harfbuzz/.github/workflows/coverity-scan.yml

name: coverity-scan

on:
  schedule:
    - cron: '0 10 * * *' # Daily at 10:00 UTC

permissions:
  contents: read

jobs:
  latest:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - run: sudo apt-get install gcc clang wget git curl pkg-config libfreetype6-dev libglib2.0-dev libicu-dev libgraphite2-dev

      - name: Download Coverity
        run: |
          wget -q https://scan.coverity.com/download/cxx/linux64 --post-data "token=$TOKEN&project=HarfBuzz" -O cov-analysis-linux64.tar.gz
          mkdir cov-analysis-linux64
          tar xzf cov-analysis-linux64.tar.gz --strip 1 -C cov-analysis-linux64          
        env:
          TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}

      # ideally we should've used meson and ninja here but it complains about coverage or something
      - run: cov-analysis-linux64/bin/cov-build --dir cov-int clang src/hb-*.cc -DHAVE_FREETYPE -DHAVE_GRAPHITE2 -DHAVE_GLIB -DHAVE_ICU `pkg-config --cflags freetype2 graphite2 glib-2.0 icu-uc` -DHAVE_ROUNDF -DHAVE_SYS_MMAN_H -DHAVE_UNISTD_H -DHAVE_GETPAGESIZE -DHB_EXPERIMENTAL_API -c

      - run: tar czvf harfbuzz.tgz cov-int

      - name: submit to coverity
        run: |
          curl \
            --form project=HarfBuzz \
            --form token=$TOKEN \
            --form email=harfbuzz-bots-chatter@googlegroups.com \
            --form file=@harfbuzz.tgz \
            --form version=trunk \
            --form description="`git rev-parse --short HEAD`" \
            https://scan.coverity.com/builds?project=HarfBuzz          
        env:
          TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}