run coverity scan

.github/workflows/tiiuae-coverity-scan-image.yaml

@@ -22,7 +22,7 @@ jobs:
           fetch-depth: 0
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@v3
+        uses: docker/metadata-action@v4
         with:
           images: ghcr.io/tiiuae/px4-coverity-scan-image
           tags: |

.github/workflows/tiiuae-coverity-scan.yaml

@@ -0,0 +1,38 @@
+name: tiiuae-px4-coverity-scan
+
+on:
+  workflow_dispatch:
+  # REMOVE PUSH BEFORE MERGE!!!
+  # run it on pr or something
+  push:
+
+jobs:
+  coverity:
+    runs-on: px4-self-hosted-coverity
+    steps:
+      - name: Checkout px4-firmware
+        uses: actions/checkout@v3
+        with:
+          token: ${{ secrets.GH_REPO_TOKEN }}
+          submodules: 'recursive'
+          fetch-depth: 0
+      - name: Fetch submodule tags
+        run: |
+          git submodule foreach --recursive git fetch --tags
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Run coverity scan
+        run:
+          docker run --rm -v "$(pwd):/main_ws" ghcr.io/tiiuae/px4-coverity-scan-image:latest
+      - name: Update summary
+        run:
+          cat cov-analyze-result.txt >> $GITHUB_STEP_SUMMARY
+      - name: Upload coverity scan results
+        uses: actions/upload-artifact@v3
+        with:
+          name: coverity-html-report-${{ github.event.repository.name }}
+          path: coverity-output

packaging/Dockerfile.coverity

@@ -23,4 +23,5 @@ RUN curl https://sig-repo.synopsys.com/artifactory/coverity-releases/2023.6.0/co
     && /coverity_install.sh -q --installation.dir=/cov --license.region=6 --license.agreement=agree --license.type.choice=0 --license.cov.path=/license.dat \
     && rm /coverity_install.sh
 
-ENTRYPOINT [ "entrypoint_coverity.sh" ]
+COPY px4-firmware/packaging/entrypoint_coverity.sh /
+ENTRYPOINT [ "/entrypoint_coverity.sh" ]

packaging/entrypoint_coverity.sh

@@ -0,0 +1,35 @@
+#!/bin/bash -eu
+
+COVERITY_SUMMARY_OUT=/main_ws/cov-analyze-result.txt
+COVERITY_SCAN_OUT=/main_ws/cov-scan-output.txt
+COVERITY_REPORT_OUT=/main_ws/coverity-output
+SOURCE_DIR=/sources
+
+cp -r /main_ws ${SOURCE_DIR}
+cp ${SOURCE_DIR}/packaging/coverity.yaml ${SOURCE_DIR}/coverity.yaml
+cd ${SOURCE_DIR}
+
+export PATH=$PATH:/cov/bin/
+cov-configure --gcc
+coverity scan --exclude-language java |tee ${COVERITY_SCAN_OUT}
+coverity list
+
+# find important information from coverity scan to be shown on github action step summary
+# link for coverity
+grep 'Results are available at' ${COVERITY_SCAN_OUT} >> ${COVERITY_SUMMARY_OUT}
+echo 'send a slack message to tampere-drones if you have access issues' >> ${COVERITY_SUMMARY_OUT}
+
+echo "Analysis summary:">> ${COVERITY_SUMMARY_OUT}
+# '```' marks the code block for output
+echo '```' >> ${COVERITY_SUMMARY_OUT}
+# check analysis summary output and save everything beginning from "analysis summary report" to a file
+cov-analyze --dir idir --strip-path /main_ws/src/ |sed -n -E -e '/Analysis summary report:/,$ p'>>${COVERITY_SUMMARY_OUT}
+# '```' ends the code block for output
+echo '```' >> ${COVERITY_SUMMARY_OUT}
+
+echo "File findings:">> ${COVERITY_SUMMARY_OUT}
+echo '------' >> ${COVERITY_SUMMARY_OUT}
+
+# save coverity html output
+cov-format-errors --dir idir --html-output ${COVERITY_REPORT_OUT}
+echo 'for more details please check attached html report from "Artifacts" -sections above' >> ${COVERITY_SUMMARY_OUT}