author | Oneric <oneric@oneric.stub> | 2020-12-07 00:34:00 +0100 |
---|---|---|
committer | Oneric <oneric@oneric.stub> | 2020-12-11 00:01:46 +0100 |
commit | 4cdc10d62d6cee3582bb43e1be2ddf0246f78182 (patch) | |
tree | c5752d387092b455ae1357bc419ce768bb3bd0a0 | |
parent | 7348a77767d77204e56efb5362d1178f4416a8c2 (diff) | |
download | libass-4cdc10d62d6cee3582bb43e1be2ddf0246f78182.tar.bz2 libass-4cdc10d62d6cee3582bb43e1be2ddf0246f78182.tar.xz |
ci: add Coverity to GHA
We need to run Coverity on a clang build, because Coverity's gcc
misreports its version causing ASS_DEPRECATED_ENUM version checks to
falsely succeed, which then causes the build to fail.
Coverity's clang likely also misreports its version, but whatever clang
build Coverity is using happens to work with our current code.
see https://travis-ci.org/github/libass/libass/builds/743655400
Also Coverity's travis script is borked and always returns an error even
on success, because it expects Coverity's server to respond with code
201, but they actually return 200 instead.
To get meaningful job status we are using a custom script based on
Coverity's upstream script and fontforge's Coverity script.
-rw-r--r-- | .github/workflows/ghci.yml | 87 |
1 files changed, 87 insertions, 0 deletions
diff --git a/.github/workflows/ghci.yml b/.github/workflows/ghci.yml
index e6923a4..50fde9e 100644
--- a/.github/workflows/ghci.yml
+++ b/.github/workflows/ghci.yml
@@ -20,6 +20,10 @@ jobs:
 - os: ubuntu-18.04
 cc: gcc
 do_distc: yes
+ # Also run Coverity on a clang build; Coverity's gcc causes issues
+ - os: ubuntu-18.04
+ cc: clang
+ do_coverity: yes
 steps:
 - name: checkout code
@@ -56,3 +60,86 @@ jobs:
 - name: distcheck
 run: if [ "x${{ matrix.do_distc }}" == "xyes" ] ; then make -j 2 distcheck; fi
+
+ - name: Coverity scan
+ env:
+ COVERITY_SCAN_TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
+ PROJECT_NAME: libass/libass
+ NOTIFY_EMAIL: none@example.com
+ TOOL_URL: https://scan.coverity.com/download/
+ UPLOAD_URL: https://scan.coverity.com/builds?project=libass%2Flibass
+ SCAN_URL: https://scan.coverity.com
+ RES_DIR: cov-int
+ run: |
+ if [ "x${{ matrix.do_coverity }}" = "xyes" ] \
+ && [ "x${{ github.repository }}" = "xlibass/libass" ] \
+ && [ "x${{ github.event_name }}" != "xpull_request" ]
+ then
+ exit_code=0
+ echo "Running Coverity ..."
+ # Remove previous build output
+ make clean
+ # The upstream script is borked and always exits with 1 even on success
+ # To get meaningful success/error status we're using our own script
+ # but we still wnat to be informed about upstream script changes
+ if curl -s https://scan.coverity.com/scripts/travisci_build_coverity_scan.sh \
+ | shasum -a 256 \
+ | grep -Eq '^234d71b4a5257a79559e66dd3ba5765576d2af4845da83af4975b77b14ab536b '
+ then
+ echo "" > /dev/null
+ else
+ echo "Coverity's upstream travis script changed!";
+ exit_code=1
+ fi
+
+ # Check if we are within quoata
+ quota_res="$(curl -s --form project="$PROJECT_NAME" \
+ --form token="$COVERITY_SCAN_TOKEN" \
+ "$SCAN_URL"/api/upload_permitted)"
+ if [ "$?" -ne 0 ] || [ "x$quota_res" = "xAccess denied" ] ; then
+ echo "Coverity denied access or did not respond!"
+ exit 1
+ elif echo "$quota_res" | grep -Eq 'upload_permitted": *true' ; then
+ echo "Within Coverity quota."
+ else
+ echo "Exceeding Coverity quota! Try again later."
+ exit 0;
+ fi
+
+ # Download cov tool and make it available
+ wget -nv "$TOOL_URL""$(uname)" \
+ --post-data "project=$PROJECT_NAME&token=$COVERITY_SCAN_TOKEN" \
+ -O cov-analysis-tool.tar.gz
+ mkdir cov-analysis-tool
+ tar xzf cov-analysis-tool.tar.gz --strip 1 -C cov-analysis-tool
+ export PATH="$(pwd)/cov-analysis-tool/bin:$PATH"
+
+ # Coverity Build
+ echo "Starting Coverity build..."
+ #mkdir "$RES_DIR" # already done by cov-build
+ COVERITY_UNSUPPORTED=1 cov-build --dir "$RES_DIR" make -j 2
+ cov-import-scm --dir "$RES_DIR" --scm git --log "$RES_DIR/scm_log.txt" 2>&1
+
+ # Submit results to Coverity's server
+ tar czf libass.tar.gz "$RES_DIR"
+ upstat="$(curl --silent --write-out "\n%{http_code}\n" \
+ --form project="PROJECT_NAME" \
+ --form token="$COVERITY_SCAN_TOKEN" \
+ --form email="$NOTIFY_EMAIL" \
+ --form file=@libass.tar.gz \
+ --form version="${{ github.sha }}" \
+ --form description="GitHubActions CI build" \
+ "$UPLOAD_URL")"
+ if [ "$?" -ne 0 ] ; then
+ echo "Upload failed (curl error)"
+ exit_code=1
+ elif echo "$upstat" | tail -n 1 | grep -Eq '^2[0-9]{2}$' ; then
+ echo "Upload successful."
+ else
+ echo "Upload failed (server error)"
+ exit_code=1
+ fi
+ echo "$upstat" | head
+
+ exit $exit_code
+ fi |
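Review bot: The upload request sends `--form project="PROJECT_NAME"`, a literal string, while the quota check and the tool download both expand `$PROJECT_NAME`. The project is then identified only by the query string in `UPLOAD_URL`, so the field should read `--form project="$PROJECT_NAME"`. The quota check also runs `curl -s` without `--fail`, so an HTTP error body that is neither "Access denied" nor contains `upload_permitted` falls into the quota-exceeded branch and the step ends with `exit 0;`. That exit also discards an `exit_code=1` set by the upstream-script hash check; if that is not intended, `exit $exit_code` there would keep the signal. The token is passed on the `wget --post-data` and `curl --form` command lines, which seems acceptable on what looks like a hosted runner, but a comment such as `# token is on argv; do not run on shared runners` would record that assumption.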