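---
# Coverity Scan workflow.
#
# Two entry points:
#   * a weekly schedule that scans `main` when it has seen commits in the
#     last week, and
#   * `pull_request_target`, which runs the BASE repository's workflow file
#     and has repository secrets in scope even for PRs from forks.  Because
#     the PR head is checked out and built (meson + Coverity) in that context,
#     the scan only runs once a maintainer applies the `covscan` label, and the
#     label is removed again after every run so that a later push cannot ride
#     on an earlier approval.  Anyone able to apply labels on this repository
#     can therefore trigger a build of untrusted code with the Coverity
#     credentials in scope - keep triage/write access tight.
#
# All PR jobs appear to share the check name "Coverity Scan on PR" so that one
# required status check is satisfied whichever of them applies to the event.
#
# NOTE(review): third-party actions are referenced by mutable tags
# (actions/checkout@v4, vapier/coverity-scan-action@v1,
# tj-actions/changed-files@v44).  In a workflow that holds secrets while it
# builds fork code, pinning each `uses:` to a full commit SHA (tag kept in a
# trailing comment) removes the risk of a retagged action running here.
name: Coverity Scan

on:
  pull_request_target:
    branches: ["main"]
    types:
      - synchronize
      - labeled
  schedule:
    - cron: '41 3 * * 0'

# Least privilege for the default GITHUB_TOKEN; the jobs that edit PR labels
# request `pull-requests: write` explicitly below.
permissions:
  contents: read

jobs:
  scheduled:
    if: ${{ github.event_name == 'schedule' }}
    name: Recurrent Coverity Scan
    runs-on: ubuntu-22.04
    container: fedora:latest
    steps:
      - name: Install Dependencies
        run: |
          dnf -y install git gcc meson pkgconf-pkg-config \
            openssl-devel openssl \
            nss-softokn nss-tools nss-softokn-devel
      - name: Checkout Repository
        uses: actions/checkout@v4
      - name: Setup
        run: |
          meson setup builddir
        env:
          CC: gcc
      - name: Check for changes
        # Skip the upload when main has not moved in the last week.  The
        # checkout inside the container is owned by a different uid than this
        # shell, so git must be told the workspace is safe before `git log`
        # will read it - otherwise the pipeline yields a count of 0 and the
        # scan is silently skipped.  $GITHUB_WORKSPACE is the container-side
        # workspace path, so this no longer depends on the repository name.
        run: |
          echo "RUN_COV=0" >> "$GITHUB_ENV"
          git config --global --add safe.directory "$GITHUB_WORKSPACE"
          DIFF=$(git log --since=1week | wc -l)
          if [ "${DIFF}" != "0" ]; then
            echo "RUN_COV=1" >> "$GITHUB_ENV"
          fi
      - name: Coverity Scan
        # env values are strings; GitHub's loose equality coerces to a number.
        if: env.RUN_COV == 1
        uses: vapier/coverity-scan-action@v1
        with:
          project: "PKCS%2311+Provider"
          email: ${{ secrets.COVERITY_SCAN_EMAIL }}
          token: ${{ secrets.COVERITY_SCAN_TOKEN }}

  on-labeled-pr:
    # Runs only when the `covscan` label is present on a `labeled` event.  The
    # PR head is checked out by SHA (not by branch ref) so the code scanned is
    # exactly the revision that carried the label; a later push produces a
    # `synchronize` event and needs a fresh label.
    if: ${{ contains(github.event.action, 'labeled') && contains(github.event.*.labels.*.name, 'covscan') }}
    name: Coverity Scan on PR
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    container: fedora:latest
    steps:
      - name: Install Dependencies
        run: |
          dnf -y install git gcc meson pkgconf-pkg-config \
            openssl-devel openssl \
            nss-softokn nss-tools nss-softokn-devel \
            gh
      - name: Checkout Repository
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Setup
        run: |
          meson setup builddir
        env:
          CC: gcc
      - name: Coverity Scan
        uses: vapier/coverity-scan-action@v1
        with:
          project: "PKCS%2311+Provider"
          email: ${{ secrets.COVERITY_SCAN_EMAIL }}
          token: ${{ secrets.COVERITY_SCAN_TOKEN }}
      - name: Remove Label
        # Always drop the trigger label, even when the scan failed, so a rerun
        # needs another explicit approval.
        if: always()
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GH_REPO: ${{ github.repository }}
          NUMBER: ${{ github.event.number }}
        run: gh pr edit "$NUMBER" --remove-label "covscan"

  on-no-covscan-labeled-pr:
    # A maintainer marks the PR as reviewed by Coverity with `covscan-ok`;
    # this job only exists to report a green check under the shared name.
    if: ${{ contains(github.event.action, 'labeled') && contains(github.event.*.labels.*.name, 'covscan-ok') }}
    name: Coverity Scan on PR
    runs-on: ubuntu-latest
    steps:
      - name: Coverity Scan Marked Successful
        run: echo "Dummy action to report all ok and mark covscan as handled"

  on-synchronize-no-source-changes:
    # New push on a PR that has not been marked `covscan-ok`: only report
    # whether a scan will be needed (no PR code is built here).
    if: ${{ contains(github.event.action, 'synchronize') && ! contains(github.event.*.labels.*.name, 'covscan-ok') }}
    name: Coverity Scan on PR
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Check changed files
        id: changed-sources
        uses: tj-actions/changed-files@v44
        with:
          files: |
            src/**
      - name: Coverity Scan not needed
        if: steps.changed-sources.outputs.any_changed == 'false'
        run: |
          echo "No Source files changed, no covscan needed"
      - name: Coverity Scan is needed
        if: steps.changed-sources.outputs.any_changed == 'true'
        run: |
          echo "Source files changed, covscan is needed"

  on-synchronize-covscan-ok:
    # New push on a PR that was already marked `covscan-ok`: the approval
    # stays valid only if nothing under src/ changed since the previous head
    # (`github.event.before`).  If the comparison cannot be made (e.g. the
    # previous head is gone after a force-push) the scan is treated as needed.
    if: ${{ contains(github.event.action, 'synchronize') && contains(github.event.*.labels.*.name, 'covscan-ok') }}
    name: Coverity Scan on PR
    runs-on: ubuntu-latest
    # `gh pr edit --remove-label` below needs write access to the PR; with a
    # read-only default token the label removal would otherwise fail.
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - name: Check changed files
        id: changed-sources
        uses: tj-actions/changed-files@v44
        with:
          base_sha: ${{ github.event.before }}
          files: |
            src/**
        continue-on-error: true
      - name: Coverity Scan not needed
        if: ${{ steps.changed-sources.outcome == 'success' && steps.changed-sources.outputs.any_changed == 'false' }}
        run: echo "Dummy action to report all ok and mark covscan as handled"
      - name: Coverity Scan is needed
        if: ${{ steps.changed-sources.outcome == 'failure' || steps.changed-sources.outputs.any_changed == 'true' }}
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GH_REPO: ${{ github.repository }}
          NUMBER: ${{ github.event.number }}
        # Ends with `false` on purpose so the check turns red until a new scan
        # is approved.
        # NOTE(review): this removes "covscan" although the job is gated on the
        # "covscan-ok" label; if the intent is to invalidate the earlier
        # approval once sources change, "covscan-ok" is probably the label to
        # remove - confirm with the maintainers.
        run: |
          gh pr edit "$NUMBER" --remove-label "covscan"
          false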