On Mon, Mar 04, 2024 at 05:06:31PM -0500, Paolo Bonzini wrote: > Add a job that can be run, either manually or on a schedule, to upload > a build to Coverity Scan. The job uses the run-coverity-scan script > in multiple phases of check, download tools and upload, in order to > avoid both wasting time (skip everything if you are above the upload > quota) and avoid filling the log with the progress of downloading > the tools. > > The job is intended to run on a scheduled pipeline run, and scheduled > runs will not get any other job. It requires two variables to be in > GitLab CI, COVERITY_TOKEN and COVERITY_EMAIL. Those are already set up > in qemu-project's configuration as protected and masked variables. > > Signed-off-by: Paolo Bonzini <pbonz...@redhat.com> > --- > .gitlab-ci.d/base.yml | 4 ++++ > .gitlab-ci.d/buildtest.yml | 36 ++++++++++++++++++++++++++++++++++++ > 2 files changed, 40 insertions(+) > > diff --git a/.gitlab-ci.d/base.yml b/.gitlab-ci.d/base.yml > index ef173a34e6..2dd8a9b57c 100644 > --- a/.gitlab-ci.d/base.yml > +++ b/.gitlab-ci.d/base.yml > @@ -41,6 +41,10 @@ variables: > - if: '$CI_PROJECT_NAMESPACE == $QEMU_CI_UPSTREAM && $CI_COMMIT_TAG' > when: never > > + # Scheduled runs on mainline don't get pipelines except for the special > Coverity job > + - if: '$CI_PROJECT_NAMESPACE == $QEMU_CI_UPSTREAM && $CI_PIPELINE_SOURCE > == "schedule"' > + when: never > + > # Cirrus jobs can't run unless the creds / target repo are set > - if: '$QEMU_JOB_CIRRUS && ($CIRRUS_GITHUB_REPO == null || > $CIRRUS_API_TOKEN == null)' > when: never > diff --git a/.gitlab-ci.d/buildtest.yml b/.gitlab-ci.d/buildtest.yml > index a1c030337b..378dee055b 100644 > --- a/.gitlab-ci.d/buildtest.yml > +++ b/.gitlab-ci.d/buildtest.yml > @@ -729,3 +729,38 @@ pages: > - public > variables: > QEMU_JOB_PUBLISH: 1 > + > +coverity: > + image: $CI_REGISTRY_IMAGE/qemu/fedora:$QEMU_CI_CONTAINER_TAG > + stage: build > + allow_failure: true > + timeout: 3h > + needs: > + - job: amd64-fedora-container > + optional: true > + before_script: > + - dnf install -y curl wget > + script: > + # would be nice to cancel the job if over quota > (https://gitlab.com/gitlab-org/gitlab/-/issues/256089) > + - 'scripts/coverity-scan/run-coverity-scan --check-upload-only || > (exitcode=$?; if test $exitcode = 1; then > + exit 0; > + else > + exit $exitcode; > + fi)' > + - 'scripts/coverity-scan/run-coverity-scan --update-tools-only > > update-tools.log 2>&1 || cat update-tools.log'
Slightly shorter as: ..... 2>&1 | tee update-tools.log > + - 'scripts/coverity-scan/run-coverity-scan --no-update-tools' > + rules: > + - if: '$COVERITY_TOKEN == null' > + when: never > + - if: '$COVERITY_EMAIL == null' > + when: never > + # Never included on upstream pipelines, except for schedules > + - if: '$CI_PROJECT_NAMESPACE == $QEMU_CI_UPSTREAM && $CI_PIPELINE_SOURCE > == "schedule" && $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH' > + when: on_success > + - if: '$CI_PROJECT_NAMESPACE == $QEMU_CI_UPSTREAM' > + when: never > + # Forks don't get any pipeline unless QEMU_CI=1 or QEMU_CI=2 is set > + - if: '$QEMU_CI != "1" && $QEMU_CI != "2"' > + when: never > + # Always manual on forks even if $QEMU_CI == "2" > + - when: manual > -- Reviewed-by: Daniel P. Berrangé <berra...@redhat.com> With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
