Message ID | 94acd2e49687b0b182bc5cfb71af14d469ed7559.1713253492.git.echaudro@redhat.com |
---|---|
State | Under Review |
Delegated to: | Eelco Chaudron |
Headers | show |
Series | [ovs-dev] GitHub: Add Coverity scan as a daily GitHub action. | expand |
Context | Check | Description |
---|---|---|
ovsrobot/apply-robot | success | apply and check: success |
ovsrobot/github-robot-_Build_and_Test | success | github build: passed |
ovsrobot/intel-ovs-compilation | success | test: success |
On Tue, Apr 16, 2024 at 09:44:52AM +0200, Eelco Chaudron wrote: > This patch adds a daily Coverity run for the OVS main branch > to the GitHub actions. The result of the runs can be found here: > > https://scan.coverity.com/projects/openvswitch > > Before applying, we need to add the following two actions secrets > to the GitHub openvswitch project: > > - COVERITY_SCAN_TOKEN; The secret token from the project page > - COVERITY_SCAN_EMAIL; The maintainer's email alias > > Signed-off-by: Eelco Chaudron <echaudro@redhat.com> Hi Eelco, I'm fine with this patch in it's current form. Acked-by: Simon Horman <horms@ovn.org> But I do have a few questions. 1. Would it be useful to provide instructions to allow people to become involved in addressing warnings? It seems that a signup to scan.coverity.com is required to see information on warnings. 2. Is there any plan to address warnings? 3. See below. > --- > .github/workflows/coverity.yml | 131 +++++++++++++++++++++++++++++++++ > Makefile.am | 1 + > README.rst | 2 + > 3 files changed, 134 insertions(+) > create mode 100644 .github/workflows/coverity.yml > > diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml > new file mode 100644 > index 000000000..ae28920de > --- /dev/null > +++ b/.github/workflows/coverity.yml > @@ -0,0 +1,131 @@ > +name: Coverity scan > +on: > + schedule: > + - cron: '0 0 * * *' > + > +env: > + python_default: 3.12 > + > +jobs: > + build-dpdk: > + env: > + dependencies: gcc libbpf-dev libnuma-dev libpcap-dev ninja-build pkgconf > + CC: gcc > + DPDK_GIT: https://dpdk.org/git/dpdk > + DPDK_VER: 23.11 > + name: dpdk gcc > + outputs: > + dpdk_key: ${{ steps.gen_dpdk_key.outputs.key }} > + runs-on: ubuntu-22.04 > + timeout-minutes: 30 > + > + steps: > + - name: checkout > + uses: actions/checkout@v4 > + > + - name: update PATH > + run: | > + echo "$HOME/bin" >> $GITHUB_PATH > + echo "$HOME/.local/bin" >> $GITHUB_PATH > + > + - name: create ci signature file for the dpdk cache key > + # This will collect most of DPDK related lines, so hash will be different > + # if something changed in a way we're building DPDK including DPDK_VER. > + # This also allows us to use cache from any branch as long as version > + # and a way we're building DPDK stays the same. > + run: | > + cat .ci/dpdk-* > dpdk-ci-signature > + grep -rwE 'DPDK_GIT|DPDK_VER' .github/ >> dpdk-ci-signature > + if [ "${DPDK_VER##refs/*/}" != "${DPDK_VER}" ]; then > + git ls-remote --heads $DPDK_GIT $DPDK_VER >> dpdk-ci-signature > + fi > + cat dpdk-ci-signature > + > + - name: generate ci DPDK key > + id: gen_dpdk_key > + env: > + ci_key: ${{ hashFiles('dpdk-ci-signature') }} > + run: echo 'key=dpdk-${{ env.ci_key }}' >> $GITHUB_OUTPUT The above two steps seem both complex and somewhat different to the implementation in build-and-test.yml. Would it be worth introducing some sort of helper to generate the key? Perhaps a script that lives in .ci/ > + > + - name: cache > + id: dpdk_cache > + uses: actions/cache@v4 > + with: > + path: dpdk-dir > + key: ${{ steps.gen_dpdk_key.outputs.key }} ...
