From 863ab5da0987624501984c82b6b469f4b98c03cf Mon Sep 17 00:00:00 2001 From: Remi Gacogne Date: Thu, 22 Aug 2024 13:58:34 +0200 Subject: [PATCH] Move coverity to a reusable workflow, add a dispatcher workflow --- .github/workflows/coverity-dispatch.yml | 25 +++++ .github/workflows/coverity.yml | 122 ++++++++++++++++++++++++ .github/workflows/misc-dailies.yml | 106 ++++---------------- 3 files changed, 165 insertions(+), 88 deletions(-) create mode 100644 .github/workflows/coverity-dispatch.yml create mode 100644 .github/workflows/coverity.yml
diff --git a/.github/workflows/coverity-dispatch.yml b/.github/workflows/coverity-dispatch.yml
new file mode 100644
index 000000000000..facdf3e85c05
--- /dev/null
+++ b/.github/workflows/coverity-dispatch.yml
@@ -0,0 +1,25 @@
+---
+name: Trigger specific coverity scan
+
+on:
+ workflow_dispatch:
+ inputs:
+ product:
+ description: Product to build
+ type: choice
+ options:
+ - authoritative
+ - recursor
+ - dnsdist
+
+permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+ contents: read
+
+jobs:
+ call-coverity:
+ uses: PowerDNS/pdns/.github/workflows/coverity.yml@master
+ with:
+ product: ${{ github.event.inputs.product }}
+ secrets:
+ COVERITY_TOKEN: ${{ secrets.COVERITY_TOKEN }}
+ COVERITY_EMAIL: ${{ secrets.COVERITY_EMAIL }}
diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
new file mode 100644
index 000000000000..3c66162722a6
--- /dev/null
+++ b/.github/workflows/coverity.yml
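Review bot: The `call-coverity` job references the reusable workflow as `PowerDNS/pdns/.github/workflows/coverity.yml@master`, a branch ref that moves, so the caller and the workflow it hands `COVERITY_TOKEN` and `COVERITY_EMAIL` to can come from different commits. A dispatch from another branch, or from a fork that defines these secrets, would run whatever `coverity.yml` is at the tip of upstream `master` at that moment. Unless running master's version is intended, the same-repository form `uses: ./.github/workflows/coverity.yml` keeps both files on the commit being run. The three `uses:` lines added to `misc-dailies.yml` carry the same ref.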
@@ -0,0 +1,122 @@
+---
+name: Coverity scan
+
+on:
+ workflow_call:
+ inputs:
+ product:
+ required: true
+ description: Product to build
+ type: string
+ secrets:
+ COVERITY_TOKEN:
+ required: true
+ COVERITY_EMAIL:
+ required: true
+
+permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+ contents: read
+
+env:
+ CLANG_VERSION: '12'
+
+jobs:
+ coverity-auth:
+ name: coverity scan of the auth
+ if: ${{ inputs.product == 'authoritative' }}
+ runs-on: ubuntu-22.04
+ env:
+ COVERITY_TOKEN: ${{ secrets.COVERITY_TOKEN }}
+ FUZZING_TARGETS: no
+ SANITIZERS:
+ UNIT_TESTS: no
+ steps:
+ - uses: PowerDNS/pdns/set-ubuntu-mirror@meta
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 5
+ submodules: recursive
+ - uses: actions/setup-python@v5
+ with:
+ python-version: '3.11'
+ - run: build-scripts/gh-actions-setup-inv-no-dist-upgrade
+ - run: inv install-clang
+ - run: inv install-auth-build-deps
+ - run: inv install-coverity-tools PowerDNS
+ - run: inv coverity-clang-configure
+ - run: inv ci-autoconf
+ - run: inv ci-auth-configure
+ - run: inv coverity-make
+ - run: inv coverity-tarball auth.tar.bz2
+ - run: inv coverity-upload ${{ secrets.COVERITY_EMAIL }} PowerDNS auth.tar.bz2
+
+ coverity-dnsdist:
+ name: coverity scan of dnsdist
+ if: ${{ inputs.product == 'dnsdist' }}
+ runs-on: ubuntu-22.04
+ env:
+ COVERITY_TOKEN: ${{ secrets.COVERITY_TOKEN }}
+ SANITIZERS:
+ UNIT_TESTS: no
+ REPO_HOME: ${{ github.workspace }}
+ steps:
+ - uses: PowerDNS/pdns/set-ubuntu-mirror@meta
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 5
+ submodules: recursive
+ - uses: actions/setup-python@v5
+ with:
+ python-version: '3.11'
+ - run: build-scripts/gh-actions-setup-inv-no-dist-upgrade
+ - run: inv install-clang
+ - run: inv install-dnsdist-build-deps --skipXDP
+ - run: inv install-coverity-tools dnsdist
+ - run: inv coverity-clang-configure
+ - run: inv ci-autoconf
+ working-directory: ./pdns/dnsdistdist/
+ - run: inv ci-install-rust ${{ env.REPO_HOME }}
+ working-directory: ./pdns/dnsdistdist/
+ - run: inv ci-build-and-install-quiche ${{ env.REPO_HOME }}
+ working-directory: ./pdns/dnsdistdist/
+ - run: inv ci-dnsdist-configure full
+ working-directory: ./pdns/dnsdistdist/
+ - run: inv coverity-make
+ working-directory: ./pdns/dnsdistdist/
+ - run: inv coverity-tarball dnsdist.tar.bz2
+ working-directory: ./pdns/dnsdistdist/
+ - run: inv coverity-upload ${{ secrets.COVERITY_EMAIL }} dnsdist dnsdist.tar.bz2
+ working-directory: ./pdns/dnsdistdist/
+
+ coverity-rec:
+ name: coverity scan of the rec
+ if: ${{ inputs.product == 'recursor' }}
+ runs-on: ubuntu-22.04
+ env:
+ COVERITY_TOKEN: ${{ secrets.COVERITY_TOKEN }}
+ SANITIZERS:
+ UNIT_TESTS: no
+ steps:
+ - uses: PowerDNS/pdns/set-ubuntu-mirror@meta
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 5
+ submodules: recursive
+ - uses: actions/setup-python@v5
+ with:
+ python-version: '3.11'
+ - run: build-scripts/gh-actions-setup-inv-no-dist-upgrade
+ - run: inv install-clang
+ - run: inv install-rec-build-deps
+ - run: inv install-coverity-tools 'PowerDNS+Recursor'
+ - run: inv coverity-clang-configure
+ - run: inv ci-autoconf
+ working-directory: ./pdns/recursordist/
+ - run: inv ci-rec-configure full
+ working-directory: ./pdns/recursordist/
+ - run: inv coverity-make
+ working-directory: ./pdns/recursordist/
+ - run: inv coverity-tarball recursor.tar.bz2
+ working-directory: ./pdns/recursordist/
+ - run: inv coverity-upload ${{ secrets.COVERITY_EMAIL }} 'PowerDNS+Recursor' recursor.tar.bz2
+ working-directory: ./pdns/recursordist/
diff --git a/.github/workflows/misc-dailies.yml b/.github/workflows/misc-dailies.yml
index 48eee9caf1a8..e70c4309c03f 100644
--- a/.github/workflows/misc-dailies.yml
+++ b/.github/workflows/misc-dailies.yml
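Review bot: The `coverity-upload` steps of all three jobs expand `${{ secrets.COVERITY_EMAIL }}` directly into the `run:` command, so the value is pasted unquoted into the generated shell script and ends up in the arguments of the `inv` process. Passing it through the environment avoids both: add `COVERITY_EMAIL: ${{ secrets.COVERITY_EMAIL }}` to each job's `env:` next to `COVERITY_TOKEN`, and call `inv coverity-upload "$COVERITY_EMAIL" PowerDNS auth.tar.bz2` (likewise for dnsdist and the recursor). Separately, a `product` value that matches none of the three `if:` conditions skips every job without an error; a comment on the `product` input listing the accepted values would record that.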
@@ -42,99 +42,29 @@ jobs:
 coverity-auth:
 name: coverity scan of the auth
 if: ${{ vars.SCHEDULED_MISC_DAILIES }}
- runs-on: ubuntu-22.04
- env:
- COVERITY_TOKEN: ${{ secrets.coverity_auth_token }}
- FUZZING_TARGETS: no
- SANITIZERS:
- UNIT_TESTS: no
- steps:
- - uses: PowerDNS/pdns/set-ubuntu-mirror@meta
- - uses: actions/checkout@v4
- with:
- fetch-depth: 5
- submodules: recursive
- - uses: actions/setup-python@v5
- with:
- python-version: '3.11'
- - run: build-scripts/gh-actions-setup-inv-no-dist-upgrade
- - run: inv install-clang
- - run: inv install-auth-build-deps
- - run: inv install-coverity-tools PowerDNS
- - run: inv coverity-clang-configure
- - run: inv ci-autoconf
- - run: inv ci-auth-configure
- - run: inv coverity-make
- - run: inv coverity-tarball auth.tar.bz2
- - run: inv coverity-upload ${{ secrets.coverity_email }} PowerDNS auth.tar.bz2
+ uses: PowerDNS/pdns/.github/workflows/coverity.yml@master
+ with:
+ product: 'authoritative'
+ secrets:
+ COVERITY_TOKEN: ${{ secrets.COVERITY_TOKEN }}
+ COVERITY_EMAIL: ${{ secrets.COVERITY_EMAIL }}

 coverity-dnsdist:
 name: coverity scan of dnsdist
 if: ${{ vars.SCHEDULED_MISC_DAILIES }}
- runs-on: ubuntu-22.04
- env:
- COVERITY_TOKEN: ${{ secrets.coverity_dnsdist_token }}
- SANITIZERS:
- UNIT_TESTS: no
- REPO_HOME: ${{ github.workspace }}
- steps:
- - uses: PowerDNS/pdns/set-ubuntu-mirror@meta
- - uses: actions/checkout@v4
- with:
- fetch-depth: 5
- submodules: recursive
- - uses: actions/setup-python@v5
- with:
- python-version: '3.11'
- - run: build-scripts/gh-actions-setup-inv-no-dist-upgrade
- - run: inv install-clang
- - run: inv install-dnsdist-build-deps --skipXDP
- - run: inv install-coverity-tools dnsdist
- - run: inv coverity-clang-configure
- - run: inv ci-autoconf
- working-directory: ./pdns/dnsdistdist/
- - run: inv ci-install-rust ${{ env.REPO_HOME }}
- working-directory: ./pdns/dnsdistdist/
- - run: inv ci-build-and-install-quiche ${{ env.REPO_HOME }}
- working-directory: ./pdns/dnsdistdist/
- - run: inv ci-dnsdist-configure full
- working-directory: ./pdns/dnsdistdist/
- - run: inv coverity-make
- working-directory: ./pdns/dnsdistdist/
- - run: inv coverity-tarball dnsdist.tar.bz2
- working-directory: ./pdns/dnsdistdist/
- - run: inv coverity-upload ${{ secrets.coverity_email }} dnsdist dnsdist.tar.bz2
- working-directory: ./pdns/dnsdistdist/
+ uses: PowerDNS/pdns/.github/workflows/coverity.yml@master
+ with:
+ product: 'dnsdist'
+ secrets:
+ COVERITY_TOKEN: ${{ secrets.COVERITY_TOKEN }}
+ COVERITY_EMAIL: ${{ secrets.COVERITY_EMAIL }}

 coverity-rec:
 name: coverity scan of the rec
 if: ${{ vars.SCHEDULED_MISC_DAILIES }}
- runs-on: ubuntu-22.04
- env:
- COVERITY_TOKEN: ${{ secrets.coverity_rec_token }}
- SANITIZERS:
- UNIT_TESTS: no
- steps:
- - uses: PowerDNS/pdns/set-ubuntu-mirror@meta
- - uses: actions/checkout@v4
- with:
- fetch-depth: 5
- submodules: recursive
- - uses: actions/setup-python@v5
- with:
- python-version: '3.11'
- - run: build-scripts/gh-actions-setup-inv-no-dist-upgrade
- - run: inv install-clang
- - run: inv install-rec-build-deps
- - run: inv install-coverity-tools 'PowerDNS+Recursor'
- - run: inv coverity-clang-configure
- - run: inv ci-autoconf
- working-directory: ./pdns/recursordist/
- - run: inv ci-rec-configure full
- working-directory: ./pdns/recursordist/
- - run: inv coverity-make
- working-directory: ./pdns/recursordist/
- - run: inv coverity-tarball recursor.tar.bz2
- working-directory: ./pdns/recursordist/
- - run: inv coverity-upload ${{ secrets.coverity_email }} 'PowerDNS+Recursor' recursor.tar.bz2
- working-directory: ./pdns/recursordist/
+ uses: PowerDNS/pdns/.github/workflows/coverity.yml@master
+ with:
+ product: 'recursor'
+ secrets:
+ COVERITY_TOKEN: ${{ secrets.COVERITY_TOKEN }}
+ COVERITY_EMAIL: ${{ secrets.COVERITY_EMAIL }}
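Review bot: All three calls now pass `secrets.COVERITY_TOKEN`, where the removed jobs read three different secrets (`coverity_auth_token`, `coverity_dnsdist_token`, `coverity_rec_token`), so each product would upload with the same token. If the Coverity projects PowerDNS, dnsdist and PowerDNS+Recursor still have separate tokens, the existing secrets can be kept and mapped per job, e.g. `COVERITY_TOKEN: ${{ secrets.coverity_auth_token }}` for `coverity-auth` and the matching secret for the other two. Whether a repository secret named `COVERITY_TOKEN` exists is not visible from the patch. The new dispatcher workflow passes the same single name for every product, so it needs the same decision.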