GHA: new workflow to submit scan to Coverity Scan service

Not on every push due to submit limits. Use caching to not submit a scan for the same git commit twice. Since we have many days without pushes to master this saves a lot of Github and Coverity resources. v2: - add caching to not submit redundant scans Change-Id: I302ccc82f9d5c43b58350bbbf7f16ad1c559248f Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20230911110735.34491-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27001.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
2026-05-28 04:03:29 -04:00 · 2023-09-11 13:07:35 +02:00 · 2023-09-11 13:07:35 +02:00 · 607ae9b821
commit 607ae9b821
parent b7eea48708
1 changed files with 69 additions and 0 deletions
--- a/.github/workflows/coverity-scan.yml
+++ b/.github/workflows/coverity-scan.yml
@ -0,0 +1,69 @@
+name: coverity-scan
+on:
+  schedule:
+    - cron: '0 20 * * *' # Daily at 20:00 UTC
+  workflow_dispatch:
+
+jobs:
+  latest:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check submission cache
+        id: check_submit
+        uses: actions/cache/restore@v3
+        with:
+          path: |
+            cov-int
+          key: check-submit-${{ github.sha }}
+
+      - name: Install dependencies
+        if: steps.check_submit.outputs.cache-hit != 'true'
+        run: sudo apt update && sudo apt install -y liblzo2-dev libpam0g-dev liblz4-dev libcap-ng-dev libnl-genl-3-dev linux-libc-dev man2html libcmocka-dev python3-docutils libtool automake autoconf libssl-dev libpkcs11-helper1-dev softhsm2 gnutls-bin
+
+      - name: Checkout OpenVPN
+        if: steps.check_submit.outputs.cache-hit != 'true'
+        uses: actions/checkout@v3
+
+      - name: Download Coverity Build Tool
+        if: steps.check_submit.outputs.cache-hit != 'true'
+        run: |
+          wget -q https://scan.coverity.com/download/cxx/linux64 --post-data "token=$TOKEN&project=OpenVPN%2Fopenvpn" -O cov-analysis-linux64.tar.gz
+          mkdir cov-analysis-linux64
+          tar xzf cov-analysis-linux64.tar.gz --strip 1 -C cov-analysis-linux64
+        env:
+          TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
+
+      - name: autoconf
+        if: steps.check_submit.outputs.cache-hit != 'true'
+        run: autoreconf -fvi
+      - name: configure
+        if: steps.check_submit.outputs.cache-hit != 'true'
+        run: ./configure --enable-pkcs11
+
+      - name: Build with cov-build
+        if: steps.check_submit.outputs.cache-hit != 'true'
+        run: |
+          PATH=`pwd`/cov-analysis-linux64/bin:$PATH
+          cov-build --dir cov-int make
+
+      - name: Submit the result to Coverity Scan
+        if: steps.check_submit.outputs.cache-hit != 'true'
+        run: |
+          tar czvf openvpn.tgz cov-int
+          curl --form token=$TOKEN \
+          --form email=$EMAIL \
+          --form file=@openvpn.tgz \
+          --form version="$GITHUB_SHA" \
+          --form description="master" \
+          https://scan.coverity.com/builds?project=OpenVPN%2Fopenvpn
+        env:
+          TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
+          EMAIL: ${{ secrets.COVERITY_SCAN_EMAIL }}
+
+      - name: Cache submission
+        if: steps.check_submit.outputs.cache-hit != 'true'
+        uses: actions/cache/save@v3
+        with:
+          path: |
+            cov-int
+          key: ${{ steps.check_submit.outputs.cache-primary-key }}