From 3f45315b8495e53a237a48a5c985ad6698ed9d69 Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Tue, 7 May 2024 11:39:37 +0200
Subject: [PATCH] ci: submit dbus-broker builds to Coverity automatically

Let's make a full use of Coverity and submit the builds for analysis
automatically every midnight. We can't do that for every PR, since there
are quite strict rate limits that limit how many builds we can submit
per day and per week (see [0]).

The action (and the script) requires two environment variables to be
set - $COVERITY_SCAN_TOKEN for authentication (can be found here [1]),
and $COVERITY_SCAN_NOTIFICATION_EMAIL for sending the email notification
when the build analysis is done. Originally this email used to be set to
the email from the latest commit, but since the author of that commit
might not even have permissions to see the Coverity report it's best to
set it to one of the dbus-broker maintainers.

Resolves: #316

[0] https://scan.coverity.com/faq#frequency
[1] https://scan.coverity.com/projects/dbus-broker?tab=project_settings
---
 .github/workflows/coverity.sh  | 62 ++++++++++++++++++++++++++++++++++
 .github/workflows/coverity.yml | 36 ++++++++++++++++++++
 2 files changed, 98 insertions(+)
 create mode 100755 .github/workflows/coverity.sh
 create mode 100644 .github/workflows/coverity.yml

diff --git a/.github/workflows/coverity.sh b/.github/workflows/coverity.sh
new file mode 100755
index 00000000..4aabde45
--- /dev/null
+++ b/.github/workflows/coverity.sh
@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+set -eux
+
+COVERITY_SCAN_TOOL_BASE="/tmp/coverity-scan-analysis"
+COVERITY_SCAN_PROJECT_NAME="dbus-broker"
+
+coverity_install_script() {
+    local platform tool_url tool_archive
+
+    platform=$(uname)
+    tool_url="https://scan.coverity.com/download/${platform}"
+    tool_archive="/tmp/cov-analysis-${platform}.tgz"
+
+    set +x # this is supposed to hide COVERITY_SCAN_TOKEN
+    echo -e "\033[33;1mDownloading Coverity Scan Analysis Tool...\033[0m"
+    wget -nv -O "$tool_archive" "$tool_url" --post-data "project=$COVERITY_SCAN_PROJECT_NAME&token=${COVERITY_SCAN_TOKEN:?}"
+    set -x
+
+    mkdir -p "$COVERITY_SCAN_TOOL_BASE"
+    pushd "$COVERITY_SCAN_TOOL_BASE"
+    tar xzf "$tool_archive"
+    popd
+}
+
+run_coverity() {
+    local results_dir tool_dir results_archive sha response status_code
+
+    results_dir="cov-int"
+    tool_dir=$(find "$COVERITY_SCAN_TOOL_BASE" -type d -name 'cov-analysis*')
+    results_archive="analysis-results.tgz"
+    sha=$(git rev-parse --short HEAD)
+
+    meson setup build -Dapparmor=true -Daudit=true -Dselinux=true
+    COVERITY_UNSUPPORTED=1 "$tool_dir/bin/cov-build" --dir "$results_dir" sh -c "ninja -C ./build -v"
+    "$tool_dir/bin/cov-import-scm" --dir "$results_dir" --scm git --log "$results_dir/scm_log.txt"
+
+    tar czf "$results_archive" "$results_dir"
+
+    set +x # this is supposed to hide COVERITY_SCAN_TOKEN
+    echo -e "\033[33;1mUploading Coverity Scan Analysis results...\033[0m"
+    response=$(curl \
+               --silent --write-out "\n%{http_code}\n" \
+               --form project="$COVERITY_SCAN_PROJECT_NAME" \
+               --form token="${COVERITY_SCAN_TOKEN:?}" \
+               --form email="${COVERITY_SCAN_NOTIFICATION_EMAIL:?}" \
+               --form file="@$results_archive" \
+               --form version="$sha" \
+               --form description="Daily build" \
+               https://scan.coverity.com/builds)
+    printf "\033[33;1mThe response is\033[0m\n%s\n" "$response"
+    status_code=$(echo "$response" | sed -n '$p')
+    if [ "$status_code" != "200" ]; then
+        echo -e "\033[33;1mCoverity Scan upload failed: $(echo "$response" | sed '$d').\033[0m"
+        return 1
+    fi
+    set -x
+}
+
+coverity_install_script
+run_coverity
diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
new file mode 100644
index 00000000..90714931
--- /dev/null
+++ b/.github/workflows/coverity.yml
@@ -0,0 +1,36 @@
+---
+# vi: ts=2 sw=2 et:
+
+name: Coverity
+
+on:
+  schedule:
+    # Run Coverity daily at midnight
+    - cron:  '0 0 * * *'
+  pull_request:
+    paths:
+      - ".github/workflows/coverity.*"
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    #if: github.repository == 'bus1/dbus-broker'
+    env:
+      # Set in repo settings -> Secrets and variables -> Actions -> Repository secrets
+      COVERITY_SCAN_TOKEN:              "${{ secrets.COVERITY_SCAN_TOKEN }}"
+      COVERITY_SCAN_NOTIFICATION_EMAIL: "${{ secrets.COVERITY_SCAN_NOTIFICATION_EMAIL }}"
+    steps:
+      - name: Repository checkout
+        uses: actions/checkout@v4
+
+      - name: Install build dependencies
+        run: |
+          sudo add-apt-repository -y --enable-source
+          sudo apt build-dep -y dbus-broker
+          sudo apt install -y libselinux1-dev libapparmor-dev libaudit-dev
+
+      - name: Build & upload the results
+        run: .github/workflows/coverity.sh