Workflow (by @smitesh-sutaria via schedule) #166
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "Device Plugin: Coverity Scan" | |
| run-name: "Workflow (by @${{ github.actor }} via ${{ github.event_name }})" | |
| on: | |
| # Allow this to also be manually scheduled against a specific branch | |
| workflow_dispatch: | |
| inputs: | |
| branch: | |
| description: 'Branch to run on' | |
| required: true | |
| default: 'main' | |
| schedule: | |
| # Run at 01:35 UTC every day | |
| # Chosen arbitrarily and could be moved - 01:30 UTC is generally after workday ends in US and before it starts in India | |
| - cron: "35 1 * * *" | |
| push: | |
| tags: | |
| - "*" | |
| permissions: read-all | |
| jobs: | |
| coverity: | |
| name: Coverity | |
| runs-on: ubuntu-24.04 | |
| defaults: | |
| run: | |
| shell: bash -noprofile --norc -eo pipefail {0} | |
| steps: | |
| - name: Harden the runner (Audit all outbound calls) | |
| uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout Code | |
| # [email protected] released 2024 October 23. SHA pinned for enhanced security | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 | |
| with: | |
| persist-credentials: false | |
| fetch-depth: 0 # All history, not just latest commit | |
| ref: ${{ github.event.pull_request.head.sha }} # Check out the actual commit, not a fake merge commit | |
| - name: Setup Tools & Common Variables | |
| uses: ./.github/actions/setup-tools | |
| - name: Load coverity from cache | |
| id: cache-coverity | |
| if: github.ref_type != 'tag' | |
| # The cache is disabled for tags which zizmor can't accurately detect. This cache is not used at all for release artifacts. | |
| # [email protected] released 2025 March 19. SHA pinned for enhanced security | |
| uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # zizmor: ignore[cache-poisoning] | |
| env: | |
| cache-name: cache-coverity | |
| with: | |
| path: $HOME/coverity | |
| # Update coverity each month | |
| key: coverity-$(date +%Y%m) | |
| - name: Debug COVERITY_TOKEN | |
| run: | | |
| if [ -z "$COVERITY_TOKEN" ]; then | |
| echo "COVERITY_TOKEN is not set" | |
| exit 1 | |
| else | |
| echo "COVERITY_TOKEN is set" | |
| fi | |
| env: | |
| COVERITY_TOKEN: ${{ secrets.COVERITY_TOKEN }} | |
| - name: Download coverity | |
| if: ${{ steps.cache-coverity.outputs.cache-hit != 'true' }} | |
| env: | |
| COVERITY_TOKEN: ${{ secrets.COVERITY_TOKEN }} | |
| run: | | |
| cd $HOME | |
| wget https://scan.coverity.com/download/linux64 --post-data "token=$COVERITY_TOKEN&project=open-edge-platform%2Fedge-desktop-virtualization" -O coverity.tgz | |
| tar zxf coverity.tgz | |
| mv -T cov-analysis-linux64-* coverity | |
| - name: Add coverity to PATH | |
| run: | | |
| echo "$HOME/coverity/bin" >> $GITHUB_PATH | |
| - name: Show coverity version | |
| run: | | |
| coverity --version | |
| - name: Run coverity build | |
| working-directory: device-plugins-for-kubernetes | |
| run: | | |
| cov-build --dir $HOME/cov-int ./build.sh --ver "$EDV_VERSION" --repo "localhost" | |
| - name: Create coverity results tarball | |
| run: | | |
| cd $HOME | |
| tail cov-int/build-log.txt | |
| tar zcf cov-int.tgz cov-int | |
| - name: Create coverity build | |
| env: | |
| COVERITY_TOKEN: ${{ secrets.COVERITY_TOKEN }} | |
| run: | | |
| cd $HOME | |
| ls -hal cov-int.tgz | |
| echo "NOTE: If size above is > 500 MB, this will fail and need to be restructured to use the more advanced coverity API" | |
| curl --form token=$COVERITY_TOKEN \ | |
| --form [email protected] \ | |
| --form [email protected] \ | |
| --form version="$EDV_VERSION" \ | |
| --form description="Coverity build for edge-desktop-virtualization@$EDV_VERSION" \ | |
| https://scan.coverity.com/builds?project=open-edge-platform%2Fedge-desktop-virtualization |