From 5c027a3b7b60318f5c585fb72b91b310e741cbdd Mon Sep 17 00:00:00 2001
From: David Garske <david@wolfssl.com>
Date: Wed, 27 May 2026 09:18:14 -0700
Subject: [PATCH] Fix coverity nightly: inline action, drop broken md5 hash
 lookup

---
 .github/workflows/coverity-scan-fixes.yml | 48 ++++++++++++++++++++---
 1 file changed, 42 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/coverity-scan-fixes.yml b/.github/workflows/coverity-scan-fixes.yml
index 40a9e440..804baa10 100644
--- a/.github/workflows/coverity-scan-fixes.yml
+++ b/.github/workflows/coverity-scan-fixes.yml
@@ -47,10 +47,46 @@ jobs:
         email_len=${#email_var}
         echo "$email_len"
 
-    - uses: vapier/coverity-scan-action@v1
+    - name: Cache key (month-based, tool updates ~twice yearly)
+      id: cov-cache-key
+      run: echo "key=$(date +%Y-%m)" >> $GITHUB_OUTPUT
+
+    - name: Cache Coverity Build Tool
+      id: cov-build-cache
+      uses: actions/cache@v4
       with:
-        build_language: 'cxx'
-        project: "wolfTPM"
-        token: ${{ secrets.COVERITY_SCAN_TOKEN_WOLFTPM }}
-        email: ${{ secrets.COVERITY_SCAN_EMAIL }}
-        command: "make"
+        path: cov-analysis
+        key: cov-build-cxx-linux64-${{ steps.cov-cache-key.outputs.key }}
+
+    - name: Download Coverity Build Tool
+      if: steps.cov-build-cache.outputs.cache-hit != 'true'
+      env:
+        TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN_WOLFTPM }}
+      run: |
+        curl https://scan.coverity.com/download/cxx/linux64 \
+          --no-progress-meter \
+          --output cov-analysis.tar.gz \
+          --data "token=${TOKEN}&project=wolfTPM"
+        mkdir -p cov-analysis
+        tar -xzf cov-analysis.tar.gz --strip 1 -C cov-analysis
+
+    - name: Build with cov-build
+      run: |
+        export PATH="${PWD}/cov-analysis/bin:${PATH}"
+        cov-build --dir cov-int make
+
+    - name: Archive results
+      run: tar -czvf cov-int.tgz cov-int
+
+    - name: Submit results to Coverity Scan
+      env:
+        TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN_WOLFTPM }}
+        EMAIL: ${{ secrets.COVERITY_SCAN_EMAIL }}
+      run: |
+        curl \
+          --form token="${TOKEN}" \
+          --form email="${EMAIL}" \
+          --form file=@cov-int.tgz \
+          --form version="${GITHUB_SHA}" \
+          --form description="coverity-scan wolfSSL/wolfTPM / ${GITHUB_REF}" \
+          "https://scan.coverity.com/builds?project=wolfTPM"