.github/workflows/coverity-bac.yml

# example workflow for traditional Coverity BAC with c-r-d PR scans
name: coverity-bac
on:
  push:
    branches: [ main, master, develop, stage, release ]
  pull_request:
    branches: [ main, master, develop, stage, release ]
  workflow_dispatch:
jobs:
  coverity:
    runs-on: ubuntu-latest
    env:
      COVERITY_URL: ${{ vars.COVERITY_URL }}
      COV_USER: ${{ secrets.COV_USER }}
      COVERITY_PASSPHRASE: ${{ secrets.COVERITY_PASSPHRASE }}
      COVERITY_PROJECT: ${{ github.event.repository.name }}
      COVERITY_TOOLKIT: cov-analysis-linux64-2023.6.0
      BLDCMD: mvn -B -DskipTests package
      CHECKERS: --webapp-security
    steps:
    - name: Checkout Source
      uses: actions/checkout@v3
    - name: Setup Java JDK
      uses: actions/setup-java@v3
      with:
        java-version: 17
        distribution: microsoft
        cache: maven
    - name: Coverity Download
      run: |
        curl -fLsS --user $COV_USER:$COVERITY_PASSPHRASE $COVERITY_URL/downloadFile.htm?fn=$COVERITY_TOOLKIT.tar.gz | tar -C $RUNNER_TEMP -xzf -
        curl -fLsS --user $COV_USER:$COVERITY_PASSPHRASE -o $RUNNER_TEMP/$COVERITY_TOOLKIT/bin/license.dat $COVERITY_URL/downloadFile.htm?fn=license.dat
    - name: Coverity Full Scan
      if: ${{ github.event_name != 'pull_request' }}
      env:
        COVERITY_STREAM: ${{ github.event.repository.name }}-${{ github.ref_name }}
      run: |
        export PATH=$PATH:$RUNNER_TEMP/$COVERITY_TOOLKIT/bin
        cov-configure --java
        cov-configure --javascript
        cov-build --dir idir --fs-capture-search $GITHUB_WORKSPACE $BLDCMD
        cov-analyze --dir idir --ticker-mode none --strip-path $GITHUB_WORKSPACE $CHECKERS
        cov-commit-defects --dir idir --ticker-mode none --url $COVERITY_URL --stream $COVERITY_STREAM --scm git \
          --description $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID --target $RUNNER_OS --version $GITHUB_SHA
    - name: Coverity Quality Gate
      if: ${{ github.event_name != 'pull_request' }}
      run: |
        curl -fLsS --user $COV_USER:$COVERITY_PASSPHRASE $COVERITY_URL/api/viewContents/issues/v1/Outstanding%20Issues?projectId=$COVERITY_PROJECT > issues.json
        if [ $(cat issues.json | jq .viewContentsV1.totalRows) -ne 0 ]; then echo "Outstanding Issues Detected"; cat issues.json | jq .viewContentsV1.rows; exit 8; fi
    - name: Get PR Changeset
      id: changeset
      if: ${{ github.event_name == 'pull_request' }}
      uses: jitterbit/get-changed-files@v1
    - name: Coverity PR Scan
      if: ${{ github.event_name == 'pull_request' && steps.changeset.outputs.added_modified != '' }}
      env:
        COVERITY_STREAM: ${{ github.event.repository.name }}-${{ github.base_ref }}
      run: |
        export PATH=$PATH:$RUNNER_TEMP/$COVERITY_TOOLKIT/bin
        cov-run-desktop --dir idir --url $COVERITY_URL --stream $COVERITY_STREAM --build $BLDCMD
        cov-run-desktop --dir idir --url $COVERITY_URL --stream $COVERITY_STREAM --present-in-reference false \
          --ignore-uncapturable-inputs true --json-output-v7 issues.json --exit1-if-defects true ${{ steps.changeset.outputs.added_modified }}
#    - name: Save Logs
#      if: always()
#      uses: actions/upload-artifact@v3
#      with:
#        name: coverity-logs
#        path: ${{ github.workspace }}/idir