Build px4 coverity scan image

.github/workflows/tiiuae-coverity-scan-image.yaml

@@ -0,0 +1,51 @@
+name: tiiuae-builder-images
+
+on:
+  # REMOVE BEFORE MERGE:
+  push:
+  # Run only manually
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  coverity-scan-image:
+    name: create coverity scan image
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout px4-firmware
+        uses: actions/checkout@v3
+        with:
+          path: px4-firmware
+          fetch-depth: 0
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v3
+        with:
+          images: ghcr.io/tiiuae/px4-coverity-scan-image
+          tags: |
+            type=raw,value=latest
+            type=sha
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: take a look
+        run: ls -al
+      - name: Build and push coverity scan image
+        uses: docker/build-push-action@v4
+        with:
+          context: .
+          file: ./px4-firmware/packaging/Dockerfile.coverity
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            "COVERITY_DOCKER_REGISTRY_USERNAME=${{ secrets.COVERITY_DOCKER_REGISTRY_USERNAME }}"
+            "COVERITY_DOCKER_REGISTRY_ACCESS_TOKEN=${{ secrets.COVERITY_DOCKER_REGISTRY_ACCESS_TOKEN }}"
+            "COVERITY_LICENSE_DAT_B64=${{ secrets.COVERITY_LICENSE_DAT_B64 }}"
+            "COVERITY_ACCESS_TOKEN_B64=${{ secrets.COVERITY_ACCESS_TOKEN_B64 }}"

packaging/Dockerfile.coverity

@@ -0,0 +1,26 @@
+FROM ghcr.io/tiiuae/px4-firmware-builder-base:latest
+
+# coverity docker registry access token to download coverity tool
+# for more details refer to confluence page "Coverity docker scan"
+# https://ssrc.atlassian.net/wiki/spaces/DRON/pages/705823997/Coverity+docker+scan
+ARG COVERITY_DOCKER_REGISTRY_USERNAME
+ARG COVERITY_DOCKER_REGISTRY_ACCESS_TOKEN
+
+# coverity license file to run coverity tool
+ARG COVERITY_LICENSE_DAT_B64
+RUN echo "$COVERITY_LICENSE_DAT_B64" | base64 -d > /license.dat
+
+# access token for our internal server
+ARG COVERITY_ACCESS_TOKEN_B64
+RUN echo "$COVERITY_ACCESS_TOKEN_B64" | base64 -d > /auth_key.txt
+RUN chmod 400 /auth_key.txt
+
+# - download coverity installer package
+# - chmod and run the installer
+# - remove installation package to reduce image size
+RUN curl https://sig-repo.synopsys.com/artifactory/coverity-releases/2023.6.0/cov-analysis-linux64-2023.6.0.sh -o /coverity_install.sh -u ${COVERITY_DOCKER_REGISTRY_USERNAME}:${COVERITY_DOCKER_REGISTRY_ACCESS_TOKEN} \
+    && chmod +x /coverity_install.sh \
+    && /coverity_install.sh -q --installation.dir=/cov --license.region=6 --license.agreement=agree --license.type.choice=0 --license.cov.path=/license.dat \
+    && rm /coverity_install.sh
+
+ENTRYPOINT [ "entrypoint_coverity.sh" ]

packaging/coverity.yaml

@@ -0,0 +1,10 @@
+capture:
+  build:
+    build-command: packaging/build_px4fw.sh ssrc_saluki-v2_default
+
+commit:
+  connect:
+    auth-key-file: /auth_key.txt
+    stream: px4-coverity-test
+    url: https://coverity.ssrc.fi:443/
+    on-new-cert: trust