Coverity (Ubuntu 22.04, Python 3.11) #375
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Coverity (Ubuntu 22.04, Python 3.11) | |
| on: | |
| workflow_dispatch: | |
| schedule: | |
| # run daily at 00:00 | |
| - cron: '0 0 * * *' | |
| pull_request: | |
| paths: | |
| - '.github/workflows/coverity.yml' | |
| permissions: read-all # Required by https://github.com/ossf/scorecard/blob/e23b8ad91fd6a64a0a971ca4fc0a4d1650725615/docs/checks.md#token-permissions | |
| concurrency: | |
| group: ${{ github.ref }}-genai-cov-linux | |
| cancel-in-progress: true | |
| env: | |
| PYTHON_VERSION: '3.11' | |
| OV_BRANCH: ${{ github.base_ref || github.event.merge_group.base_ref || github.ref }} | |
| jobs: | |
| openvino_download: | |
| name: Download OpenVINO | |
| outputs: | |
| status: ${{ steps.openvino_download.outcome }} | |
| ov_artifact_name: ${{ steps.openvino_download.outputs.ov_artifact_name }} | |
| ov_wheel_source: ${{ steps.openvino_download.outputs.ov_wheel_source }} | |
| docker_tag: ${{ steps.get_docker_tag.outputs.docker_tag }} | |
| timeout-minutes: 10 | |
| defaults: | |
| run: | |
| shell: bash | |
| runs-on: aks-linux-medium | |
| container: | |
| image: 'openvinogithubactions.azurecr.io/openvino_provider:0.1.0' | |
| volumes: | |
| - /mount:/mount | |
| - ${{ github.workspace }}:${{ github.workspace }} | |
| steps: | |
| - uses: openvinotoolkit/openvino/.github/actions/openvino_provider@master | |
| id: openvino_download | |
| with: | |
| platform: ubuntu22 | |
| commit_packages_to_provide: wheels | |
| # latest_available_commit fails with libopenvino_intel_npu_compiler.so: cannot open shared object file on Manylinux 2_28. Ticket: 181511 | |
| revision: 8f1e6829dc8eecdb9fca2a95d9271f35b780ddaa | |
| # Set specific revision and uncomment to use OV from its PR build: | |
| # branch_name: master | |
| # event_name: pull_request | |
| - name: Clone docker tag from OpenVINO repo | |
| uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 | |
| with: | |
| repository: 'openvinotoolkit/openvino' | |
| path: 'openvino' | |
| ref: ${{ env.OV_BRANCH }} | |
| sparse-checkout: | | |
| .github/dockerfiles/docker_tag | |
| - name: Save docker tag to output | |
| id: get_docker_tag | |
| run: | | |
| docker_tag=$(cat openvino/.github/dockerfiles/docker_tag) | |
| echo "docker_tag=$docker_tag" >> $GITHUB_OUTPUT | |
| coverity_build: | |
| name: Build for coverity | |
| needs: [ openvino_download ] | |
| timeout-minutes: 20 | |
| defaults: | |
| run: | |
| shell: bash | |
| runs-on: aks-linux-16-cores-64gb | |
| container: | |
| image: openvinogithubactions.azurecr.io/ov_build/ubuntu_22_04_x64:${{ needs.openvino_download.outputs.docker_tag }} | |
| volumes: | |
| - /mount:/mount | |
| options: -v ${{ github.workspace }}:${{ github.workspace }} | |
| env: | |
| CMAKE_GENERATOR: Unix Makefiles | |
| OV_INSTALL_DIR: ${{ github.workspace }}/ov | |
| INSTALL_DIR: ${{ github.workspace }}/install | |
| BUILD_DIR: ${{ github.workspace }}/build | |
| BUILD_TYPE: Release | |
| COV_TOOL_DIR: ${{ github.workspace }}/coverity_tool | |
| steps: | |
| - name: Clone openvino.genai | |
| uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 | |
| with: | |
| path: openvino.genai | |
| - name: Download OpenVINO package | |
| uses: akashchi/download-artifact@d59a9c15fec3fdb7c9adf09464124d00f9c11415 | |
| with: | |
| name: ${{ needs.openvino_download.outputs.ov_artifact_name }} | |
| path: ${{ env.OV_INSTALL_DIR }} | |
| merge-multiple: true | |
| - name: Restore Coverity Tool | |
| if: github.event_name == 'pull_request' | |
