git.vger.kernel.org archive mirror
From: Johannes Schindelin <Johannes.Schindelin@gmx.de>
To: Jeff King <peff@peff.net>
Cc: Taylor Blau <me@ttaylorr.com>, Junio C Hamano <gitster@pobox.com>,
	git@vger.kernel.org
Subject: Re: What's cooking in git.git (Oct 2021, #02; Wed, 6)
Date: Wed, 20 Oct 2021 14:27:30 +0200 (CEST)
Message-ID: <nycvar.QRO.7.76.6.2110201416390.56@tvgsbejvaqbjf.bet>
In-Reply-To: <YWC49+xCh+zum8Ms@coredump.intra.peff.net>

Hi Peff,

On Fri, 8 Oct 2021, Jeff King wrote:

> On Fri, Oct 08, 2021 at 09:51:33AM +0200, Johannes Schindelin wrote:
>
> > FWIW I have set up an Azure Pipeline to keep Git for Windows' `main`
> > branch covered by Coverity:
> >
> > https://dev.azure.com/git-for-windows/git/_build?definitionId=35
> >
> > It essentially calls into this scripted code:
> > https://github.com/git-for-windows/build-extra/blob/4676f286a1ec830a5038b32400808a353dc6c48d/please.sh#L1820-L1915
>
> Do you have any objection to adding something like the Action I showed
> earlier? It would do nothing in git-for-windows/git unless you set up
> the right environment, so there shouldn't be any downside.

No objection. I'd just ask to use `${{github.repository}}` instead of
hard-coding `peff/git`, and to really not run the workflow unless
configured. So something like this:

name: coverity-scan
on:
  push:
    # the branch filter has to sit under a `branches` key
    branches:
      - master
      - next
      - seen

jobs:
  coverity:
    runs-on: ubuntu-latest
    env:
      COVERITY_SCAN_TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
      COVERITY_SCAN_EMAIL: ${{ secrets.COVERITY_SCAN_EMAIL }}
    if: env.COVERITY_SCAN_TOKEN != '' && env.COVERITY_SCAN_EMAIL != ''
    steps:
      - uses: actions/checkout@v2
      - run: ci/install-dependencies.sh
      - name: Download Coverity Build Tool
        run: |
          wget -q https://scan.coverity.com/download/linux64 --post-data "token=$COVERITY_SCAN_TOKEN&project=$GITHUB_REPOSITORY" -O cov-analysis-linux64.tar.gz
          mkdir cov-analysis-linux64
          tar xzf cov-analysis-linux64.tar.gz --strip 1 -C cov-analysis-linux64
      - name: Build with cov-build
        run: |
          export PATH=$(pwd)/cov-analysis-linux64/bin:$PATH
          cov-build --dir cov-int make
      - name: Submit the result to Coverity Scan
        run: |
          tar czvf git.tgz cov-int
          # quote the expansions so the values and the `?` in the URL
          # reach curl unchanged
          curl \
            --form project="$GITHUB_REPOSITORY" \
            --form token="$COVERITY_SCAN_TOKEN" \
            --form email="$COVERITY_SCAN_EMAIL" \
            --form file=@git.tgz \
            --form version="$(git rev-parse HEAD)" \
            --form description="$(./git version)" \
            "https://scan.coverity.com/builds?project=$GITHUB_REPOSITORY"

Note the `jobs.coverity.if` attribute. This is what will let the entire
job be skipped unless the secrets are set up.

I am very much in favor of having this in git/git. Do you want to provide
the commit message, or do you want me to shepherd this?

> I admit I was not really planning to try to suppress the false positives
> as you've done here; my plan was to just keep an eye on the "new"
> entries (having already gone through the existing ones years ago).

I think we will _have_ to suppress the false positives at some point, as
something like 9 out of 10 new reports I receive are about these, and it
takes time to analyze & dismiss them. In general, I have no trouble
finding more fun things to do with my time.

Ciao,
Dscho
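
A pre-flight check that the workflow's shell steps could call, as an added example that is not part of the original message or of git's CI scripts. The function names `scan_configured` and `is_gzip_archive` are hypothetical; the variable and file names are the ones used in the workflow above. It does not skip the job; it only lets a step stop early.

```shell
#!/bin/sh
# Added example: pre-flight checks for the Coverity steps.
# Function names are hypothetical; variable names come from the workflow.

# Succeeds only when both secrets reached the environment as non-empty
# values. Reports the missing *names* on stderr, never a value.
scan_configured() {
	missing=
	for name in COVERITY_SCAN_TOKEN COVERITY_SCAN_EMAIL
	do
		eval "value=\${$name:-}"
		test -n "$value" || missing="$missing $name"
	done
	unset value
	if test -n "$missing"
	then
		echo "Coverity scan not configured; unset:$missing" >&2
		return 1
	fi
}

# Succeeds only when the file is non-empty and starts with the gzip magic
# bytes 1f 8b, so that a non-archive response saved by `wget -q` is caught
# before `tar xzf` is run on it.
is_gzip_archive() {
	test -s "$1" || return 1
	magic=$(od -An -tx1 -N2 "$1" | tr -d ' \n')
	test "$magic" = 1f8b
}

# Usage inside a step (sketch):
#   scan_configured || exit 0
#   is_gzip_archive cov-analysis-linux64.tar.gz || exit 1
```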


Thread overview: 24+ messages
2021-10-07  0:24 What's cooking in git.git (Oct 2021, #02; Wed, 6) Junio C Hamano
2021-10-07  2:01 ` ab/make-sparse-for-real Ævar Arnfjörð Bjarmason
2021-10-07  2:24 ` What's cooking in git.git (Oct 2021, #02; Wed, 6) Jeff King
2021-10-07  2:38   ` Jeff King
2021-10-07  4:07     ` Taylor Blau
2021-10-08  3:55       ` Jeff King
2021-10-08  7:51         ` Johannes Schindelin
2021-10-08 21:32           ` Jeff King
2021-10-20 12:27             ` Johannes Schindelin [this message]
2021-10-20 14:30               ` Taylor Blau
2021-10-20 14:47               ` Junio C Hamano
2021-10-20 16:13               ` Jeff King
2022-08-16  9:05                 ` Coverity, was " Johannes Schindelin
2022-08-17  0:57                   ` Jeff King
2022-08-19 11:22                     ` Johannes Schindelin
2021-10-07  7:42     ` Ævar Arnfjörð Bjarmason
2021-10-08  4:10       ` Jeff King
2021-10-08 20:03         ` Junio C Hamano
2021-10-08 20:19           ` Jeff King
2021-10-08 21:57             ` Junio C Hamano
2021-10-07  2:57   ` Ævar Arnfjörð Bjarmason
2021-10-07  4:15     ` Taylor Blau
2021-10-07  3:55   ` Taylor Blau
2021-10-07 18:02   ` Junio C Hamano
