rdkcentral · brendanobra · Apr 30, 2026 · Apr 22, 2026 · Apr 22, 2026 · Apr 22, 2026
diff --git a/.actrc b/.actrc
@@ -0,0 +1,2 @@
+--container-architecture linux/amd64
+-W .github/workflows/native_full_build.yml
diff --git a/.github/workflows/coverity_component_full_scan.yml b/.github/workflows/coverity_component_full_scan.yml
@@ -0,0 +1,87 @@
+name: Coverity Full Analysis Scan
+
+# Reusable workflow — called by coverity_full_scan.yml.
+# Runs a full cov-build + cov-analyze + cov-commit-defects cycle.
+# Results are committed to the Coverity Connect server stream only;
+# nothing is posted back to any pull request.
+on:
+  workflow_call:
+    inputs:
+      buildCommand:
+        description: 'Build Command'
+        required: true
+        type: string
+      branchName:
+        description: 'Branch Name'
+        required: true
+        type: string
+      customSetup:
+        description: 'Custom setup commands'
+        required: false
+        type: string
+    secrets:
+      COVERITY_APIKEY:
+        required: true
+      ARTIFACTORY_USER_APIKEY:
+        required: true
+      # GITHUB_TOKENCM: cross-org token — required if customSetup clones private repos
+      GITHUB_TOKENCM:
+        required: false
+
+permissions:
+  contents: read
+
+jobs:
+  coverity_full_scan:
+    runs-on: comcast-ubuntu-latest
+    container:
+      # TODO (org admin): provision vars.DOCKER_REGISTRY in rdkcentral org
+      image: ${{ vars.DOCKER_REGISTRY }}/rdk-docker/docker-rdk-coverity:1.0.7
+      credentials:
+        # TODO (org admin): provision vars.ARTIFACTORY_USER in rdkcentral org
+        username: ${{ vars.ARTIFACTORY_USER }}
+        password: ${{ secrets.ARTIFACTORY_USER_APIKEY }}
+
+    env:
+      # TODO (org admin): provision vars.COVERITY_URL and vars.COVERITY_USER in rdkcentral org
+      COVERITY_URL: ${{ vars.COVERITY_URL }}
+      COVERITY_USER: ${{ vars.COVERITY_USER }}
+      COVERITY_APIKEY: ${{ secrets.COVERITY_APIKEY }}
+      COVERITY_PROJECT_NAME: ${{ github.event.repository.name }}
+      COVERITY_STREAM_NAME: ${{ github.event.repository.name }}_${{ inputs.branchName }}
+      BUILD_COMMAND: ${{ inputs.buildCommand }}
+      GITHUB_TOKENCM: ${{ secrets.GITHUB_TOKENCM }}
+      COVERITY_UNSUPPORTED_COMPILER_INVOCATION: 1
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Custom setup
+        if: ${{ inputs.customSetup }}
+        run: eval "${{ inputs.customSetup }}"
+
+      - name: Coverity Full Analysis Scan
+        run: |
+          export PATH=$PATH:/opt/coverity/bin
+          set -x
+          cd $GITHUB_WORKSPACE
+          mkdir -p config
+          cov-configure --gcc
+          cov-build --dir coverity_dir $BUILD_COMMAND
+          cov-analyze --dir coverity_dir --one-tu-per-psf false --disable-spotbugs --aggressiveness-level low --enable DC.STRING_BUFFER --all
+
+          max_retries=3
+          retries=0
+          retry_timeout_sec=30
+          success=false
+          while [ $retries -lt $max_retries ]; do
+            echo "Attempt $((retries + 1)) of $max_retries for cov-commit-defects"
+            if cov-commit-defects --dir coverity_dir --stream $COVERITY_STREAM_NAME \
+                --url $COVERITY_URL --user $COVERITY_USER --password $COVERITY_APIKEY; then
+              success=true
+              break
+            fi
+            retries=$((retries + 1))
+            sleep $((retries * retry_timeout_sec))
+          done
+          $success || { echo "cov-commit-defects failed after $max_retries attempts"; exit 1; }
diff --git a/.github/workflows/coverity_component_incremental_scan.yml b/.github/workflows/coverity_component_incremental_scan.yml
@@ -0,0 +1,136 @@
+name: Coverity Incremental Analysis Scan
+
+# Reusable workflow — called by coverity_incremental_scan.yml.
+# Runs cov-run-desktop against changed files only and posts findings
+# as pull request comments via synopsys-sig/coverity-report-output-v7-json.
