104 changes: 54 additions & 50 deletions .github/workflows/00-Check-Code-Convention.yml
@@ -1,4 +1,8 @@
name: 00-Check-Code-Convention

permissions:
contents: read

on:
push:
branches-ignore:
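Review bot: the workflow-level `permissions: contents: read` added at the top of the file is the right scope for this job; it makes the GITHUB_TOKEN read-only for every job in the workflow, and nothing below it (checkout, pre-commit, artifact upload) needs a write scope, so no job-level override is required.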
Expand All @@ -11,37 +15,37 @@ on:
workflow_dispatch:
inputs:
branch:
description: 'Branch to test'
description: "Branch to test"
type: string
default: 'master'
default: "master"

jobs:
job1:
name: Check coding convention
runs-on: ubuntu-22.04 #uncrustify 0.64 can not be compiled on ubuntu-24.04
steps:
- name: Trigger
run: echo "Triggered by ${{github.event_name}} event"
- name: Check Branch Input
run: |
if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then
if [ -z "${{ github.event.inputs.branch }}" ]; then
echo "Branch input is required for manual trigger."
exit 1
fi
- name: Trigger
run: echo "Triggered by ${{github.event_name}} event"
- name: Check Branch Input
run: |
if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then
if [ -z "${{ github.event.inputs.branch }}" ]; then
echo "Branch input is required for manual trigger."
exit 1
fi
- name: Checkout
uses: actions/checkout@v4.1.7
with:
ref: "${{ github.event_name == 'workflow_dispatch' && github.event.inputs.branch || github.ref }}"
submodules: true
fetch-depth: 0
- name: Log Current Branch and Commit
run: |
fi
- name: Checkout
uses: actions/checkout@v4.1.7
with:
ref: "${{ github.event_name == 'workflow_dispatch' && github.event.inputs.branch || github.ref }}"
submodules: true
fetch-depth: 0
- name: Log Current Branch and Commit
run: |
echo "Current branch: $(git rev-parse --abbrev-ref HEAD)"
echo "Current commit: $(git rev-parse HEAD)"
- name: Install commit check tools
run: |
- name: Install commit check tools
run: |
echo "Installing pre-commit ..."
python3 -m pip install pre-commit
echo "Installing uncrustify 0.64 from source code ..."
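Review bot: the `Check Branch Input` step interpolates `${{ github.event.inputs.branch }}` straight into the `run:` script (the `if [ -z "${{ github.event.inputs.branch }}" ]` line); the expression is expanded into the script text before bash runs it, so the usual hardening is to pass the value through a step-level `env:` entry such as `BRANCH: ${{ github.event.inputs.branch }}` and test `"$BRANCH"` inside the script. The rest of this hunk is quote style and indentation only, so behaviour is unchanged. Minor: `actions/checkout@v4.1.7` is pinned by tag; pinning by commit SHA would make that supply-chain pin immutable.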
Expand All @@ -60,33 +64,33 @@ jobs:
sudo cp ./.github/coding-convention-tool/tools/uncrustify/uncrustify.cfg ./uncrustify/uncrustify.cfg
echo "Install clang-tidy"
sudo apt-get install clang-tidy
- name: Run test
run: |
pre-commit install --config .github/coding-convention-tool/.pre-commit-config.yaml
pre-commit run --config .github/coding-convention-tool/.pre-commit-config.yaml --all-files 2>&1 | tee CodingConventionTool.txt
git diff > code-fix.patch || echo "No changes to patch."
ls -lah code-fix.patch
- name: Run test
run: |
pre-commit install --config .github/coding-convention-tool/.pre-commit-config.yaml
pre-commit run --config .github/coding-convention-tool/.pre-commit-config.yaml --all-files 2>&1 | tee CodingConventionTool.txt
git diff > code-fix.patch || echo "No changes to patch."
ls -lah code-fix.patch

- name: Upload Result
uses: actions/upload-artifact@v4.3.4
with:
name: CodingConventionResult
path: CodingConventionTool.txt
retention-days: 90
- name: Upload Patch
uses: actions/upload-artifact@v4.3.4
with:
name: code-fix.patch
path: code-fix.patch
retention-days: 90
- name: Check log file to set status of the job
run: |
keywords=("Failed")
for keyword in "${keywords[@]}"; do
if grep -q "$keyword" CodingConventionTool.txt; then
echo "Keyword '$keyword' found in the file."
exit 1
else
echo "Keyword '$keyword' not found in the file."
fi
done
- name: Upload Result
uses: actions/upload-artifact@v4.3.4
with:
name: CodingConventionResult
path: CodingConventionTool.txt
retention-days: 1
- name: Upload Patch
uses: actions/upload-artifact@v4.3.4
with:
name: code-fix.patch
path: code-fix.patch
retention-days: 1
- name: Check log file to set status of the job
run: |
keywords=("Failed")
for keyword in "${keywords[@]}"; do
if grep -q "$keyword" CodingConventionTool.txt; then
echo "Keyword '$keyword' found in the file."
exit 1
else
echo "Keyword '$keyword' not found in the file."
fi
done
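Review bot: `retention-days` drops from 90 to 1 for both `CodingConventionResult` and `code-fix.patch`; that is fine for the job's own status check, which only reads `CodingConventionTool.txt` inside the run, but anyone who wants to download the patch after a failed run now has one day to do so, so worth confirming that is intended. Separately, and pre-existing rather than changed here: `pre-commit run ... 2>&1 | tee CodingConventionTool.txt` returns `tee`'s exit status, so a failing pre-commit run does not fail the step on its own and the last step's grep for `Failed` is what actually gates the job; adding `set -o pipefail` at the top of that script (or setting `shell: bash`, whose default options include pipefail) would make the step fail directly instead of depending on log wording.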
6 changes: 3 additions & 3 deletions .github/workflows/01-CLA-Assistant.yml
Expand Up @@ -6,7 +6,7 @@ on:
issue_comment:
types: [created]
pull_request_target:
types: [opened,closed,synchronize,reopened]
types: [opened, closed, synchronize, reopened]

permissions:
actions: write
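Review bot: only the spacing of the `types:` list changes here, so there is no behaviour change. Because this workflow fires on `pull_request_target`, it runs in the base repository's context with repository secrets and the `actions: write` permission shown below; that is safe only as long as no step checks out or executes code from the pull request head, which holds for the steps visible in this diff and should stay a review criterion for any step added later.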
Expand All @@ -28,15 +28,15 @@ jobs:
repositories: contributor-license-agreements

- name: "CLA Assistant"
if: ${{ contains(github.event.comment.body, 'I have read the CLA Document and I hereby sign the CLA') }} || github.event_name == 'pull_request_target'
if: ${{ contains(github.event.comment.body, 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target' }}
uses: SiliconLabsSoftware/action-cla-assistant@silabs_flavour_v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PERSONAL_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}
with:
path-to-signatures: "cla_signatures_db.json"
path-to-document: "https://github.com/SiliconLabsSoftware/agreements-and-guidelines/blob/main/contributor_license_agreement.md"
branch: 'cla-database'
branch: "cla-database"
allowlist: silabs-*,bot*
# the following are the optional inputs - If the optional inputs are not given, then default values will be taken
remote-organization-name: "SiliconLabsInternal"
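Review bot: the `if:` change is a real fix, not formatting. In the old form the `||` and the `github.event_name == 'pull_request_target'` comparison sat outside the `${{ }}`, so they were literal text appended to the evaluated `contains(...)` result, and a non-empty string is truthy, meaning the step ran on every `issue_comment` regardless of its body; wrapping the whole expression in `${{ }}` makes the condition evaluate as intended. One thing to double-check on the unchanged lines: `allowlist: silabs-*,bot*` exempts any login beginning with `bot` from signing, which is broader than naming the specific bot accounts.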
144 changes: 74 additions & 70 deletions .github/workflows/02-Build-Firmware.yml
@@ -1,75 +1,79 @@
name: 02-Build-Firmware

permissions:
contents: read

on:
pull_request:
pull_request:
branches:
- master
workflow_dispatch:
- master
workflow_dispatch:
env:
ARCH: x86_64
POST_BUILD_EXE: "/opt/commander-cli/commander-cli"
ARM_GCC_DIR: "/opt/gcc-arm-none-eabi/"
ARM_GCC_URL: "https://developer.arm.com/-/media/Files/downloads/gnu/12.2.rel1/binrel/arm-gnu-toolchain-12.2.rel1-x86_64-arm-none-eabi.tar.xz"
ARCH: x86_64
POST_BUILD_EXE: "/opt/commander-cli/commander-cli"
ARM_GCC_DIR: "/opt/gcc-arm-none-eabi/"
ARM_GCC_URL: "https://developer.arm.com/-/media/Files/downloads/gnu/12.2.rel1/binrel/arm-gnu-toolchain-12.2.rel1-x86_64-arm-none-eabi.tar.xz"
jobs:
FW_build:
runs-on: ubuntu-22.04
steps:
- name: Trigger
run: echo "Triggered by ${{ github.event_name }} event"
- name: Checkout
uses: actions/checkout@v4.2.2
- name: Install Dependencies
run: |
sudo apt-get update && \
sudo apt-get install --no-install-recommends -y \
clang \
clang-tidy \
cppcheck \
git \
build-essential \
curl \
jq \
python3-dev \
python3-pip \
ninja-build \
make \
wget \
zip \
unzip \
libgl1 \
libglib2.0-0 \
libpcre2-dev
- name: CMake 3.25.4
run: |
wget https://github.com/Kitware/CMake/releases/download/v3.25.3/cmake-3.25.3-linux-${{ env.ARCH }}.sh \
-q -O /tmp/cmake-install.sh \
&& chmod u+x /tmp/cmake-install.sh \
&& mkdir /opt/cmake-3.25.3 \
&& /tmp/cmake-install.sh --skip-license --prefix=/opt/cmake-3.25.3 \
&& rm /tmp/cmake-install.sh \
&& ln -sf /opt/cmake-3.25.3/bin/* /usr/local/bin
- name: Install GNU Arm Embedded Toolchain
run: |
cd /tmp/ \
&& wget ${{ env.ARM_GCC_URL }} \
&& tar -xf arm-gnu-toolchain-12.2.rel1-${{ env.ARCH }}-arm-none-eabi.tar.xz \
&& mv arm-gnu-toolchain-12.2.rel1-${{ env.ARCH }}-arm-none-eabi /opt/gcc-arm-none-eabi \
&& rm arm-gnu-toolchain-12.2.rel-${{ env.ARCH }}-arm-none-eabi -rf
- name: Simplicity Commander
run: |
wget https://www.silabs.com/documents/login/software/SimplicityCommander-Linux.zip \
&& unzip SimplicityCommander-Linux.zip \
&& tar -xf SimplicityCommander-Linux/Commander-cli_linux_${{ env.ARCH }}_*.tar.bz \
&& mv commander-cli /opt/commander-cli \
&& rm -rf SimplicityCommander-Linux.zip SimplicityCommander-Linux
- name: Build the project
run: |
cd ${{ github.workspace}} \
&& make all
- name: Upload Build Artifacts
uses: actions/upload-artifact@v4.4.3
with:
name: build-artifacts-${{ github.run_number }}
path: |
locator_ncp/build/locator_ncp.s37
locator_host/build/locator_host.s37
retention-days: 90
FW_build:
runs-on: ubuntu-22.04
steps:
- name: Trigger
run: echo "Triggered by ${{ github.event_name }} event"
- name: Checkout
uses: actions/checkout@v4.2.2
- name: Install Dependencies
run: |
sudo apt-get update && \
sudo apt-get install --no-install-recommends -y \
clang \
clang-tidy \
cppcheck \
git \
build-essential \
curl \
jq \
python3-dev \
python3-pip \
ninja-build \
make \
wget \
zip \
unzip \
libgl1 \
libglib2.0-0 \
libpcre2-dev
- name: CMake 3.25.4
run: |
wget https://github.com/Kitware/CMake/releases/download/v3.25.3/cmake-3.25.3-linux-${{ env.ARCH }}.sh \
-q -O /tmp/cmake-install.sh \
&& chmod u+x /tmp/cmake-install.sh \
&& mkdir /opt/cmake-3.25.3 \
&& /tmp/cmake-install.sh --skip-license --prefix=/opt/cmake-3.25.3 \
&& rm /tmp/cmake-install.sh \
&& ln -sf /opt/cmake-3.25.3/bin/* /usr/local/bin
- name: Install GNU Arm Embedded Toolchain
run: |
cd /tmp/ \
&& wget ${{ env.ARM_GCC_URL }} \
&& tar -xf arm-gnu-toolchain-12.2.rel1-${{ env.ARCH }}-arm-none-eabi.tar.xz \
&& mv arm-gnu-toolchain-12.2.rel1-${{ env.ARCH }}-arm-none-eabi /opt/gcc-arm-none-eabi \
&& rm arm-gnu-toolchain-12.2.rel-${{ env.ARCH }}-arm-none-eabi -rf
- name: Simplicity Commander
run: |
wget https://www.silabs.com/documents/login/software/SimplicityCommander-Linux.zip \
&& unzip SimplicityCommander-Linux.zip \
&& tar -xf SimplicityCommander-Linux/Commander-cli_linux_${{ env.ARCH }}_*.tar.bz \
&& mv commander-cli /opt/commander-cli \
&& rm -rf SimplicityCommander-Linux.zip SimplicityCommander-Linux
- name: Build the project
run: |
cd ${{ github.workspace}} \
&& make all
- name: Upload Build Artifacts
uses: actions/upload-artifact@v4.4.3
with:
name: build-artifacts-${{ github.run_number }}
path: |
locator_ncp/build/locator_ncp.s37
locator_host/build/locator_host.s37
retention-days: 1
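Review bot: apart from the workflow-level `permissions: contents: read` (which answers the CodeQL finding on this file) and the `retention-days` change from 90 to 1, this hunk is indentation only, but two pre-existing points in the re-indented steps deserve a follow-up. The `Install GNU Arm Embedded Toolchain` and `Simplicity Commander` steps fetch the toolchain and Commander CLI with `wget` and unpack them without any integrity check; pinning a known SHA-256 for each archive and running `sha256sum -c` before `tar -xf` would protect the firmware build from a tampered or replaced download. Minor: the step named `CMake 3.25.4` installs 3.25.3, and the cleanup line `rm arm-gnu-toolchain-12.2.rel-${{ env.ARCH }}-arm-none-eabi -rf` is missing the `1` in `rel1`, so it silently removes nothing.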
Comment on lines +18 to +79

Code scanning / CodeQL: Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix (AI, about 1 month ago):

To fix the problem, explicitly declare restricted GITHUB_TOKEN permissions in the workflow. The minimal safe default for a build-and-artifact-upload job that only checks out code is contents: read. This can be set either at the workflow root (affecting all jobs) or at the job level. Since there is only one job (FW_build), either is acceptable; using a top-level permissions: block is simple and clear.

Concretely, in .github/workflows/02-Build-Firmware.yml, add a permissions: section near the top of the file (e.g., after on: or before env:) specifying contents: read. No steps rely on write access to issues, PRs, or contents, and artifact upload does not need repository write scopes, so we do not grant any additional permissions. No imports or extra methods are required; it is purely a YAML configuration change.

Suggested changeset 1: .github/workflows/02-Build-Firmware.yml

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/02-Build-Firmware.yml b/.github/workflows/02-Build-Firmware.yml
--- a/.github/workflows/02-Build-Firmware.yml
+++ b/.github/workflows/02-Build-Firmware.yml
@@ -4,6 +4,8 @@
     branches:
       - master
   workflow_dispatch:
+permissions:
+  contents: read
 env:
   ARCH: x86_64
   POST_BUILD_EXE: "/opt/commander-cli/commander-cli"
EOF
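Review bot: this suggested hunk inserts the `permissions:` block between `workflow_dispatch:` and `env:`, whereas the PR's version of the file already declares `permissions: contents: read` directly under `name:`, so applying it would add a second top-level `permissions` key; the suggestion is superseded by the change in the main diff and should not be applied.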
Contributor Author

fixed it.

28 changes: 16 additions & 12 deletions .github/workflows/04-TruffleHog-Security-Scan.yml
@@ -1,18 +1,22 @@
name: 04-TruffleHog-Security-Scan

permissions:
contents: read

on:
pull_request:
branches:
- master
workflow_dispatch:
pull_request:
branches:
- master
workflow_dispatch:
jobs:
trufflehog_scan:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Secret Scanning
uses: trufflesecurity/trufflehog@v3.84.0
with:
extra_args: --only-verified
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Secret Scanning
uses: trufflesecurity/trufflehog@v3.84.0
with:
extra_args: --only-verified
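Review bot: `extra_args: --only-verified` means TruffleHog reports only credentials it could verify as live against the issuing service, so revoked, expired or unverifiable secrets sitting in the history are not reported; that keeps the scan quiet, but it is worth stating in a comment on this line (or pairing with a periodic unfiltered run) so nobody reads a green result as "no secrets in the repo". `fetch-depth: 0` is right here since the scan needs the full history. Minor: this job uses `ubuntu-latest` and `actions/checkout@v4` (floating tags) while the other workflows pin `ubuntu-22.04` and exact action versions.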