From 7251d1a8d8cf790ff891e926dcfe8deb1a5fee27 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C5=81ukasz=20Stolarczuk?= Date: Thu, 7 Nov 2024 15:20:02 +0100 Subject: [PATCH] [CI] Move coverity job to public GHA runner There's no need for self-hosted. For this change to happen it was required to re-write the workflow: - install dependencies for adapters and UMF, - download coverity tool from the project's page, - push tarball to Coverity's scan webpage via curl. --- ...-fix-travisci_build_coverity_scan.sh.patch | 27 ------ .github/workflows/coverity.yml | 82 +++++++++++-------- README.md | 3 +- 3 files changed, 52 insertions(+), 60 deletions(-) delete mode 100644 .github/scripts/0001-travis-fix-travisci_build_coverity_scan.sh.patch diff --git a/.github/scripts/0001-travis-fix-travisci_build_coverity_scan.sh.patch b/.github/scripts/0001-travis-fix-travisci_build_coverity_scan.sh.patch deleted file mode 100644 index 9738942aa4..0000000000 --- a/.github/scripts/0001-travis-fix-travisci_build_coverity_scan.sh.patch +++ /dev/null @@ -1,27 +0,0 @@ -From b5179dc4822eaab192361da05aa95d98f523960f Mon Sep 17 00:00:00 2001 -From: Lukasz Dorau -Date: Mon, 7 May 2018 12:05:40 +0200 -Subject: [PATCH] travis: fix travisci_build_coverity_scan.sh - ---- - travisci_build_coverity_scan.sh | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/travisci_build_coverity_scan.sh b/travisci_build_coverity_scan.sh -index ad9d4afcf..562b08bcc 100644 ---- a/travisci_build_coverity_scan.sh -+++ b/travisci_build_coverity_scan.sh -@@ -92,8 +92,8 @@ response=$(curl \ - --form description="Travis CI build" \ - $UPLOAD_URL) - status_code=$(echo "$response" | sed -n '$p') --if [ "$status_code" != "201" ]; then -+if [ "$status_code" != "200" ]; then - TEXT=$(echo "$response" | sed '$d') -- echo -e "\033[33;1mCoverity Scan upload failed: $TEXT.\033[0m" -+ echo -e "\033[33;1mCoverity Scan upload failed: $response.\033[0m" - exit 1 - fi --- -2.13.6 - 
diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml index ba0230d600..43f8d1c62d 100644 --- a/.github/workflows/coverity.yml +++ b/.github/workflows/coverity.yml @@ -1,12 +1,5 @@ -# -# Copyright (C) 2023-2024 Intel Corporation -# -# Part of the Unified-Runtime Project, under the Apache License v2.0 with LLVM Exceptions. -# See LICENSE.TXT -# SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception -# +# Coverity - static analysis build. It requires Coverity's token (set in CI's secret). name: coverity-unified-runtime -# It runs static analysis build - Coverity. It requires special token (set in CI's secret). on: workflow_dispatch: 
@@ -14,50 +7,75 @@ on: # Run every day at 22:00 UTC - cron: '0 22 * * *' -env: - WORKDIR: ${{ github.workspace }} - COVERITY_SCAN_NOTIFICATION_EMAIL: ${{ secrets.COVERITY_SCAN_NOTIFICATION_EMAIL }} - COVERITY_SCAN_TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }} - COVERITY_SCAN_PROJECT_NAME: ${{ github.repository }} - COVERITY_SCAN_BUILD_COMMAND: "cmake --build ${{github.workspace}}/build" - COVERITY_SCAN_BRANCH_PATTERN: "main" - TRAVIS_BRANCH: ${{ github.ref_name }} - permissions: contents: read jobs: - linux: + coverity: name: Coverity - runs-on: coverity + # run only on upstream; forks don't have token for upstream's cov project + if: github.repository == 'oneapi-src/unified-memory-framework' + runs-on: ubuntu-latest steps: - - name: Clone the git repo + - name: Checkout repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + fetch-depth: 0 + + - name: Install dependencies + run: | + wget https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2204/x86_64/cuda-keyring_1.1-1_all.deb + sudo dpkg -i cuda-keyring_1.1-1_all.deb + sudo apt-get update + sudo apt-get install -y libhwloc-dev libtbb-dev cuda-toolkit-12-6 - name: Install pip packages run: pip install -r third_party/requirements.txt + - name: Download Coverity + run: | + wget -O coverity_tool.tgz -nv https://scan.coverity.com/download/linux64 \ + --post-data "token=${{ secrets.COVERITY_SCAN_TOKEN }}&project=oneapi-src%2Funified-runtime" + + - name: Extract Coverity + run: tar xzf coverity_tool.tgz + + # TODO: enable HIP adapter as well (requires proper package(s) installation) - name: Configure CMake run: > cmake - -B $WORKDIR/build + -B ${{github.workspace}}/build + -DCMAKE_BUILD_TYPE=Release + -DUR_DEVELOPER_MODE=OFF + -DUR_FORMAT_CPP_STYLE=ON -DUR_ENABLE_TRACING=ON - -DUR_DEVELOPER_MODE=ON -DUR_BUILD_TESTS=ON - -DUMF_ENABLE_POOL_TRACKING=ON - -DUR_FORMAT_CPP_STYLE=ON - -DCMAKE_BUILD_TYPE=Debug -DUR_BUILD_ADAPTER_L0=ON -DUR_BUILD_ADAPTER_CUDA=ON - 
-DCUDA_CUDA_LIBRARY=/usr/local/cuda/lib64/stubs/libcuda.so + -DCUDA_CUDA_LIBRARY=/usr/local/cuda-12.6/targets/x86_64-linux/lib/stubs/libcuda.so -DUR_BUILD_ADAPTER_NATIVE_CPU=ON - -DUR_BUILD_ADAPTER_HIP=ON + -DUR_BUILD_ADAPTER_HIP=OFF -DUR_BUILD_ADAPTER_OPENCL=ON - - name: Run Coverity + - name: Build + run: | + export COVERITY_DIR=$(find . -maxdepth 1 -type d -name "cov-analysis-linux64-*" | head -n 1) + if [ -n "$COVERITY_DIR" ]; then + export PATH="$PATH:$COVERITY_DIR/bin" + fi + cov-build --dir ${{github.workspace}}/coverity-files cmake --build ${{github.workspace}}/build --config Release -j$(nproc) + + - name: Create tarball to analyze + run: tar czvf ur-coverity-files.tgz coverity-files + + - name: Push tarball to scan run: | - cd $WORKDIR/build - wget https://scan.coverity.com/scripts/travisci_build_coverity_scan.sh - patch < "../.github/scripts/0001-travis-fix-travisci_build_coverity_scan.sh.patch" - bash ./travisci_build_coverity_scan.sh + BRANCH_NAME=$(echo ${GITHUB_REF_NAME}) + COMMIT_ID=$(echo $GITHUB_SHA) + curl --form token=${{ secrets.COVERITY_SCAN_TOKEN }} \ + --form email=bb-ur@intel.com \ + --form file=@ur-coverity-files.tgz \ + --form version="$COMMIT_ID" \ + --form description="$BRANCH_NAME:$COMMIT_ID" \ + https://scan.coverity.com/builds\?project\=oneapi-src%2Funified-runtime diff --git a/README.md b/README.md index dc70f43876..5f1e7df3ff 100644 --- a/README.md +++ b/README.md 
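Review bot: The job guard `if: github.repository == 'oneapi-src/unified-memory-framework'` names a different repository than the rest of this hunk targets (`project=oneapi-src%2Funified-runtime`), so as written the scan looks like it would be skipped upstream on every run; it should presumably read `'oneapi-src/unified-runtime'`. In the "Download Coverity" and "Push tarball to scan" steps the token is spliced into the script with `${{ secrets.COVERITY_SCAN_TOKEN }}`; mapping it through `env:` and using a quoted `"$COVERITY_SCAN_TOKEN"` keeps it out of the generated script text and away from shell word-splitting. The upload `curl` has no `--fail`, so an HTTP error from the scan service leaves the step green, whereas the removed Travis script exited non-zero on an unexpected status code. The Coverity archive and the `cuda-keyring` .deb are both fetched and then run or installed (the latter with `sudo dpkg -i`) without a checksum comparison; pinning an expected digest for the .deb would close that gap.

```yaml
    # … unchanged: name, runs-on …
    if: github.repository == 'oneapi-src/unified-runtime'

    # … unchanged: checkout, dependency install, pip packages …

      - name: Download Coverity
        env:
          COVERITY_SCAN_TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
        run: |
          wget -O coverity_tool.tgz -nv https://scan.coverity.com/download/linux64 \
            --post-data "token=${COVERITY_SCAN_TOKEN}&project=oneapi-src%2Funified-runtime"

    # … unchanged: extract, configure, build, create tarball …

      - name: Push tarball to scan
        env:
          COVERITY_SCAN_TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
        run: |
          # … unchanged: BRANCH_NAME / COMMIT_ID assignments …
          curl --fail --form token="$COVERITY_SCAN_TOKEN" \
          # … unchanged: remaining --form fields and upload URL …
```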
@@ -3,7 +3,8 @@ [![Build and test](https://github.com/oneapi-src/unified-runtime/actions/workflows/cmake.yml/badge.svg)](https://github.com/oneapi-src/unified-runtime/actions/workflows/cmake.yml) [![Bandit](https://github.com/oneapi-src/unified-runtime/actions/workflows/bandit.yml/badge.svg)](https://github.com/oneapi-src/unified-runtime/actions/workflows/bandit.yml) [![CodeQL](https://github.com/oneapi-src/unified-runtime/actions/workflows/codeql.yml/badge.svg)](https://github.com/oneapi-src/unified-runtime/actions/workflows/codeql.yml) -[![Coverity](https://scan.coverity.com/projects/28213/badge.svg)](https://scan.coverity.com/projects/oneapi-src-unified-runtime) +[![Coverity build](https://github.com/oneapi-src/unified-runtime/actions/workflows/coverity.yml/badge.svg?branch=main)](https://github.com/oneapi-src/unified-runtime/actions/workflows/coverity.yml) +[![Coverity report](https://scan.coverity.com/projects/28213/badge.svg)](https://scan.coverity.com/projects/oneapi-src-unified-runtime) [![Nightly](https://github.com/oneapi-src/unified-runtime/actions/workflows/nightly.yml/badge.svg)](https://github.com/oneapi-src/unified-runtime/actions/workflows/nightly.yml) [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/oneapi-src/unified-runtime/badge)](https://securityscorecards.dev/viewer/?uri=github.com/oneapi-src/unified-runtime) [![Trivy](https://github.com/oneapi-src/unified-runtime/actions/workflows/trivy.yml/badge.svg)](https://github.com/oneapi-src/unified-runtime/actions/workflows/trivy.yml)