Use coverity-scan-action in CI #154

Merged
merged 1 commit into from
Oct 23, 2023

Collaborator

@bjosv bjosv commented Sep 6, 2023

By using a maintained GitHub action to run Coverity jobs we hopefully don't have to do modifications when procedures change. This seems to fix the current token issue and also simplifies the CI job.

Additionally coverity-scan-action adds a cache to avoid downloading the 1GB+ tool archive on every run.

Here are logs from a test run.

Collaborator Author

bjosv commented Sep 6, 2023

The repository secret COVERITY_TOKEN seems to be missing when looking at the logs above.
Maybe there has been a change since the last run?

When I ran the test run in my own repo I added the token via the repository menu "Settings", then under the "Secrets and variables" sub-menu.
The secret COVERITY_TOKEN should be under the "Repository secrets" headline, and contain the token string that is provided at https://scan.coverity.com/projects/r3?tab=project_settings .
That seemed to work.

Owner

c9s commented Sep 6, 2023 via email

Owner

c9s commented Oct 14, 2023

@bjosv I finally updated the token, it was there but somehow I don't know why it's empty. I just updated it, thanks!

Simplifies the CI job and adds a cache to avoid downloading the 1GB+
tool archive on every run.
See: https://github.com/vapier/coverity-scan-action

Only run this job when a commit is pushed to the default branch 2.0
(like when a PR is merged) since the required Coverity token/secret
is not available when this job is triggered by forks.
Collaborator Author

bjosv commented Oct 16, 2023

@c9s Thanks!
After some investigations I now understand why this job failed on my PRs.
There are some security restrictions in place on GitHub which make sure arbitrary changes in a PR can't access the Coverity token. Secrets are not available when an action is triggered by a pull request, unless you are the owner of the repo.

I missed this but have now changed so that we only run this job when a PR has been merged (and reviewed) to our default 2.0 branch. I've seen that this is the recommended way to trigger this action.
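
A workflow laid out the way this thread describes, as an added example that is not the workflow file from this PR: the job runs only on pushes to the `2.0` branch, so runs started from fork pull requests never reach the step that needs `COVERITY_TOKEN`. The `COVERITY_EMAIL` secret name, the action version tags, the `project` value (taken from the Coverity URL quoted above) and the empty-secret check are assumptions.

```yaml
# Added example, not the project's own workflow.
name: coverity

on:
  push:
    branches: ["2.0"]   # default branch named in the commit message
  # Deliberately no pull_request trigger: runs started from fork PRs
  # do not receive repository secrets, so the scan could not authenticate.

permissions:
  contents: read        # the scan only needs to read the source tree

jobs:
  coverity:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # An unset or empty secret expands to an empty string, which is the
      # state the owner reported finding. Fail with a clear message here
      # instead of with an opaque error from the upload step.
      - name: Check that the Coverity token is present
        env:
          COVERITY_TOKEN: ${{ secrets.COVERITY_TOKEN }}
        run: |
          if [ -z "$COVERITY_TOKEN" ]; then
            echo "::error::COVERITY_TOKEN is empty or not set"
            exit 1
          fi

      - uses: vapier/coverity-scan-action@v1
        with:
          project: r3                              # assumed from the Coverity URL
          email: ${{ secrets.COVERITY_EMAIL }}     # assumed secret name
          token: ${{ secrets.COVERITY_TOKEN }}
```

Passing the secret through `env:` keeps it out of the script text, and GitHub masks its value in the job log.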

@bjosv bjosv merged commit 58d8b0c into c9s:2.0 Oct 23, 2023
10 checks passed
@bjosv bjosv deleted the coverity-action-fix branch October 23, 2023 08:35