ci: Add job for pushing coverity reports

This job does: 1. Download the coverity bundle and untar it in a cached location 2. Build GNOME Shell using clang and the coverity tool 3. Compress the coverity report 4. Upload for analysis In a similar setup to that of Mutter. Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1913>
2021-07-14 19:21:34 +02:00 · 2021-07-14 19:21:34 +02:00 · 6203668b6c
commit 6203668b6c
parent 37a6434a4d
2 changed files with 64 additions and 1 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -9,6 +9,7 @@ stages:
 - review
 - build
 - test
+ - analyze
 - deploy

 default:
@ -29,7 +30,7 @@ variables:
    LINT_LOG: "eslint-report.xml"
    LINT_MR_LOG: "eslint-mr-report.xml"

-image: registry.gitlab.gnome.org/gnome/mutter/fedora/34:x86_64-2021-07-07.1
+image: registry.gitlab.gnome.org/gnome/mutter/fedora/34:x86_64-2021-07-09.1

 workflow:
    rules:
@ -208,6 +209,30 @@ test:
            - build/meson-logs/testlog.txt
        when: on_failure

+test-coverity:
+    rules:
+        - if: '$CI_PIPELINE_SOURCE == "schedule" && $GNOME_SHELL_SCHEDULED_JOB == "coverity"'
+          when: always
+        - when: manual
+    needs: ["build"]
+    stage: analyze
+    allow_failure: true
+    before_script:
+        - ninja -C mutter/build install
+    script:
+        - .gitlab-ci/download-coverity-tarball.sh
+        - CC=clang meson coverity-build -Dman=false
+        - ./coverity/cov-analysis-linux64-*/bin/cov-build --fs-capture-search js --dir cov-int ninja -C coverity-build
+        - tar czf cov-int.tar.gz cov-int
+        - curl https://scan.coverity.com/builds?project=GNOME+Shell
+          --form token=$COVERITY_TOKEN --form email=carlosg@gnome.org
+          --form file=@cov-int.tar.gz --form version="`git describe --tags`"
+          --form description="GitLab CI build"
+    cache:
+        key: coverity-tarball
+        paths:
+            - coverity
+
 flatpak:
    stage: build
    needs: ["check_commit_log"]
--- a/.gitlab-ci/download-coverity-tarball.sh
+++ b/.gitlab-ci/download-coverity-tarball.sh
@ -0,0 +1,38 @@
+#!/usr/bin/bash
+
+# We need a coverity token to fetch the tarball
+if [ -x $COVERITY_TOKEN ]
+then
+  echo "No coverity token. Run this job from a protected branch."
+  exit -1
+fi
+
+mkdir -p coverity
+
+# Download and check MD5 first
+curl https://scan.coverity.com/download/linux64 \
+  --data "token=$COVERITY_TOKEN&project=GNOME+Shell&md5=1" \
+  --output /tmp/coverity_tool.md5
+
+diff /tmp/coverity_tool.md5 coverity/coverity_tool.md5 >/dev/null 2>&1
+
+if [ $? -eq 0 -a -d coverity/cov-analysis* ]
+then
+  echo "Coverity tarball is up-to-date"
+  exit 0
+fi
+
+# Download and extract coverity tarball
+curl https://scan.coverity.com/download/linux64 \
+  --data "token=$COVERITY_TOKEN&project=GNOME+Shell" \
+  --output /tmp/coverity_tool.tgz
+
+rm -rf ./coverity/cov-analysis*
+
+tar zxf /tmp/coverity_tool.tgz -C coverity/
+if [ $? -eq 0 ]
+then
+  mv /tmp/coverity_tool.md5 coverity/
+fi
+
+rm /tmp/coverity_tool.tgz