scan-coverity-baremetal #191
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Scan Coverity Ubuntu Scan | |
on: | |
schedule: | |
- cron: '0 18 * * *' | |
workflow_dispatch: | |
inputs: | |
branch: | |
description: 'Branch to run scans on' | |
default: 'main' | |
type: string | |
env: | |
BUILD_TYPE: Release | |
MTL_BUILD_DISABLE_PCAPNG: true | |
LIBFABRIC_DIR: /tmp/libfabric | |
XDP_VERSION: 5c88569dd15e55db678b897b8ea2a73aeaf956f4 | |
XDP_DIR: /tmp/xdp | |
GRPC_VERSION: v1.58.0 | |
GRPC_DIR: /tmp/grpc | |
PREFIX_DIR: /usr/local | |
DEBIAN_FRONTEND: noninteractive | |
permissions: | |
contents: read | |
jobs: | |
coverity: | |
runs-on: 'ubuntu-22.04' | |
timeout-minutes: 90 | |
steps: | |
- name: 'Harden Runner' | |
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 | |
with: | |
egress-policy: audit | |
- name: 'Checkout repository' | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
with: | |
ref: ${{ inputs.branch }} | |
- name: 'Install dependencies' | |
run: | | |
sudo apt-get update -y && \ | |
sudo apt-get install -y --no-install-recommends \ | |
git build-essential meson python3 python3-pyelftools pkg-config \ | |
libnuma-dev libjson-c-dev libpcap-dev libgtest-dev libsdl2-dev \ | |
libsdl2-ttf-dev libssl-dev ca-certificates m4 clang llvm zlib1g-dev \ | |
libelf-dev libcap-ng-dev libcap2-bin gcc-multilib systemtap-sdt-dev ninja-build \ | |
nasm dpdk-dev librdmacm-dev && \ | |
sudo apt-get clean && \ | |
sudo rm -rf /var/lib/apt/lists/* | |
- name: 'Build and Install xdp and libbpf' | |
run: | | |
git clone --recurse-submodules https://github.com/xdp-project/xdp-tools.git "${XDP_DIR}" && \ | |
pushd "${XDP_DIR}" && \ | |
./configure && \ | |
make -j$(nproc) && \ | |
sudo make install && \ | |
make -j$(nproc) -C "${XDP_DIR}/lib/libbpf/src" && \ | |
sudo make -C "${XDP_DIR}/lib/libbpf/src" install && popd | |
- name: 'Build and Install libfabric' | |
run: | | |
git clone --depth 1 --branch v1.22.0 https://github.com/ofiwg/libfabric "${LIBFABRIC_DIR}" && \ | |
pushd "${LIBFABRIC_DIR}" && \ | |
./autogen.sh && ./configure && \ | |
make -j$(nproc) && \ | |
sudo make install && popd | |
- name: 'Install MTL' | |
run: | | |
git clone --depth 1 https://github.com/OpenVisualCloud/Media-Transport-Library.git imtl | |
pushd imtl && ./build.sh && popd | |
- name: 'Restore cached for gRPC build' | |
id: grpc-cache-restore | |
uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 | |
with: | |
path: ${{ env.GRPC_DIR }} | |
key: Linux-grpc${{ env.GRPC_VERSION }} | |
- name: 'Build gRPC' | |
if: steps.grpc-cache-restore.outputs.cache-hit != 'true' | |
run: | | |
git clone --branch ${GRPC_VERSION} --recurse-submodules --depth 1 --shallow-submodules https://github.com/grpc/grpc "${GRPC_DIR}" && \ | |
cmake -DgRPC_INSTALL=ON -DgRPC_BUILD_TESTS=OFF -DCMAKE_INSTALL_PREFIX=${PREFIX_DIR} \ | |
-B "${GRPC_DIR}/cmake/build" -S "${GRPC_DIR}" && \ | |
cmake --build "${GRPC_DIR}/cmake/build" -j `nproc` | |
- name: 'Save cache for gRPC build' | |
id: grpc-cache-save | |
if: steps.grpc-cache-restore.outputs.cache-hit != 'true' | |
uses: actions/cache/save@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 | |
with: | |
path: ${{ env.GRPC_DIR }} | |
key: ${{ steps.grpc-cache-restore.outputs.cache-primary-key }} | |
- name: 'Install gRPC' | |
run: sudo cmake --install "${GRPC_DIR}/cmake/build" | |
- name: 'Patch and configure MCM FFmpeg plugin' | |
working-directory: ${{ github.workspace }}/ffmpeg-plugin | |
run: | | |
git config --global user.email "[email protected]" | |
git config --global user.name "Milosz Linkiewicz" | |
./clone-and-patch-ffmpeg.sh | |
- name: 'Run coverity' | |
uses: vapier/coverity-scan-action@2068473c7bdf8c2fb984a6a40ae76ee7facd7a85 # v1.8.0 | |
with: | |
project: 'Media-Communications-Mesh' | |
email: ${{ secrets.COVERITY_SCAN_EMAIL }} | |
token: ${{ secrets.COVERITY_SCAN_TOKEN }} | |
build_language: 'cxx' | |
build_platform: 'linux64' | |
command: | | |
${{ github.workspace }}/build.sh && \ | |
${{ github.workspace }}/ffmpeg-plugin/configure-ffmpeg.sh && \ | |
${{ github.workspace }}/ffmpeg-plugin/build-ffmpeg.sh | |
- uses: actions/upload-artifact@v4 | |
with: | |
name: coverity-reports | |
path: '${{ github.workspace }}/cov-int' |