[2/6] coverity: cache the Coverity Build Tool

Message ID 8420a76eba3eba3afdc7747af6d609ad8dbd8cb6.1695379323.git.gitgitgadget@gmail.com (mailing list archive)
State Superseded
Series: Add a GitHub workflow to submit builds to Coverity Scan

Commit Message

Johannes Schindelin Sept. 22, 2023, 10:41 a.m. UTC
From: Johannes Schindelin <johannes.schindelin@gmx.de>

It would add a 1GB+ download for every run, better cache it.

This is inspired by the GitHub Action `vapier/coverity-scan-action`,
however, it uses the finer-grained `restore`/`save` method to be able to
cache the Coverity Build Tool even if an unrelated step in the GitHub
workflow fails later on.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
---
 .github/workflows/coverity.yml | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

Comments

Jeff King Sept. 23, 2023, 6:58 a.m. UTC | #1
On Fri, Sep 22, 2023 at 10:41:59AM +0000, Johannes Schindelin via GitGitGadget wrote:

> From: Johannes Schindelin <johannes.schindelin@gmx.de>
> 
> It would add a 1GB+ download for every run, better cache it.
> 
> This is inspired by the GitHub Action `vapier/coverity-scan-action`,
> however, it uses the finer-grained `restore`/`save` method to be able to
> cache the Coverity Build Tool even if an unrelated step in the GitHub
> workflow fails later on.

Nice. This is the big thing that I think the vapier action was providing
us, and it does not look too bad. I have never used actions/cache
before, but it all looks plausibly correct to me (and I assume you did a
few test-runs to check it).

One note:

> +      # The Coverity site says the tool is usually updated twice yearly, so the
> +      # MD5 of download can be used to determine whether there's been an update.
> +      - name: get the Coverity Build Tool hash
> +        id: lookup
> +        run: |
> +          MD5=$(curl https://scan.coverity.com/download/$COVERITY_LANGUAGE/$COVERITY_PLATFORM \
> +                   --data "token=${{ secrets.COVERITY_SCAN_TOKEN }}&project=$COVERITY_PROJECT&md5=1")
> +          echo "hash=$MD5" >>$GITHUB_OUTPUT

We probably want --fail here, too (and presumably &&-chaining) so that
we don't accidentally write a bogus cache entry. Possibly even check
that $MD5 isn't blank if we want to be double-paranoid.

That made me wonder: if we do end up with a bogus cache entry, how does
one clear it? And it looks like it can be managed directly via
https://github.com/$user/$project/actions/caches. Nice.

-Peff
Johannes Schindelin Sept. 25, 2023, 11:52 a.m. UTC | #2
Hi Peff,

On Sat, 23 Sep 2023, Jeff King wrote:

> On Fri, Sep 22, 2023 at 10:41:59AM +0000, Johannes Schindelin via GitGitGadget wrote:
>
> > From: Johannes Schindelin <johannes.schindelin@gmx.de>
> >
> > It would add a 1GB+ download for every run, better cache it.
> >
> > This is inspired by the GitHub Action `vapier/coverity-scan-action`,
> > however, it uses the finer-grained `restore`/`save` method to be able to
> > cache the Coverity Build Tool even if an unrelated step in the GitHub
> > workflow fails later on.
>
> Nice. This is the big thing that I think the vapier action was providing
> us, and it does not look too bad.
>
> I have never used actions/cache before, but it all looks plausibly
> correct to me (and I assume you did a few test-runs to check it).

I use `actions/cache` extensively, both in GitHub workflows via the Action
as well as in custom Actions like `setup-git-for-windows-sdk`, so I am
confident that I am using this tool correctly here, too.

>
> One note:
>
> > +      # The Coverity site says the tool is usually updated twice yearly, so the
> > +      # MD5 of download can be used to determine whether there's been an update.
> > +      - name: get the Coverity Build Tool hash
> > +        id: lookup
> > +        run: |
> > +          MD5=$(curl https://scan.coverity.com/download/$COVERITY_LANGUAGE/$COVERITY_PLATFORM \
> > +                   --data "token=${{ secrets.COVERITY_SCAN_TOKEN }}&project=$COVERITY_PROJECT&md5=1")
> > +          echo "hash=$MD5" >>$GITHUB_OUTPUT
>
> We probably want --fail here, too.

I concur, after verifying that the scary manual page note about
authentication issues often not being handled correctly by `curl --fail`
does not affect this particular scenario.

Ciao,
Johannes
Patch

diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
index 24408f6282c..e8d0be52702 100644
--- a/.github/workflows/coverity.yml
+++ b/.github/workflows/coverity.yml
@@ -29,16 +29,41 @@  jobs:
         env:
           runs_on_pool: ubuntu-latest
 
+      # The Coverity site says the tool is usually updated twice yearly, so the
+      # MD5 of download can be used to determine whether there's been an update.
+      - name: get the Coverity Build Tool hash
+        id: lookup
+        run: |
+          MD5=$(curl https://scan.coverity.com/download/$COVERITY_LANGUAGE/$COVERITY_PLATFORM \
+                   --data "token=${{ secrets.COVERITY_SCAN_TOKEN }}&project=$COVERITY_PROJECT&md5=1")
+          echo "hash=$MD5" >>$GITHUB_OUTPUT
+
+      # Try to cache the tool to avoid downloading 1GB+ on every run.
+      # A cache miss will add ~30s to create, but a cache hit will save minutes.
+      - name: restore the Coverity Build Tool
+        id: cache
+        uses: actions/cache/restore@v3
+        with:
+          path: ${{ runner.temp }}/cov-analysis
+          key: cov-build-${{ env.COVERITY_LANGUAGE }}-${{ env.COVERITY_PLATFORM }}-${{ steps.lookup.outputs.hash }}
       - name: download the Coverity Build Tool (${{ env.COVERITY_LANGUAGE }} / ${{ env.COVERITY_PLATFORM}})
+        if: steps.cache.outputs.cache-hit != 'true'
         run: |
           curl https://scan.coverity.com/download/$COVERITY_LANGUAGE/$COVERITY_PLATFORM \
             --no-progress-meter \
             --output $RUNNER_TEMP/cov-analysis.tgz \
             --data "token=${{ secrets.COVERITY_SCAN_TOKEN }}&project=$COVERITY_PROJECT"
       - name: extract the Coverity Build Tool
+        if: steps.cache.outputs.cache-hit != 'true'
         run: |
           mkdir $RUNNER_TEMP/cov-analysis &&
           tar -xzf $RUNNER_TEMP/cov-analysis.tgz --strip 1 -C $RUNNER_TEMP/cov-analysis
+      - name: cache the Coverity Build Tool
+        if: steps.cache.outputs.cache-hit != 'true'
+        uses: actions/cache/save@v3
+        with:
+          path: ${{ runner.temp }}/cov-analysis
+          key: cov-build-${{ env.COVERITY_LANGUAGE }}-${{ env.COVERITY_PLATFORM }}-${{ steps.lookup.outputs.hash }}
       - name: build with cov-build
         run: |
           export PATH="$RUNNER_TEMP/cov-analysis/bin:$PATH" &&
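Review bot: the "get the Coverity Build Tool hash" step has no error handling, so a failed lookup still produces a cache key. `MD5=$(curl ... --data "...&md5=1")` runs without `--fail`, and the `echo "hash=$MD5" >>$GITHUB_OUTPUT` that follows is not `&&`-chained to it, so an HTTP error (bad or rotated `COVERITY_SCAN_TOKEN`, wrong `COVERITY_PROJECT`, Coverity outage) writes either an empty string or the server's error body as `hash=`; the later `actions/cache/restore` and `actions/cache/save` steps then key the 1GB+ tool under `cov-build-...-` (empty suffix) or under garbage, and that entry survives until someone deletes it by hand from the repository's caches page. Suggest `MD5=$(curl --fail ... ) && test -n "$MD5" && echo "hash=$MD5" >>$GITHUB_OUTPUT` so the job stops before a bad entry is created; the same `--fail` would also suit the existing download `curl` in the unchanged context below, where a missing tarball currently only surfaces at `tar -xzf`.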