On 4/16/24 09:44, Eelco Chaudron wrote: > This patch adds a daily Coverity run for the OVS main branch > to the GitHub actions. The result of the runs can be found here: > > https://scan.coverity.com/projects/openvswitch > > Before applying, we need to add the following two actions secrets > to the GitHub openvswitch project: > > - COVERITY_SCAN_TOKEN; The secret token from the project page > - COVERITY_SCAN_EMAIL; The maintainer's email alias > > Signed-off-by: Eelco Chaudron <echau...@redhat.com> > --- > .github/workflows/coverity.yml | 131 +++++++++++++++++++++++++++++++++ > Makefile.am | 1 + > README.rst | 2 + > 3 files changed, 134 insertions(+) > create mode 100644 .github/workflows/coverity.yml
Thanks, Eelco for bringing this up. Though, continuing the offline discussion, I'm not sure having coverity scans as a GitHub action has any benefits for OVS community. A few issues: 1. Reports are not available to people outside of the OVS Coverity project. Adding everyone there doesn't seem reasonable. Also a potential security concern. 2. Workflow cannot be used in forks due to organization secrets. (IIUC, current implementation will just fail once a day annoying people who didn't disable that workflow.) 3. Necessity to have secrets in the organization. We currently don't have any, and from a security standpoint not having any secrets is always better. 4. A decent amount of code duplication for this workflow. (Reusable workflows maybe?) In its current form, I think, the same functionality can be provided by the 0-day robot that could submit sources once a day for the scan. And it could also send some emails with build details if necessary (again, there may be some security concerns in case coverity discovers a genuine security issue). With the total amount of code in the project, IIUC, we could submit up to 21 builds a week with no more than 3 per day (Coverity claims that it checked just under 300K lines in OVS). So, technically, we could create a bit more complex logic for 0-day bot to run a check per patch set (probably, not per patch though). In most cases we would fit within the limit with the current patch rate. Maybe reserving one run a week for the main branch. Such logic would be harder to implement with GHA. All in all, using GHA just for scheduling of a job that wider community can't take advantage of seems a little unjustified. Thoughts? Best regards, Ilya Maximets. _______________________________________________ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
