coverity.yml: Shell may only be a single command #413
I'm still trying to figure out how to actually run this without merging it into master first...
Maybe just do it in master?
Yeah it seems like there is no other option
Let's do it. I'll merge to master
Done
Now you can add the coverity secrets to the repo and try to run it. Let's see how it goes
Can you check this? https://github.com/cycfi/elements/actions/runs/9641033364
It's still missing the environment secret configuration. That's why it can't download and fails. You need to set up a new environment named Coverity with the token and email address you're seeing when you log in to coverity (on the tab where you can submit a build).
I am a total moron with Coverity. Is there a tutorial on how to set this up?
Not really, it's really simple: Go to the settings of the repository here on GitHub, select "secrets and variables" on the left, then click on "actions". On the right hand side select "Manage environment secrets", click on new environment, name it Coverity. Once it's added you need to add 2 secrets to it, COVERITY_SCAN_EMAIL and COVERITY_SCAN_TOKEN. Both can be found at https://scan.coverity.com/projects/30354/builds/new (at "Step 1" at the bottom where the submission process for automated builds is). Once that is done you can try to re-run it.
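To show how the Coverity environment and its two secrets described above are consumed by a workflow, here is an added example of a minimal GitHub Actions job; it is not the project's own coverity.yml. It assumes a CMake build and uses the placeholder PROJECT_NAME for the Coverity Scan project name, which is not given on this page.

```yaml
# Added example, not the project's coverity.yml.
# Assumptions: CMake build; PROJECT_NAME is a placeholder for the
# Coverity Scan project name (URL-encode a slash as %2F).
name: Coverity Scan
on:
  workflow_dispatch:   # manual trigger only: Coverity Scan caps runs per week
jobs:
  coverity:
    runs-on: ubuntu-latest
    environment: Coverity   # secrets are read from the environment, never stored in the repo
    steps:
      - uses: actions/checkout@v4
      - name: Download Coverity build tool
        # token is passed through env so it does not appear in the rendered command
        env:
          COVERITY_SCAN_TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
        run: |
          wget -q https://scan.coverity.com/download/linux64 \
            --post-data "token=${COVERITY_SCAN_TOKEN}&project=PROJECT_NAME" \
            -O coverity_tool.tgz
          mkdir coverity_tool
          tar xzf coverity_tool.tgz --strip 1 -C coverity_tool
      - name: Build under cov-build
        run: |
          cmake -B build
          coverity_tool/bin/cov-build --dir cov-int cmake --build build
      - name: Submit build to Coverity Scan
        env:
          COVERITY_SCAN_TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
          COVERITY_SCAN_EMAIL: ${{ secrets.COVERITY_SCAN_EMAIL }}
        run: |
          tar czf cov-int.tgz cov-int
          curl --fail \
            --form token="${COVERITY_SCAN_TOKEN}" \
            --form email="${COVERITY_SCAN_EMAIL}" \
            --form file=@cov-int.tgz \
            --form version="${GITHUB_SHA}" \
            --form description="GitHub Actions run ${GITHUB_RUN_ID}" \
            "https://scan.coverity.com/builds?project=PROJECT_NAME"
```

If the environment or either secret is missing, the download step fails with an empty or HTML response instead of a tarball, which is the symptom reported in the run linked above.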
Now where do we get the results?
Log in to coverity and you should be able to see it there (and also give others permission to see the results, I've sent a request that you can approve somewhere).
Approved.
Thanks, I had a brief look through the results, only a few high-severity issues which will only occur in corner cases (super long paths for example). Some of them I can't really assess (like the "copy of large parameter") and some might be logical mistakes (the "dead code" ones). If you fix them they will disappear from the list after the next scan. There is a limited number of scans per week available, it depends on the lines of code in the project. I'm not sure about the exact limits, I think even for the largest projects it's 3 runs per week. Just keep that in mind and don't run it after every commit or you'll have to wait until the week is over for the next analysis to run :)
Splendid! Thanks for working on this, @Flole998 super much appreciated! 👍 👍 👍 👍 👍