.github/workflows/code-qa-coverity.yml

name: Code QA - Coverity


on:
  workflow_dispatch:

  push:
    branches:
      - coverity-scan
    tags:
      - '*'
    paths-ignore:
      - '.github/**'
      - '.gitignore'
      - 'ChangeLog'
      - 'COPYING'
      - 'configure.scan'
      - 'packaging/**'
      - 'dev-tools/**'
#      - '!dev-tools/libexec/get-release-*.sh'
      - 'doc/**'
      - 'etc/**'
      - 'install/**'
      - 'lib/*/IMPORT.defs'
      - 'lib/*/LICENSE'
      - 'README.md'


jobs:
  code-qa-coverity:

    name: Static code analysis
    runs-on: ubuntu-20.04
    container: ciready/ubuntu:20.04-ci-c

    steps:


      ### Fetch the code
      #
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0   # Shallow clones should be disabled for a better relevancy of analysis

      # Work around the fix for CVE-2022-24765
      - run: git config --global --add safe.directory $GITHUB_WORKSPACE || true


      ### Install build environment tools
      #
      - run: ./dev-tools/install-dev-software.sh


      ### Download and install coverity
      #
      - name: Download the Coverity Build Tool
        run: |
          wget -q https://scan.coverity.com/download/cxx/linux64 --post-data "token=$COVERITY_SCAN_TOKEN&project=a2o%2Fsnoopy" -O cov-analysis-linux64.tar.gz
          mkdir cov-analysis-linux64
          tar xzf cov-analysis-linux64.tar.gz --strip 1 -C cov-analysis-linux64
        working-directory: /opt
        env:
          COVERITY_SCAN_TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}


      ### Configure
      #
      - run: ./bootstrap.sh
      - run: ./configure --enable-option-checking=fatal --enable-everything


      ### Build with cov-build
      #
      - name: Build with cov-build
        run: |
          export PATH=/opt/cov-analysis-linux64/bin:$PATH
          cov-build \
            --dir cov-int \
            make


      ### Submit to Coverity Scan
      #
      - name: Submit the result to Coverity Scan
        run: |
          RELEASE_TAG=`./dev-tools/libexec/get-release-tag.sh`
          tar -czf cov-int.tar.gz cov-int
          curl \
            --form project=a2o%2Fsnoopy \
            --form token=$COVERITY_SCAN_TOKEN \
            --form email=$COVERITY_SCAN_EMAIL \
            --form version=$RELEASE_TAG \
            --form description=$RELEASE_TAG \
            --form file=@cov-int.tar.gz \
            https://scan.coverity.com/builds?project=a2o%2Fsnoopy
          echo "Submission tag: $RELEASE_TAG"
        env:
          COVERITY_SCAN_TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
          COVERITY_SCAN_EMAIL: ${{ secrets.COVERITY_SCAN_EMAIL }}