ansible: move Coverity Scan build tool install

Install the Coverity Scan build tool on the `benchmark` machines
instead of the `jenkins-workspace` machines.

Refs: nodejs#3723

ansible/MANUAL_STEPS.md

@@ -23,6 +23,8 @@
   * [Control machine (where Ansible is run)](#control-machine-where-ansible-is-run)
   * [Target machines](#target-machines)
 * [jenkins-workspace](#jenkins-workspace)
+* [benchmark](#benchmark)
+  * [Static analysis](#static-analysis)
 * [Docker hosts](#docker-hosts)
 * [SmartOS](#smartos)
 * [IBM i](#ibm-i)
@@ -664,9 +666,15 @@ Note that not all jobs can use [jenkins-workspace] servers for execution, some a
 
 The [jenkins-workspace] hosts are setup as standard Node.js nodes but are only given the [jenkins-workspace] label.
 
+## benchmark
+
+### Static analysis
+
+The [benchmark][] machines are set up so they can run preinstalled tooling against the Node.js codebase and submit the results to [Coverity Scan][].
+
 The playbook should download and install the Coverity build tool needed for static analysis into `/var/`. The extracted build tool should end up in a directory similar to `/var/cov-analysis-linux64-2023.6.2`. This directory must match the `PATH` setting in the [node-daily-coverity][] job. According to Synopsis the tool is usually updated twice yearly -- if it is updated the directory will change and the following steps should be done:
 
-* Run the playbook on all [jenkins-workspace][] machines so that they have the same version of the Coverity build tool installed.
+* Run the playbook on all [benchmark][] machines so that they have the same version of the Coverity build tool installed.
 * Update the [node-daily-coverity][] job so that the set `PATH` contains the new directory name.
 
 ## Docker hosts
@@ -776,8 +784,9 @@ pax -rf /u/unix1/SDK8_64bit_SR6_FP10.PAX.Z -ppx
 ```
 
 
-
+[Coverity Scan]: https://scan.coverity.com/projects/node-js
 [Setting up a Windows Host]: https://docs.ansible.com/ansible/latest/user_guide/windows_setup.html
+[benchmark]: https://ci.nodejs.org/label/benchmark/
 [jenkins-workspace]: https://ci.nodejs.org/label/jenkins-workspace/
 [newer Ansible configuration]: https://github.com/nodejs/build/tree/main/ansible
 [node-daily-coverity]: https://ci.nodejs.org/job/node-daily-coverity/configure

ansible/playbooks/jenkins/worker/create.yml

@@ -16,6 +16,9 @@
     - { role: 'benchmarking',
         tags: 'benchmarking',
         when: is_benchmark is defined and is_benchmark|bool == True }
+    - { role: 'static-analysis',
+        tags: 'static-analysis',
+        when: is_benchmark is defined and is_benchmark|bool == True }
 #
 # Install Linux perf on Benchmarking servers
 #

ansible/roles/jenkins-workspace/tasks/main.yml

@@ -141,48 +141,3 @@
     name: pip
     executable: pip3
     state: latest
-
-# Required to submit builds to Coverity.
-- name: Install jq
-  ansible.builtin.package:
-    name: jq
-    state: latest
-    update_cache: yes
-
-# Coverity build tool. See MANUAL_STEPS.md.
-- name: Get md5sum for Coverity build tool
-  ansible.builtin.uri:
-    body:
-      md5: 1
-      token: "{{ secrets.coverity_token }}"
-      project: Node.js
-    body_format: form-urlencoded
-    method: POST
-    url: https://scan.coverity.com/download/linux64
-    return_content: true
-  register: coverity_build_tool_meta
-
-- name: Download Coverity build tool
-  ansible.builtin.uri:
-    body:
-      token: "{{ secrets.coverity_token }}"
-      project: Node.js
-    body_format: form-urlencoded
-    dest: /tmp/
-    method: POST
-    url: https://scan.coverity.com/download/linux64
-  register: coverity_build_tool
-
-- name: Validate checksum of downloaded Coverity build tool
-  ansible.builtin.stat:
-    checksum_algorithm: md5
-    path: "{{ coverity_build_tool.path }}"
-  failed_when: coverity_build_tool_file.stat.checksum != coverity_build_tool_meta.content
-  register: coverity_build_tool_file
-
-- name: Unpack Coverity build tool
-  ansible.builtin.unarchive:
-    creates: "/var/{{ coverity_build_tool.path|regex_search('/tmp/(.+)\\.tar\\.gz', '\\1')|first }}"
-    dest: /var/
-    remote_src: true
-    src: "{{ coverity_build_tool.path }}"

ansible/roles/static-analysis/meta/main.yml

@@ -0,0 +1,7 @@
+---
+
+# This role depends on read-secrets to get the token necessary to download the
+# Coverity Scan Build Tool.
+
+dependencies:
+  - role: read-secrets

ansible/roles/static-analysis/tasks/main.yml

@@ -0,0 +1,49 @@
+---
+
+# Set up tooling required to perform static analysis builds.
+# See MANUAL_STEPS.md for further steps if the Build tool is updated.
+
+# Required to submit builds to Coverity.
+- name: Install jq
+  ansible.builtin.package:
+    name: jq
+    state: latest
+    update_cache: yes
+
+# Coverity build tool.
+- name: Get md5sum for Coverity build tool
+  ansible.builtin.uri:
+    body:
+      md5: 1
+      token: "{{ secrets.coverity_token }}"
+      project: Node.js
+    body_format: form-urlencoded
+    method: POST
+    url: https://scan.coverity.com/download/linux64
+    return_content: true
+  register: coverity_build_tool_meta
+
+- name: Download Coverity build tool
+  ansible.builtin.uri:
+    body:
+      token: "{{ secrets.coverity_token }}"
+      project: Node.js
+    body_format: form-urlencoded
+    dest: /tmp/
+    method: POST
+    url: https://scan.coverity.com/download/linux64
+  register: coverity_build_tool
+
+- name: Validate checksum of downloaded Coverity build tool
+  ansible.builtin.stat:
+    checksum_algorithm: md5
+    path: "{{ coverity_build_tool.path }}"
+  failed_when: coverity_build_tool_file.stat.checksum != coverity_build_tool_meta.content
+  register: coverity_build_tool_file
+
+- name: Unpack Coverity build tool
+  ansible.builtin.unarchive:
+    creates: "/var/{{ coverity_build_tool.path|regex_search('/tmp/(.+)\\.tar\\.gz', '\\1')|first }}"
+    dest: /var/
+    remote_src: true
+    src: "{{ coverity_build_tool.path }}"