From d0634f4a669c86063e2765891bfdec17719f40c2 Mon Sep 17 00:00:00 2001
From: Oneric <oneric@oneric.stub>
Date: Mon, 7 Dec 2020 00:34:00 +0100
Subject: ci: add Coverity to GHA

We need to run Coverity on a clang build, because Coverity's gcc
misreports its version causing ASS_DEPRECATED_ENUM version checks to
falsely suceed, which then causes the build to fail.
Coverity's clang likely also misreports its version, but whatever clang
build Coverity is using happens to work with our current code.
Coverity's gcc failing:
  https://travis-ci.org/github/libass/libass/builds/743655400
Coverity's clang succeeding:
  https://travis-ci.org/github/libass/libass/builds/740511824

Also Coverity's travis script is borked and always returns an error even
on success, because it expects Coverity's server to respond with code
201, but they actually return 200 instead.
To get meaningful job status we are using a custom script based on
Coverity's upstream script and fontforge's Coverity script.
---
 .github/workflows/ghci.yml | 88 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 88 insertions(+)

diff --git a/.github/workflows/ghci.yml b/.github/workflows/ghci.yml
index bd9b0fb..669ebd6 100644
--- a/.github/workflows/ghci.yml
+++ b/.github/workflows/ghci.yml
@@ -20,6 +20,10 @@ jobs:
           - os: ubuntu-18.04
             cc: gcc
             do_distc: yes
+          # Run Coverity on a clang build; Coverity's gcc causes issues
+          - os: ubuntu-18.04
+            cc: clang
+            do_coverity: yes
 
     steps:
       - name: checkout code
@@ -56,3 +60,87 @@ jobs:
 
       - name: distcheck
         run: if [ "x${{ matrix.do_distc }}" = "xyes" ] ; then make -j 2 distcheck; fi
+
+      - name: Coverity scan
+        env:
+          COVERITY_SCAN_TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
+          PROJECT_NAME: libass/libass
+          NOTIFY_EMAIL: none@example.com
+          TOOL_URL: https://scan.coverity.com/download/
+          UPLOAD_URL: https://scan.coverity.com/builds?project=libass%2Flibass
+          SCAN_URL: https://scan.coverity.com
+          RES_DIR: cov-int
+        run: |
+          if [ "x${{ matrix.do_coverity }}" = "xyes" ] \
+             && [ "x${{ github.repository }}" = "xlibass/libass" ] \
+             && [ "x${{ github.event_name }}" != "xpull_request" ]
+          then
+            exit_code=0
+            echo "Running Coverity ..."
+            # Remove previous build output
+            make clean
+            # The upstream script is borked and always exits with 1 even on success
+            # To get meaningful success/error status we're using our own script
+            # but we still want to be informed about upstream script changes
+            if curl -s https://scan.coverity.com/scripts/travisci_build_coverity_scan.sh \
+                | shasum -a 256 \
+                | grep -Eq '^234d71b4a5257a79559e66dd3ba5765576d2af4845da83af4975b77b14ab536b '
+            then
+               : remote unchanged
+            else
+              echo "Coverity's travis script changed!"
+              exit_code=1
+            fi
+
+            # Check if we are within quoata
+            quota_res="$(curl -s --form project="$PROJECT_NAME" \
+                                 --form token="$COVERITY_SCAN_TOKEN" \
+                                 "$SCAN_URL"/api/upload_permitted)"
+            if [ "$?" -ne 0 ] || [ "x$quota_res" = "xAccess denied" ] ; then
+              echo "Coverity denied access or did not respond!"
+              exit 1
+            elif echo "$quota_res" | grep -Eq 'upload_permitted": *true' ; then
+              echo "Within Coverity quota."
+            else
+              echo "Exceeding Coverity quota! Try again later."
+              echo "$quota_res" | grep -Eo 'next_upload_permitted_at":[^,}]*'
+              exit 0
+            fi
+
+            # Download cov tool and make it available
+            wget -nv "$TOOL_URL""$(uname)" \
+                 --post-data "project=$PROJECT_NAME&token=$COVERITY_SCAN_TOKEN" \
+                 -O cov-analysis-tool.tar.gz
+            mkdir cov-analysis-tool
+            tar xzf cov-analysis-tool.tar.gz --strip 1 -C cov-analysis-tool
+            export PATH="$(pwd)/cov-analysis-tool/bin:$PATH"
+
+            # Coverity Build
+            echo "Starting Coverity build..."
+            #mkdir "$RES_DIR" # already done by cov-build
+            COVERITY_UNSUPPORTED=1 cov-build --dir "$RES_DIR" make -j 2
+            cov-import-scm --dir "$RES_DIR" --scm git --log "$RES_DIR/scm_log.txt" 2>&1
+
+            # Submit results to Coverity's server
+            tar czf libass.tar.gz "$RES_DIR"
+            upstat="$(curl --silent --write-out "\n%{http_code}\n" \
+                       --form project="PROJECT_NAME"               \
+                       --form token="$COVERITY_SCAN_TOKEN"         \
+                       --form email="$NOTIFY_EMAIL"                \
+                       --form file=@libass.tar.gz                  \
+                       --form version="${{ github.sha }}"          \
+                       --form description="GitHubActions CI build" \
+                        "$UPLOAD_URL")"
+            if [ "$?" -ne 0 ] ; then
+              echo "Upload failed (curl error)"
+              exit_code=1
+            elif echo "$upstat" | tail -n 1 | grep -Eq '^2[0-9]{2}$' ; then
+              echo "Upload successful."
+            else
+              echo "Upload failed (server error)"
+              exit_code=1
+            fi
+            echo "$upstat" | head
+
+            exit $exit_code
+          fi
-- 
cgit v1.2.3