name: Coverity scan
on:
  schedule:
    - cron: '0 18 * * 1' # Weekly at 18:00 UTC on Mondays

jobs:
  latest:
    runs-on: ubuntu-latest
    container: debian:stable
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - name: Install dependencies
        run: |
          apt update
          DEBIAN_FRONTEND=noninteractive apt install -y --no-install-recommends curl ca-certificates make wget
      - name: Cache musl toolchain
        uses: actions/cache@v3
        id: cache-musl
        with:
          path: x86_64-linux-musl-native
          key: musl
      - name: Downloading musl-based toolchain
        if: steps.cache-musl.outputs.cache-hit != 'true'
        run: wget --quiet https://musl.cc/x86_64-linux-musl-native.tgz
      - name: Extracting musl-based toolchain
        if: steps.cache-musl.outputs.cache-hit != 'true'
        run: tar xzf ./x86_64-linux-musl-native.tgz

      - name: Download Coverity Build Tool
        run: |
          curl https://scan.coverity.com/download/linux64 --form token=$TOKEN --form project=jvoisin/fortify-headers -o cov-analysis-linux64.tar.gz
          mkdir cov-analysis-linux64
          tar xzf cov-analysis-linux64.tar.gz --strip-components=1 -C cov-analysis-linux64
        env:
          TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
      - name: Build with cov-build
        run: ./cov-analysis-linux64/bin/cov-build --dir cov-int make -C tests gcc
      - name: Submit the result to Coverity Scan
        run: |
          tar czf fortify-headers.tgz cov-int
          curl \
            --form project=jvoisin/fortify-headers \
            --form token=$TOKEN \
            --form file=@fortify-headers.tgz \
            --form version=master \
            --form email=julien.voisin+coverity@dustri.org \
            --form description=master \
            https://scan.coverity.com/builds?project=jvoisin/fortify-headers
        env:
          TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}