tf-m-coverity.yaml

#-------------------------------------------------------------------------------
# Copyright (c) 2020-2022, Arm Limited. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
#-------------------------------------------------------------------------------

- scm:
    name: tf-m-ci-scripts
    scm:
        - git:
            url: https://git.trustedfirmware.org/ci/tf-m-ci-scripts.git
            refspec: +refs/heads/master:refs/remotes/origin/master
            name: origin
            branches:
                - refs/heads/master
            basedir: tf-m-ci-scripts
            skip-tag: true
            shallow-clone: true
            wipe-workspace: false
- scm:
    name: trusted-firmware-m
    scm:
        - git:
            url: https://review.trustedfirmware.org/${TF_GERRIT_PROJECT}
            refspec: ${TF_GERRIT_REFSPEC}
            name: origin
            branches:
                - ${TF_GERRIT_BRANCH}
            basedir: trusted-firmware-m
            skip-tag: true
            shallow-clone: false
            wipe-workspace: false
- job:
    name: tf-m-coverity
    node: docker-amd64-tf-m-bionic
    project-type: freestyle
    concurrent: true
    disabled: false
    defaults: global
    description: |
      Run the Coverity tool on Trusted Firmware M and submit the resulting
      tarball to <a href="https://scan.coverity.com/projects/trusted-firmware-m-35b064f0-65c2-4afb-9ba9-24aa432fb7fa">Coverity Scan Online</a>.
      <br/>
      This job runs <b>every weekday</b> and by default uses the <b>master</b> branch on trustedfirmware.org.
    properties:
        - build-discarder:
            days-to-keep: 180
            num-to-keep: 180
    parameters:
        - string:
            name: TF_GERRIT_PROJECT
            default: 'TF-M/trusted-firmware-m'
        - string:
            name: TF_GERRIT_BRANCH
            default: 'refs/heads/master'
        - string:
            name: TF_GERRIT_REFSPEC
            default: '+refs/heads/master:refs/remotes/origin/master'
        - string:
            name: COVERITY_VERSION
            default: '2020.09'
        - bool:
            name: UPLOAD_TO_COVERITY_SCAN_ONLINE
            default: true
    scm:
        - tf-m-ci-scripts
        - trusted-firmware-m
    wrappers:
        - timestamps
        - credentials-binding:
          - text:
              credential-id: TF-M-COVERITY-SCAN-TOKEN
              variable: TF_M_COVERITY_SCAN_TOKEN
    builders:
        - shell: |-
            #!/bin/bash
            set -e

            # Fetch coverity tool and untar it
            cd ${WORKSPACE}
            wget https://scan.coverity.com/download/linux64 \
                --quiet \
                --post-data "token=${TF_M_COVERITY_SCAN_TOKEN}&project=Trusted+Firmware-M" \
                -O coverity_tool.tgz
            tar -xzf coverity_tool.tgz
            mv cov-analysis-linux64-${COVERITY_VERSION} coverity
            export PATH=${WORKSPACE}/coverity/bin:${PATH}

            # Run coverity
            cd ${WORKSPACE}/trusted-firmware-m
            ${WORKSPACE}/tf-m-ci-scripts/run-coverity.py --tf $(pwd)

        - conditional-step:
            condition-kind: boolean-expression
            condition-expression: "${UPLOAD_TO_COVERITY_SCAN_ONLINE}"
            on-evaluation-failure: dont-run
            steps:
            - shell: |-
                #!/bin/bash

                echo "Uploading tarball to Coverity Scan Online..."
                cd ${WORKSPACE}/trusted-firmware-m
                GIT_COMMIT=$(git rev-parse HEAD)

                curl \
                  --form token=${TF_M_COVERITY_SCAN_TOKEN} \
                  --form email=Karl.Zhang@arm.com \
                  --form file=@"arm-tf-coverity-results.tgz" \
                  --form version="Commit ${GIT_COMMIT}" \
                  --form description="Build ${BUILD_DISPLAY_NAME}" \
                  https://scan.coverity.com/builds?project=Trusted+Firmware-M
    triggers:
    - timed: H H(4-6) * * 1-5