From patchwork Mon Sep 25 11:50:57 2023
X-Patchwork-Submitter: Johannes Schindelin
X-Patchwork-Id: 13397678
Message-ID: <46fb6b583d362e0984fdee337650ac81d3b7c09e.1695642662.git.gitgitgadget@gmail.com>
Date: Mon, 25 Sep 2023 11:50:57 +0000
Subject: [PATCH v2 1/6] ci: add a GitHub workflow to submit Coverity scans
To: git@vger.kernel.org
Cc: Jeff King, Johannes Schindelin
From: Johannes Schindelin
Coverity is a static analysis tool that detects and generates reports on
various security and code quality issues. It is particularly useful when
diagnosing memory safety issues which may be used as part of exploiting
a security vulnerability.

Coverity's website provides a service that accepts "builds" (which
contain the object files generated during a standard build as well as a
database generated by Coverity's scan tool).

Let's add a GitHub workflow to automate all of this.

To avoid running it without appropriate Coverity configuration (e.g. the
token required to use Coverity's services), the job only runs when the
repository variable "ENABLE_COVERITY_SCAN_FOR_BRANCHES" has been
configured accordingly (see
https://docs.github.com/en/actions/learn-github-actions/variables for
details on how to configure repository variables): It is expected to be
a valid JSON array of branch strings, e.g. `["main", "next"]`.

In addition, this workflow requires two repository secrets:

- COVERITY_SCAN_EMAIL: the email to send the report to, and
- COVERITY_SCAN_TOKEN: the Coverity token (look in the Project Settings
  tab of your Coverity project).

Note: The initial version of this patch used `vapier/coverity-scan-action`
to benefit from that Action's caching of the Coverity tool, which is
rather large. Sadly, that Action only supports Linux, and we want to have
the option of building on Windows, too. Besides, in the meantime Coverity
requires `cov-configure` to be run, and that Action was not adjusted
accordingly, i.e. it seems not to be maintained actively. Therefore it
would seem prudent to implement the steps manually instead of using that
Action.

Initial-patch-by: Taylor Blau
Signed-off-by: Johannes Schindelin
---
 .github/workflows/coverity.yml | 58 ++++++++++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)
 create mode 100644 .github/workflows/coverity.yml
diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml new file mode 100644 index 00000000000..d8d1e328578 --- /dev/null +++ b/.github/workflows/coverity.yml 
@@ -0,0 +1,58 @@ +name: Coverity + +# This GitHub workflow automates submitting builds to Coverity Scan. To enable it, +# set the repository variable `ENABLE_COVERITY_SCAN_FOR_BRANCHES` (for details, see +# https://docs.github.com/en/actions/learn-github-actions/variables) to a JSON +# string array containing the names of the branches for which the workflow should be +# run, e.g. `["main", "next"]`. +# +# In addition, two repository secrets must be set (for details how to add secrets, see +# https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions): +# `COVERITY_SCAN_EMAIL` and `COVERITY_SCAN_TOKEN`. The former specifies the +# email to which the Coverity reports should be sent and the latter can be +# obtained from the Project Settings tab of the Coverity project). + +on: + push: + +jobs: + coverity: + if: contains(fromJSON(vars.ENABLE_COVERITY_SCAN_FOR_BRANCHES || '[""]'), github.ref_name) + runs-on: ubuntu-latest + env: + COVERITY_PROJECT: git + COVERITY_LANGUAGE: cxx + COVERITY_PLATFORM: linux64 + steps: + - uses: actions/checkout@v3 + - run: ci/install-dependencies.sh + env: + runs_on_pool: ubuntu-latest + + - name: download the Coverity Build Tool (${{ env.COVERITY_LANGUAGE }} / ${{ env.COVERITY_PLATFORM}}) + run: | + curl https://scan.coverity.com/download/$COVERITY_LANGUAGE/$COVERITY_PLATFORM \ + --fail --no-progress-meter \ + --output $RUNNER_TEMP/cov-analysis.tgz \ + --form token='${{ secrets.COVERITY_SCAN_TOKEN }}' \ + --form project="$COVERITY_PROJECT" + - name: extract the Coverity Build Tool + run: | + mkdir $RUNNER_TEMP/cov-analysis && + tar -xzf $RUNNER_TEMP/cov-analysis.tgz --strip 1 -C $RUNNER_TEMP/cov-analysis + - name: build with cov-build + run: | + export PATH="$RUNNER_TEMP/cov-analysis/bin:$PATH" && + cov-configure --gcc && + cov-build --dir cov-int make -j$(nproc) + - name: package the build + run: tar -czvf cov-int.tgz cov-int + - name: submit the build to Coverity Scan + run: | + curl \ + --fail \ + --form 
token='${{ secrets.COVERITY_SCAN_TOKEN }}' \ + --form email='${{ secrets.COVERITY_SCAN_EMAIL }}' \ + --form file=@cov-int.tgz \ + --form version='${{ github.sha }}' \ + "https://scan.coverity.com/builds?project=$COVERITY_PROJECT"
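Review bot: in the "download the Coverity Build Tool" and "extract the Coverity Build Tool" steps, the cov-analysis.tgz archive fetched from scan.coverity.com is unpacked and its `cov-configure` and `cov-build` binaries are then executed on the runner with no integrity check beyond the TLS connection and curl's `--fail`; if Coverity publishes a checksum for that download, verifying it before the `tar -xzf` step would let the job fail closed on a truncated or tampered archive rather than building with it. Two smaller points in the same hunk: the header comment's "the Coverity project)." has a stray closing parenthesis, and `${{ env.COVERITY_PLATFORM}}` in the download step name is missing the space before `}}` (harmless, but inconsistent with `${{ env.COVERITY_LANGUAGE }}` right beside it).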