+on:
+  workflow_call:
+    inputs:
+      pullRequestNumber:
+        description: 'Pull Request Number'
+        required: true
+        type: string
+      buildCommand:
+        description: 'Build Command'
+        required: true
+        type: string
+      branchName:
+        description: 'Branch Name (target/base branch)'
+        required: true
+        type: string
+      customSetup:
+        description: 'Custom setup commands'
+        required: false
+        type: string
+    secrets:
+      COVERITY_APIKEY:
+        required: true
+      ARTIFACTORY_USER_APIKEY:
+        required: true
+      # GITHUB_TOKEN: used to post PR feedback comments
+      GITHUB_TOKEN:
+        required: true
+      # GITHUB_TOKENCM: cross-org token — required if customSetup clones private repos
+      GITHUB_TOKENCM:
+        required: false
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  coverity_incremental_scan:
+    runs-on: comcast-ubuntu-latest
+    container:
+      # TODO (org admin): provision vars.DOCKER_REGISTRY in rdkcentral org
+      image: ${{ vars.DOCKER_REGISTRY }}/rdk-docker/docker-rdk-coverity:1.0.7
+      credentials:
+        # TODO (org admin): provision vars.ARTIFACTORY_USER in rdkcentral org
+        username: ${{ vars.ARTIFACTORY_USER }}
+        password: ${{ secrets.ARTIFACTORY_USER_APIKEY }}
+
+    env:
+      # TODO (org admin): provision vars.COVERITY_URL and vars.COVERITY_USER in rdkcentral org
+      COVERITY_URL: ${{ vars.COVERITY_URL }}
+      COVERITY_USER: ${{ vars.COVERITY_USER }}
+      COVERITY_APIKEY: ${{ secrets.COVERITY_APIKEY }}
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      COVERITY_PROJECT_NAME: ${{ github.event.repository.name }}
+      COVERITY_STREAM_NAME: ${{ github.event.repository.name }}_${{ inputs.branchName }}
+      BUILD_COMMAND: ${{ inputs.buildCommand }}
+      COVERITY_UNSUPPORTED_COMPILER_INVOCATION: 1
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ format('refs/pull/{0}/merge', inputs.pullRequestNumber) }}
+
+      - name: Custom setup
+        if: ${{ inputs.customSetup }}
+        run: |
+          echo "customSetup: ${{ inputs.customSetup }}"
+          eval "${{ inputs.customSetup }}"
+
+      - name: Get Pull Request Changeset
+        id: changeset
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const pull_number = Number(${{ toJSON(inputs.pullRequestNumber) }});
+            if (!Number.isInteger(pull_number) || pull_number <= 0) {
+              core.setFailed('Invalid pullRequestNumber input.');
+              return;
+            }
+            const files = await github.paginate(github.rest.pulls.listFiles, {
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number,
+              per_page: 100
+            });
+            const addedModified = files
+              .filter((file) => ['added', 'modified', 'renamed'].includes(file.status))
+              .map((file) => file.filename)
+              .join('\n');
+            core.setOutput('added_modified', addedModified);
+
+      - name: Coverity Incremental Analysis Scan
+        id: incremental_scan
+        if: ${{ steps.changeset.outputs.added_modified != '' }}
+        env:
+          CHANGED_FILES_RAW: ${{ steps.changeset.outputs.added_modified }}
+        run: |
+          export PATH=$PATH:/opt/coverity/bin
+          set -x
+          cd $GITHUB_WORKSPACE
+          echo "Changed files: $CHANGED_FILES_RAW"
+          mapfile -t changed_files <<< "$CHANGED_FILES_RAW"
+          # Phase 1: capture build into the coverity_dir intermediate database
+          cov-run-desktop --dir coverity_dir \
+            --url $COVERITY_URL --user $COVERITY_USER --password $COVERITY_APIKEY \
+            --stream $COVERITY_STREAM_NAME \
+            --build "$BUILD_COMMAND"
+          # Phase 2: analyze changed files only, compare against stream baseline
+          # --exit1-if-defects true: workflow fails on new defects (maintainers can bypass
+          #   via GitHub branch protection "Allow specified actors to bypass required pull requests")
+          cov-run-desktop --dir coverity_dir \
+            --url $COVERITY_URL --user $COVERITY_USER --password $COVERITY_APIKEY \
+            --stream $COVERITY_STREAM_NAME \
+            --present-in-reference false \
+            --ignore-uncapturable-inputs true \
+            --exit1-if-defects true \
+            --json-output-v7 coverity_dir/coverity-results.json \
+            --allow-suffix-match --set-new-defect-owner false \
+            "${changed_files[@]}"
+
+      # Post findings as PR comments — raw Coverity output, no custom formatting
+      - name: Coverity Pull Request Feedback
+        if: ${{ always() && hashFiles('coverity_dir/coverity-results.json') != '' }}
+        uses: synopsys-sig/coverity-report-output-v7-json@v0.1.1
+        with:
+          json-file-path: coverity_dir/coverity-results.json
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          coverity-url: ${{ vars.COVERITY_URL }}
+          coverity-project-name: ${{ github.event.repository.name }}
+          coverity-username: ${{ vars.COVERITY_USER }}
+          coverity-password: ${{ secrets.COVERITY_APIKEY }}
diff --git a/.github/workflows/coverity_full_scan.yml b/.github/workflows/coverity_full_scan.yml
@@ -0,0 +1,24 @@
+name: Coverity Full Scan
+
+# Triggers on merges to primary branches.
