mirror of
https://github.com/systemd/systemd-stable.git
synced 2025-01-07 17:17:44 +03:00
e7a966915d
Judging by https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token it should be enough to grant the "read contents" permission to most of our actions. The "read metadata" permission is set impliciclty somewhere and can't be set via the "permissions" setting: ``` The workflow is not valid. .github/workflows/linter.yml (Line: 14, Col: 3): Unexpected value 'metadata' ```
44 lines
1.6 KiB
YAML
44 lines
1.6 KiB
YAML
---
|
|
# vi: ts=2 sw=2 et:
|
|
# SPDX-License-Identifier: LGPL-2.1-or-later
|
|
#
|
|
name: Coverity
|
|
|
|
on:
|
|
schedule:
|
|
# Run Coverity daily at midnight
|
|
- cron: '0 0 * * *'
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
build:
|
|
runs-on: ubuntu-20.04
|
|
if: github.repository == 'systemd/systemd'
|
|
env:
|
|
COVERITY_SCAN_BRANCH_PATTERN: "${{ github.ref}}"
|
|
COVERITY_SCAN_NOTIFICATION_EMAIL: ""
|
|
COVERITY_SCAN_PROJECT_NAME: "${{ github.repository }}"
|
|
# Set in repo settings -> secrets -> repository secrets
|
|
COVERITY_SCAN_TOKEN: "${{ secrets.COVERITY_SCAN_TOKEN }}"
|
|
CURRENT_REF: "${{ github.ref }}"
|
|
steps:
|
|
- name: Repository checkout
|
|
uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
|
|
# https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-commands-for-github-actions#setting-an-environment-variable
|
|
- name: Set the $COVERITY_SCAN_NOTIFICATION_EMAIL env variable
|
|
run: echo "COVERITY_SCAN_NOTIFICATION_EMAIL=$(git log -1 ${{ github.sha }} --pretty=\"%aE\")" >> $GITHUB_ENV
|
|
- name: Install Coverity tools
|
|
run: tools/get-coverity.sh
|
|
# Reuse the setup phase of the unit test script to avoid code duplication
|
|
- name: Install build dependencies
|
|
run: sudo -E .github/workflows/unit_tests.sh SETUP
|
|
# Preconfigure with meson to prevent Coverity from capturing meson metadata
|
|
- name: Preconfigure the build directory
|
|
run: meson cov-build -Dman=false
|
|
- name: Build
|
|
run: tools/coverity.sh build
|
|
- name: Upload the results
|
|
run: tools/coverity.sh upload
|