Add coverity support to workflow #26
Conversation
There was a problem hiding this comment.
I think this deserves a separate workflow.
Also do we even want to automatically run Coverity on every PR/push? (I don't know the deal that we have or how much it costs)
There was a problem hiding this comment.
Can you move this into a separate workflow then? This will make it easy to tweak the run condition without affecting the regular build.
Also we will be able to use jobs.<job_id>.if instead of jobs.<job_id>.steps[*].if.
.github/workflows/build.yaml
Outdated
| COVERITY_SCAN_TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }} | ||
| run: | | ||
| # Download toolbox | ||
| COVERITY_URL="https://scan.coverity.com/download/cxx/linux64" |
There was a problem hiding this comment.
Why use an environment variable?
There was a problem hiding this comment.
Indeed, you can probably replace all these lines by something like:
curl https://scan.coverity.com/download/cxx/linux64 \
--form token=${{ secrets.COVERITY_SCAN_TOKEN }} \
--form project=wisun-br-linux | tar -xC /opt
ln -sfn /opt/coverity*/bin/coverity /bin
.github/workflows/build.yaml
Outdated
| tar -xf coverity.tar.gz -C coverity --strip-components=1 | ||
| rm -fr coverity.tar.gz | ||
| # For the current shell session | ||
| export PATH=$(pwd)/coverity/bin:$PATH |
There was a problem hiding this comment.
I would prefer either:
- Install
coverityin a standard directory (ie./usr/bin,/usr/local/binor alike). - Use an absolute path when calling Coverity tools.
.github/workflows/build.yaml
Outdated
| export PATH=$(pwd)/coverity/bin:$PATH | ||
| coverity --version | ||
| # For the upcoming shell sessions | ||
| echo "$(pwd)/coverity/bin" >> $GITHUB_PATH |
There was a problem hiding this comment.
Why is this necessary?
There was a problem hiding this comment.
Make sure coverity exists then simplify the next call of cov-build.
| env: | ||
| COVERITY_SCAN_TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }} | ||
| COVERITY_SCAN_EMAIL: ${{ secrets.COVERITY_SCAN_EMAIL }} | ||
| COVERITY_SCAN_VERSION: ${{ github.sha }} |
There was a problem hiding this comment.
Do we need to use env vars?
There was a problem hiding this comment.
Note: I now understand the need for secrets, but is it necessary for the SHA?
There was a problem hiding this comment.
Not necessary, there is plenty of other ways to do it, the aim here was reusability by other teams working on open sources projects.
But let me point smt: It's common practice to use env variables in CI/CD tools.
Environment variables are ephemeral and exist only during pipeline execution. No persistence.
Most importantly, defining parameters as environment variables enhances reusability and flexibility, allowing different users or projects to run workflows with custom values without modifying the core script or commands or stages.
There was a problem hiding this comment.
If we want something generic and reusable, the good way is to write an action. Maybe in the future we could have a Silabs action for Coverity if we have common steps.
btw, there seems to be an official Coverity GitHub action, I don't know how usable it is:
https://documentation.blackduck.com/bundle/bridge/page/documentation/c_github-coverity.html
There was a problem hiding this comment.
I prefer relying on simple commands directly over using GitHub Actions.
GA abstract too much, making it feel like "magic" or "black box".
Reproducing workflows locally isn’t straightforward for developers—unless you use nektos/act, which isn’t easy to setup nor to use.
For me, it's the same logic as with Jenkins plugin: the less you rely on it, the happier you are.
There was a problem hiding this comment.
Fair point, it is nice to view the Workflow as a list of commands that one can execute locally by copy-pasting.
I don't know much about Coverity, but it looks quite similar to SonarQube in being "magic / black box".
Sure you download tools, but you have no idea what they do besides produce data in a proprietary format that you then upload to a web platform for processing. Maybe I am wrong, as I have not looked in the details. Anyway, I'm diverging.
.github/workflows/build.yaml
Outdated
| run: | | ||
| # Download toolbox | ||
| COVERITY_URL="https://scan.coverity.com/download/cxx/linux64" | ||
| wget -q $COVERITY_URL --post-data "token=${COVERITY_SCAN_TOKEN}&project=wisun-br-linux" -O coverity.tar.gz --no-check-certificate |
There was a problem hiding this comment.
Why no-check-certificate?
There was a problem hiding this comment.
Locally, I couldn't check the certificate under the Silabs network, and this issue would also apply to self-hosted runners. We can assume that we won't use self-hosted runners for public repositories, and therefore, for Coverity, we don't need that flag.
However, I wanted to note the first point somewhere.
.github/workflows/build.yaml
Outdated
| tar -xf coverity.tar.gz -C coverity --strip-components=1 | ||
| rm -fr coverity.tar.gz | ||
| # For the current shell session | ||
| export PATH=$(pwd)/coverity/bin:$PATH |
There was a problem hiding this comment.
ln -sfn $(pwd)/coverity/bin/coverity /usr/bin, so you can drop the pain with $PATH
There was a problem hiding this comment.
Do you mean ln -sfn $(pwd)/coverity/bin/ /usr/bin ?
Because, the goal is to facilitate the call to toolbox (cov-build, cov-analyze ...) not only coverity.
There was a problem hiding this comment.
Then, ln -sfn $(pwd)/coverity/bin/cov* /usr/bin
yasslbk
force-pushed
the
wip/yla/ci
branch
4 times, most recently
from
05d1b98 to
76daf49
Compare
* For main branch, download toolbox, build wsbrd using coverity then publish results. * Make sure cov commands are stored in /opt/coverity and accessible by creating a symlink to /usr/local/bin.
|
V2:
|
There was a problem hiding this comment.
Can you move this into a separate workflow then? This will make it easy to tweak the run condition without affecting the regular build.
Also we will be able to use jobs.<job_id>.if instead of jobs.<job_id>.steps[*].if.
| COVERITY_SCAN_EMAIL: ${{ secrets.COVERITY_SCAN_EMAIL }} | ||
| COVERITY_SCAN_VERSION: ${{ github.sha }} | ||
| run: | | ||
| tar czf cov-int.tgz cov-int |
There was a problem hiding this comment.
What does "int" mean here?
| --form email="$COVERITY_SCAN_EMAIL" \ | ||
| --form [email protected] \ | ||
| --form version="$COVERITY_SCAN_VERSION" \ | ||
| --form description="Coverity scan results for commit $COVERITY_SCAN_VERSION" \ |
There was a problem hiding this comment.
Is this description necessary? It currently does not provide much information since the version is already provided. I could not even find where this description can be read on the frontend 😅
| --form token="$COVERITY_SCAN_TOKEN" \ | ||
| --form email="$COVERITY_SCAN_EMAIL" \ | ||
| --form [email protected] \ | ||
| --form version="$COVERITY_SCAN_VERSION" \ |
There was a problem hiding this comment.
Should we use something more human friendly than a SHA? The output of wsbrd --version uses git describe.
This PR adds Coverity support to the build workflow.
We need to add the needed secrets at a repository level.
We can restrict Coverity to publish only results of main branch.