+# Results committed to Coverity Connect server (maintainer-only access).
+# Nothing is posted back to any pull request.
+on:
+  push:
+    branches: [ main, develop, '+([0-9])\.+([0-9])\.x-maintenance' ]
+    paths: ['**/*.c', '**/*.cpp', '**/*.cc', '**/*.cxx', '**/*.h', '**/*.hpp']
+
+permissions:
+  contents: read
+
+jobs:
+  call-coverity-full-scan:
+    uses: ./.github/workflows/coverity_component_full_scan.yml
+    with:
+      branchName: ${{ github.ref_name }}
+      buildCommand: sh cov_build.sh
+      customSetup: sh build_dependencies.sh
+    secrets:
+      COVERITY_APIKEY: ${{ secrets.COVERITY_APIKEY }}
+      ARTIFACTORY_USER_APIKEY: ${{ secrets.ARTIFACTORY_USER_APIKEY }}
+      GITHUB_TOKENCM: ${{ secrets.RDKCM_RDKE }}
diff --git a/.github/workflows/coverity_incremental_scan.yml b/.github/workflows/coverity_incremental_scan.yml
@@ -0,0 +1,34 @@
+name: Coverity Incremental Scan
+
+permissions:
+  contents: read
+  pull-requests: write
+
+# Triggers on pull requests targeting primary branches.
+# Scans only changed compilable source files.
+# Findings are posted as pull request comments.
+# Merges are not blocked outright — maintainers can bypass via branch protection.
+on:
+  pull_request:
+    branches: [ main, develop, '+([0-9])\.+([0-9])\.x-maintenance' ]
+    paths: ['**/*.c', '**/*.cpp', '**/*.cc', '**/*.cxx', '**/*.h', '**/*.hpp']
+  workflow_dispatch:
+    inputs:
+      pullRequestNumber:
+        description: 'Pull Request Number'
+        required: true
+        type: string
+
+jobs:
+  call-coverity-incremental-scan:
+    uses: ./.github/workflows/coverity_component_incremental_scan.yml
+    with:
+      pullRequestNumber: ${{ github.event.inputs.pullRequestNumber || github.event.pull_request.number }}
+      branchName: ${{ github.event.pull_request.base.ref || github.ref_name }}
+      buildCommand: sh cov_build.sh
+      customSetup: sh build_dependencies.sh
+    secrets:
+      COVERITY_APIKEY: ${{ secrets.COVERITY_APIKEY }}
+      ARTIFACTORY_USER_APIKEY: ${{ secrets.ARTIFACTORY_USER_APIKEY }}
+      GITHUB_TOKEN: ${{ secrets.RDKCM_RDKE }}
+      GITHUB_TOKENCM: ${{ secrets.RDKCM_RDKE }}
diff --git a/.github/workflows/native_full_build.yml b/.github/workflows/native_full_build.yml
@@ -0,0 +1,35 @@
+name: Build Component in Native Environment
+
+on:
+  push:
+    branches: [ main, '+([0-9])\.+([0-9])\.x-maintenance' ]
+    paths: ['**/*.c', '**/*.cpp', '**/*.cc', '**/*.cxx', '**/*.h', '**/*.hpp', 'CMakeLists.txt', 'cmake/**', 'build_dependencies.sh', 'cov_build.sh']
+  pull_request:
+    branches: [ main, '+([0-9])\.+([0-9])\.x-maintenance' ]
+    paths: ['**/*.c', '**/*.cpp', '**/*.cc', '**/*.cxx', '**/*.h', '**/*.hpp', 'CMakeLists.txt', 'cmake/**', 'build_dependencies.sh', 'cov_build.sh']
+
+permissions:
+  contents: read
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  native-build:
+    name: Build firebolt-cpp-transport in native environment
+    runs-on: ubuntu-latest
+    container:
+      image: ghcr.io/rdkcentral/docker-rdk-ci:latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Install build dependencies
+        run: sh -x build_dependencies.sh
+
+      - name: Build
+        run: sh -x cov_build.sh
+        env:
+          GITHUB_TOKEN: ${{ secrets.RDKCM_RDKE }}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		--container-architecture linux/amd64
		-W .github/workflows/native_full_build.yml