[gnome-shell/wip/carlosg/ci-coverity] ci: Add job for pushing coverity reports

[Carlos Garnacho <carlosg src gnome org>]

commit 9acfee15c7c757e0c3850f82516300fc6022bcd4
Author: Carlos Garnacho <carlosg gnome org>
Date:   Wed Jul 14 19:21:34 2021 +0200

    ci: Add job for pushing coverity reports
    
    This job does:
    1. Download the coverity bundle and untar it in a cached location
    2. Build GNOME Shell using clang and the coverity tool
    3. Compress the coverity report
    4. Upload for analysis
    
    In a similar setup to that of Mutter.

 .gitlab-ci.yml                          | 31 +++++++++++++++++++++++++--
 .gitlab-ci/download-coverity-tarball.sh | 38 +++++++++++++++++++++++++++++++++
 2 files changed, 67 insertions(+), 2 deletions(-)
---
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 2f09743335..5483e2f908 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -9,6 +9,7 @@ stages:
  - review
  - build
  - test
+ - analyze
  - deploy
 
 default:
@@ -48,10 +49,10 @@ workflow:
 .gnome-shell.fedora:34:
     variables:
         FDO_DISTRIBUTION_VERSION: 34
-        FDO_DISTRIBUTION_TAG: '2021-07-07.1'
+        FDO_DISTRIBUTION_TAG: '2021-07-14.1'
         FDO_UPSTREAM_REPO: GNOME/gnome-shell
         FDO_DISTRIBUTION_PACKAGES: |
-            findutils mozjs78-devel nodejs npm meson \
+            findutils mozjs78-devel nodejs npm meson clang \
             'pkgconfig(gio-2.0)' 'pkgconfig(gio-unix-2.0)' \
             'pkgconfig(gnome-autoar-0)' 'pkgconfig(json-glib-1.0)'
         FDO_DISTRIBUTION_EXEC: |
@@ -208,6 +209,32 @@ test:
             - build/meson-logs/testlog.txt
         when: on_failure
 
+test-coverity:
+  rules:
+    - if: '$CI_PIPELINE_SOURCE == "schedule" && $GNOME_SHELL_SCHEDULED_JOB == "coverity"'
+      when: always
+    - when: manual
+  extends:
+    - .fdo.distribution-image@fedora
+    - .gnome-shell.fedora:34
+  needs:
+    - build-fedora-container
+  stage: analyze
+  allow_failure: true
+  script:
+    - .gitlab-ci/download-coverity-tarball.sh
+    - CC=clang meson coverity-build
+    - ./coverity/cov-analysis-linux64-*/bin/cov-build --fs-capture-search js --dir cov-int ninja -C 
coverity-build
+    - tar czf cov-int.tar.gz cov-int
+    - curl https://scan.coverity.com/builds?project=GNOME+Shell
+      --form token=$COVERITY_TOKEN --form email=carlosg gnome org
+      --form file=@cov-int.tar.gz --form version="`git describe --tags`"
+      --form description="GitLab CI build"
+  cache:
+    key: coverity-tarball
+    paths:
+      - coverity
+
 flatpak:
     stage: build
     needs: ["check_commit_log"]
diff --git a/.gitlab-ci/download-coverity-tarball.sh b/.gitlab-ci/download-coverity-tarball.sh
new file mode 100755
index 0000000000..e2afc5d555
--- /dev/null
+++ b/.gitlab-ci/download-coverity-tarball.sh
@@ -0,0 +1,38 @@
+#!/usr/bin/bash
+
+# We need a coverity token to fetch the tarball
+if [ -x $COVERITY_TOKEN ]
+then
+  echo "No coverity token. Run this job from a protected branch."
+  exit -1
+fi
+
+mkdir -p coverity
+
+# Download and check MD5 first
+curl https://scan.coverity.com/download/linux64 \
+  --data "token=$COVERITY_TOKEN&project=GNOME+Shell&md5=1" \
+  --output /tmp/coverity_tool.md5
+
+diff /tmp/coverity_tool.md5 coverity/coverity_tool.md5 >/dev/null 2>&1
+
+if [ $? -eq 0 -a -d coverity/cov-analysis* ]
+then
+  echo "Coverity tarball is up-to-date"
+  exit 0
+fi
+
+# Download and extract coverity tarball
+curl https://scan.coverity.com/download/linux64 \
+  --data "token=$COVERITY_TOKEN&project=GNOME+Shell" \
+  --output /tmp/coverity_tool.tgz
+
+rm -rf ./coverity/cov-analysis*
+
+tar zxf /tmp/coverity_tool.tgz -C coverity/
+if [ $? -eq 0 ]
+then
+  mv /tmp/coverity_tool.md5 coverity/
+fi
+
+rm /tmp/coverity_tool.tgz