Add Coverity static analyzer scan

WE2-539 Signed-off-by: Raul Metsma <raul@metsma.ee>
web-eid · Apr 4, 2023 · 7e161a5 · 7e161a5
1 parent 36abf82
commit 7e161a5
Showing 1 changed file with 57 additions and 3 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -7,7 +7,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
       with:
         submodules: recursive
 
@@ -16,7 +16,7 @@ jobs:
         node-version: '14.x'
 
     - name: Cache Node.js modules
-      uses: actions/cache@v2
+      uses: actions/cache@v3
       with:
         # npm cache files are stored in `~/.npm` on Linux/macOS
         path: ~/.npm
@@ -35,7 +35,61 @@ jobs:
         npm run test clean build package
 
     - name: Upload artifacts
-      uses: actions/upload-artifact@v2
+      uses: actions/upload-artifact@v3
       with:
         name: web-eid-webextension-${{github.run_number}}
         path: dist/
+
+  coverity:
+    name: Run Coverity tests
+    if: contains(github.repository, 'web-eid/web-eid-webextension') && contains(github.ref, 'coverity_scan')
+    runs-on: ubuntu-latest
+    env:
+      TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
+      PROJECTNAME: 'web-eid/web-eid-webextension'
+
+    steps:
+    - uses: actions/checkout@v3
+      with:
+        submodules: recursive
+
+    - uses: actions/setup-node@v1
+      with:
+        node-version: '14.x'
+
+    - name: Cache Node.js modules
+      uses: actions/cache@v3
+      with:
+        # npm cache files are stored in `~/.npm` on Linux/macOS
+        path: ~/.npm
+        key: ${{ runner.OS }}-node-${{ hashFiles('**/package-lock.json') }}
+        restore-keys: |
+          ${{ runner.OS }}-node-
+          ${{ runner.OS }}-
+
+    - name: Install dependencies
+      run: npm ci
+
+    - name: Download Coverity Build Tool
+      run: |
+        curl --silent --data "token=$TOKEN&project=$PROJECTNAME" -o cov-analysis-linux64.tar.gz https://scan.coverity.com/download/cxx/linux64
+        mkdir cov-analysis-linux64
+        tar xzf cov-analysis-linux64.tar.gz --strip 1 -C cov-analysis-linux64
+
+    - name: Build
+      run: |
+        export SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)
+        export PATH=$PWD/cov-analysis-linux64/bin:$PATH
+        cov-capture --dir cov-int --project-dir . --language typescript
+
+    - name: Submit the result to Coverity Scan
+      run: |
+        tar czvf upload.tgz cov-int
+        curl --silent \
+          --form project=$PROJECTNAME \
+          --form token=$TOKEN \
+          --form email=eid-teenusehaldus@ria.ee \
+          --form file=@upload.tgz \
+          --form version=master \
+          --form description="Github Actions CI build" \
+          https://scan.coverity.com/builds?project=$PROJECTNAME