diff options
author | Zack Weinberg <zackw@panix.com> | 2021-07-20 10:51:54 -0400 |
---|---|---|
committer | Zack Weinberg <zackw@panix.com> | 2021-07-22 11:55:55 -0400 |
commit | dad9dea0846bbb626870b5a86c683450417c0845 (patch) | |
tree | 198684498ed81f1ad90beca2532387185a62a660 /.github | |
parent | 3e5222194512e404e2ae4ccb1a8d050e8b5748d9 (diff) | |
download | libxcrypt-dad9dea0846bbb626870b5a86c683450417c0845.tar.gz libxcrypt-dad9dea0846bbb626870b5a86c683450417c0845.tar.bz2 libxcrypt-dad9dea0846bbb626870b5a86c683450417c0845.zip |
CI: Add workflows for running code quality tools.
Presently we have CodeQL and Coverity Scan. CodeQL is run on every
push, but Coverity is only run on a schedule since it’s aggressively
rate limited, the results are hidden in their private webapp, and it
doesn’t give us very high value feedback.
Diffstat (limited to '.github')
-rw-r--r-- | .github/workflows/codeql.yml | 99 | ||||
-rw-r--r-- | .github/workflows/coverity.yml | 155 |
2 files changed, 254 insertions, 0 deletions
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..2411ffb --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,99 @@ +name: "CodeQL static analysis" + +on: + push: + pull_request: + schedule: + - cron: '31 3 * * 1' # Monday at 3h31 UTC + +jobs: + skip_duplicates: + continue-on-error: true + runs-on: ubuntu-latest + outputs: + should_skip: ${{ steps.skip_check.outputs.should_skip }} + steps: + - id: skip_check + # pin to unreleased SHA so we can use 'same_content_newer' + # see https://github.com/fkirc/skip-duplicate-actions/pull/112 + uses: fkirc/skip-duplicate-actions@98d1dc89f43a47f8e4fba8e1c1fb8d6c5fc515ee + with: + concurrent_skipping: 'same_content_newer' + skip_after_successful_duplicate: 'true' + paths_ignore: '["doc/**", "**/*.md", "AUTHORS", "NEWS", "THANKS"]' + do_not_skip: '["workflow_dispatch", "schedule"]' + + CodeQL: + needs: skip_duplicates + if: ${{ needs.skip_duplicates.outputs.should_skip != 'true' }} + + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + steps: + - name: Checkout repository + uses: actions/checkout@v2 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v1 + with: + # CodeQL lumps C with C++. Perl is not currently supported. + languages: cpp, python + + # If you wish to specify custom queries, you can do so here or in a + # config file. By default, queries listed here will override any + # specified in a config file. Prefix the list here with "+" to use + # these queries and those in the config file. + #queries: + # - ./path/to/local/query + # - your-org/your-repo/queries@main + + - name: Versions of build tools + id: build-tools + run: ./build-aux/ci-log-dependency-versions + + - name: Cache bootstrap + id: cache + uses: actions/cache@v2 + with: + path: | + INSTALL + Makefile.in + aclocal.m4 + config.h.in + configure + autom4te.cache/** + build-aux/compile + build-aux/config.guess + build-aux/config.sub + build-aux/depcomp + build-aux/install-sh + build-aux/libtool.m4 + build-aux/ltmain.sh + build-aux/ltoptions.m4 + build-aux/ltsugar.m4 + build-aux/ltversion.m4 + build-aux/lt~obsolete.m4 + build-aux/missing + build-aux/test-driver + key: autoreconf-${{ steps.build-tools.outputs.autotools-ver }}-${{ hashFiles('autogen.sh', 'configure.ac', 'Makefile.am', 'build-aux/*.m4') }} + + - name: Bootstrap + if: steps.cache.outputs.cache-hit != 'true' + run: ./autogen.sh + + - name: Configure + run: ./configure --enable-obsolete-api --enable-hashes=all + + - name: Build + run: make all test-programs + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v1 + + - name: Detailed error logs + if: failure() + run: ./build-aux/ci-log-logfiles diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml new file mode 100644 index 0000000..97bbb8d --- /dev/null +++ b/.github/workflows/coverity.yml @@ -0,0 +1,155 @@ +name: Coverity + +# Coverity Scan gives relatively low-quality reports and has strict +# rate limits, so we only run it on the main branch on a schedule. +on: + schedule: + - cron: '31 3 * * 1' # Monday at 3h31 UTC + +jobs: + Coverity: + runs-on: ubuntu-latest + + env: + CVT_PROJECT: besser82/libxcrypt + + # Coverity doesn't have official Github Actions integration yet. + # The steps below were kitbashed together from the contents of + # https://scan.coverity.com/scripts/travisci_build_coverity_scan.sh + # plus some notions from + # https://github.com/ruby/actions-coverity-scan/blob/master/.github/workflows/coverity-scan.yml + steps: + - name: Check for authorization + env: + CVT_TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }} + run: | + if [ -z "$CVT_TOKEN" ]; then + printf '\033[33;1mCoverity Scan token not available.