Merge branch 'main' into codeql

Author: elvin03

.github/workflows/unit-test-and-coverage-gate.yml

@@ -46,8 +46,15 @@ jobs:
           INPUT_COV_THRESHOLD: ${{ inputs.cov_threshold }}
         run: |
           # Read threshold from file, allow manual override
-          FILE_THRESHOLD=$(cat .coverage-threshold 2>/dev/null || echo "65.0")
+          # Use fallback 65.0 if file is missing, empty, or unreadable
+          FILE_THRESHOLD=$(cat .coverage-threshold 2>/dev/null | tr -d '[:space:]')
+          FILE_THRESHOLD="${FILE_THRESHOLD:-65.0}"
           COV_THRESHOLD="${INPUT_COV_THRESHOLD:-$FILE_THRESHOLD}"
+          # Validate it's a number, otherwise use fallback
+          if ! [[ "$COV_THRESHOLD" =~ ^[0-9]+\.?[0-9]*$ ]]; then
+            echo "::warning::Invalid threshold '$COV_THRESHOLD', using 65.0"
+            COV_THRESHOLD="65.0"
+          fi
           echo "cov_threshold=${COV_THRESHOLD}" >> "$GITHUB_OUTPUT"
           echo "build_id=${GITHUB_RUN_ID}" >> "$GITHUB_OUTPUT"
           if [[ -n "${INPUT_COV_THRESHOLD}" ]]; then
@@ -89,7 +96,8 @@ jobs:
               # Extract numeric values using simpler patterns
               OVERALL=$(grep "Overall Coverage:" coverage_report.txt | sed 's/[^0-9.]*\([0-9.]\+\)%.*/\1/')%
               THRESHOLD=$(grep "Threshold:" coverage_report.txt | sed 's/[^0-9.]*\([0-9.]\+\)%.*/\1/')%
-              STATUS=$(grep "Status:" coverage_report.txt | sed 's/[^A-Z]*\([A-Z]\+\).*/\1/')
+              # Get last word on the Status line (PASSED or FAILED)
+              STATUS=$(grep "Status:" coverage_report.txt | awk '{print $NF}')
               
               # Status badge
               if [[ "$STATUS" == "PASSED" ]]; then

Earthfile

@@ -153,9 +153,13 @@ test:
 
     # Run the comprehensive coverage tests using our script
     # Args: COV_THRESHOLD PRINT_TS FAIL_ON_NO_TESTS DEBUG
-    # If COV_THRESHOLD not provided, read from .coverage-threshold file
+    # If COV_THRESHOLD not provided or empty, read from .coverage-threshold file
     RUN cd /work && \
-        THRESHOLD="${COV_THRESHOLD:-$(cat .coverage-threshold 2>/dev/null || echo 65.0)}" && \
+        FILE_THRESH=$(cat .coverage-threshold 2>/dev/null | tr -d '[:space:]') && \
+        FILE_THRESH="${FILE_THRESH:-65.0}" && \
+        THRESHOLD="${COV_THRESHOLD:-$FILE_THRESH}" && \
+        THRESHOLD="${THRESHOLD:-65.0}" && \
+        echo "Using coverage threshold: ${THRESHOLD}%" && \
         ./scripts/run_coverage_tests.sh "${THRESHOLD}" "${PRINT_TS}" "${FAIL_ON_NO_TESTS}"
 
     # Save coverage artifacts locally
@@ -176,9 +180,13 @@ test-debug:
 
     # Run the coverage tests with debug output (keeps temp files for inspection)
     # Args: COV_THRESHOLD PRINT_TS FAIL_ON_NO_TESTS DEBUG
-    # If COV_THRESHOLD not provided, read from .coverage-threshold file
+    # If COV_THRESHOLD not provided or empty, read from .coverage-threshold file
     RUN cd /work && \
-        THRESHOLD="${COV_THRESHOLD:-$(cat .coverage-threshold 2>/dev/null || echo 65.0)}" && \
+        FILE_THRESH=$(cat .coverage-threshold 2>/dev/null | tr -d '[:space:]') && \
+        FILE_THRESH="${FILE_THRESH:-65.0}" && \
+        THRESHOLD="${COV_THRESHOLD:-$FILE_THRESH}" && \
+        THRESHOLD="${THRESHOLD:-65.0}" && \
+        echo "Using coverage threshold: ${THRESHOLD}%" && \
         ./scripts/run_coverage_tests.sh "${THRESHOLD}" "${PRINT_TS}" "${FAIL_ON_NO_TESTS}" "true"
 
