From 850e0edf5b9eb1e618a70af101d52a0e8a177586 Mon Sep 17 00:00:00 2001 From: Richard Lau Date: Wed, 5 Jun 2024 14:01:47 +0100 Subject: [PATCH] ansible: move Coverity Scan build tool install Install the Coverity Scan build tool on the `benchmark` machines instead of the `jenkins-workspace` machines. Refs: https://github.com/nodejs/build/issues/3723 --- ansible/MANUAL_STEPS.md | 13 ++++- ansible/playbooks/jenkins/worker/create.yml | 3 ++ .../roles/jenkins-workspace/tasks/main.yml | 45 ----------------- ansible/roles/static-analysis/meta/main.yml | 7 +++ ansible/roles/static-analysis/tasks/main.yml | 49 +++++++++++++++++++ 5 files changed, 70 insertions(+), 47 deletions(-) create mode 100644 ansible/roles/static-analysis/meta/main.yml create mode 100644 ansible/roles/static-analysis/tasks/main.yml diff --git a/ansible/MANUAL_STEPS.md b/ansible/MANUAL_STEPS.md index ff0879ff0..9e625cf18 100644 --- a/ansible/MANUAL_STEPS.md +++ b/ansible/MANUAL_STEPS.md @@ -23,6 +23,8 @@ * [Control machine (where Ansible is run)](#control-machine-where-ansible-is-run) * [Target machines](#target-machines) * [jenkins-workspace](#jenkins-workspace) +* [benchmark](#benchmark) + * [Static analysis](#static-analysis) * [Docker hosts](#docker-hosts) * [SmartOS](#smartos) * [IBM i](#ibm-i) 
@@ -664,9 +666,15 @@ Note that not all jobs can use [jenkins-workspace] servers for execution, some a The [jenkins-workspace] hosts are setup as standard Node.js nodes but are only given the [jenkins-workspace] label. +## benchmark + +### Static analysis + +The [benchmark][] machines are set up so they can run preinstalled tooling to run against the Node.js codebase and submit the results to [Coverity Scan][]. + The playbook should download and install the Coverity build tool needed for static analysis into `/var/`. The extracted build tool should end up in a directory similar to `/var/cov-analysis-linux64-2023.6.2`. This directory must match the `PATH` setting in the [node-daily-coverity][] job. According to Synopsis the tool is usually updated twice yearly -- if it is updated the directory will change and the following steps should be done: -* Run the playbook on all [jenkins-workspace][] machines so that they have the same version of the Coverity build tool installed. +* Run the playbook on all [benchmark][] machines so that they have the same version of the Coverity build tool installed. * Update the [node-daily-coverity][] job so that the set `PATH` contains the new directory name. ## Docker hosts @@ -776,8 +784,9 @@ pax -rf /u/unix1/SDK8_64bit_SR6_FP10.PAX.Z -ppx ``` - +[Coverity Scan]: https://scan.coverity.com/projects/node-js [Setting up a Windows Host]: https://docs.ansible.com/ansible/latest/user_guide/windows_setup.html +[benchmark]: https://ci.nodejs.org/label/benchmark/ [jenkins-workspace]: https://ci.nodejs.org/label/jenkins-workspace/ [newer Ansible configuration]: https://github.com/nodejs/build/tree/main/ansible [node-daily-coverity]: https://ci.nodejs.org/job/node-daily-coverity/configure diff --git a/ansible/playbooks/jenkins/worker/create.yml b/ansible/playbooks/jenkins/worker/create.yml index 559b70850..dfd900c93 100644 --- a/ansible/playbooks/jenkins/worker/create.yml +++ b/ansible/playbooks/jenkins/worker/create.yml 
@@ -16,6 +16,9 @@ - { role: 'benchmarking', tags: 'benchmarking', when: is_benchmark is defined and is_benchmark|bool == True } + - { role: 'static-analysis', + tags: 'static-analysis', + when: is_benchmark is defined and is_benchmark|bool == True } # # Install Linux perf on Benchmarking servers # diff --git a/ansible/roles/jenkins-workspace/tasks/main.yml b/ansible/roles/jenkins-workspace/tasks/main.yml index ddacf2bf0..403486d46 100644 --- a/ansible/roles/jenkins-workspace/tasks/main.yml +++ b/ansible/roles/jenkins-workspace/tasks/main.yml @@ -141,48 +141,3 @@ name: pip executable: pip3 state: latest - -# Required to submit builds to Coverity. -- name: Install jq - ansible.builtin.package: - name: jq - state: latest - update_cache: yes - -# Coverity build tool. See MANUAL_STEPS.md. -- name: Get md5sum for Coverity build tool - ansible.builtin.uri: - body: - md5: 1 - token: "{{ secrets.coverity_token }}" - project: Node.js - body_format: form-urlencoded - method: POST - url: https://scan.coverity.com/download/linux64 - return_content: true - register: coverity_build_tool_meta - -- name: Download Coverity build tool - ansible.builtin.uri: - body: - token: "{{ secrets.coverity_token }}" - project: Node.js - body_format: form-urlencoded - dest: /tmp/ - method: POST - url: https://scan.coverity.com/download/linux64 - register: coverity_build_tool - -- name: Validate checksum of downloaded Coverity build tool - ansible.builtin.stat: - checksum_algorithm: md5 - path: "{{ coverity_build_tool.path }}" - failed_when: coverity_build_tool_file.stat.checksum != coverity_build_tool_meta.content - register: coverity_build_tool_file - -- name: Unpack Coverity build tool - ansible.builtin.unarchive: - creates: "/var/{{ coverity_build_tool.path|regex_search('/tmp/(.+)\\.tar\\.gz', '\\1')|first }}" - dest: /var/ - remote_src: true - src: "{{ coverity_build_tool.path }}" 
diff --git a/ansible/roles/static-analysis/meta/main.yml b/ansible/roles/static-analysis/meta/main.yml
new file mode 100644
index 000000000..7c38071ab
--- /dev/null
+++ b/ansible/roles/static-analysis/meta/main.yml
@@ -0,0 +1,7 @@
+---
+
+# This role depends on read-secrets to get the token necessary to download the
+# Coverity Scan Build Tool.
+
+dependencies:
+ - role: read-secrets
diff --git a/ansible/roles/static-analysis/tasks/main.yml b/ansible/roles/static-analysis/tasks/main.yml
new file mode 100644
index 000000000..6bf30cd23
--- /dev/null
+++ b/ansible/roles/static-analysis/tasks/main.yml
@@ -0,0 +1,49 @@
+---
+
+# Set up tooling required to perform static analysis builds.
+# See MANUAL_STEPS.md for further steps if the Build tool is updated.
+
+# Required to submit builds to Coverity.
+- name: Install jq
+ ansible.builtin.package:
+ name: jq
+ state: latest
+ update_cache: yes
+
+# Coverity build tool.
+- name: Get md5sum for Coverity build tool
+ ansible.builtin.uri:
+ body:
+ md5: 1
+ token: "{{ secrets.coverity_token }}"
+ project: Node.js
+ body_format: form-urlencoded
+ method: POST
+ url: https://scan.coverity.com/download/linux64
+ return_content: true
+ register: coverity_build_tool_meta
+
+- name: Download Coverity build tool
+ ansible.builtin.uri:
+ body:
+ token: "{{ secrets.coverity_token }}"
+ project: Node.js
+ body_format: form-urlencoded
+ dest: /tmp/
+ method: POST
+ url: https://scan.coverity.com/download/linux64
+ register: coverity_build_tool
+
+- name: Validate checksum of downloaded Coverity build tool
+ ansible.builtin.stat:
+ checksum_algorithm: md5
+ path: "{{ coverity_build_tool.path }}"
+ failed_when: coverity_build_tool_file.stat.checksum != coverity_build_tool_meta.content
+ register: coverity_build_tool_file
+
+- name: Unpack Coverity build tool
+ ansible.builtin.unarchive:
+ creates: "/var/{{ coverity_build_tool.path|regex_search('/tmp/(.+)\\.tar\\.gz', '\\1')|first }}"
+ dest: /var/
+ remote_src: true
+ src: "{{ coverity_build_tool.path }}"
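Review bot: Both `ansible.builtin.uri` tasks ("Get md5sum for Coverity build tool" and "Download Coverity build tool") pass `secrets.coverity_token` in `body` without `no_log: true`, so the token can show up in verbose playbook output and in the module invocation log on the benchmark host; adding `no_log: true` to each of the two tasks would keep it out of both. The archive is staged with `dest: /tmp/` and then checked and unpacked into `/var/` by path in separate tasks, so if these hosts also run CI jobs as a local user, a staging directory that only the Ansible user can write would be safer than a shared one. The MD5 is fetched from the same endpoint as the archive, so the comparison catches a truncated or corrupted download rather than a tampered one; a comment above the validate task such as `# Detects a corrupted download only; checksum and archive come from the same source.` would make that limit explicit.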