authorOneric <oneric@oneric.stub>2020-12-07 00:34:00 +0100
committerOneric <oneric@oneric.stub>2020-12-11 00:01:46 +0100
commit4cdc10d62d6cee3582bb43e1be2ddf0246f78182 (patch)
treec5752d387092b455ae1357bc419ce768bb3bd0a0
parent7348a77767d77204e56efb5362d1178f4416a8c2 (diff)
downloadlibass-4cdc10d62d6cee3582bb43e1be2ddf0246f78182.tar.bz2
libass-4cdc10d62d6cee3582bb43e1be2ddf0246f78182.tar.xz
ci: add Coverity to GHA
We need to run Coverity on a clang build, because Coverity's gcc misreports its version causing ASS_DEPRECATED_ENUM version checks to falsely succeed, which then causes the build to fail. Coverity's clang likely also misreports its version, but whatever clang build Coverity is using happens to work with our current code. see https://travis-ci.org/github/libass/libass/builds/743655400 Also Coverity's travis script is borked and always returns an error even on success, because it expects Coverity's server to respond with code 201, but they actually return 200 instead. To get meaningful job status we are using a custom script based on Coverity's upstream script and fontforge's Coverity script.
-rw-r--r--.github/workflows/ghci.yml87
1 files changed, 87 insertions, 0 deletions
diff --git a/.github/workflows/ghci.yml b/.github/workflows/ghci.yml
index e6923a4..50fde9e 100644
--- a/.github/workflows/ghci.yml
+++ b/.github/workflows/ghci.yml
@@ -20,6 +20,10 @@ jobs:
- os: ubuntu-18.04
cc: gcc
do_distc: yes
+ # Also run Coverity on a clang build; Coverity's gcc causes issues
+ - os: ubuntu-18.04
+ cc: clang
+ do_coverity: yes
steps:
- name: checkout code
@@ -56,3 +60,86 @@ jobs:
- name: distcheck
run: if [ "x${{ matrix.do_distc }}" == "xyes" ] ; then make -j 2 distcheck; fi
+
+ - name: Coverity scan
+ env:
+ COVERITY_SCAN_TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
+ PROJECT_NAME: libass/libass
+ NOTIFY_EMAIL: none@example.com
+ TOOL_URL: https://scan.coverity.com/download/
+ UPLOAD_URL: https://scan.coverity.com/builds?project=libass%2Flibass
+ SCAN_URL: https://scan.coverity.com
+ RES_DIR: cov-int
+ run: |
+ if [ "x${{ matrix.do_coverity }}" = "xyes" ] \
+ && [ "x${{ github.repository }}" = "xlibass/libass" ] \
+ && [ "x${{ github.event_name }}" != "xpull_request" ]
+ then
+ exit_code=0
+ echo "Running Coverity ..."
+ # Remove previous build output
+ make clean
+ # The upstream script is borked and always exits with 1 even on success
+ # To get meaningful success/error status we're using our own script
+ # but we still wnat to be informed about upstream script changes
+ if curl -s https://scan.coverity.com/scripts/travisci_build_coverity_scan.sh \
+ | shasum -a 256 \
+ | grep -Eq '^234d71b4a5257a79559e66dd3ba5765576d2af4845da83af4975b77b14ab536b '
+ then
+ echo "" > /dev/null
+ else
+ echo "Coverity's upstream travis script changed!";
+ exit_code=1
+ fi
+
+ # Check if we are within quoata
+ quota_res="$(curl -s --form project="$PROJECT_NAME" \
+ --form token="$COVERITY_SCAN_TOKEN" \
+ "$SCAN_URL"/api/upload_permitted)"
+ if [ "$?" -ne 0 ] || [ "x$quota_res" = "xAccess denied" ] ; then
+ echo "Coverity denied access or did not respond!"
+ exit 1
+ elif echo "$quota_res" | grep -Eq 'upload_permitted": *true' ; then
+ echo "Within Coverity quota."
+ else
+ echo "Exceeding Coverity quota! Try again later."
+ exit 0;
+ fi
+
+ # Download cov tool and make it available
+ wget -nv "$TOOL_URL""$(uname)" \
+ --post-data "project=$PROJECT_NAME&token=$COVERITY_SCAN_TOKEN" \
+ -O cov-analysis-tool.tar.gz
+ mkdir cov-analysis-tool
+ tar xzf cov-analysis-tool.tar.gz --strip 1 -C cov-analysis-tool
+ export PATH="$(pwd)/cov-analysis-tool/bin:$PATH"
+
+ # Coverity Build
+ echo "Starting Coverity build..."
+ #mkdir "$RES_DIR" # already done by cov-build
+ COVERITY_UNSUPPORTED=1 cov-build --dir "$RES_DIR" make -j 2
+ cov-import-scm --dir "$RES_DIR" --scm git --log "$RES_DIR/scm_log.txt" 2>&1
+
+ # Submit results to Coverity's server
+ tar czf libass.tar.gz "$RES_DIR"
+ upstat="$(curl --silent --write-out "\n%{http_code}\n" \
+ --form project="PROJECT_NAME" \
+ --form token="$COVERITY_SCAN_TOKEN" \
+ --form email="$NOTIFY_EMAIL" \
+ --form file=@libass.tar.gz \
+ --form version="${{ github.sha }}" \
+ --form description="GitHubActions CI build" \
+ "$UPLOAD_URL")"
+ if [ "$?" -ne 0 ] ; then
+ echo "Upload failed (curl error)"
+ exit_code=1
+ elif echo "$upstat" | tail -n 1 | grep -Eq '^2[0-9]{2}$' ; then
+ echo "Upload successful."
+ else
+ echo "Upload failed (server error)"
+ exit_code=1
+ fi
+ echo "$upstat" | head
+
+ exit $exit_code
+ fi
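Review bot: In the upload call, `--form project="PROJECT_NAME"` is missing the `$` and submits the literal string rather than `libass/libass`; it should be `--form project="$PROJECT_NAME"`, matching the quota check earlier in the step. The upload presumably still lands in the right project only because `UPLOAD_URL` repeats it in the query string. The two `[ "$?" -ne 0 ]` tests after the `$(curl ...)` assignments also look unreachable on a curl failure if the step runs under GitHub's default `bash -e` (the shell setting is not visible in this hunk), so the "did not respond" and "curl error" messages would never print; testing the assignment directly, as in `if ! quota_res="$(curl ...)"; then`, keeps that handling explicit. Finally, the downloaded `cov-analysis-tool.tar.gz` is unpacked and placed first on `PATH` in a step that holds `COVERITY_SCAN_TOKEN`, with only TLS vouching for it, and both `wget --post-data` and `curl --form token=` pass the token on the command line; a comment recording that trade-off would help the next maintainer.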