     # Save coverage artifacts locally

docs/tutorial/configure-multiple-package-repositories.md

@@ -0,0 +1,315 @@
+# Configuring Multiple Package Repositories
+
+## Overview
+
+The OS Image Composer supports adding multiple custom package repositories to your image builds through the `packageRepositories` section in image template files. This feature allows you to include packages from additional repositories beyond the default OS repositories, enabling you to integrate specialized software, proprietary packages, or packages from specific vendors into your custom images.
+
+## How It Works
+
+Package repositories are configured during the image build process and are added to the package manager configuration before any packages are installed. This ensures that packages from custom repositories are available during the package installation phase, allowing you to install packages from multiple sources in a single build.
+
+## Configuration Structure
+
+The `packageRepositories` section should be placed at the root level of your image template YAML file, alongside other top-level configuration sections:
+
+```yaml
+image:
+  name: your-image-name
+  version: "1.0"
+
+target:
+  os: ubuntu
+  dist: ubuntu24
+  arch: x86_64
+  imageType: raw
+
+# Package repositories are configured before any other operations
+packageRepositories:
+  - codename: "EdgeAI"
+    url: "https://yum.repos.intel.com/edgeai/"
+    pkey: "https://yum.repos.intel.com/edgeai/GPG-PUB-KEY-INTEL-DLS.gpg"
+
+disk:
+  name: ....
+  # .... other disk configuration
+
+systemConfig:
+  name: ....
+  packages:
+    - ubuntu-minimal
+    - edge-ai-package    # This package comes from the EdgeAI repository
+    # .... other packages
+```
+
+## Repository Configuration Properties
+
+Each repository entry supports the following properties:
+
+- **codename** (required): A unique identifier for the repository
+- **url** (required): The base URL of the package repository
+- **pkey** (strongly recommended): URL to the GPG public key for repository authentication. Technically this field is optional, but omitting it (or using `[trusted=yes]` to bypass GPG verification) should be limited to explicitly trusted internal repositories, as it disables signature verification and reduces security.
+
+## Complete Template Structure
+
+Here's how the packageRepositories section fits within a complete image template:
+
+```yaml
+image:
+  name: multi-repo-image
+  version: "1.0"
+
+target:
+  os: ubuntu
+  dist: ubuntu24
+  arch: x86_64
+  imageType: raw
+
+# Multiple package repositories configuration
+packageRepositories:
+  - codename: "EdgeAI"
+    url: "https://yum.repos.intel.com/edgeai/"
+    pkey: "https://yum.repos.intel.com/edgeai/GPG-PUB-KEY-INTEL-DLS.gpg"
+  
+  - codename: "edge-base"
+    url: "https://files-rs.edgeorchestration.intel.com/files-edge-orch/microvisor/rpms/3.0/base"
+    pkey: "https://raw.githubusercontent.com/open-edge-platform/edge-microvisor-toolkit/refs/heads/3.0/SPECS/edge-repos/INTEL-RPM-GPG-KEY"
+
+disk:
+  name: ....
+  # .... disk configuration
+
+systemConfig:
+  name: ....
+  description: ....
+  
+  packages:
+    - ubuntu-minimal
+    - openvino-toolkit     # From OpenVINO repository
+    - edge-ai-runtime      # From EdgeAI repository
+    - microvisor-base      # From edge-base repository
+    # .... other packages from various repositories
+  
+  kernel:
+    version: ....
+    # .... kernel configuration
+    
+  configurations:
+    # .... custom configurations
+```
+
+## Real-World Example
+
+A comprehensive multi-repository configuration for edge computing and AI workloads:
+
+```yaml
+packageRepositories:
+  - codename: "EdgeAI"
+    url: "https://yum.repos.intel.com/edgeai/"
+    pkey: "https://yum.repos.intel.com/edgeai/GPG-PUB-KEY-INTEL-DLS.gpg"
+
+  - codename: "edge-base"
+    url: "https://files-rs.edgeorchestration.intel.com/files-edge-orch/microvisor/rpms/3.0/base"
+    pkey: "https://raw.githubusercontent.com/open-edge-platform/edge-microvisor-toolkit/refs/heads/3.0/SPECS/edge-repos/INTEL-RPM-GPG-KEY"
+
+  - codename: "OpenVINO"
+    url: "https://yum.repos.intel.com/openvino/"
+    pkey: "https://yum.repos.intel.com/intel-gpg-keys/GPG-PUB-KEY-INTEL-SW-PRODUCTS.PUB"
+
+  - codename: "mariner"
+    url: "https://packages.microsoft.com/yumrepos/cbl-mariner-2.0-prod-extended-x86_64/"
