From: "Johannes Schindelin via GitGitGadget" <gitgitgadget@gmail.com>
To: git@vger.kernel.org
Cc: Johannes Schindelin <johannes.schindelin@gmx.de>
Subject: [PATCH 0/6] Add a GitHub workflow to submit builds to Coverity Scan
Date: Fri, 22 Sep 2023 10:41:57 +0000
Message-ID: <pull.1588.git.1695379323.gitgitgadget@gmail.com>

Coverity [https://scan.coverity.com/] is a powerful static analysis tool
that helps prevent vulnerabilities. It is free to use by open source
projects, and Git benefits from this, as well as Git for Windows. As is the
case with many powerful tools, using Coverity comes with its own set of
challenges, one of which being that submitting a build is quite laborious.

To help with this, the Git for Windows project has had an Azure Pipeline for
several years already to automate submitting builds to Coverity Scan:
https://dev.azure.com/git-for-windows/git/_build/index?definitionId=35

It is time to move this automation off of Azure Pipelines, and I thought
that the Git project itself might as well benefit from this workflow.

Since Coverity build submissions require access (and a token to
authenticate), this workflow is skipped by default. To enable it, the
repository variable
[https://docs.github.com/en/actions/learn-github-actions/variables]
ENABLE_COVERITY_SCAN_FOR_BRANCHES needs to be added. Its value needs to be a
JSON string array containing the branch names, e.g. ["master", "next"].
Further, two repository secrets
[https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions]
need to be set: COVERITY_SCAN_EMAIL and COVERITY_SCAN_TOKEN.

An example run in the Git for Windows project can be admired here:
https://github.com/git-for-windows/git/actions/runs/6272393351/job/17033838405

To prove out that it would also work with the git Coverity project and
building on operating systems other than Windows, I added two throw-away
commits disabling the actual submission of the build to Coverity Scan (and
also the main.yml CI to save on electrons) and pushed the branch to my fork.
The ubuntu-latest run
[https://github.com/dscho/git/actions/runs/6272014876/job/17032859462], the
windows-latest run
[https://github.com/dscho/git/actions/runs/6272014876/job/17032859234] and
the macos-latest run
[https://github.com/dscho/git/actions/runs/6272014876/job/17032710138] all
worked as expected.

This patch series is based on that Azure Pipeline, the support code in
https://github.com/git-for-windows/build-extra/blob/0e0b919073fb/please.sh#L835-L968,
and is very loosely inspired by
https://lore.kernel.org/git/4590e1381feb8962cadf2b40b22086531d662ef8.1692675172.git.me@ttaylorr.com/
(but you may not know it from comparing the patches because they look so
vastly different). The reason why this patch series is so different is quite
sad because I got very excited about the simplicity of using the GitHub
Action vapier/coverity-scan-action. On paper, this Action looks really neat,
but its implementation left me wanting, in particular because it does not
even work (cov-configure must be called these days, and that Action simply
does not, causing the entire build to fail), lacks support for Windows and
macOS, fails to cache the Coverity Tool if the build fails for reasons
unrelated to downloading & extracting the tool, and the activity in its
issue tracker suggests to me that it is neither used nor maintained
actively.

This patch series is based on v2.42.0, but would apply literally everywhere
because it adds a new file and modifies no existing one.

Johannes Schindelin (6):
ci: add a GitHub workflow to submit Coverity scans
coverity: cache the Coverity Build Tool
coverity: allow overriding the Coverity project
coverity: support building on Windows
coverity: allow running on macOS
coverity: detect and report when the token or project is incorrect

 .github/workflows/coverity.yml | 159 +++++++++++++++++++++++++++++++++
 1 file changed, 159 insertions(+)
 create mode 100644 .github/workflows/coverity.yml

base-commit: 43c8a30d150ecede9709c1f2527c8fba92c65f40
Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-1588%2Fdscho%2Fcoverity-workflow-v1
Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-1588/dscho/coverity-workflow-v1
Pull-Request: https://github.com/gitgitgadget/git/pull/1588
--
gitgitgadget
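The cover letter above describes the opt-in mechanism (a repository variable holding a JSON array of branch names, plus two secrets) without showing how a workflow consumes it. The following is an added illustration of that pattern, not the workflow from this series and not Git's or Git for Windows' code. It assumes the variable and secret names given in the cover letter, the documented GitHub Actions `vars`/`secrets` contexts and `fromJSON`/`contains` expression functions, and the publicly documented Coverity Scan upload form; the `cov-configure`/`cov-build` invocations, the project name and the `linux64` tool download are assumptions for a Linux-only sketch, and the actual workflow in the series differs.

```yaml
name: Coverity (illustrative, not the workflow from this series)

on:
  push:
    branches: ['**']

jobs:
  coverity:
    # Gate on the repository variable: skip the job entirely unless the
    # pushed branch is listed in the JSON string array, e.g. ["master", "next"].
    # `|| '[]'` keeps fromJSON() valid when the variable is not defined at all,
    # so forks without the variable never attempt a submission.
    if: contains(fromJSON(vars.ENABLE_COVERITY_SCAN_FOR_BRANCHES || '[]'), github.ref_name)
    runs-on: ubuntu-latest
    env:
      # Secrets are only exposed to this gated job, and only via the environment.
      COVERITY_SCAN_EMAIL: ${{ secrets.COVERITY_SCAN_EMAIL }}
      COVERITY_SCAN_TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
      # Assumed project name; the series makes this overridable.
      COVERITY_PROJECT: git
    steps:
      - uses: actions/checkout@v4

      - name: verify that the credentials are configured
        # Fail early with a clear annotation instead of letting the upload
        # fail obscurely (the series adds similar detection in patch 6).
        run: |
          for name in COVERITY_SCAN_EMAIL COVERITY_SCAN_TOKEN; do
            if [ -z "$(printenv "$name")" ]; then
              echo "::error::repository secret $name is not set"
              exit 1
            fi
          done

      - name: restore the Coverity Build Tool from the cache
        id: cache
        uses: actions/cache@v4
        with:
          path: cov-analysis
          # Key only on the project; the tool changes rarely and the token
          # must never become part of a cache key.
          key: coverity-tool-${{ runner.os }}-${{ env.COVERITY_PROJECT }}

      - name: download the Coverity Build Tool
        if: steps.cache.outputs.cache-hit != 'true'
        # The download endpoint authenticates with the project token sent in the
        # POST body (documented Coverity Scan form), never in the URL, so it does
        # not end up in logs.
        run: |
          curl -fsS -o cov-analysis.tgz \
            --data-urlencode "token=$COVERITY_SCAN_TOKEN" \
            --data-urlencode "project=$COVERITY_PROJECT" \
            https://scan.coverity.com/download/linux64
          mkdir cov-analysis
          tar -xzf cov-analysis.tgz --strip-components=1 -C cov-analysis
          rm cov-analysis.tgz

      - name: build under cov-build
        # cov-configure is required by current tool versions, as the cover
        # letter notes; the compiler type is an assumption for ubuntu-latest.
        run: |
          export PATH="$PWD/cov-analysis/bin:$PATH"
          cov-configure --gcc
          cov-build --dir cov-int make -j"$(nproc)"
          tar -czf cov-int.tgz cov-int

      - name: submit the build to Coverity Scan
        run: |
          curl -fsS \
            --form "token=$COVERITY_SCAN_TOKEN" \
            --form "email=$COVERITY_SCAN_EMAIL" \
            --form "file=@cov-int.tgz" \
            --form "version=$GITHUB_SHA" \
            --form "description=$GITHUB_REF_NAME" \
            "https://scan.coverity.com/builds?project=$COVERITY_PROJECT"
```

Two design points worth noting: the `if:` condition lives on the job, so on a fork or a branch that is not opted in the job is skipped before any secret is ever materialised, and the cache step runs before the build rather than after it, which is what lets a cached tool survive a build that fails for unrelated reasons (the caching defect the cover letter attributes to vapier/coverity-scan-action).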
Thread overview (37+ messages):
2023-09-22 10:41 Johannes Schindelin via GitGitGadget [this message]
2023-09-22 10:41 ` [PATCH 1/6] ci: add a GitHub workflow to submit Coverity scans Johannes Schindelin via GitGitGadget
2023-09-23 6:49 ` Jeff King
2023-09-25 11:52 ` Johannes Schindelin
2023-09-25 12:09 ` Jeff King
2023-09-22 10:41 ` [PATCH 2/6] coverity: cache the Coverity Build Tool Johannes Schindelin via GitGitGadget
2023-09-23 6:58 ` Jeff King
2023-09-25 11:52 ` Johannes Schindelin
2023-09-22 10:42 ` [PATCH 3/6] coverity: allow overriding the Coverity project Johannes Schindelin via GitGitGadget
2023-09-23 7:00 ` Jeff King
2023-09-25 11:52 ` Johannes Schindelin
2023-09-25 12:11 ` Jeff King
2023-09-26 14:02 ` Johannes Schindelin
2023-09-26 14:19 ` Junio C Hamano
2023-09-26 14:39 ` Jeff King
2023-09-26 16:50 ` Junio C Hamano
2023-09-26 14:45 ` Jeff King
2023-09-22 10:42 ` [PATCH 4/6] coverity: support building on Windows Johannes Schindelin via GitGitGadget
2023-09-23 7:03 ` Jeff King
2023-09-22 10:42 ` [PATCH 5/6] coverity: allow running on macOS Johannes Schindelin via GitGitGadget
2023-09-23 7:06 ` Jeff King
2023-09-25 11:52 ` Johannes Schindelin
2023-09-25 12:13 ` Jeff King
2023-09-22 10:42 ` [PATCH 6/6] coverity: detect and report when the token or project is incorrect Johannes Schindelin via GitGitGadget
2023-09-23 7:07 ` Jeff King
2023-09-25 11:52 ` Johannes Schindelin
2023-09-25 12:17 ` Jeff King
2023-09-25 11:50 ` [PATCH v2 0/6] Add a GitHub workflow to submit builds to Coverity Scan Johannes Schindelin via GitGitGadget
2023-09-25 11:50 ` [PATCH v2 1/6] ci: add a GitHub workflow to submit Coverity scans Johannes Schindelin via GitGitGadget
2023-09-25 11:50 ` [PATCH v2 2/6] coverity: cache the Coverity Build Tool Johannes Schindelin via GitGitGadget
2023-09-25 11:50 ` [PATCH v2 3/6] coverity: allow overriding the Coverity project Johannes Schindelin via GitGitGadget
2023-09-25 11:51 ` [PATCH v2 4/6] coverity: support building on Windows Johannes Schindelin via GitGitGadget
2023-09-25 11:51 ` [PATCH v2 5/6] coverity: allow running on macOS Johannes Schindelin via GitGitGadget
2023-09-25 11:51 ` [PATCH v2 6/6] coverity: detect and report when the token or project is incorrect Johannes Schindelin via GitGitGadget
2023-09-25 12:25 ` [PATCH v2 0/6] Add a GitHub workflow to submit builds to Coverity Scan Jeff King
2023-09-25 17:20 ` Junio C Hamano
2023-09-26 13:57 ` Johannes Schindelin