ci: Add job for pushing coverity reports

This job does:
1. Download the coverity bundle and untar it in a cached location
2. Build GNOME Shell using clang and the coverity tool
3. Compress the coverity report
4. Upload for analysis

In a similar setup to that of Mutter.

Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1913>
Carlos Garnacho 2021-07-14 19:21:34 +02:00 committed by Marge Bot
parent 37a6434a4d
commit 6203668b6c
2 changed files with 64 additions and 1 deletions


@ -9,6 +9,7 @@ stages:
- review - review
- build - build
- test - test
- analyze
- deploy - deploy
default: default:
@ -29,7 +30,7 @@ variables:
LINT_LOG: "eslint-report.xml" LINT_LOG: "eslint-report.xml"
LINT_MR_LOG: "eslint-mr-report.xml" LINT_MR_LOG: "eslint-mr-report.xml"
image: registry.gitlab.gnome.org/gnome/mutter/fedora/34:x86_64-2021-07-07.1 image: registry.gitlab.gnome.org/gnome/mutter/fedora/34:x86_64-2021-07-09.1
workflow: workflow:
rules: rules:
@ -208,6 +209,30 @@ test:
- build/meson-logs/testlog.txt - build/meson-logs/testlog.txt
when: on_failure when: on_failure
test-coverity:
rules:
- if: '$CI_PIPELINE_SOURCE == "schedule" && $GNOME_SHELL_SCHEDULED_JOB == "coverity"'
when: always
- when: manual
needs: ["build"]
stage: analyze
allow_failure: true
before_script:
- ninja -C mutter/build install
script:
- .gitlab-ci/download-coverity-tarball.sh
- CC=clang meson coverity-build -Dman=false
- ./coverity/cov-analysis-linux64-*/bin/cov-build --fs-capture-search js --dir cov-int ninja -C coverity-build
- tar czf cov-int.tar.gz cov-int
- curl https://scan.coverity.com/builds?project=GNOME+Shell
--form token=$COVERITY_TOKEN --form email=carlosg@gnome.org
--form file=@cov-int.tar.gz --form version="`git describe --tags`"
--form description="GitLab CI build"
cache:
key: coverity-tarball
paths:
- coverity
flatpak: flatpak:
stage: build stage: build
needs: ["check_commit_log"] needs: ["check_commit_log"]
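Review bot: In `test-coverity`, `cov-build` is executed straight out of the `coverity` directory restored from the cache under the fixed key `coverity-tarball`, and nothing in the job checks that directory's contents before running it with `COVERITY_TOKEN` in the environment. The trailing `- when: manual` rule allows the job on any pipeline, so whether a pipeline for an unprotected ref can write that cache depends on project and runner settings that are not visible here. I would limit the manual rule to protected refs, `- if: '$CI_COMMIT_REF_PROTECTED == "true"'` followed by `when: manual`, and confirm that protected branches use a separate cache. The upload `curl` also lacks `--fail` while the job sets `allow_failure: true`, so a rejected upload still reports success; `curl --fail` with a quoted `--form "token=$COVERITY_TOKEN"` would surface it.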


@ -0,0 +1,38 @@
#!/usr/bin/bash
# We need a coverity token to fetch the tarball
if [ -x $COVERITY_TOKEN ]
then
echo "No coverity token. Run this job from a protected branch."
exit -1
fi
mkdir -p coverity
# Download and check MD5 first
curl https://scan.coverity.com/download/linux64 \
--data "token=$COVERITY_TOKEN&project=GNOME+Shell&md5=1" \
--output /tmp/coverity_tool.md5
diff /tmp/coverity_tool.md5 coverity/coverity_tool.md5 >/dev/null 2>&1
if [ $? -eq 0 -a -d coverity/cov-analysis* ]
then
echo "Coverity tarball is up-to-date"
exit 0
fi
# Download and extract coverity tarball
curl https://scan.coverity.com/download/linux64 \
--data "token=$COVERITY_TOKEN&project=GNOME+Shell" \
--output /tmp/coverity_tool.tgz
rm -rf ./coverity/cov-analysis*
tar zxf /tmp/coverity_tool.tgz -C coverity/
if [ $? -eq 0 ]
then
mv /tmp/coverity_tool.md5 coverity/
fi
rm /tmp/coverity_tool.tgz
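Review bot: The MD5 fetched at the top is only compared with the cached `coverity/coverity_tool.md5` as a freshness marker; the tarball downloaded afterwards is never checked against it before `tar zxf` unpacks it and the CI job runs `cov-build` from the result. Neither `curl` call uses `--fail`, so an HTTP error body would be written to `/tmp/coverity_tool.md5` or `/tmp/coverity_tool.tgz` as if it were valid. I would add `--fail` to both and, assuming the `md5=1` response is the bare digest, compare before extracting: `[ "$(md5sum < /tmp/coverity_tool.tgz | cut -d' ' -f1)" = "$(cat /tmp/coverity_tool.md5)" ] || exit 1`. Because the digest comes from the same host as the tarball, this catches truncated or error responses rather than tampering. The token guard `[ -x $COVERITY_TOKEN ]` only works because the unquoted empty expansion leaves a one-argument test; `[ -z "$COVERITY_TOKEN" ]` states the intent.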