On 4/16/24 09:44, Eelco Chaudron wrote: > This patch adds a daily Coverity run for the OVS main branch > to the GitHub actions. The result of the runs can be found here: > > https://scan.coverity.com/projects/openvswitch > > Before applying, we need to add the following two actions secrets > to the GitHub openvswitch project: > > - COVERITY_SCAN_TOKEN; The secret token from the project page > - COVERITY_SCAN_EMAIL; The maintainer's email alias > > Signed-off-by: Eelco Chaudron <echaudro@redhat.com> > --- > .github/workflows/coverity.yml | 131 +++++++++++++++++++++++++++++++++ > Makefile.am | 1 + > README.rst | 2 + > 3 files changed, 134 insertions(+) > create mode 100644 .github/workflows/coverity.yml Thanks, Eelco for bringing this up. Though, continuing the offline discussion, I'm not sure having coverity scans as a GitHub action has any benefits for OVS community. A few issues: 1. Reports are not available to people outside of the OVS Coverity project. Adding everyone there doesn't seem reasonable. Also a potential security concern. 2. Workflow cannot be used in forks due to organization secrets. (IIUC, current implementation will just fail once a day annoying people who didn't disable that workflow.) 3. Necessity to have secrets in the organization. We currently don't have any, and from a security standpoint not having any secrets is always better. 4. A decent amount of code duplication for this workflow. (Reusable workflows maybe?) In its current form, I think, the same functionality can be provided by the 0-day robot that could submit sources once a day for the scan. And it could also send some emails with build details if necessary (again, there may be some security concerns in case coverity discovers a genuine security issue). With the total amount of code in the project, IIUC, we could submit up to 21 builds a week with no more than 3 per day (Coverity claims that it checked just under 300K lines in OVS). So, technically, we could create a bit more complex logic for 0-day bot to run a check per patch set (probably, not per patch though). In most cases we would fit within the limit with the current patch rate. Maybe reserving one run a week for the main branch. Such logic would be harder to implement with GHA. All in all, using GHA just for scheduling of a job that wider community can't take advantage of seems a little unjustified. Thoughts? Best regards, Ilya Maximets.
diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml new file mode 100644 index 000000000..ae28920de --- /dev/null +++ b/.github/workflows/coverity.yml @@ -0,0 +1,131 @@ +name: Coverity scan +on: + schedule: + - cron: '0 0 * * *' + +env: + python_default: 3.12 + +jobs: + build-dpdk: + env: + dependencies: gcc libbpf-dev libnuma-dev libpcap-dev ninja-build pkgconf + CC: gcc + DPDK_GIT: https://dpdk.org/git/dpdk + DPDK_VER: 23.11 + name: dpdk gcc + outputs: + dpdk_key: ${{ steps.gen_dpdk_key.outputs.key }} + runs-on: ubuntu-22.04 + timeout-minutes: 30 + + steps: + - name: checkout + uses: actions/checkout@v4 + + - name: update PATH + run: | + echo "$HOME/bin" >> $GITHUB_PATH + echo "$HOME/.local/bin" >> $GITHUB_PATH + + - name: create ci signature file for the dpdk cache key + # This will collect most of DPDK related lines, so hash will be different + # if something changed in a way we're building DPDK including DPDK_VER. + # This also allows us to use cache from any branch as long as version + # and a way we're building DPDK stays the same. + run: | + cat .ci/dpdk-* > dpdk-ci-signature + grep -rwE 'DPDK_GIT|DPDK_VER' .github/ >> dpdk-ci-signature + if [ "${DPDK_VER##refs/*/}" != "${DPDK_VER}" ]; then + git ls-remote --heads $DPDK_GIT $DPDK_VER >> dpdk-ci-signature + fi + cat dpdk-ci-signature + + - name: generate ci DPDK key + id: gen_dpdk_key + env: + ci_key: ${{ hashFiles('dpdk-ci-signature') }} + run: echo 'key=dpdk-${{ env.ci_key }}' >> $GITHUB_OUTPUT + + - name: cache + id: dpdk_cache + uses: actions/cache@v4 + with: + path: dpdk-dir + key: ${{ steps.gen_dpdk_key.outputs.key }} + + - name: set up python + if: steps.dpdk_cache.outputs.cache-hit != 'true' + uses: actions/setup-python@v5 + with: + python-version: ${{ env.python_default }} + + - name: update APT cache + if: steps.dpdk_cache.outputs.cache-hit != 'true' + run: sudo apt update || true + - name: install common dependencies + if: steps.dpdk_cache.outputs.cache-hit != 'true' + run: sudo apt install -y ${{ env.dependencies }} + + - name: prepare + if: steps.dpdk_cache.outputs.cache-hit != 'true' + run: ./.ci/dpdk-prepare.sh + + - name: build + if: steps.dpdk_cache.outputs.cache-hit != 'true' + run: ./.ci/dpdk-build.sh + + build-coverity: + needs: build-dpdk + env: + dependencies: | + automake bc clang-tools libbpf-dev libnuma-dev libpcap-dev \ + libunbound-dev libunwind-dev libssl-dev libtool llvm-dev \ + selinux-policy-dev + CC: gcc + DPDK: dpdk + name: coverity + runs-on: ubuntu-22.04 + timeout-minutes: 30 + + steps: + - name: checkout + uses: actions/checkout@v4 + + - name: update PATH + run: | + echo "$HOME/bin" >> $GITHUB_PATH + echo "$HOME/.local/bin" >> $GITHUB_PATH + + - name: set up python + uses: actions/setup-python@v5 + with: + python-version: ${{ env.python_default }} + + - name: get cached dpdk-dir + uses: actions/cache/restore@v4 + with: + path: dpdk-dir + key: ${{ needs.build-dpdk.outputs.dpdk_key }} + + - name: update APT cache + run: sudo apt update || true + + - name: install common dependencies + run: sudo apt install -y ${{ env.dependencies }} + + - name: prepare + run: ./.ci/linux-prepare.sh + + - name: build + run: ./.ci/linux-build.sh + + - name: pre-coverity cleanup + run: make clean + + - name: coverity scan + uses: vapier/coverity-scan-action@v1 + with: + token: ${{ secrets.COVERITY_SCAN_TOKEN }} + email: ${{ secrets.COVERITY_SCAN_EMAIL }} + command: make -j4 diff --git a/Makefile.am b/Makefile.am index e6c90a911..cf5d24f8c 100644 --- a/Makefile.am +++ b/Makefile.am @@ -86,6 +86,7 @@ EXTRA_DIST = \ .cirrus.yml \ .editorconfig \ .github/workflows/build-and-test.yml \ + .github/workflows/coverity.yml \ .readthedocs.yaml \ appveyor.yml \ boot.sh \ diff --git a/README.rst b/README.rst index ca9e386c2..713ca91ff 100644 --- a/README.rst +++ b/README.rst @@ -14,6 +14,8 @@ Open vSwitch :target: https://cirrus-ci.com/github/openvswitch/ovs .. image:: https://readthedocs.org/projects/openvswitch/badge/?version=latest :target: https://docs.openvswitch.org/en/latest/ +.. image:: https://scan.coverity.com/projects/7290/badge.svg + :target: https://scan.coverity.com/projects/openvswitch What is Open vSwitch? ---------------------
This patch adds a daily Coverity run for the OVS main branch to the GitHub actions. The result of the runs can be found here: https://scan.coverity.com/projects/openvswitch Before applying, we need to add the following two actions secrets to the GitHub openvswitch project: - COVERITY_SCAN_TOKEN; The secret token from the project page - COVERITY_SCAN_EMAIL; The maintainer's email alias Signed-off-by: Eelco Chaudron <echaudro@redhat.com> --- .github/workflows/coverity.yml | 131 +++++++++++++++++++++++++++++++++ Makefile.am | 1 + README.rst | 2 + 3 files changed, 134 insertions(+) create mode 100644 .github/workflows/coverity.yml