\033[0m\n' + exit 1 + fi + AUTH_RES=$(curl -s --form project="$CVT_PROJECT" \ + --form token="$CVT_TOKEN" \ + https://scan.coverity.com/api/upload_permitted) + if [ "$AUTH_RES" = "Access denied" ]; then + printf '\033[33;1mCoverity Scan API access denied.\033[0m\n' + printf 'Check project name and access token.\n' + exit 1 + else + AUTH=$(printf '%s' "$AUTH_RES" | ruby -e " + require 'rubygems' + require 'json' + puts JSON[STDIN.read]['upload_permitted'] + ") + if [ "$AUTH" = "true" ]; then + echo ok + exit 0 + else + WHEN=$(printf '%s' "$AUTH_RES" | ruby -e " + require 'rubygems' + require 'json' + puts JSON[STDIN.read]['next_upload_permitted_at'] + ") + printf '\033[33;1mCoverity Scan access blocked until %s.\033[0m\n' \ + "$WHEN" + exit 1 + fi + fi + + - name: Checkout repository + uses: actions/checkout@v2 + + - name: Download Coverity Build Tool + env: + CVT_TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }} + run: | + echo Downloading Coverity tools... + # Put the tools in the parent directory so the build can't + # clobber them by accident. + cd .. + curl --no-progress-meter -o cov-analysis-linux64.tar.gz \ + --form token="$CVT_TOKEN" \ + --form project="$CVT_PROJECT" \ + https://scan.coverity.com/download/cxx/linux64 + echo Extracting... + mkdir cov-analysis-linux64 + tar xzf cov-analysis-linux64.tar.gz --strip 1 -C cov-analysis-linux64 + echo done. + if [ -f cov-analysis-linux64/VERSION ]; then + echo ::group::Coverity tool versions + echo + cat cov-analysis-linux64/VERSION + echo + cat cov-analysis-linux64/VERSION + echo ::endgroup:: + fi + + - name: Versions of build tools + id: build-tools + run: ./build-aux/ci-log-dependency-versions + + - name: Cache bootstrap + id: cache + uses: actions/cache@v2 + with: + path: | + INSTALL + Makefile.in + aclocal.m4 + config.h.in + configure + autom4te.cache/** + build-aux/compile + build-aux/config.guess + build-aux/config.sub + build-aux/depcomp + build-aux/install-sh + build-aux/libtool.m4 + build-aux/ltmain.sh + build-aux/ltoptions.m4 + build-aux/ltsugar.m4 + build-aux/ltversion.m4 + build-aux/lt~obsolete.m4 + build-aux/missing + build-aux/test-driver + key: autoreconf-${{ steps.build-tools.outputs.autotools-ver }}-${{ hashFiles('autogen.sh', 'configure.ac', 'Makefile.am', 'build-aux/*.m4') }} + + - name: Bootstrap + if: steps.cache.outputs.cache-hit != 'true' + run: ./autogen.sh + + - name: Configure + run: ./configure --disable-werror --enable-obsolete-api --enable-hashes=all + + - name: Build + run: | + export PATH=$(cd .. && pwd)/cov-analysis-linux64/bin:$PATH + cov-build --dir cov-int make all test-programs + cov-import-scm --dir cov-int --scm git --log cov-int/scm_log.txt + + - name: Upload analysis results + env: + CVT_TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }} + CVT_EMAIL: ${{ secrets.COVERITY_SCAN_NOTIFICATION_EMAIL }} + run: | + tar czvf cov-int.tar.gz cov-int + printf 'Uploading Coverity Scan Analysis results...\n' + response=$(curl -s --write-out '\n%{http_code}\n' \ + --form project="$CVT_PROJECT" \ + --form token="$CVT_TOKEN" \ + --form email="$CVT_EMAIL" \ + --form file=@cov-int.tar.gz \ + --form version="${GITHUB_REF}" \ + --form description="${GITHUB_SHA}" \ + https://scan.coverity.com/builds) + status_code=$(echo "$response" | sed -n '$p') + if [ "$status_code" = "200" ] || [ "$status_code" = "201" ] ; then + printf 'Upload complete.\n' + exit 0 + else + TEXT=$(echo "$response" | sed '$d') + printf '\033[33;1mCoverity Scan upload failed:\033[0m\n%s.\n' "$TEXT" + exit 1 + fi + + - name: Detailed error logs + if: failure() + run: ./build-aux/ci-log-logfiles |