gitlab-ci: add coverity submissions to weekly scheduled CI

We currently submit builds to Coverity manually every now and then, but it would make sense to submit them more frequently and periodically, so that it can detect defects sooner. Add a "coverity" stage to the pipeline, which submits a build to Coverit (the scheduls currently set to run every week). https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1973
2024-06-29 06:04:26 +00:00 · 2024-06-19 15:13:30 +02:00 · 2024-06-19 15:13:30 +02:00 · 508d43efc9
commit 508d43efc9
parent 14eaf4e419
3 changed files with 68 additions and 5 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -49,6 +49,7 @@ stages:
  - tier3
  - deploy
  - triage
+  - coverity

 variables:
  FDO_UPSTREAM_REPO: NetworkManager/NetworkManager
@ -59,11 +60,11 @@ variables:
  #
  # This is done by running `ci-fairy generate-template` and possibly bumping
  # ".default_tag".
-  ALPINE_TAG:  'tag-ec99bc32ed7f'
-  CENTOS_TAG:  'tag-a76c3f2e9d0f'
-  DEBIAN_TAG:  'tag-3f6892bcd503'
-  FEDORA_TAG:  'tag-a76c3f2e9d0f'
-  UBUNTU_TAG:  'tag-3f6892bcd503'
+  ALPINE_TAG:  'tag-f0b648c04526'
+  CENTOS_TAG:  'tag-c2d500e0391f'
+  DEBIAN_TAG:  'tag-7687baa06688'
+  FEDORA_TAG:  'tag-c2d500e0391f'
+  UBUNTU_TAG:  'tag-7687baa06688'

  ALPINE_EXEC: 'bash .gitlab-ci/alpine-install.sh'
  CENTOS_EXEC: 'bash .gitlab-ci/fedora-install.sh'
@ -639,6 +640,24 @@ triage:issues:
    - gem install gitlab-triage
    - gitlab-triage --debug --token $API_TOKEN --source-id $CI_PROJECT_ID

+coverity:
+  extends:
+    - .fdo.distribution-image@fedora
+  variables:
+    FDO_DISTRIBUTION_VERSION: '40'
+    FDO_DISTRIBUTION_TAG: $FEDORA_TAG
+  stage: coverity
+  needs: []
+  rules:
+    - if: $CI_PIPELINE_SOURCE == 'schedule'
+  script:
+    - dnf install -y curl
+    - BUILD_TYPE=meson CC=gcc CONFIGURE_ONLY=1 contrib/scripts/nm-ci-run.sh
+    - cd build
+    - ../.gitlab-ci/coverity.sh download
+    - cov-analysis-linux64-*/bin/cov-build --dir cov-int ninja
+    - ../.gitlab-ci/coverity.sh upload
+
 # Clean the generated images periodically to get updated snapshots of the distribution images.
 # Create an scheduled pipeline to run it, passing an AUTHFILE environment variable of type
 # 'File' with an authentication token with API access level.
--- a/.gitlab-ci/ci.template
+++ b/.gitlab-ci/ci.template
@ -53,6 +53,7 @@ stages:
  - tier3
  - deploy
  - triage
+  - coverity

 variables:
  FDO_UPSTREAM_REPO: NetworkManager/NetworkManager
@ -248,6 +249,24 @@ triage:issues:
    - gem install gitlab-triage
    - gitlab-triage --debug --token $API_TOKEN --source-id $CI_PROJECT_ID

+coverity:
+  extends:
+    - .fdo.distribution-image@fedora
+  variables:
+    FDO_DISTRIBUTION_VERSION: '40'
+    FDO_DISTRIBUTION_TAG: $FEDORA_TAG
+  stage: coverity
+  needs: []
+  rules:
+    - if: $CI_PIPELINE_SOURCE == 'schedule'
+  script:
+    - dnf install -y curl
+    - BUILD_TYPE=meson CC=gcc CONFIGURE_ONLY=1 contrib/scripts/nm-ci-run.sh
+    - cd build
+    - ../.gitlab-ci/coverity.sh download
+    - cov-analysis-linux64-*/bin/cov-build --dir cov-int ninja
+    - ../.gitlab-ci/coverity.sh upload
+
 # Clean the generated images periodically to get updated snapshots of the distribution images.
 # Create an scheduled pipeline to run it, passing an AUTHFILE environment variable of type
 # 'File' with an authentication token with API access level.
--- a/.gitlab-ci/coverity.sh
+++ b/.gitlab-ci/coverity.sh
@ -0,0 +1,25 @@
+#!/bin/bash
+set -e
+
+[ "$COVERITY_SCAN_PROJECT_NAME" = "" ] && echo "missing COVERITY_SCAN_PROJECT_NAME" >&2 && exit 1
+[ "$COVERITY_SCAN_TOKEN" = "" ] && echo "missing COVERITY_SCAN_PROJECT_NAME" >&2 && exit 1
+
+if [ "$1" = "download" ]; then
+    curl https://scan.coverity.com/download/linux64 \
+         -o /tmp/cov-analysis-linux64.tar.gz        \
+         --form "project=$COVERITY_SCAN_PROJECT_NAME" \
+         --form "token=$COVERITY_SCAN_TOKEN"
+
+    tar xvzf /tmp/cov-analysis-linux64.tar.gz
+elif [ "$1" = "upload" ]; then
+    tar cvzf cov-int.tar.gz cov-int
+    ls -l cov-int.tar.gz
+    curl "https://scan.coverity.com/builds?project=$COVERITY_SCAN_PROJECT_NAME" \
+          --form "token=$COVERITY_SCAN_TOKEN" --form "email=$GITLAB_USER_EMAIL" \
+          --form file=@cov-int.tar.gz --form version="`meson introspect --projectinfo | jq -r .version`" \
+          --form description="ci run: $CI_COMMIT_TITLE / `git rev-parse --short HEAD`"
+    rm -rf cov-int*
+else
+    echo "invalid command: $1" >&2
+    exit 1
+fi