1 files changed, 97 insertions, 0 deletions

diff --git a/taskcluster/ci/source-test/coverity.yml b/taskcluster/ci/source-test/coverity.yml
new file mode 100644
index 0000000000..3e1d91305c
--- /dev/null
+++ b/taskcluster/ci/source-test/coverity.yml
@@ -0,0 +1,97 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+---
+job-defaults:
+    # Run only on try and code-review tasks
+    # to avoid running Coverity SA on the whole codebase
+    run-on-projects: []
+    platform: linux64/opt
+    worker-type:
+        by-platform:
+            linux64.*: b-linux
+    worker:
+        docker-image: {in-tree: debian10-amd64-build}
+        max-run-time: 5400
+    treeherder:
+        kind: other
+        tier: 2
+    run:
+        using: run-task
+        tooltool-downloads: public
+    fetches:
+        toolchain:
+            - linux64-clang-10
+            - linux64-rust
+            - linux64-cbindgen
+            - linux64-nasm
+            - linux64-node
+            - linux64-lucetc
+            - wasi-sysroot
+    when:
+        # Extension list from https://hg.mozilla.org/mozilla-central/file/default/python/mozbuild/mozbuild/mach_commands.py#l1664
+        files-changed:
+            - '**/*.c'
+            - '**/*.cpp'
+            - '**/*.cc'
+            - '**/*.cxx'
+            - '**/*.m'
+            - '**/*.mm'
+            - '**/*.h'
+            - '**/*.hh'
+            - '**/*.hpp'
+            - '**/*.hxx'
+
+coverity:
+    description: Run static-analysis (Coverity) on C/C++ patches
+    attributes:
+        code-review: true
+    treeherder:
+        symbol: cpp(coverity)
+    run:
+        cwd: '{checkout}'
+        command: >-
+            source taskcluster/scripts/misc/source-test-clang-setup.sh &&
+            ./mach --log-no-times static-analysis check-coverity --outgoing --output $HOME/coverity.json
+    scopes:
+        - secrets:get:project/relman/coverity
+    worker:
+        artifacts:
+            - type: file
+              name: public/code-review/coverity.json
+              path: /builds/worker/coverity.json
+            - type: file
+              name: public/code-review/coverity-orig.json
+              path: /builds/worker/workspace/coverity/cov-results.json
+
+coverity-full-analysis:
+    description: Run Coverity based static-analysis on the entire Gecko repo
+    treeherder:
+        symbol: Static-Analysis(coverity-full-analysis)
+    worker-type:
+        by-platform:
+            linux64.*: b-linux-xlarge
+    run-on-projects: []
+    run:
+        cwd: '{checkout}'
+        command: >-
+            source taskcluster/scripts/misc/source-test-clang-setup.sh &&
+            ./mach --log-no-times static-analysis check-coverity --full-build
+    scopes:
+        - secrets:get:project/relman/coverity
+    worker:
+        max-run-time: 14400
+    when:
+        files-changed:
+            - '**/*.c'
+            - '**/*.cpp'
+            - '**/*.cc'
+            - '**/*.cxx'
+            - '**/*.m'
+            - '**/*.mm'
+            - '**/*.h'
+            - '**/*.hh'
+            - '**/*.hpp'
+            - '**/*.hxx'
+            - '**/*.py'
+            - '**/*.js'