Merge branch 'zephyrproject-rtos:main' into staging

Author: ajsacco

.clang-format

@@ -99,6 +99,7 @@ IndentCaseLabels: false
 IndentGotoLabels: false
 IndentWidth: 8
 InsertBraces: true
+InsertNewlineAtEOF: true
 SpaceBeforeInheritanceColon: False
 SpaceBeforeParens: ControlStatementsExceptControlMacros
 SortIncludes: Never

.github/ISSUE_TEMPLATE/007_ext-source.md

@@ -49,6 +49,15 @@ required to maintain ...)
 Why is this the right component to solve it (e.g., SQLite is small,
 easy to use, and has a very liberal license.)
 
+## Security
+
+Does this component include any cryptographic functionality?
+If so, please describe the cryptographic algorithms and protocols used.
+
+How does this component handle security vulnerabilities and updates?
+Are there any known vulnerabilities in this component? If so, please
+provide details and references to any CVEs or security advisories.
+
 ## Dependencies
 
 What other components does this package depend on?

.github/SECURITY.md

@@ -11,9 +11,9 @@ updates:
 At this time, with the latest release of v4.0, the supported
 versions are:
 
-  - v4.0: Current release
-  - v3.7: Prior release and Current LTS
-  - v2.7: Prior LTS
+  - v4.1: Current release
+  - v4.0: Prior release
+  - v3.7: Current LTS
 
 ## Reporting process
 

.github/codeql/codeql-actions-config.yml

@@ -0,0 +1,2 @@
+paths:
+  - .github

.github/codeql/codeql-js-config.yml

@@ -0,0 +1,2 @@
+paths:
+  - doc

.github/dependabot.yml

@@ -1,4 +1,5 @@
 version: 2
+enable-beta-ecosystems: true
 updates:
   - package-ecosystem: "github-actions"
     directory: "/"
@@ -11,3 +12,15 @@ updates:
       actions-deps:
         patterns:
           - "*"
+
+  - package-ecosystem: "uv"
+    directory: "/doc"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "ci: doc: "
+    labels: []
+    groups:
+      doc-deps:
+        patterns:
+          - "*"

.github/workflows/assigner.yml

@@ -15,23 +15,36 @@ on:
     types:
     - labeled
 
+permissions:
+  contents: read
+
 jobs:
   assignment:
     name: Pull Request Assignment
     if: github.event.pull_request.draft == false
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
+    permissions:
+      pull-requests: write # to add assignees to pull requests
+      issues: write        # to add assignees to issues
 
     steps:
-    - name: Install Python dependencies
-      run: |
-        pip install -U PyGithub>=1.55 west
-
     - name: Check out source code
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+    - name: Set up Python
+      uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
+      with:
+        python-version: 3.12
+        cache: pip
+        cache-dependency-path: scripts/requirements-actions.txt
+
+    - name: Install Python packages
+      run: |
+        pip install -r scripts/requirements-actions.txt --require-hashes
 
     - name: Run assignment script
       env:
-        GITHUB_TOKEN: ${{ secrets.ZB_GITHUB_TOKEN }}
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       run: |
         FLAGS="-v"
         FLAGS+=" -o ${{ github.event.repository.owner.login }}"

.github/workflows/backport.yml

@@ -7,10 +7,17 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   backport:
     name: Backport
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: write       # to create/push backport branches
+      pull-requests: write  # to create backport PRs
+      issues: write         # to add labels to issue created if backport fails
     # Only react to merged PRs for security reasons.
     # See https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target.
     if: >
@@ -24,8 +31,8 @@ jobs:
       )
     steps:
       - name: Backport
-        uses: zephyrproject-rtos/action-backport@v2.0.3-3
+        uses: zephyrproject-rtos/action-backport@7e74f601d11eaca577742445e87775b5651a965f # v2.0.3-3
         with:
-          github_token: ${{ secrets.ZB_GITHUB_TOKEN }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
           issue_labels: Backport
           labels_template: '["Backport"]'

.github/workflows/backport_issue_check.yml

@@ -10,29 +10,41 @@ on:
     branches:
       - v*-branch
 
+permissions:
+  contents: read
+
 jobs:
   backport:
     name: Backport Issue Check
     concurrency:
       group: backport-issue-check-${{ github.ref }}
       cancel-in-progress: true
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     if: github.repository == 'zephyrproject-rtos/zephyr'
+    permissions:
+      issues: read # to check if associated issue exists for backport
 
     steps:
       - name: Check out source code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Set up Python
+        uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
+        with:
+          python-version: 3.12
+          cache: pip
+          cache-dependency-path: scripts/requirements-actions.txt
 
-      - name: Install Python dependencies
+      - name: Install Python packages
         run: |
-          pip install -U pygithub
+          pip install -r scripts/requirements-actions.txt --require-hashes
 
       - name: Run backport issue checker
         env:
-          GITHUB_TOKEN: ${{ secrets.ZB_GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           ./scripts/release/list_backports.py \
-            -o ${{ github.event.repository.owner.login }} \
-            -r ${{ github.event.repository.name }} \
-            -b ${{ github.event.pull_request.base.ref }} \
-            -p ${{ github.event.pull_request.number }}
+          -o ${{ github.event.repository.owner.login }} \
+          -r ${{ github.event.repository.name }} \
+          -b ${{ github.event.pull_request.base.ref }} \
+          -p ${{ github.event.pull_request.number }}

.github/workflows/bsim-tests-publish.yaml

@@ -5,20 +5,26 @@ on:
     workflows: ["BabbleSim Tests"]
     types:
       - completed
+
+permissions:
+  contents: read
+
 jobs:
   bsim-test-results:
     name: "Publish BabbleSim Test Results"
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     if: github.event.workflow_run.conclusion != 'skipped'
+    permissions:
+      checks: write # to create the check run entry with test results
 
     steps:
       - name: Download artifacts
-        uses: dawidd6/action-download-artifact@v8
+        uses: dawidd6/action-download-artifact@07ab29fd4a977ae4d2b275087cf67563dfdf0295 # v9
         with:
           run_id: ${{ github.event.workflow_run.id }}
 
       - name: Publish BabbleSim Test Results
-        uses: EnricoMi/publish-unit-test-result-action@v2
+        uses: EnricoMi/publish-unit-test-result-action@170bf24d20d201b842d7a52403b73ed297e6645b # v2.18.0
         with:
           check_name: BabbleSim Test Results
           comment_mode: off