author | Petr Štetiar <ynezz@true.cz> | 2023-01-30 08:33:16 +0100 |
---|---|---|
committer | Christian Marangi <ansuelsmth@gmail.com> | 2023-04-26 17:24:50 +0200 |
commit | 9a2666951051f8072ba83f0535e1534ea0dbf6aa (patch) | |
tree | a390150ee593a61cd2481bb2da0b80ec351bd7e7 | |
parent | 8f427f1a058dd5dcff21246a9a6d91318f55f80a (diff) | |
ci: add Coverity Scan scheduled workflow
Coverity Scan is a static code analysis service focused on open source
software quality and security, so let's scan various OpenWrt components
every Friday for a start.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
-rw-r--r-- | .github/workflows/build.yml | 70 | ||||
-rw-r--r-- | .github/workflows/coverity.yml | 64 |
2 files changed, 134 insertions, 0 deletions
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 22286c054e..8744bc7737 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -2,6 +2,8 @@ name: Build sub target
 on:
 workflow_call:
+ secrets:
+ coverity_api_token:
 inputs:
 target:
 required: true
@@ -25,6 +27,23 @@ on:
 use_openwrt_container:
 type: boolean
 default: true
+ coverity_project_name:
+ type: string
+ default: OpenWrt
+ coverity_check_packages:
+ type: string
+ coverity_compiler_template_list:
+ type: string
+ default: >-
+ arm-openwrt-linux-gcc
+ coverity_force_compile_packages:
+ type: string
+ default: >-
+ curl
+ libnl
+ mbedtls
+ wolfssl
+ openssl
 permissions:
 contents: read
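Review bot: None of the five new `workflow_call` inputs in the second hunk carries a `description:`, so a caller has to read the build steps to learn that `coverity_check_packages` is a whitespace-separated package list whose emptiness disables every Coverity step, or why `coverity_force_compile_packages` defaults to curl, libnl and the three TLS libraries (presumably dependencies that must be built before `cov-build` captures the checked packages — worth confirming in the text). Adding e.g. `description: Whitespace-separated packages to clean and rebuild under cov-build; empty skips all Coverity steps` under `coverity_check_packages` and a similar line on the force-compile input would make the interface self-explaining. The same applies to the lone `coverity_api_token:` entry under `secrets:` in the first hunk. The enclosing `on:` block continues outside both hunks.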
@@ -361,6 +380,57 @@ jobs:
 working-directory: openwrt
 run: make -j$(nproc) BUILD_LOG=1 || ret=$? .github/workflows/scripts/show_build_failures.sh
+ - name: Coverity prepare toolchain
+ if: inputs.coverity_check_packages != ''
+ shell: su buildbot -c "sh -e {0}"
+ working-directory: openwrt
+ run: |
+ wget -q https://scan.coverity.com/download/linux64 --post-data "token=${{ secrets.coverity_api_token }}&project=${{ inputs.coverity_project_name }}" -O coverity.tar.gz
+ wget -q https://scan.coverity.com/download/linux64 --post-data "token=${{ secrets.coverity_api_token }}&project=${{ inputs.coverity_project_name }}&md5=1" -O coverity.tar.gz.md5
+ echo ' coverity.tar.gz' >> coverity.tar.gz.md5
+ md5sum -c coverity.tar.gz.md5
+
+ mkdir cov-analysis-linux64
+ tar xzf coverity.tar.gz --strip 1 -C cov-analysis-linux64
+ export PATH=$(pwd)/cov-analysis-linux64/bin:$PATH
+
+ for template in ${{ inputs.coverity_compiler_template_list }}; do
+ cov-configure --template --comptype gcc --compiler "$template"
+ done
+
+ - name: Clean and recompile packages with Coverity toolchain
+ if: inputs.coverity_check_packages != ''
+ shell: su buildbot -c "bash {0}"
+ working-directory: openwrt
+ run: |
+ set -o pipefail -o errexit
+
+ coverity_check_packages=(${{ inputs.coverity_check_packages }})
+ printf -v clean_packages "package/%s/clean " "${coverity_check_packages[@]}"
+ make -j$(nproc) BUILD_LOG=1 $clean_packages || ret=$? .github/workflows/scripts/show_build_failures.sh
+
+ coverity_force_compile_packages=(${{ inputs.coverity_force_compile_packages }})
+ printf -v force_compile_packages "package/%s/compile " "${coverity_force_compile_packages[@]}"
+ make -j$(nproc) BUILD_LOG=1 $force_compile_packages || ret=$? .github/workflows/scripts/show_build_failures.sh
+
+ printf -v compile_packages "package/%s/compile " "${coverity_check_packages[@]}"
+ export PATH=$(pwd)/cov-analysis-linux64/bin:$PATH
+ cov-build --dir cov-int make -j $(nproc) BUILD_LOG=1 $compile_packages || ret=$? .github/workflows/scripts/show_build_failures.sh
+
+ - name: Upload build to Coverity for analysis
+ if: inputs.coverity_check_packages != ''
+ shell: su buildbot -c "sh -e {0}"
+ working-directory: openwrt
+ run: |
+ tar czf cov-int.tar.gz ./cov-int
+ curl \
+ --form token="${{ secrets.coverity_api_token }}" \
+ --form email="contact@openwrt.org" \
+ --form file=@cov-int.tar.gz \
+ --form version="${{ github.ref_name }}-${{ github.sha }}" \
+ --form description="OpenWrt ${{ github.ref_name }}-${{ github.sha }}" \
+ "https://scan.coverity.com/builds?project=${{ inputs.coverity_project_name }}"
+
 - name: Upload logs
 if: failure()
 uses: actions/upload-artifact@v3
diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
new file mode 100644
index 0000000000..db628d05ee
--- /dev/null
+++ b/.github/workflows/coverity.yml
@@ -0,0 +1,64 @@
+name: Coverity scan build
+
+on:
+ schedule:
+ - cron: '30 2 * * 6'
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+
+jobs:
+ coverity_build:
+ name: Coverity x86/64 build
+ secrets:
+ coverity_api_token: ${{ secrets.COVERITY_API_TOKEN }}
+ permissions:
+ contents: read
+ packages: read
+ uses: ./.github/workflows/build.yml
+ with:
+ target: x86/64
+ build_full: true
+ include_feeds: true
+ coverity_compiler_template_list: >-
+ x86_64-openwrt-linux-gcc
+ x86_64-openwrt-linux-musl-gcc
+ # qosify fails to build with cov-build
+ coverity_check_packages: >-
+ cgi-io
+ dnsmasq
+ dropbear
+ firewall
+ fstools
+ fwtool
+ iwinfo
+ jsonfilter
+ libnl-tiny
+ libubox
+ mtd
+ netifd
+ odhcp6c
+ odhcpd
+ opkg
+ procd
+ relayd
+ rpcd
+ swconfig
+ ubox
+ ubus
+ ucert
+ uci
+ uclient
+ ucode
+ ugps
+ uhttpd
+ umbim
+ umdns
+ unetd
+ uqmi
+ urngd
+ usbmode
+ usign
+ usteer
+ ustp
+ ustream-ssl
|
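Review bot: The `curl` in the "Upload build to Coverity for analysis" step has no `--fail`, so under `sh -e` an HTTP error from scan.coverity.com (rejected token, quota exhausted, malformed form) still exits 0 and the job reports success with nothing queued for analysis; starting the command as `curl --fail --silent --show-error \` makes a rejected upload fail the step. Separately, the two build steps expand `${{ inputs.coverity_check_packages }}`, `${{ inputs.coverity_force_compile_packages }}` and `${{ inputs.coverity_compiler_template_list }}` directly into the `run:` script text; since build.yml is a `workflow_call` workflow these values come from a caller in the same repository, but passing them through `env:` and reading the variables in the script keeps the script independent of input content and is the pattern GitHub documents for run steps. The md5 check in "Coverity prepare toolchain" compares the archive against a checksum served by the same host over the same connection, so it detects a truncated download rather than a substituted one — a comment such as `# md5 comes from scan.coverity.com itself: download integrity, not authenticity` would set expectations for the next reader. The job these steps belong to starts outside the hunk.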
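Review bot: The schedule `- cron: '30 2 * * 6'` fires at 02:30 UTC on Saturday (cron day-of-week 6 is Saturday), whereas the commit message announces a Friday scan; if Friday is intended the line should read `- cron: '30 2 * * 5'`, otherwise the message is the part to adjust. A trailing comment such as `# Saturday 02:30 UTC` on the cron line would keep the two from drifting apart again. The comment `# qosify fails to build with cov-build` is placed between `coverity_compiler_template_list` and `coverity_check_packages`, where a reader may attach it to the wrong list; rewording it to `# qosify omitted from coverity_check_packages: fails to build with cov-build` ties it to the list it explains.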