Message ID | 1497369290-20401-4-git-send-email-peter.maydell@linaro.org |
---|---|
State | New |
Series | Automate coverity scan uploads via Travis |
Peter Maydell <peter.maydell@linaro.org> writes: > Add config to travis to do a Coverity Scan build and upload, using > the new run-coverity-scan script. > > There is an official integration between Travis and Coverity Scan: > https://github.com/travis-ci/travis-build/blob/master/lib/travis/build/addons/coverity_scan.rb > which slurps values out of the .travis.yml and downloads a build > script from Coverity which does the bulk of the work: > https://scan.coverity.com/scripts/travisci_build_coverity_scan.sh > > However we choose to roll our own since this seems less > confusing and also allows us to include debug features > (notably the ability to do a "dry run" test which doesn't > actually upload anything). > > Signed-off-by: Peter Maydell <peter.maydell@linaro.org> > --- > .travis.yml | 24 ++++++++++++++++++++++++ > 1 file changed, 24 insertions(+) > > diff --git a/.travis.yml b/.travis.yml > index 26dabb6..d772a4a 100644 > --- a/.travis.yml > +++ b/.travis.yml 
> @@ -210,3 +210,27 @@ matrix: > - TEST_CMD="" > before_script: > - ./configure ${CONFIG} --extra-cflags="-g3 -O0 -fsanitize=thread -fuse-ld=gold" || cat config.log > + # Build and upload to Coverity Scan. > + # We do not impose any rate limiting here, but instead rely on the > + # limiting done by the coverity servers, which for a project of QEMU's > + # size means one build a day. The run-coverity-scan script will exit > + # early if the limiter does not permit a new upload, so the effect will > + # be that the first build (only) in each 24 hour period will be scanned. > + # If we needed to apply a limit at the Travis end, the simplest approach > + # would be to run the scan only if the branch was 'coverity-scan', and > + # use a cron job to push master to the 'coverity-scan' branch periodically. > + # We run on the trusty Travis hosts so that there's a wider set of > + # dependencies satisfied to improve coverage. > + - dist: trusty I think we ought to add a sudo: stanza here to make it explicit if we want the containerised or VM based trusty image here. I'm wildly assuming we need lots of memory for this build so I would suggest: sudo: required > + env: > + - COVERITY=1 > + - COVERITY_BUILD_CMD="make -j3" > + - COVERITY_EMAIL=peter.maydell@linaro.org > + # This 'secure' setting sets COVERITY_TOKEN=<secret token> > + # and was created with travis encrypt -r qemu/qemu COVERITY_TOKEN=... > + - secure: "D3E6E5bacui53fYBQrx0wQr8ZTvo6VIBPKfg0QHj2uwa6OPFkUlcMr/EHWvdbZNAa4Q1bv1vhlED5OPRfPmQYzxQNT4SAxDZeuZnikgIymfqQXNOjKw4kRUDO9P42QanyFd+EAu2JDVClAeJPgBpa/ns4CNrGDK+Q3coGndCP8o=" > + before_script: > + - if [ "$TRAVIS_PULL_REQUEST" = "true" ]; then echo "Skipping Coverity (pullreq)"; exit 0; fi > + - if [ "$TRAVIS_BRANCH" != "master" ]; then echo "Skipping > Coverity (wrong branch)"; exit 0; fi This doesn't actually skip anything - but you can't exit non-zero without breaking the build. You would need to touch a file or something to make run-coverity-scan skip its work. 
> + script: > + - ./scripts/run-coverity-scan -- Alex Bennée
On 14 June 2017 at 16:14, Alex Bennée <alex.bennee@linaro.org> wrote: > > Peter Maydell <peter.maydell@linaro.org> writes: > >> Add config to travis to do a Coverity Scan build and upload, using >> the new run-coverity-scan script. >> >> There is an official integration between Travis and Coverity Scan: >> https://github.com/travis-ci/travis-build/blob/master/lib/travis/build/addons/coverity_scan.rb >> which slurps values out of the .travis.yml and downloads a build >> script from Coverity which does the bulk of the work: >> https://scan.coverity.com/scripts/travisci_build_coverity_scan.sh >> >> However we choose to roll our own since this seems less >> confusing and also allows us to include debug features >> (notably the ability to do a "dry run" test which doesn't >> actually upload anything). >> >> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> >> --- >> .travis.yml | 24 ++++++++++++++++++++++++ >> 1 file changed, 24 insertions(+) >> >> diff --git a/.travis.yml b/.travis.yml >> index 26dabb6..d772a4a 100644 >> --- a/.travis.yml >> +++ b/.travis.yml 
>> @@ -210,3 +210,27 @@ matrix: >> - TEST_CMD="" >> before_script: >> - ./configure ${CONFIG} --extra-cflags="-g3 -O0 -fsanitize=thread -fuse-ld=gold" || cat config.log >> + # Build and upload to Coverity Scan. >> + # We do not impose any rate limiting here, but instead rely on the >> + # limiting done by the coverity servers, which for a project of QEMU's >> + # size means one build a day. The run-coverity-scan script will exit >> + # early if the limiter does not permit a new upload, so the effect will >> + # be that the first build (only) in each 24 hour period will be scanned. >> + # If we needed to apply a limit at the Travis end, the simplest approach >> + # would be to run the scan only if the branch was 'coverity-scan', and >> + # use a cron job to push master to the 'coverity-scan' branch periodically. >> + # We run on the trusty Travis hosts so that there's a wider set of >> + # dependencies satisfied to improve coverage. >> + - dist: trusty > > I think we ought to add a sudo: stanza here to make it explicit if we > want the containerised or VM based trusty image here. I'm wildly > assuming we need lots of memory for this build so I would suggest: > > sudo: required It works with both, and the default as set in the top of the travis config is for not-required so that's what I went with. I think the sudo:required setups give you less CPU which makes it even more likely to hit the 50 minute timeout. >> + env: >> + - COVERITY=1 >> + - COVERITY_BUILD_CMD="make -j3" >> + - COVERITY_EMAIL=peter.maydell@linaro.org >> + # This 'secure' setting sets COVERITY_TOKEN=<secret token> >> + # and was created with travis encrypt -r qemu/qemu COVERITY_TOKEN=... 
>> + - secure: "D3E6E5bacui53fYBQrx0wQr8ZTvo6VIBPKfg0QHj2uwa6OPFkUlcMr/EHWvdbZNAa4Q1bv1vhlED5OPRfPmQYzxQNT4SAxDZeuZnikgIymfqQXNOjKw4kRUDO9P42QanyFd+EAu2JDVClAeJPgBpa/ns4CNrGDK+Q3coGndCP8o=" >> + before_script: >> + - if [ "$TRAVIS_PULL_REQUEST" = "true" ]; then echo "Skipping Coverity (pullreq)"; exit 0; fi >> + - if [ "$TRAVIS_BRANCH" != "master" ]; then echo "Skipping >> Coverity (wrong branch)"; exit 0; fi > > This doesn't actually skip anything - but you can't exit non-zero > without breaking the build. You would need to touch a file or something > to make run-coverity-scan skip its work. Yes, you're right. That's a bit awkward. thanks -- PMM
diff --git a/.travis.yml b/.travis.yml index 26dabb6..d772a4a 100644 --- a/.travis.yml +++ b/.travis.yml @@ -210,3 +210,27 @@ matrix: - TEST_CMD="" before_script: - ./configure ${CONFIG} --extra-cflags="-g3 -O0 -fsanitize=thread -fuse-ld=gold" || cat config.log + # Build and upload to Coverity Scan. + # We do not impose any rate limiting here, but instead rely on the + # limiting done by the coverity servers, which for a project of QEMU's + # size means one build a day. The run-coverity-scan script will exit + # early if the limiter does not permit a new upload, so the effect will + # be that the first build (only) in each 24 hour period will be scanned. + # If we needed to apply a limit at the Travis end, the simplest approach + # would be to run the scan only if the branch was 'coverity-scan', and + # use a cron job to push master to the 'coverity-scan' branch periodically. + # We run on the trusty Travis hosts so that there's a wider set of + # dependencies satisfied to improve coverage. + - dist: trusty + env: + - COVERITY=1 + - COVERITY_BUILD_CMD="make -j3" + - COVERITY_EMAIL=peter.maydell@linaro.org + # This 'secure' setting sets COVERITY_TOKEN=<secret token> + # and was created with travis encrypt -r qemu/qemu COVERITY_TOKEN=... + - secure: "D3E6E5bacui53fYBQrx0wQr8ZTvo6VIBPKfg0QHj2uwa6OPFkUlcMr/EHWvdbZNAa4Q1bv1vhlED5OPRfPmQYzxQNT4SAxDZeuZnikgIymfqQXNOjKw4kRUDO9P42QanyFd+EAu2JDVClAeJPgBpa/ns4CNrGDK+Q3coGndCP8o=" + before_script: + - if [ "$TRAVIS_PULL_REQUEST" = "true" ]; then echo "Skipping Coverity (pullreq)"; exit 0; fi + - if [ "$TRAVIS_BRANCH" != "master" ]; then echo "Skipping Coverity (wrong branch)"; exit 0; fi + script: + - ./scripts/run-coverity-scan
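Review bot: the first before_script guard compares "$TRAVIS_PULL_REQUEST" against "true", which never matches: Travis sets TRAVIS_PULL_REQUEST to the pull request number on pull-request builds and to "false" otherwise, so the "Skipping Coverity (pullreq)" branch is dead code. Compare against "false" instead, for example [ "$TRAVIS_PULL_REQUEST" != "false" ]. Separately, as raised in the thread, neither guard stops the script phase from running ./scripts/run-coverity-scan, so the pull-request and branch conditions would be better checked inside run-coverity-scan itself or on the script line, where a failed condition can actually skip the build and upload.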
Add config to travis to do a Coverity Scan build and upload, using the new run-coverity-scan script.

There is an official integration between Travis and Coverity Scan:
https://github.com/travis-ci/travis-build/blob/master/lib/travis/build/addons/coverity_scan.rb
which slurps values out of the .travis.yml and downloads a build script from Coverity which does the bulk of the work:
https://scan.coverity.com/scripts/travisci_build_coverity_scan.sh

However we choose to roll our own since this seems less confusing and also allows us to include debug features (notably the ability to do a "dry run" test which doesn't actually upload anything).

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 .travis.yml | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

--
2.7.4