From 508d43efc9d363e2434db280f73cb6bda60abcc1 Mon Sep 17 00:00:00 2001 From: Jan Vaclav Date: Wed, 19 Jun 2024 15:13:30 +0200 Subject: [PATCH] gitlab-ci: add coverity submissions to weekly scheduled CI We currently submit builds to Coverity manually every now and then, but it would make sense to submit them more frequently and periodically, so that it can detect defects sooner. Add a "coverity" stage to the pipeline, which submits a build to Coverit (the scheduls currently set to run every week). https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1973 --- .gitlab-ci.yml | 29 ++++++++++++++++++++++++----- .gitlab-ci/ci.template | 19 +++++++++++++++++++ .gitlab-ci/coverity.sh | 25 +++++++++++++++++++++++++ 3 files changed, 68 insertions(+), 5 deletions(-) create mode 100755 .gitlab-ci/coverity.sh diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 3c14e0a2fc..8a80e02395 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -49,6 +49,7 @@ stages: - tier3 - deploy - triage + - coverity variables: FDO_UPSTREAM_REPO: NetworkManager/NetworkManager @@ -59,11 +60,11 @@ variables: # # This is done by running `ci-fairy generate-template` and possibly bumping # ".default_tag". - ALPINE_TAG: 'tag-ec99bc32ed7f' - CENTOS_TAG: 'tag-a76c3f2e9d0f' - DEBIAN_TAG: 'tag-3f6892bcd503' - FEDORA_TAG: 'tag-a76c3f2e9d0f' - UBUNTU_TAG: 'tag-3f6892bcd503' + ALPINE_TAG: 'tag-f0b648c04526' + CENTOS_TAG: 'tag-c2d500e0391f' + DEBIAN_TAG: 'tag-7687baa06688' + FEDORA_TAG: 'tag-c2d500e0391f' + UBUNTU_TAG: 'tag-7687baa06688' ALPINE_EXEC: 'bash .gitlab-ci/alpine-install.sh' CENTOS_EXEC: 'bash .gitlab-ci/fedora-install.sh' 
@@ -639,6 +640,24 @@ triage:issues: - gem install gitlab-triage - gitlab-triage --debug --token $API_TOKEN --source-id $CI_PROJECT_ID +coverity: + extends: + - .fdo.distribution-image@fedora + variables: + FDO_DISTRIBUTION_VERSION: '40' + FDO_DISTRIBUTION_TAG: $FEDORA_TAG + stage: coverity + needs: [] + rules: + - if: $CI_PIPELINE_SOURCE == 'schedule' + script: + - dnf install -y curl + - BUILD_TYPE=meson CC=gcc CONFIGURE_ONLY=1 contrib/scripts/nm-ci-run.sh + - cd build + - ../.gitlab-ci/coverity.sh download + - cov-analysis-linux64-*/bin/cov-build --dir cov-int ninja + - ../.gitlab-ci/coverity.sh upload + # Clean the generated images periodically to get updated snapshots of the distribution images. # Create an scheduled pipeline to run it, passing an AUTHFILE environment variable of type # 'File' with an authentication token with API access level. diff --git a/.gitlab-ci/ci.template b/.gitlab-ci/ci.template index 55df9d9ba6..aa9cfb968c 100644 --- a/.gitlab-ci/ci.template +++ b/.gitlab-ci/ci.template @@ -53,6 +53,7 @@ stages: - tier3 - deploy - triage + - coverity variables: FDO_UPSTREAM_REPO: NetworkManager/NetworkManager 
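Review bot: The rule `- if: $CI_PIPELINE_SOURCE == 'schedule'` on the new `coverity` job matches every scheduled pipeline, not only the weekly Coverity one. The comment directly below the job describes a scheduled pipeline for image cleanup; if that is a separate schedule it would also trigger a tool download and a build upload, and a schedule in a fork would run the job and fail for lack of the token. Scoping the rule to the upstream project, for example `- if: $CI_PIPELINE_SOURCE == 'schedule' && $CI_PROJECT_PATH == $FDO_UPSTREAM_REPO`, plus a variable set only on the Coverity schedule, keeps the job that holds `COVERITY_SCAN_TOKEN` from running elsewhere. The token should be stored as a masked, protected CI/CD variable. The same applies to the identical job added in the `.gitlab-ci/ci.template` hunk.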
@@ -248,6 +249,24 @@ triage:issues: - gem install gitlab-triage - gitlab-triage --debug --token $API_TOKEN --source-id $CI_PROJECT_ID +coverity: + extends: + - .fdo.distribution-image@fedora + variables: + FDO_DISTRIBUTION_VERSION: '40' + FDO_DISTRIBUTION_TAG: $FEDORA_TAG + stage: coverity + needs: [] + rules: + - if: $CI_PIPELINE_SOURCE == 'schedule' + script: + - dnf install -y curl + - BUILD_TYPE=meson CC=gcc CONFIGURE_ONLY=1 contrib/scripts/nm-ci-run.sh + - cd build + - ../.gitlab-ci/coverity.sh download + - cov-analysis-linux64-*/bin/cov-build --dir cov-int ninja + - ../.gitlab-ci/coverity.sh upload + # Clean the generated images periodically to get updated snapshots of the distribution images. # Create an scheduled pipeline to run it, passing an AUTHFILE environment variable of type # 'File' with an authentication token with API access level. diff --git a/.gitlab-ci/coverity.sh b/.gitlab-ci/coverity.sh new file mode 100755 index 0000000000..8d06c52e87 --- /dev/null +++ b/.gitlab-ci/coverity.sh 
@@ -0,0 +1,25 @@
+#!/bin/bash
+set -e
+
+[ "$COVERITY_SCAN_PROJECT_NAME" = "" ] && echo "missing COVERITY_SCAN_PROJECT_NAME" >&2 && exit 1
+[ "$COVERITY_SCAN_TOKEN" = "" ] && echo "missing COVERITY_SCAN_PROJECT_NAME" >&2 && exit 1
+
+if [ "$1" = "download" ]; then
+ curl https://scan.coverity.com/download/linux64 \
+ -o /tmp/cov-analysis-linux64.tar.gz \
+ --form "project=$COVERITY_SCAN_PROJECT_NAME" \
+ --form "token=$COVERITY_SCAN_TOKEN"
+
+ tar xvzf /tmp/cov-analysis-linux64.tar.gz
+elif [ "$1" = "upload" ]; then
+ tar cvzf cov-int.tar.gz cov-int
+ ls -l cov-int.tar.gz
+ curl "https://scan.coverity.com/builds?project=$COVERITY_SCAN_PROJECT_NAME" \
+ --form "token=$COVERITY_SCAN_TOKEN" --form "email=$GITLAB_USER_EMAIL" \
+ --form file=@cov-int.tar.gz --form version="`meson introspect --projectinfo | jq -r .version`" \
+ --form description="ci run: $CI_COMMIT_TITLE / `git rev-parse --short HEAD`"
+ rm -rf cov-int*
+else
+ echo "invalid command: $1" >&2
+ exit 1
+fi
\ No newline at end of file
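Review bot: Both `curl` calls run without `--fail`, so an HTTP error from scan.coverity.com (a rejected token, for instance) still exits 0. In the download branch the error body is saved as the tarball, and in the upload branch the job passes although nothing was submitted; using `curl --fail --silent --show-error` in both lets `set -e` stop the script. The second guard names the wrong variable and should read `echo "missing COVERITY_SCAN_TOKEN" >&2`. The job then executes the unpacked archive with the token in its environment, so a checksum comparison before `tar xvzf` is worth adding if the service publishes one for the download.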