CI: Overhaul Coverity Scan (OSGeo#3566)

This attempts to fix the problems with the previously submitted Coverity Scanning action. Basic building functionality is borrowed from our ubuntu.yml, and Coverity functionality is borrowed from PROJ's coverity-scan.yml. The needed secrets are COVERITY_PASSPHRASE (the token used to submit builds) and COVERITY_USER (user email). --------- Co-authored-by: Nicklas Larsson <n_larsson@yahoo.com>
nilason · Apr 9, 2024 · 88f73e2 · 88f73e2
1 parent e61e86a
commit 88f73e2
Showing 1 changed file with 61 additions and 13 deletions.
diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
@@ -4,18 +4,66 @@ on:
   schedule:
     - cron: '48 5 * * *' # Run at 05:48
     # Coverity will let GRASS do a scan a maximum of twice per day, so this schedule will help GRASS fit within that limit with some additional space for manual runs
-
+permissions:
+  contents: read
+  # action based off of https://github.com/OSGeo/PROJ/blob/905c9a6c2da3dc6b7aa2c89d3ab78d9d1a9cd070/.github/workflows/coverity-scan.yml
 jobs:
-  build:
-    runs-on: [ ubuntu-latest ]
+  coverity:
+    runs-on: ubuntu-22.04
+    if: github.repository == 'OSGeo/grass'
     steps:
-      - name: Checkout Source
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - name: Coverity Scan
-        uses: synopsys-sig/synopsys-action@cef5e38596faf5d2787bbff78a5d7255a9f7682b # v1.8.0
-        with:
-          ### SCANNING: Required fields
-          coverity_url: ${{ secrets.COVERITY_URL }}               # The URL to Coverity
-          coverity_user: ${{ secrets.COVERITY_USER }}             # The user for the Coverity project
-          coverity_passphrase: ${{ secrets.COVERITY_PASSPHRASE }} # The password for the Coverity user
-          coverity_version: '2023.6.2'                            # The version for Coverity Scan
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Get dependencies
+        run: |
+          sudo apt-get update -y
+          sudo apt-get install -y wget git gawk findutils
+          xargs -a <(awk '! /^ *(#|$)/' ".github/workflows/apt.txt") -r -- \
+              sudo apt-get install -y --no-install-recommends --no-install-suggests
+      - name: Create installation directory
+        run: |
+          mkdir $HOME/install
+          
+      - name: Download Coverity Build Tool
+        run: |
+          wget -q https://scan.coverity.com/download/cxx/linux64 --post-data "token=$TOKEN&project=grass" -O cov-analysis-linux64.tar.gz
+          mkdir cov-analysis-linux64
+          tar xzf cov-analysis-linux64.tar.gz --strip 1 -C cov-analysis-linux64
+        env:
+          TOKEN: ${{ secrets.COVERITY_PASSPHRASE }}
+      - name: Set number of cores for compilation
+        run: |
+          echo "MAKEFLAGS=-j$(nproc)" >> $GITHUB_ENV
+
+      - name: Set LD_LIBRARY_PATH for compilation
+        run: |
+          echo "LD_LIBRARY_PATH=$HOME/install/lib" >> $GITHUB_ENV
+
+      - name: Print build environment variables
+        run: |
+          printenv | sort
+          gcc --version
+          ldd --version
+      - name: Build with cov-build
+        env:
+          CFLAGS: -fPIC -Wvla
+          CXXFLAGS: -fPIC
+        run: |
+          pwd
+          export PATH=`pwd`/cov-analysis-linux64/bin:$PATH
+          cov-build --dir cov-int .github/workflows/build_ubuntu-22.04_without_x.sh $HOME/install
+      - name: Submit to Coverity Scan
+        run: |
+          tar czvf grass.tgz cov-int
+          curl \
+            --form project=grass \
+            --form token=$TOKEN \
+            --form email=$EMAIL \
+            --form file=@grass.tgz \
+            --form version=main \
+            --form description="`git rev-parse --abbrev-ref HEAD` `git rev-parse --short HEAD`" \
+            https://scan.coverity.com/builds?project=grass
+        env:
+          TOKEN: ${{ secrets.COVERITY_PASSPHRASE }}
+          EMAIL: ${{ secrets.COVERITY_USER }}
+