.github/workflows/coverity.yml

name: Coverity

# Coverity Scan gives relatively low-quality reports and has strict
# rate limits, so we only run it on the main branch on a schedule.
on:
  schedule:
    - cron: '31 3 * * 1'  # Monday at 3h31 UTC
  workflow_dispatch:

jobs:
  Coverity:
    runs-on: ubuntu-24.04

    env:
      CVT_PROJECT: besser82/libxcrypt

    # Coverity doesn't have official Github Actions integration yet.
    # The steps below were kitbashed together from the contents of
    # https://scan.coverity.com/scripts/travisci_build_coverity_scan.sh
    # plus some notions from
    # https://github.com/ruby/actions-coverity-scan/blob/master/.github/workflows/coverity-scan.yml
    steps:
    - name: Check for authorization
      env:
        CVT_TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
      run: |
        if [ -z "$CVT_TOKEN" ]; then
          printf '\033[33;1mCoverity Scan token not available.\033[0m\n'
          exit 1
        fi
        AUTH_RES=$(curl -s --form project="$CVT_PROJECT" \
                           --form token="$CVT_TOKEN" \
                           https://scan.coverity.com/api/upload_permitted)
        if [ "$AUTH_RES" = "Access denied" ]; then
          printf '\033[33;1mCoverity Scan API access denied.\033[0m\n'
          printf 'Check project name and access token.\n'
          exit 1
        else
          AUTH=$(printf '%s' "$AUTH_RES" | ruby -e "
            require 'rubygems'
            require 'json'
            puts JSON[STDIN.read]['upload_permitted']
          ")
          if [ "$AUTH" = "true" ]; then
            echo ok
            exit 0
          else
            WHEN=$(printf '%s' "$AUTH_RES" | ruby -e "
              require 'rubygems'
              require 'json'
              puts JSON[STDIN.read]['next_upload_permitted_at']
            ")
            printf '\033[33;1mCoverity Scan access blocked until %s.\033[0m\n' \
              "$WHEN"
            exit 1
          fi
        fi

    - name: Checkout repository
      uses: actions/checkout@v4

    - name: Install packages
      run: sudo apt-get install libltdl-dev

    - name: Download Coverity Build Tool
      env:
        CVT_TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
      run: |
        echo Downloading Coverity tools...
        # Put the tools in the parent directory so the build can't
        # clobber them by accident.
        cd ..
        curl --no-progress-meter -o cov-analysis-linux64.tar.gz \
             --form token="$CVT_TOKEN" \
             --form project="$CVT_PROJECT" \
             https://scan.coverity.com/download/cxx/linux64
        echo Extracting...
        mkdir cov-analysis-linux64
        tar xzf cov-analysis-linux64.tar.gz --strip 1 -C cov-analysis-linux64
        echo done.
        if [ -f cov-analysis-linux64/VERSION ]; then
          echo ::group::Coverity tool versions
          echo + cat cov-analysis-linux64/VERSION
          echo
          cat cov-analysis-linux64/VERSION
          echo ::endgroup::
        fi

    - name: Versions of build tools
      id: build-tools
      run: ./build-aux/ci/ci-log-dependency-versions

    - name: Get nprocs
      run: echo "NPROCS=$((`nproc --all 2>/dev/null || sysctl -n hw.ncpu` * 2))" | tee $GITHUB_ENV

    - name: Cache bootstrap
      id: cache
      uses: actions/cache@v4
      with:
        path: |
          INSTALL
          Makefile.in
          aclocal.m4
          config.h.in
          configure
          autom4te.cache/**
          build-aux/m4/libtool.m4
          build-aux/m4/ltoptions.m4
          build-aux/m4/ltsugar.m4
          build-aux/m4/ltversion.m4
          build-aux/m4/lt~obsolete.m4
          build-aux/m4-autogen/**
        key: autoreconf-${{ steps.build-tools.outputs.autotools-ver }}-${{ hashFiles('autogen.sh', 'configure.ac', 'Makefile.am', 'build-aux/m4/*.m4', 'build-aux/m4-autogen/**') }}

    - name: Bootstrap
      if: steps.cache.outputs.cache-hit != 'true'
      run: ./autogen.sh

    - name: Configure
      run: ./configure --disable-werror --enable-obsolete-api --enable-hashes=all

    - name: Prepare build script
      run: |
        echo '#! /bin/sh' > cov_make.sh
        echo "make -j${{ env.NPROCS }} all" >> cov_make.sh
        echo "make -j${{ env.NPROCS }} test-programs" >> cov_make.sh
        chmod +x cov_make.sh

    - name: Build
      run: |
        export PATH=$(cd .. && pwd)/cov-analysis-linux64/bin:$PATH
        cov-build --dir cov-int ./cov_make.sh
        cov-import-scm --dir cov-int --scm git --log cov-int/scm_log.txt

    - name: Upload analysis results
      env:
        CVT_TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
        CVT_EMAIL: ${{ secrets.COVERITY_SCAN_NOTIFICATION_EMAIL }}
      run: |
        tar czvf cov-int.tar.gz cov-int
        printf 'Uploading Coverity Scan Analysis results...\n'
        response=$(curl -s --write-out '\n%{http_code}\n' \
          --form project="$CVT_PROJECT" \
          --form token="$CVT_TOKEN" \
          --form email="$CVT_EMAIL" \
          --form file=@cov-int.tar.gz \
          --form version="${GITHUB_REF}" \
          --form description="${GITHUB_SHA}" \
          https://scan.coverity.com/builds)
        status_code=$(echo "$response" | sed -n '$p')
        if [ "$status_code" = "200" ] || [ "$status_code" = "201" ] ; then
          printf 'Upload complete.\n'
          exit 0
        else
          TEXT=$(echo "$response" | sed '$d')
          printf '\033[33;1mCoverity Scan upload failed:\033[0m\n%s.\n' "$TEXT"
          exit 1
        fi

    - name: Detailed error logs
      if: failure()
      run: ./build-aux/ci/ci-log-logfiles