CI: enable daily coverity scan

[chipitsine]

What does this PR do?

introduce workflow mentioned in #842

Type of Change

• Bug fix (non-breaking change)
• New feature (non-breaking change)
• Breaking change (fix or feature with breaking changes)
• Documentation update

Additional Context

next steps:

1. grant Cloudberry developers permissions on Coverity project (I can add by email or feel free to request join at https://scan.coverity.com/projects/cloudberry?tab=overview )
2. add COVERITY_SCAN_TOKEN to GHA secrets
3. enjoy

P.S. I forgot to mention reeasoning for daily scheduling. Coverity has limits

[my-ship-it]

Thanks for the contribution. Please add LICENSE header and comments?
You can refer to the file:
https://github.com/apache/cloudberry/blob/main/.github/workflows/build-cloudberry.yml

[edespino]

@chipitsine Thank you for your PR that adds Coverity scanning to the project's CI pipeline. I appreciate your effort to enhance our code quality checks.

I am currently checking with the Apache Infrastructure team about policies regarding the use of Coverity Scan services for Apache projects.

Additionally, I noticed a few technical items in the workflow that would need adjustment:

• There's a syntax error in the cron expression ("0 0 * **")
• The notification email is hardcoded to a personal address
• The workflow assumes access to a COVERITY_SCAN_TOKEN
• It is good practice to add an Apache v2.0 header.

I'll keep you updated once I have more information about Apache's policies regarding Coverity usage. We can then address the workflow specifics based on what I learn.

Thanks again for contributing to the project!

[chipitsine]

@edespino do you have an ETA for your investigations ?

[edespino]

@chipitsine I have just sent the following to the ASF Infrastructure team.

As a contributor to Apache Cloudberry (Incubating), I'm exploring options for incorporating static analysis into our codebase, which uses C, C++, Python and Go. While investigating common practices across Apache projects, I've noticed Sonar appears to be widely adopted, while Coverity is used by some projects but less frequently. One of our developers recently identified some issues through a Coverity scan.
Given Apache's ecosystem and our multi-language codebase, what would be the recommended approach for static analysis tooling? We're particularly interested in comparing Coverity, CodeQL, and Sonar. Are there any specific recommendations or preferences within the Apache community for these or other static analysis tools?

[chipitsine]

I've approved your request, you should see findings now. Let me know if not.

as for Coverity, CodeQL, and Sonar - I'd start with Coverity (for c/c++ projects).

well, those options are not mutually exclusive. if you have enough appetite, you can enable all of them

[chipitsine]

regarding those

There's a syntax error in the cron expression ("0 0 * **")

yep, it's minor error. actually, I copied from other workflow, so it even works )) but I'll fix, nevermind

The notification email is hardcoded to a personal address

notification email is mandatory. if you have some preference, Ill change it. or we can use secrets (if you want to keep it secret)

The workflow assumes access to a COVERITY_SCAN_TOKEN

yep. someone has to add that token from coverity admin area to secrets

It is good practice to add an Apache v2.0 header.

do you have an example ?

[edespino]

The infra team mentioned that the Apache Software Foundation (ASF) has a SonarQube Cloud sponsorship. I am going to investigate setting it up and we can compare the functionality and usefulness of both tools.

https://sonarcloud.io/organizations/apache/projects

@chipitsine do you have any experience with SonarQube?

[chipitsine]

Could you please help me understand the motivation behind this task?

[edespino]

Could you please help me understand the motivation behind this task?

@chipitsine I am simply trying to determine if SonarQube would give us a similar static analysis as Coverity. It is possible Coverity is the way to go. But I would like to spend a few days reviewing both tools.