1
0
mirror of https://github.com/systemd/systemd.git synced 2024-10-30 23:21:22 +03:00
systemd/.github/workflows/coverity.yml
Evgeny Vereshchagin e7a966915d ci: mimic the "restricted" mode
Judging by https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
it should be enough to grant the "read contents" permission to
most of our actions. The "read metadata" permission is set impliciclty
somewhere and can't be set via the "permissions" setting:
```
The workflow is not valid. .github/workflows/linter.yml (Line: 14, Col: 3): Unexpected value 'metadata'
```
2021-11-14 10:41:06 +00:00

44 lines
1.6 KiB
YAML

---
# vi: ts=2 sw=2 et:
# SPDX-License-Identifier: LGPL-2.1-or-later
#
name: Coverity
on:
schedule:
# Run Coverity daily at midnight
- cron: '0 0 * * *'
permissions:
contents: read
jobs:
build:
runs-on: ubuntu-20.04
if: github.repository == 'systemd/systemd'
env:
COVERITY_SCAN_BRANCH_PATTERN: "${{ github.ref}}"
COVERITY_SCAN_NOTIFICATION_EMAIL: ""
COVERITY_SCAN_PROJECT_NAME: "${{ github.repository }}"
# Set in repo settings -> secrets -> repository secrets
COVERITY_SCAN_TOKEN: "${{ secrets.COVERITY_SCAN_TOKEN }}"
CURRENT_REF: "${{ github.ref }}"
steps:
- name: Repository checkout
uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
# https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-commands-for-github-actions#setting-an-environment-variable
- name: Set the $COVERITY_SCAN_NOTIFICATION_EMAIL env variable
run: echo "COVERITY_SCAN_NOTIFICATION_EMAIL=$(git log -1 ${{ github.sha }} --pretty=\"%aE\")" >> $GITHUB_ENV
- name: Install Coverity tools
run: tools/get-coverity.sh
# Reuse the setup phase of the unit test script to avoid code duplication
- name: Install build dependencies
run: sudo -E .github/workflows/unit_tests.sh SETUP
# Preconfigure with meson to prevent Coverity from capturing meson metadata
- name: Preconfigure the build directory
run: meson cov-build -Dman=false
- name: Build
run: tools/coverity.sh build
- name: Upload the results
run: tools/coverity.sh upload