From 590434ca81aaa85092efe29ffb60f8a29291e8bc Mon Sep 17 00:00:00 2001
From: Alexey Kazakov
Date: Thu, 30 Jan 2025 16:52:54 +0000
Subject: [PATCH] [Coverity] Enabling coverity scan
---
 .github/workflows/coverity.yml | 167 +++++++++++++++++++++++++++++++++
 1 file changed, 167 insertions(+)
 create mode 100644 .github/workflows/coverity.yml
diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
new file mode 100644
index 0000000000..eec696bb92
--- /dev/null
+++ b/.github/workflows/coverity.yml
@@ -0,0 +1,167 @@
+name: Coverity (Ubuntu 22.04, Python 3.11)
+on:
+ workflow_dispatch:
+ schedule:
+ # run daily at 00:00
+ - cron: '0 0 * * *'
+ pull_request:
+ paths:
+ - '.github/workflows/coverity.yml'
+
+permissions: read-all # Required by https://github.com/ossf/scorecard/blob/e23b8ad91fd6a64a0a971ca4fc0a4d1650725615/docs/checks.md#token-permissions
+
+concurrency:
+ group: ${{ github.ref }}-genai-cov-linux
+ cancel-in-progress: true
+
+env:
+ PYTHON_VERSION: '3.11'
+ OV_BRANCH: ${{ github.base_ref || github.event.merge_group.base_ref || github.ref }}
+
+jobs:
+ openvino_download:
+ name: Download OpenVINO
+ outputs:
+ status: ${{ steps.openvino_download.outcome }}
+ ov_artifact_name: ${{ steps.openvino_download.outputs.ov_artifact_name }}
+ ov_wheel_source: ${{ steps.openvino_download.outputs.ov_wheel_source }}
+ docker_tag: ${{ steps.get_docker_tag.outputs.docker_tag }}
+ timeout-minutes: 10
+ defaults:
+ run:
+ shell: bash
+ runs-on: aks-linux-2-cores-8gb
+ container:
+ image: 'openvinogithubactions.azurecr.io/openvino_provider:0.1.0'
+ volumes:
+ - /mount:/mount
+ - ${{ github.workspace }}:${{ github.workspace }}
+
+ steps:
+ - uses: openvinotoolkit/openvino/.github/actions/openvino_provider@master
+ id: openvino_download
+ with:
+ platform: ubuntu22
+ commit_packages_to_provide: wheels
+ revision: latest_available_commit
+
+ - name: Clone docker tag from OpenVINO repo
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ repository: 'openvinotoolkit/openvino'
+ path: 'openvino'
+ ref: ${{ env.OV_BRANCH }}
+ sparse-checkout: |
+ .github/dockerfiles/docker_tag
+
+ - name: Save docker tag to output
+ id: get_docker_tag
+ run: |
+ docker_tag=$(cat openvino/.github/dockerfiles/docker_tag)
+ echo "docker_tag=$docker_tag" >> $GITHUB_OUTPUT
+
+ coverity_build:
+ name: Build for coverity
+ needs: [ openvino_download ]
+ timeout-minutes: 20
+ defaults:
+ run:
+ shell: bash
+ runs-on: aks-linux-16-cores-64gb
+ container:
+ image: openvinogithubactions.azurecr.io/ov_build/ubuntu_22_04_x64:${{ needs.openvino_download.outputs.docker_tag }}
+ volumes:
+ - /mount:/mount
+ options: -v ${{ github.workspace }}:${{ github.workspace }}
+ env:
+ CMAKE_GENERATOR: Unix Makefiles
+ OV_INSTALL_DIR: ${{ github.workspace }}/ov
+ INSTALL_DIR: ${{ github.workspace }}/install
+ BUILD_DIR: ${{ github.workspace }}/build
+ BUILD_TYPE: Release
+
+ steps:
+ - name: Clone openvino.genai
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ path: openvino.genai
+ submodules: recursive
+
+ - name: Download OpenVINO package
+ uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+ with:
+ name: ${{ needs.openvino_download.outputs.ov_artifact_name }}
+ path: ${{ env.OV_INSTALL_DIR }}
+ merge-multiple: true
+
+ - name: Download coverity tool
+ run: |
+ wget -q https://scan.coverity.com/download/linux64 --post-data "token=${{ secrets.COVERITY_SECRET_TOKEN }}&project=openvino.genai" -O coverity_tool.tgz
+ tar -I pigz -xf coverity_tool.tgz
+ echo "ENV_COV_TOOL_DIR=$(tar -tzf coverity_tool.tgz | head -1 | cut -f1 -d'/')" >> $GITHUB_ENV
+ rm coverity_tool.tgz
+
+ - name: Create config file for coverity build
+ run: |
+ ${ENV_COV_TOOL_DIR}/bin/cov-configure --delete-compiler-config template-python-config-0
+ ${ENV_COV_TOOL_DIR}/bin/cov-configure --python --no-capture-config-files --version 3
+
+ - name: Create build.sh
+ run: |
+ echo """
+ mkdir -p ${{ github.workspace }}/build
+ cmake -DCMAKE_BUILD_TYPE=${BUILD_TYPE} -DOpenVINO_DIR=${OV_INSTALL_DIR}/runtime/cmake/ -DCMAKE_C_COMPILER_LAUNCHER= -DCMAKE_CXX_COMPILER_LAUNCHER= -B${BUILD_DIR} ${{ github.workspace }}/openvino.genai
+ cmake --build ${BUILD_DIR} --config ${BUILD_TYPE} -j
+ """ > build.sh
+
+ - name: Build for coverity
+ run: |
+ ${ENV_COV_TOOL_DIR}/bin/cov-build --config ${ENV_COV_TOOL_DIR}/config/coverity_config.xml --tmpdir cov_temp --dir ${BUILD_DIR}/cov-int --fs-capture-search ./openvino.genai sh build.sh
+
+ - name: Pack for analysis submission
+ run: tar -cvf - cov-int | pigz > openvino-genai.tgz
+ working-directory: ${{ env.BUILD_DIR }}
+
+ - name: Submit to coverity
+ run: |
+ apt-get update && apt-get install -y curl jq
+ pushd ${BUILD_DIR}
+ curl -X POST -d token=${{ secrets.COVERITY_SECRET_TOKEN }} \
+ -d email=${{ secrets.COVERITY_USER }} \
+ -d file_name="openvino-genai.tgz" \
+ -d version="${{ github.sha }}" \
+ -d description="https://github.com/openvinotoolkit/openvino.genai/actions/runs/${{ github.run_id }}" \
+ https://scan.coverity.com/projects/30357/builds/init | tee response
+
+ upload_url=$(jq -r '.url' response)
+ build_id=$(jq -r '.build_id' response)
+
+ curl -X PUT \
+ --header 'Content-Type: application/json' \
+ --upload-file openvino-genai.tgz \
+ $upload_url
+
+ curl -X PUT \
+ -d token=${{ secrets.COVERITY_SECRET_TOKEN }} \
+ https://scan.coverity.com/projects/30357/builds/$build_id/enqueue
+ popd
+
+ - name: Show Coverity configure logs
+ continue-on-error: true
+ run: ${ENV_COV_TOOL_DIR}/bin/cov-configure -c ${ENV_COV_TOOL_DIR}/config/coverity_config.xml -lscc text
+
+ - name: Upload Coverity build log
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+ if: always()
+ with:
+ name: coverity_logs
+ path: ${{ env.BUILD_DIR }}/cov-int/build-log.txt
+ if-no-files-found: 'error'
+
+ - name: Upload Coverity build archive
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+ if: always()
+ with:
+ name: coverity_archive
+ path: ${{ env.BUILD_DIR }}/openvino-genai.tgz
+ if-no-files-found: 'error'
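Review bot: The "Submit to coverity" step accepts a failed build-init silently: the `curl -X POST … | tee response` call has no `--fail`, so an HTTP error body lands in `response`, `jq -r '.url'` then yields the literal string `null`, and the following `--upload-file` PUT and the `…/builds/null/enqueue` call run against a bogus URL while the step still reports success. Add `--fail-with-body` (or `-f`) to the POST and use `upload_url=$(jq -er '.url' response)` / `build_id=$(jq -er '.build_id' response)` so a missing field fails the step under the `shell: bash` `-e`/`pipefail` defaults; quote `"$upload_url"` as well. The secret token is also passed on the command line to `wget --post-data` and twice to `curl -d`, where it is readable in the container's process table even though GitHub masks it in the log, so feeding it via a file or stdin (`-d @-`) would be safer. Unlike the other actions, which are SHA-pinned with a version comment, `openvino_provider@master` floats on a mutable branch, and the Coverity tool tarball is extracted and used without any checksum after the download.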