[CI] Move coverity job to public GHA runner

There's no need for self-hosted.
For this change to happen it was required to re-write the workflow:
- install dependencies for adapters and UMF,
- download coverity tool from the project's page,
- push tarball to Coverity's scan webpage via curl.

Author: lukaszstolarczuk

.github/scripts/0001-travis-fix-travisci_build_coverity_scan.sh.patch

@@ -1,63 +1,81 @@
-#
-# Copyright (C) 2023-2024 Intel Corporation
-#
-# Part of the Unified-Runtime Project, under the Apache License v2.0 with LLVM Exceptions.
-# See LICENSE.TXT
-# SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
-#
+# Coverity - static analysis build. It requires Coverity's token (set in CI's secret).
 name: coverity-unified-runtime
-# It runs static analysis build - Coverity. It requires special token (set in CI's secret).
 
 on:
   workflow_dispatch:
   schedule:
     # Run every day at 22:00 UTC
     - cron: '0 22 * * *'
 
-env:
-  WORKDIR:                           ${{ github.workspace }}
-  COVERITY_SCAN_NOTIFICATION_EMAIL:  ${{ secrets.COVERITY_SCAN_NOTIFICATION_EMAIL }}
-  COVERITY_SCAN_TOKEN:               ${{ secrets.COVERITY_SCAN_TOKEN }}
-  COVERITY_SCAN_PROJECT_NAME:        ${{ github.repository }}
-  COVERITY_SCAN_BUILD_COMMAND:       "cmake --build ${{github.workspace}}/build"
-  COVERITY_SCAN_BRANCH_PATTERN:      "main"
-  TRAVIS_BRANCH:                     ${{ github.ref_name }}
-
 permissions:
   contents: read
 
 jobs:
-  linux:
+  coverity:
     name: Coverity
-    runs-on: coverity
+    # run only on upstream; forks don't have token for upstream's cov project
+    if: github.repository == 'oneapi-src/unified-memory-framework'
+    runs-on: ubuntu-latest
 
     steps:
-      - name: Clone the git repo
+      - name: Checkout repository
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          fetch-depth: 0
+
+      - name: Install dependencies
+        run: |
+          wget https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2204/x86_64/cuda-keyring_1.1-1_all.deb
+          sudo dpkg -i cuda-keyring_1.1-1_all.deb
+          sudo apt-get update
+          sudo apt-get install -y libhwloc-dev libtbb-dev cuda-toolkit-12-6
 
       - name: Install pip packages
         run: pip install -r third_party/requirements.txt
 
+      - name: Download Coverity
+        run: |
+          wget -O coverity_tool.tgz -nv https://scan.coverity.com/download/linux64 \
+            --post-data "token=${{ secrets.COVERITY_SCAN_TOKEN }}&project=oneapi-src%2Funified-runtime"
+
+      - name: Extract Coverity
+        run: tar xzf coverity_tool.tgz
+
+      # TODO: enable HIP adapter as well (requires proper package(s) installation)
       - name: Configure CMake
         run: >
           cmake
-          -B $WORKDIR/build
+          -B ${{github.workspace}}/build
+          -DCMAKE_BUILD_TYPE=Release
+          -DUR_DEVELOPER_MODE=OFF
+          -DUR_FORMAT_CPP_STYLE=ON
           -DUR_ENABLE_TRACING=ON
-          -DUR_DEVELOPER_MODE=ON
           -DUR_BUILD_TESTS=ON
-          -DUMF_ENABLE_POOL_TRACKING=ON
-          -DUR_FORMAT_CPP_STYLE=ON
-          -DCMAKE_BUILD_TYPE=Debug
           -DUR_BUILD_ADAPTER_L0=ON
           -DUR_BUILD_ADAPTER_CUDA=ON
-          -DCUDA_CUDA_LIBRARY=/usr/local/cuda/lib64/stubs/libcuda.so
+          -DCUDA_CUDA_LIBRARY=/usr/local/cuda-12.6/targets/x86_64-linux/lib/stubs/libcuda.so
           -DUR_BUILD_ADAPTER_NATIVE_CPU=ON
-          -DUR_BUILD_ADAPTER_HIP=ON
+          -DUR_BUILD_ADAPTER_HIP=OFF
           -DUR_BUILD_ADAPTER_OPENCL=ON
 
-      - name: Run Coverity
+      - name: Build
+        run: |
+          export COVERITY_DIR=$(find . -maxdepth 1 -type d -name "cov-analysis-linux64-*" | head -n 1)
+          if [ -n "$COVERITY_DIR" ]; then
+            export PATH="$PATH:$COVERITY_DIR/bin"
+          fi
+          cov-build --dir ${{github.workspace}}/coverity-files cmake --build ${{github.workspace}}/build --config Release -j$(nproc)
+
+      - name: Create tarball to analyze
+        run: tar czvf ur-coverity-files.tgz coverity-files
+
+      - name: Push tarball to scan
         run: |
-          cd $WORKDIR/build
-          wget https://scan.coverity.com/scripts/travisci_build_coverity_scan.sh
-          patch < "../.github/scripts/0001-travis-fix-travisci_build_coverity_scan.sh.patch"
-          bash ./travisci_build_coverity_scan.sh
+          BRANCH_NAME=$(echo ${GITHUB_REF_NAME})
+          COMMIT_ID=$(echo $GITHUB_SHA)
+          curl --form token=${{ secrets.COVERITY_SCAN_TOKEN }} \
+          --form email=bb-ur@intel.com \
+          --form file=@ur-coverity-files.tgz \
+          --form version="$COMMIT_ID" \
+          --form description="$BRANCH_NAME:$COMMIT_ID" \
+          https://scan.coverity.com/builds\?project\=oneapi-src%2Funified-runtime

.github/workflows/coverity.yml

@@ -3,7 +3,8 @@
 [![Build and test](https://github.com/oneapi-src/unified-runtime/actions/workflows/cmake.yml/badge.svg)](https://github.com/oneapi-src/unified-runtime/actions/workflows/cmake.yml)
 [![Bandit](https://github.com/oneapi-src/unified-runtime/actions/workflows/bandit.yml/badge.svg)](https://github.com/oneapi-src/unified-runtime/actions/workflows/bandit.yml)
 [![CodeQL](https://github.com/oneapi-src/unified-runtime/actions/workflows/codeql.yml/badge.svg)](https://github.com/oneapi-src/unified-runtime/actions/workflows/codeql.yml)
-[![Coverity](https://scan.coverity.com/projects/28213/badge.svg)](https://scan.coverity.com/projects/oneapi-src-unified-runtime)
+[![Coverity build](https://github.com/oneapi-src/unified-runtime/actions/workflows/coverity.yml/badge.svg?branch=main)](https://github.com/oneapi-src/unified-runtime/actions/workflows/coverity.yml)
+[![Coverity report](https://scan.coverity.com/projects/28213/badge.svg)](https://scan.coverity.com/projects/oneapi-src-unified-runtime)
 [![Nightly](https://github.com/oneapi-src/unified-runtime/actions/workflows/nightly.yml/badge.svg)](https://github.com/oneapi-src/unified-runtime/actions/workflows/nightly.yml)
 [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/oneapi-src/unified-runtime/badge)](https://securityscorecards.dev/viewer/?uri=github.com/oneapi-src/unified-runtime)
 [![Trivy](https://github.com/oneapi-src/unified-runtime/actions/workflows/trivy.yml/badge.svg)](https://github.com/oneapi-src/unified-runtime/actions/workflows/trivy.yml)