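# Runs the Eclair coding-guidelines scan on pushes to the branches listed
# under `on.push.branches` and keeps the SARIF output as a workflow
# artifact. The job is gated on the repository owner so forks neither
# spend runner time nor need the TOOLDIST_* secrets.
name: Coding Guidelines Scanning

on:
  push:
    branches:
      - main
      - v*-branch
      - collab-*

# Workflow-wide default is a read-only token; the job below widens it
# only for what it needs.
permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.head_ref || github.ref }}
  cancel-in-progress: true

jobs:
  coding_guideline_scan:
    # Only the upstream organization has the tool-distribution and
    # license secrets referenced in the SCA Setup step.
    if: github.repository_owner == 'zephyrproject-rtos'
    runs-on:
      group: zephyr-runner-v2-linux-x64-4xlarge
    container:
      image: ghcr.io/zephyrproject-rtos/ci-repo-cache:v0.29.2.20260422
      options: '--entrypoint /bin/bash'
    permissions:
      contents: read
      # Only consumed by the upload-sarif step, which is currently
      # commented out at the end of this job. Drop this grant if that
      # step is removed for good (least privilege).
      security-events: write
    steps:
      - name: Print cloud service information
        run: |
          echo "ZEPHYR_RUNNER_CLOUD_PROVIDER = ${ZEPHYR_RUNNER_CLOUD_PROVIDER}"
          echo "ZEPHYR_RUNNER_CLOUD_NODE = ${ZEPHYR_RUNNER_CLOUD_NODE}"
          echo "ZEPHYR_RUNNER_CLOUD_POD = ${ZEPHYR_RUNNER_CLOUD_POD}"

      - name: Apply container owner mismatch workaround
        run: |
          # FIXME: The owner UID of the GITHUB_WORKSPACE directory may not
          # match the container user UID because of the way GitHub
          # Actions runner is implemented. Remove this workaround when
          # GitHub comes up with a fundamental fix for this problem.
          git config --global --add safe.directory ${GITHUB_WORKSPACE}

      - name: Clone cached Zephyr repository
        # Best effort: a missing or broken cache must not fail the job;
        # the Checkout step below still runs afterwards.
        continue-on-error: true
        run: |
          git clone --shared /repo-cache/zephyrproject/zephyr .
          git remote set-url origin ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}

      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # This workflow only triggers on `push`, where no pull_request
          # payload exists, so this expression is empty and the action
          # falls back to the pushed commit. Kept for parity with the
          # pull-request variant of this workflow.
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 0
          # Do not leave the job token in .git/config for later steps.
          persist-credentials: false

      - name: Environment Setup
        run: |
          echo "$HOME/.local/bin" >> $GITHUB_PATH
          echo "$HOME/.cargo/bin" >> $GITHUB_PATH
          west init -l . || true
          west config manifest.group-filter -- +ci,+optional
          west config --global update.narrow true
          # Retry once; on a second failure discard the module checkouts
          # and update from a clean state.
          west update --path-cache /repo-cache/zephyrproject 2>&1 1> west.update.log || west update --path-cache /repo-cache/zephyrproject 2>&1 1> west.update.log || ( rm -rf ../modules ../bootloader ../tools && west update --path-cache /repo-cache/zephyrproject)
          west forall -c 'git reset --hard HEAD'
          echo "ZEPHYR_SDK_INSTALL_DIR=/opt/toolchains/zephyr-sdk-$( cat SDK_VERSION )" >> $GITHUB_ENV

      - name: Check Environment
        run: |
          cmake --version
          gcc --version
          cargo --version
          rustup target list --installed
          ls -la
          # Read the ref names from the runner's default environment
          # variables rather than expanding ${{ github.* }} into the
          # script text, so a branch name can never alter the shell
          # command that is executed.
          echo "github.ref: ${GITHUB_REF}"
          echo "github.base_ref: ${GITHUB_BASE_REF}"
          echo "github.ref_name: ${GITHUB_REF_NAME}"

      - name: SCA Setup
        uses: zephyrproject-rtos/action-sca-setup@681d9f46f28d391eb57e6f15fdb76af25d6c46bc
        with:
          tool-name: eclair
          tool-version: 3.15.0
          install-dir: eclair
          s3-access-key-id: ${{ secrets.TOOLDIST_ACCESS_KEY }}
          s3-secret-access-key: ${{ secrets.TOOLDIST_SECRET_ACCESS_KEY }}
          license-server: ${{ secrets.TOOLDIST_ECLAIR_LICENSE_SERVER }}
          # Lifetime of the license checkout; units are defined by
          # action-sca-setup (presumably minutes — confirm there). The
          # Clean up step below runs even on failure.
          license-key-ttl: 480

      - name: Set Up Python 3.12
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          # Quoted so the version is a string, not a float.
          python-version: "3.12"
          cache: pip
          cache-dependency-path: scripts/requirements-actions.txt

      - name: install-packages
        run: |
          # --require-hashes refuses any package whose hash is not
          # pinned in the requirements file.
          pip install -r scripts/requirements-actions.txt --require-hashes
          sudo apt-get update
          sudo apt-get install -y jq

      - name: Scan code with Eclair
        run: |
          #./scripts/twister -j 16 -p qemu_x86 -T samples/synchronization -i --build-only -v \
          #    -xZEPHYR_SCA_VARIANT=eclair \
          #    -xUSE_CCACHE=0 \
          #    -xECLAIR_REPORTS_SARIF=1 \
          #    -xECLAIR_RULESET_ZEPHYR_GUIDELINES=ON \
          #    -xECLAIR_RULESET_FIRST_ANALYSIS=OFF
          # Initially we use west to build just one single application on one
          # platform and address rules with large number of findings. This is
          # to make sure we can complete the scan within the time limit of
          # GitHub Actions and also to make sure we can get the results in
          # SARIF format without running into any issues. Once we have that
          # working, we can expand the scan to cover more applications and
          # platforms and start posting findings to GitHub Security tab.
          export ZEPHYR_BASE=${PWD}
          west -v build -p -b qemu_x86 tests/integration/kernel/ -- \
            -DZEPHYR_SCA_VARIANT=eclair \
            -DUSE_CCACHE=0 \
            -DECLAIR_REPORTS_SARIF=1 \
            -DECLAIR_RULESET_ZEPHYR_GUIDELINES=ON \
            -DECLAIR_RULESET_FIRST_ANALYSIS=OFF
          cp build/sca/eclair/reports.sarif .
          cp build/sca/eclair/DIAGNOSTIC.txt .
          # Merge every reports.sarif under build/ into a single SARIF
          # 2.1.0 document by concatenating their "runs" arrays.
          jq -s '{ "$schema": "https://json.schemastore.org/sarif-2.1.0", "version": "2.1.0", "runs": map(.runs) | add }' $(find build -name "reports.sarif") > results.sarif
          cp results.sarif results_${GITHUB_SHA}.sarif
          # Prefix every string artifact URI with the workspace path so
          # locations resolve outside the build tree, and drop
          # partialFingerprints from each result.
          jq --arg basepath "file://${GITHUB_WORKSPACE}/" '
            .runs[].results[] |= (
              # Remove partialFingerprints if it exists
              del(.partialFingerprints)
              |
              .locations[]? |= (
                .physicalLocation.artifactLocation.uri
                |= if type == "string" then ($basepath + .) else . end
              )
              | .relatedLocations[]? |= (
                .physicalLocation.artifactLocation.uri
                |= if type == "string" then ($basepath + .) else . end
              )
            )
          ' results.sarif > results_tmp.sarif
          mv results_tmp.sarif results.sarif
          ver=$(git describe)
          echo "PAYLOAD_VERSION=${ver}" >> $GITHUB_ENV
          echo "PAYLOAD_DESC=${ver}" >> $GITHUB_ENV

      - name: Clean up
        # Runs even when the scan fails; presumably releases the Eclair
        # license obtained in SCA Setup — confirm against eclair_licman.
        if: always()
        run: |
          eclair_licman -c 57350

      - name: Upload SARIF as artifact
        if: always() && github.event_name == 'push'
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: sarif
          if-no-files-found: ignore
          path: |
            DIAGNOSTIC.txt
            results_*.sarif

      - name: Summarize SARIF results
        if: always()
        run: |
          # Skip the summary when the scan produced no (or an empty) file.
          if [ -s results_${GITHUB_SHA}.sarif ]; then
            python3 scripts/ci/sarif_summary.py results_${GITHUB_SHA}.sarif
          fi

      # disabled for now
      # - name: Upload Analysis Results
      #   if: always()
      #   uses: github/codeql-action/upload-sarif@v4
      #   with:
      #     sarif_file: results.sarif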