[mutter/wip/carlosg/ci-coverity] ci: Add job for pushing coverity reports

From: Carlos Garnacho <carlosg src gnome org>
To: commits-list gnome org
Cc:
Subject: [mutter/wip/carlosg/ci-coverity] ci: Add job for pushing coverity reports
Date: Fri, 9 Jul 2021 11:27:34 +0000 (UTC)

commit dfc3cd09f8df6165b634fd00e813827c795078b0
Author: Carlos Garnacho <carlosg gnome org>
Date:   Sat Feb 29 15:06:26 2020 +0100

    ci: Add job for pushing coverity reports
    
    This job does:
    1. Download the coverity bundle and untar it
    2. Build mutter using clang and the coverity tool
    3. Compress the coverity report
    4. Upload for analysis
    
    Things to note:
    - Analysis are throttled, as per https://scan.coverity.com/faq#frequency
      we qualify for 21 weekly builds, 3 daily. Mutter is sometimes a busy
      project, so it seems we'd get often those consumed early in the day.
      This is something we can resign to, but the times we'll try to upload
      a report to have it rejected make the operation kinda pointless and
      probably better throttled by ourselves.
    - The task is manual, given the restrictions above.
    - The task only applies on master, as the envvar holding the coverity
      token is protected in gitlab.
    - I had to use clang as the coverity tool doesn't seem to work ATM with
      gcc as per recent Fedora.
    - The coverity tarball is 1.2GB in size, which is a bit too big to have
      it downloaded each time. As per their upload instructions, the tarball
      gets updated twice yearly, so this is cached to minimize downloads.
    - The coverity token for mutter is kept private/hidden in gitlab CI
      settings.

 .gitlab-ci.yml                          | 37 ++++++++++++++++++++++++++++----
 .gitlab-ci/download-coverity-tarball.sh | 38 +++++++++++++++++++++++++++++++++
 2 files changed, 71 insertions(+), 4 deletions(-)
---
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 44c91dd842..5af949d41a 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -7,14 +7,14 @@ stages:
  - prepare
  - build
  - test
- - coverage
+ - analyze
 
 .mutter.fedora:34@common:
   variables:
     FDO_DISTRIBUTION_VERSION: 34
-    BASE_TAG: '2021-07-07.1'
+    BASE_TAG: '2021-07-09.1'
     FDO_UPSTREAM_REPO: GNOME/mutter
-    FDO_DISTRIBUTION_PACKAGES: 'gdm gnome-shell xorg-x11-server-Xvfb sassc gcovr'
+    FDO_DISTRIBUTION_PACKAGES: 'gdm gnome-shell xorg-x11-server-Xvfb sassc gcovr clang'
 
     FDO_DISTRIBUTION_EXEC: |
       dnf install -y 'dnf-command(builddep)' &&
@@ -226,7 +226,7 @@ test-mutter@aarch64:
 .test-mutter-coverage:
   extends:
     - .fdo.distribution-image@fedora
-  stage: coverage
+  stage: analyze
   script:
     - ninja -C build coverage
     - cat build/meson-logs/coverage.txt
@@ -262,3 +262,32 @@ can-build-gnome-shell@x86_64:
     - .gitlab-ci/checkout-gnome-shell.sh
     - meson gnome-shell gnome-shell/build --prefix /usr -Dman=false
     - ninja -C gnome-shell/build install
+
+test-mutter-coverity:
+  extends:
+    - .fdo.distribution-image@fedora
+    - .mutter.fedora:34@x86_64
+  needs:
+    - build-fedora-container@x86_64
+  stage: analyze
+  allow_failure: true
+  script:
+    - .gitlab-ci/download-coverity-tarball.sh
+    - CC=clang meson coverity-build -Dprofiler=false
+    - ./coverity/cov-analysis-linux64-*/bin/cov-build --dir cov-int ninja -C coverity-build
+    - tar czf cov-int.tar.gz cov-int
+    - curl https://scan.coverity.com/builds?project=mutter
+      --form token=$COVERITY_TOKEN --form email=carlosg gnome org
+      --form file=@cov-int.tar.gz --form version="`git describe --tags`"
+      --form description="GitLab CI build"
+  cache:
+    key: coverity-tarball
+    paths:
+      - coverity
+  when: manual
+  only:
+    - merge_requests
+    - master
+  except:
+    changes:
+      - po/*.po
diff --git a/.gitlab-ci/download-coverity-tarball.sh b/.gitlab-ci/download-coverity-tarball.sh
new file mode 100755
index 0000000000..9d387bbe8f
--- /dev/null
+++ b/.gitlab-ci/download-coverity-tarball.sh
@@ -0,0 +1,38 @@
+#!/usr/bin/bash
+
+# We need a coverity token to fetch the tarball
+if [ -x $COVERITY_TOKEN ]
+then
+  echo "No coverity token"
+  exit -1
+fi
+
+mkdir -p coverity
+
+# Download and check MD5 first
+curl https://scan.coverity.com/download/linux64 \
+  --data "token=$COVERITY_TOKEN&project=mutter&md5=1" \
+  --output /tmp/coverity_tool.md5
+
+diff /tmp/coverity_tool.md5 coverity/coverity_tool.md5 >/dev/null 2>&1
+
+if [ $? -eq 0 -a -d coverity/cov-analysis* ]
+then
+  echo "Coverity tarball is up-to-date"
+  exit 0
+fi
+
+# Download and extract coverity tarball
+curl https://scan.coverity.com/download/linux64 \
+  --data "token=$COVERITY_TOKEN&project=mutter" \
+  --output /tmp/coverity_tool.tgz
+
+rm -rf ./coverity/cov-analysis*
+
+tar zxf /tmp/coverity_tool.tgz -C coverity/
+if [ $? -eq 0 ]
+then
+  mv /tmp/coverity_tool.md5 coverity/
+fi
+
+rm /tmp/coverity_tool.tgz
[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]