forked from priyanks-synopsys/Hello_Java
-
Notifications
You must be signed in to change notification settings - Fork 0
81 lines (81 loc) · 4.4 KB
/
coverity-report.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
# demonstrate Coverity PR decoration using a GitHub Action, for more details see:
# https://github.com/marketplace/actions/coverity-json-output-v7-report
name: coverity-report
on:
push:
branches: [ main, master, develop, stage, release]
pull_request:
branches: [ main, master, develop, stage, release]
workflow_dispatch:
jobs:
coverity:
runs-on: ubuntu-latest
env:
COVERITY_URL: ${{ vars.COVERITY_URL }}
COV_USER: ${{ secrets.COV_USER }}
COVERITY_PASSPHRASE: ${{ secrets.COVERITY_PASSPHRASE }}
COVERITY_PROJECT: ${{ github.event.repository.name }}
COVERITY_STREAM: ${{ github.event.repository.name }}-${{ github.ref_name }}
COVERITY_TOOLKIT: cov-analysis-linux64-2023.6.0
steps:
- name: Checkout Source
uses: actions/checkout@v3
- name: Setup Java JDK
uses: actions/setup-java@v3
with:
java-version: 17
distribution: microsoft
cache: maven
# designate the Coverity toolkit as something to cache, for more details see:
# https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows
- name: Cache Coverity Toolkit
id: cache-coverity
uses: actions/cache@v3
with:
path: ${{ runner.temp }}/${{ env.COVERITY_TOOLKIT }}
key: ${{ env.COVERITY_TOOLKIT }}
# download Coverity only if cache-hit from above is not true
- name: Coverity Download
if: ${{ steps.cache-coverity.outputs.cache-hit != 'true' }}
run: |
curl -fLsS --user $COV_USER:$COVERITY_PASSPHRASE $COVERITY_URL/downloadFile.htm?fn=$COVERITY_TOOLKIT.tar.gz | tar -C $RUNNER_TEMP -xzf -
curl -fLsS --user $COV_USER:$COVERITY_PASSPHRASE -o $RUNNER_TEMP/$COVERITY_TOOLKIT/bin/license.dat $COVERITY_URL/downloadFile.htm?fn=license.dat
# use the Coverity CLI for full scans
- name: Coverity Full Scan
if: ${{ github.event_name != 'pull_request' }}
run: |
$RUNNER_TEMP/$COVERITY_TOOLKIT/bin/coverity scan -o commit.connect.url=$COVERITY_URL -o commit.connect.stream=$COVERITY_STREAM
# use the Rest API views endpoint for a quality gate, for more details see:
# https://community.synopsys.com/s/document-item?bundleId=coverity-docs&topicId=cov-platform-rest-api%2Ftopics%2Fretrieve_contents_of_specified_view.html
- name: Coverity Quality Gate
if: ${{ github.event_name != 'pull_request' }}
run: |
curl -fLsS --user $COV_USER:$COVERITY_PASSPHRASE $COVERITY_URL/api/viewContents/issues/v1/Outstanding%20Issues?projectId=$COVERITY_PROJECT > results.json
if [ $(cat results.json | jq .viewContentsV1.totalRows) -ne 0 ]; then cat results.json | jq .viewContentsV1.rows; echo "Outstanding Issues detected, do something here"; fi
- name: Get Pull Request Changeset
if: ${{ github.event_name == 'pull_request' }}
uses: jitterbit/get-changed-files@v1
id: changeset
# use the Coverity CLI for incremental scans - incompatable with coverity-report-output-v7-json
#- name: Coverity Incremental Scan
# if: ${{ github.event_name == 'pull_request' && steps.changeset.outputs.added_modified != '' }}
# run: |
# COVERITY_STREAM=${{ github.event.repository.name }}-${{ github.base_ref }}
# $RUNNER_TEMP/$COVERITY_TOOLKIT/bin/coverity scan -o commit.connect.url=$COVERITY_URL -o commit.connect.stream=$COVERITY_STREAM -o commit.connect.comparison-report=report.json
# cat report.json | jq
# use the cov-run-desktop for incremental scans
- name: Coverity Incremental Scan
if: ${{ github.event_name == 'pull_request' && steps.changeset.outputs.added_modified != '' }}
run: |
export PATH=$PATH:$RUNNER_TEMP/$COVERITY_TOOLKIT/bin
COVERITY_STREAM=${{ github.event.repository.name }}-${{ github.base_ref }}
cov-run-desktop --dir idir --url $COVERITY_URL --stream $COVERITY_STREAM --build mvn -B -DskipTests package
cov-run-desktop --dir idir --url $COVERITY_URL --stream $COVERITY_STREAM --present-in-reference false \
--ignore-uncapturable-inputs true --json-output-v7 report.json ${{ steps.changeset.outputs.added_modified }}
cat report.json | jq
- name: Coverity Pull Request Feedback
if: ${{ github.event_name == 'pull_request' && steps.changeset.outputs.added_modified != '' }}
uses: synopsys-sig/coverity-report-output-v7-json@v0.1.1
with:
json-file-path: report.json
github-token: ${{ secrets.GITHUB_TOKEN }}