ci: add a GitHub workflow to submit Coverity scans

Coverity is a static analysis tool that detects and generates reports on
various security and code quality issues.

It is particularly useful when diagnosing memory safety issues which may
be used as part of exploiting a security vulnerability.

Coverity's website provides a service that accepts "builds" (which
contains the object files generated during a standard build as well as a
database generated by Coverity's scan tool).

This GitHub workflow performs that job when the repository variable
"ENABLE_COVERITY_SCAN_FOR_BRANCHES" has been configured accordingly (see
https://docs.github.com/en/actions/learn-github-actions/variables for
details how to configure repository variables): It is expected to be a
valid JSON array of branch strings, e.g. `["main", "next"]`.

In addition, this workflow requires two repository secrets:

- COVERITY_SCAN_EMAIL: the email to send the report to

- COVERITY_SCAN_TOKEN: the Coverity token (look in the Project Settings
  tab of your Coverity project).

To run the workflow on a pool other than `ubuntu-latest`, the repository
variable `ENABLE_COVERITY_SCAN_FOR_OS` can be set to a valid JSON array
of string, e.g. `["ubuntu-latest", "macos-latest"]`.

Note: The initial version of this patch used
`vapier/coverity-scan-action` to benefit from that Action's caching of
the Coverity tool, which is rather large. Sadly, that Action
unfortunately only supports Linux, and we want to build on Windows, too.
Besides, Coverity requires `cov-configure` to be run in the meantime,
and that Action was not adjusted accordingly. So it would seem to be a
better way forward to carry a working set of steps than trying to rely
on that Action.

Initial-patch-by: Taylor Blau <[email protected]>
Signed-off-by: Johannes Schindelin <[email protected]>

