Coverity #403

	# Copyright 2024-2026, Intel Corporation
	# SPDX-License-Identifier: BSD-3-Clause

	name: Coverity
	# It runs static analysis build - Coverity. It requires special token (set in CI's secret).

	permissions: read-all

	on:
	workflow_dispatch:
	schedule:
	# Run every day at 22:00 UTC
	- cron: '0 22 * * *'

	concurrency:
	group: ${{ github.workflow }}-${{ github.ref }}
	cancel-in-progress: true

	env:
	LLVM_REPO: https://github.com/ispc/ispc.dependencies

	jobs:
	linux:
	name: Coverity
	runs-on: ubuntu-22.04
	env:
	COVERITY_SCAN_BUILD_COMMAND: "cmake --build ${{github.workspace}}/build"
	COVERITY_SCAN_BRANCH_PATTERN: "main"
	COVERITY_SCAN_NOTIFICATION_EMAIL: ${{ secrets.COVERITY_SCAN_NOTIFICATION_EMAIL }}
	COVERITY_SCAN_PROJECT_NAME: ${{ secrets.COVERITY_SCAN_PROJECT_NAME }}
	COVERITY_SCAN_TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}

	# Disabling this workflow for non ispc/ispc repo, since number of build submissions is limited.
	if: github.repository == 'ispc/ispc'

	steps:
	- name: Clone the git repo
	uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0

	- name: Install dependencies
	run: \|
	.github/workflows/scripts/install-build-deps.sh

	- name: Check environment
	run: \|
	which -a clang
	cat /proc/cpuinfo

	- name: Build package
	run: \|
	.github/workflows/scripts/build-ispc.sh

	- name: Run Coverity
	run: \|
	.github/workflows/scripts/run-coverity.sh

	- name: Upload Coverity artifact
	uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
	with:
	name: scm_log.txt
	path: cov-int/scm_log.txt

Provide feedback