| id: cache-coverity | |
| uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 | |
| with: | |
| path: ${{ env.COV_TOOL_DIR }} | |
| key: coverity-${{ runner.os }}-${{ github.sha }} | |
| restore-keys: coverity-${{ runner.os }} | |
| - name: Download coverity tool | |
| if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' | |
| run: | | |
| wget -q https://scan.coverity.com/download/linux64 --post-data "token=${{ secrets.COVERITY_SECRET_TOKEN }}&project=openvino.genai" -O coverity_tool.tgz | |
| mkdir -p ${{ env.COV_TOOL_DIR }} | |
| pigz -dc coverity_tool.tgz | tar --strip-components=1 -xf - -C ${{ env.COV_TOOL_DIR }} | |
| - name: Create config file for coverity build | |
| run: | | |
| ${{ env.COV_TOOL_DIR }}/bin/cov-configure --delete-compiler-config template-python-config-0 | |
| ${{ env.COV_TOOL_DIR }}/bin/cov-configure --python --no-capture-config-files --version 3 | |
| - name: Create build.sh | |
| run: | | |
| echo """ | |
| mkdir -p ${{ github.workspace }}/build | |
| cmake -DCMAKE_BUILD_TYPE=${BUILD_TYPE} -DBUILD_TOKENIZERS=NO -DOpenVINO_DIR=${OV_INSTALL_DIR}/runtime/cmake/ -DCMAKE_C_COMPILER_LAUNCHER= -DCMAKE_CXX_COMPILER_LAUNCHER= -B${BUILD_DIR} ${{ github.workspace }}/openvino.genai | |
| cmake --build ${BUILD_DIR} --config ${BUILD_TYPE} --parallel $(nproc) | |
| """ > build.sh | |
| - name: Build for coverity | |
| run: | | |
| ${{ env.COV_TOOL_DIR }}/bin/cov-build --config ${{ env.COV_TOOL_DIR }}/config/coverity_config.xml --tmpdir cov_temp --dir ${BUILD_DIR}/cov-int sh build.sh | |
| - name: Pack for analysis submission | |
| run: tar -cvf - cov-int | pigz > openvino-genai.tgz | |
| working-directory: ${{ env.BUILD_DIR }} | |
| - name: Submit to coverity | |
| if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' | |
| run: | | |
| apt-get update && apt-get install -y curl jq | |
| pushd ${BUILD_DIR} | |
| curl -X POST -d token=${{ secrets.COVERITY_SECRET_TOKEN }} \ | |
| -d email=${{ secrets.COVERITY_USER }} \ | |
| -d file_name="openvino-genai.tgz" \ | |
| -d version="${{ github.sha }}" \ | |
| -d description="https://github.com/openvinotoolkit/openvino.genai/actions/runs/${{ github.run_id }}" \ | |
| https://scan.coverity.com/projects/30357/builds/init | tee response | |
| upload_url=$(jq -r '.url' response) | |
| build_id=$(jq -r '.build_id' response) | |
| curl -X PUT \ | |
| --header 'Content-Type: application/json' \ | |
| --upload-file openvino-genai.tgz \ | |
| $upload_url | |
| curl -X PUT \ | |
| -d token=${{ secrets.COVERITY_SECRET_TOKEN }} \ | |
| https://scan.coverity.com/projects/30357/builds/$build_id/enqueue | |
| popd | |
| - name: Show Coverity configure logs | |
| continue-on-error: true | |
| run: ${{ env.COV_TOOL_DIR }}/bin/cov-configure -c ${{ env.COV_TOOL_DIR }}/config/coverity_config.xml -lscc text | |
| - name: Save Coverity Tool | |
| if: always() && github.event_name == 'schedule' | |
| uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 | |
| with: | |
| key: coverity-${{ runner.os }}-${{ github.sha }} | |
| path: ${{ env.COV_TOOL_DIR }} | |
| - name: Upload Coverity build log | |
| uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 | |
| if: always() | |
| with: | |
| name: coverity_logs | |
| path: ${{ env.BUILD_DIR }}/cov-int/build-log.txt | |
| if-no-files-found: 'error' | |
| - name: Upload Coverity build archive | |
| uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 | |
| if: always() | |
| with: | |
| name: coverity_archive | |
| path: ${{ env.BUILD_DIR }}/openvino-genai.tgz | |
| if-no-files-found: 'error' |