wolfip/.github/workflows/coverity.yml at master · wolfSSL/wolfip · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
name: Coverity Scan

on:
  schedule:
    - cron: '0 0 * * 0'  # Weekly on Sunday at midnight UTC
  workflow_dispatch:

# Minimal permissions - read-only access to repository contents
permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  coverity:
    name: Coverity Scan
    runs-on: ubuntu-latest

    # Only run from the original repo (not forks) and only on default branch
    # workflow_dispatch requires write access, so only maintainers can trigger manually
    if: github.repository == 'wolfSSL/wolfip' && github.ref_name == github.event.repository.default_branch

    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

      - name: Install dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y libwolfssl-dev check

      - name: Run Coverity Scan
        uses: vapier/coverity-scan-action@2068473c7bdf8c2fb984a6a40ae76ee7facd7a85 # v1
        with:
          project: wolfip
          token: ${{ secrets.COVERITY_SCAN_TOKEN }}
          email: ${{ secrets.COVERITY_SCAN_EMAIL }}
          command: make