CI: enable daily coverity scan #849
base: main
.github/workflows/coverity.yml
Outdated
@@ -0,0 +1,46 @@ | |||
|
|||
name: Coverity |
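Review bot: the new file opens at line 1 with `name: Coverity`, so .github/workflows/coverity.yml carries no license header or explanatory comment above the workflow name. Add the header as YAML `#` comment lines before `name:`, together with a short comment stating what the workflow does.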
Thanks for the contribution. Please add a LICENSE header and comments?
You can refer to the file:
https://github.com/apache/cloudberry/blob/main/.github/workflows/build-cloudberry.yml
@chipitsine Thank you for your PR that adds Coverity scanning to the project's CI pipeline. I appreciate your effort to enhance our code quality checks. I am currently checking with the Apache Infrastructure team about policies regarding the use of Coverity Scan services for Apache projects. Additionally, I noticed a few technical items in the workflow that would need adjustment:
I'll keep you updated once I have more information about Apache's policies regarding Coverity usage. We can then address the workflow specifics based on what I learn. Thanks again for contributing to the project!
@edespino do you have an ETA for your investigations?
@chipitsine I have just sent the following to the ASF Infrastructure team.
I've approved your request, you should see findings now. Let me know if not. as for Coverity, CodeQL, and Sonar - I'd start with Coverity (for c/c++ projects). well, those options are not mutually exclusive. if you have enough appetite, you can enable all of them
regarding those
yep, it's a minor error. actually, I copied from another workflow, so it even works )) but I'll fix, never mind
notification email is mandatory. if you have some preference, I'll change it. or we can use secrets (if you want to keep it secret)
yep. someone has to add that token from coverity admin area to secrets
do you have an example?
The infra team mentioned that the Apache Software Foundation (ASF) has a SonarQube Cloud sponsorship. I am going to investigate setting it up and we can compare the functionality and usefulness of both tools. https://sonarcloud.io/organizations/apache/projects @chipitsine do you have any experience with SonarQube?
Could you please help me understand the motivation behind this task?
@chipitsine I am simply trying to determine if SonarQube would give us a similar static analysis as Coverity. It is possible Coverity is the way to go. But I would like to spend a few days reviewing both tools.
@edespino, hope this finds you well. how do you estimate several days?
@edespino hope you are doing well. did you have a chance to review?
Hi @chipitsine, since we haven't heard from Ed in a while, I think we can proceed with this. If something is wrong, we can create a new PR to fix it or just revert the changes. By the way, could you please replace your personal token and account info with mine as follows? I've informed the Cloudberry PPMC.
I decided to rebase and met some problems. either it will be fixed or I'll get some Linux computer
Hi, thanks! Looking forward to your new PR.
Ok, let me talk with the Apache infra team to see how we can do it. By the way, could you provide some steps on this, assuming you're the admin, which can be a reference for the ASF infra team. Thanks!
Hi @chipitsine, I already requested that the ASF infra team help set the secret. The secret name is still
assuming you are an admin, you can add secret here: https://github.com/apache/cloudberry/settings/secrets/actions
@tuhaihe, I've reopened.
"project" must be the same as it is in Coverity
Hi, you can use this in the CURL cmd: https://scan.coverity.com/builds?project=apache%2Fcloudberry You can visit the new Coverity page for Apache Cloudberry: https://scan.coverity.com/projects/apache-cloudberry-1f6d497c-9dcb-4204-a37b-0d79c6c5bec3
ok, it's another project.
What does this PR do?
introduce workflow mentioned in #842
Type of Change
Additional Context
next steps:
P.S. I forgot to mention reasoning for daily scheduling. Coverity has limits