib1g-dev \
+          libncurses5-dev patch libvncserver-dev libssl-dev libsdl-dev iasl \
+          libbz2-dev e2fslibs-dev git-core uuid-dev ocaml libx11-dev \
+          ocaml-findlib xz-utils gettext libyajl-dev libpixman-1-dev \
+          libaio-dev libfdt-dev cabextract libglib2.0-dev autoconf automake \
+          libtool libfuse-dev liblzma-dev ninja-build \
+          kpartx python3-dev python3-pip golang python-dev libsystemd-dev
+    - uses: actions/checkout@v2
+    - name: Configure Xen
+      run: |
+        ./configure
+    - name: Pre build stuff
+      run: |
+        make -C tools/firmware/etherboot all && make mini-os-dir
+    - uses: vapier/coverity-scan-action@v1
+      with:
+        command: make xen tools && make -C extras/mini-os/
+        project: XenProject
+        email: ${{ secrets.COVERITY_SCAN_EMAIL }}
+        token: ${{ secrets.COVERITY_SCAN_TOKEN }}
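
Review bot: The final step hands `secrets.COVERITY_SCAN_TOKEN` and `secrets.COVERITY_SCAN_EMAIL` to `vapier/coverity-scan-action@v1`, a third-party action referenced by a mutable tag, so whatever `v1` points to at run time executes with the token; pin it (and `actions/checkout@v2`) to a full commit SHA and move the pin deliberately. The workflow also has no `permissions:` key, so the job's GITHUB_TOKEN takes the repository default; the steps shown only read the tree, so a top-level `permissions:` with `contents: read` would keep the token to what the job needs.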