ci: Add job for pushing coverity reports

This job does:
1. Download the coverity bundle and untar it
2. Build mutter using clang and the coverity tool
3. Compress the coverity report
4. Upload for analysis

Things to note:
- Analysis are throttled, as per https://scan.coverity.com/faq#frequency
  we qualify for 21 weekly builds, 3 daily. Mutter is sometimes a busy
  project, so it seems we'd get often those consumed early in the day.
  This is something we can resign to, but the times we'll try to upload
  a report to have it rejected make the operation kinda pointless and
  probably better throttled by ourselves.
- Just made it apply to master, given the restrictions above.
- I had to use clang as the coverity tool doesn't seem to work ATM with
  gcc as per recent Fedora.
- The coverity tarball is 714MB in size, which is a bit too big to have
  it downloaded each time. As per their upload instructions, the tarball
  gets updated twice yearly, may also be a candidate for caching.
- The coverity token for mutter is kept private/hidden in gitlab CI
  settings.

https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/1100

.gitlab-ci.yml

@@ -4,6 +4,7 @@ stages:
  - review
  - build
  - test
+ - analysis
 
 check-commit-log:
   stage: review
@@ -77,3 +78,20 @@ can-build-gnome-shell:
   only:
     - merge_requests
     - /^.*$/
+
+coverity:
+  stage: analysis
+  allow_failure: true
+  script:
+    - dnf install -y clang
+    - curl https://scan.coverity.com/download/linux64 --data "token=$COVERITY_TOKEN&project=mutter" --output /tmp/coverity_tool.tgz
+    - tar zxf /tmp/coverity_tool.tgz
+    - CC=clang meson coverity-build
+    - ./cov-analysis-linux64-*/bin/cov-build --dir cov-int ninja -C coverity-build
+    - tar czf cov-int.tar.gz cov-int
+    - curl https://scan.coverity.com/builds?project=mutter
+      --form token=$COVERITY_TOKEN --form email=carlosg@gnome.org
+      --form file=@cov-int.tar.gz --form version="`git describe --tags`"
+      --form description="gitlab CI build"
+  only:
+    - master