gitlab CI: hook up coverity

This requires the COVERITY_SCAN_TOKEN as listed on the project settings page in coverity itself. The intention here is to run this as a scheduled job, with the pipeline schedule itself controlling the branch name etc. This way we can keep the gitlab CI simple enough and just check for COVERITY_SCAN_TOKEN itself. This job shouldn't ever fail unless coverity is down (we'll fix that then), the results of the coverity run are sent to the user that owns the the scheduled pipeline, i.e. me. Because coverity does not currently work on F32 (invalid GNU version number: 101), we force this to run on F31. Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2026-01-03 01:00:09 +01:00 · 2020-07-02 12:32:11 +10:00 · 2020-07-02 12:32:11 +10:00 · 04e612488a
commit 04e612488a
parent 1ce05ca4a5
2 changed files with 86 additions and 0 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -758,6 +758,49 @@ flake8@fedora:32:
  script:
    - flake8-3 --ignore=W501,E501,W504 $(git grep -l '^#!/usr/bin/env python3')

+
+#
+# coverity run
+#
+# This requires the COVERITY_SCAN_TOKEN. Log into scan.coverity.com and get
+# the token from the respective project settings page.
+# Schedule a pipeline and set a variable COVERITY_SCAN_TOKEN with the token value.
+# https://gitlab.freedesktop.org/$CI_PROJECT_PATH/-/pipeline_schedules
+# Email from coverity will be sent to the GITLAB_USER_EMAIL that scheduled the
+# job.
+#
+# Coverity ratelimits submissions and the coverity tools download is about
+# 700M, do not run this too often.
+#
+coverity:
+  extends:
+    - .fdo.distribution-image@fedora
+    - .policy
+  stage: build
+  variables:
+    # coverity doesn't work on Fedora 32
+    FDO_DISTRIBUTION_VERSION: '31'
+    FDO_DISTRIBUTION_TAG: $FEDORA_TAG
+  only:
+    variables:
+      - $COVERITY_SCAN_TOKEN
+  script:
+    - curl https://scan.coverity.com/download/linux64
+        -o /tmp/cov-analysis-linux64.tgz
+        --form project=$CI_PROJECT_NAME
+        --form token=$COVERITY_SCAN_TOKEN
+    - tar xfz /tmp/cov-analysis-linux64.tgz
+    # coverity has special build options in meson, make sure we enable those
+    - meson coverity-build -Ddocumentation=false -Dcoverity=true
+    - cov-analysis-linux64-*/bin/cov-build --dir cov-int  ninja -C coverity-build
+    - tar cfz cov-int.tar.gz cov-int
+    - curl https://scan.coverity.com/builds?project=$CI_PROJECT_NAME
+        --form token=$COVERITY_SCAN_TOKEN --form email=$GITLAB_USER_EMAIL
+        --form file=@cov-int.tar.gz --form version="$(git describe --tags)"
+        --form description="$(git describe --tags) / $CI_COMMIT_TITLE / $CI_COMMIT_REF_NAME:$CI_PIPELINE_ID"
+  needs:
+    - "fedora:31@container-prep"
+
 #################################################################
 #                                                               #
 #                        distro stage                           #
--- a/.gitlab-ci/ci.template
+++ b/.gitlab-ci/ci.template
@ -580,6 +580,49 @@ flake8@{{distro.name}}:{{version}}:
    - flake8-3 --ignore=W501,E501,W504 $(git grep -l '^#!/usr/bin/env python3')

 {% endfor %}
+
+#
+# coverity run
+#
+# This requires the COVERITY_SCAN_TOKEN. Log into scan.coverity.com and get
+# the token from the respective project settings page.
+# Schedule a pipeline and set a variable COVERITY_SCAN_TOKEN with the token value.
+# https://gitlab.freedesktop.org/$CI_PROJECT_PATH/-/pipeline_schedules
+# Email from coverity will be sent to the GITLAB_USER_EMAIL that scheduled the
+# job.
+#
+# Coverity ratelimits submissions and the coverity tools download is about
+# 700M, do not run this too often.
+#
+coverity:
+  extends:
+    - .fdo.distribution-image@fedora
+    - .policy
+  stage: build
+  variables:
+    # coverity doesn't work on Fedora 32
+    FDO_DISTRIBUTION_VERSION: '31'
+    FDO_DISTRIBUTION_TAG: $FEDORA_TAG
+  only:
+    variables:
+      - $COVERITY_SCAN_TOKEN
+  script:
+    - curl https://scan.coverity.com/download/linux64
+        -o /tmp/cov-analysis-linux64.tgz
+        --form project=$CI_PROJECT_NAME
+        --form token=$COVERITY_SCAN_TOKEN
+    - tar xfz /tmp/cov-analysis-linux64.tgz
+    # coverity has special build options in meson, make sure we enable those
+    - meson coverity-build -Ddocumentation=false -Dcoverity=true
+    - cov-analysis-linux64-*/bin/cov-build --dir cov-int  ninja -C coverity-build
+    - tar cfz cov-int.tar.gz cov-int
+    - curl https://scan.coverity.com/builds?project=$CI_PROJECT_NAME
+        --form token=$COVERITY_SCAN_TOKEN --form email=$GITLAB_USER_EMAIL
+        --form file=@cov-int.tar.gz --form version="$(git describe --tags)"
+        --form description="$(git describe --tags) / $CI_COMMIT_TITLE / $CI_COMMIT_REF_NAME:$CI_PIPELINE_ID"
+  needs:
+    - "fedora:31@container-prep"
+
 #################################################################
 #                                                               #
 #                        distro stage                           #