.github/workflows/coverity.yml

@@ -0,0 +1,136 @@
+name: Coverity
+
+on:
+  push:
+
+jobs:
+  coverity:
+    if: contains(fromJSON(vars.ENABLE_COVERITY_SCAN_FOR_BRANCHES || '[""]'), github.ref_name)
+    strategy:
+      matrix:
+        os: fromJSON(vars.ENABLE_COVERITY_SCAN_ON_OS || '["ubuntu-latest"]')
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v3
+      - name: install minimal Git for Windows SDK
+        if: contains(matrix.os, 'windows')
+        uses: git-for-windows/setup-git-for-windows-sdk@v1
+      - run: ci/install-dependencies.sh
+        if: contains(matrix.os, 'ubuntu') || contains(matrix.os, 'macos')
+        env:
+          runs_on_pool: ${{ matrix.os }}
+
+      # The following is copy/edited from vapier/coverity-scan-action because
+      # that composite Action currently only supports Linux.
+
+      # The Coverity site says the tool is usually updated twice yearly, so the
+      # MD5 of download can be used to determine whether there's been an update.
+      - name: get Coverity Build Tool hash
+        id: lookup
+        shell: bash
+        env:
+          TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
+        run: |
+          BUILD_LANGUAGE: cxx
+          case "${{ matrix.os }}" in
+          *windows*)
+            BUILD_PLATFORM=win64
+            TOOL_FILENAME=cov-analysis.zip
+            MAKEFLAGS=-j$(nproc)
+            ;;
+          *macos*)
+            BUILD_PLATFORM=macOSX
+            TOOL_FILENAME=cov-analysis.dmg
+            MAKEFLAGS=-j$(sysctl -n hw.physicalcpu)
+            ;;
+          *ubuntu*)
+            BUILD_PLATFORM=linux64
+            TOOL_FILENAME=cov-analysis.tgz
+            MAKEFLAGS=-j$(nproc)
+            ;;
+          *)
+            echo '::error::unhandled OS ${{ matrix.os }}' >&2
+            exit 1
+            ;;
+          esac
+          echo "language=$BUILD_LANGUAGE" >>$GITHUB_OUTPUT
+          echo "platform=$BUILD_PLATFORM" >>$GITHUB_OUTPUT
+          echo "filename=$TOOL_FILENAME" >>$GITHUB_OUTPUT
+          echo "make-flags=$MAKEFLAGS" >>$GITHUB_OUTPUT
+          MD5=$(curl https://scan.coverity.com/download/$BUILD_LANGUAGE/$BUILD_PLATFORM \
+                   --data "token=$TOKEN&project=${{ github.repository_owner }}&md5=1"); \
+          echo "hash=$MD5" >>$GITHUB_OUTPUT
+
+      # Try to cache the tool to avoid downloading 1GB+ archive on every run.
+      # Cache miss will add ~30s to create, but cache hit will save minutes.
+      - name: restore Coverity Build Tool
+        id: cache
+        uses: actions/cache/restore@v3
+        with:
+          path: ${{ runner.temp }}/cov-analysis
+          key: cov-build-${{ steps.lookup.outputs.language }}-${{ steps.lookup.outputs.platform }}-${{ steps.lookup.outputs.hash }}
+      - name: download Coverity Build Tool (${{ steps.lookup.outputs.language }} / ${{ steps.lookup.outputs.platform }})
+        if: steps.cache.outputs.cache-hit != 'true'
+        shell: bash
+        env:
+          TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
+        run: |
+          curl https://scan.coverity.com/download/${{ steps.lookup.outputs.language }}/${{ steps.lookup.outputs.platform }} \
+            --no-progress-meter \
+            --output $RUNNER_TEMP/${{ steps.lookup.outputs.filename }} \
+            --data "token=$TOKEN&project=${{ github.repository_owner }}"
+      - name: extract Coverity Build Tool
+        if: steps.cache.outputs.cache-hit != 'true'
+        shell: bash
+        run: |
+          case "${{ steps.lookup.outputs.filename }}" in
+          *.tgz)
+            mkdir $RUNNER_TEMP/cov-analysis &&
+            tar -xzf $RUNNER_TEMP/${{ steps.lookup.outputs.filename }} --strip 1 -C $RUNNER_TEMP/cov-analysis
+            ;;
+          *.dmg)
+            cd $RUNNER_TEMP &&
+            attach="$(hdiutil attach ${{ steps.lookup.outputs.filename }})" &&
+            volume="$(echo "$attach" | cut -f 3 | grep /Volumes/)" &&
+            sh "$volume"/cov-analysis-macosx-*.sh &&
+            ls -l &&
+            mv cov-analysis-macosx-* cov-analysis &&
+            hdiutil detach "$volume"
+            ;;
+          *.zip)
+            cd $RUNNER_TEMP &&
+            mkdir cov-analysis-tmp &&
+            unzip -d cov-analysis-tmp ${{ steps.lookup.outputs.filename }} &&
+            mv cov-analysis-tmp/* cov-analysis
+            ;;
+          *)
+            echo "::error::unhandled archive type: ${{ steps.lookup.outputs.filename }}" >&2
+            exit 1
+            ;;
+          esac
+      - name: cache Coverity Build Tool
+        if: steps.cache.outputs.cache-hit != 'true'
+        uses: actions/cache/save@v3
+        with:
+          path: ${{ runner.temp }}/cov-analysis
+          key: cov-build-${{ steps.lookup.outputs.language }}-${{ steps.lookup.outputs.platform }}-${{ steps.lookup.outputs.hash }}
+      - name: build with cov-build
+        shell: bash
+        run: |
+          export PATH="$RUNNER_TEMP/cov-analysis/bin:$PATH" &&
+          cov-configure --gcc &&
+          cov-build --dir cov-int make ${{ steps.lookup.outputs.make-flags }}
+      - name: archive results
+        shell: bash
+        run: tar -czvf cov-int.tgz cov-int
+      - name: submit results to Coverity Scan
+        run: |
+          curl \
+            --form token="$TOKEN" \
+            --form email="${{ secrets.COVERITY_SCAN_EMAIL }}" \
+            --form [email protected] \
+            --form version="${{ github.sha }}" \
+            "https://scan.coverity.com/builds?project=${{ github.repository_owner }}"
+        shell: bash
+        env:
+          TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}