+    pkey: "https://packages.microsoft.com/azurelinux/3.0/prod/base/x86_64/repodata/repomd.xml.key"
+```
+
+## Repository Configuration Examples
+
+### Intel Edge AI Stack
+
+```yaml
+packageRepositories:
+  - codename: "EdgeAI"
+    url: "https://yum.repos.intel.com/edgeai/"
+    pkey: "https://yum.repos.intel.com/edgeai/GPG-PUB-KEY-INTEL-DLS.gpg"
+  
+  - codename: "OpenVINO"
+    url: "https://yum.repos.intel.com/openvino/"
+    pkey: "https://yum.repos.intel.com/intel-gpg-keys/GPG-PUB-KEY-INTEL-SW-PRODUCTS.PUB"
+
+systemConfig:
+  packages:
+    - openvino-toolkit
+    - edge-ai-runtime
+    - intel-media-driver
+    # ....
+```
+
+### Microsoft and Intel Integration
+
+```yaml
+packageRepositories:
+  - codename: "mariner"
+    url: "https://packages.microsoft.com/yumrepos/cbl-mariner-2.0-prod-extended-x86_64/"
+    pkey: "https://packages.microsoft.com/azurelinux/3.0/prod/base/x86_64/repodata/repomd.xml.key"
+  
+  - codename: "edge-base"
+    url: "https://files-rs.edgeorchestration.intel.com/files-edge-orch/microvisor/rpms/3.0/base"
+    pkey: "https://raw.githubusercontent.com/open-edge-platform/edge-microvisor-toolkit/refs/heads/3.0/SPECS/edge-repos/INTEL-RPM-GPG-KEY"
+
+systemConfig:
+  packages:
+    - mariner-base-packages
+    - microvisor-runtime
+    - edge-orchestration-tools
+    # ....
+```
+
+### Development Environment
+
+```yaml
+packageRepositories:
+  - codename: "docker-ce"
+    url: "https://download.docker.com/linux/ubuntu"
+    pkey: "https://download.docker.com/linux/ubuntu/gpg"
+  
+  - codename: "nodejs"
+    url: "https://deb.nodesource.com/node_18.x"
+    pkey: "https://deb.nodesource.com/gpgkey/nodesource.gpg.key"
+
+systemConfig:
+  packages:
+    - docker-ce
+    - docker-ce-cli
+    - nodejs
+    - npm
+    # ....
+```
+
+### Trusted Repository (No GPG Verification)
+
+```yaml
+# WARNING: "[trusted=yes]" disables signature verification.
+# Only use this for repositories fully controlled by your organization,
+# typically in development or testing, and never for public or third-party repos.
+packageRepositories:
+  - codename: "internal-repo"
+    url: "https://internal.company.com/packages"
+    pkey: "[trusted=yes]"  # Bypasses GPG verification; ONLY for internal, organization-controlled repos.
+  
+  - codename: "test-repo"
+    url: "https://test.example.com/packages"
+    pkey: "[trusted=yes]"  # No signature verification; for internal dev/test only, not public/third-party repos.
+
+systemConfig:
+  packages:
+    - internal-package
+    - test-package
+    # ....
+```
+
+## Execution Process
+
+### Repository Setup Phase
+
+The build process follows this sequence when multiple repositories are configured:
+
+1. **Repository Configuration**: All repositories in `packageRepositories` are added to the package manager
+2. **GPG Key Import**: Public keys are downloaded and imported for repository authentication (skipped for `[trusted=yes]` repositories)
+3. **Repository Refresh**: Package lists are updated from all configured repositories
+4. **Package Installation**: Packages from all repositories become available for installation
+
+### Package Resolution
+
+When packages are installed:
+
+- The package manager searches all configured repositories
+- Dependencies can be resolved across multiple repositories
+- Repository priority may affect package selection when conflicts exist
+
+## Best Practices
+
+### 1. Always Include GPG Keys
+
+Include GPG keys for repository authentication and security:
+
+```yaml
+packageRepositories:
+  # Good - includes GPG key for security
+  - codename: "secure-repo"
+    url: "https://example.com/packages"
+    pkey: "https://example.com/gpg-key.pub"
+  
+  # Use trusted=yes only for internal/trusted repositories
+  - codename: "internal-repo"
+    url: "https://internal.company.com/packages"
+    pkey: "[trusted=yes]"
+  
+  # Avoid - missing pkey entirely reduces security
+  - codename: "insecure-repo"
+    url: "https://example.com/packages"
+```
+
+### 2. Use Descriptive Codenames
+
+Choose clear, descriptive codenames that indicate the repository purpose:
+
+```yaml
+packageRepositories:
+  # Good - descriptive codenames
+  - codename: "EdgeAI"
+  - codename: "OpenVINO"
+  - codename: "docker-ce"
+  
+  # Avoid - unclear codenames
+  - codename: "repo1"
+  - codename: "custom"
+```
+
+### 3. Verify Repository URLs
+
+Ensure repository URLs are correct and accessible:
+
+```yaml
+packageRepositories:
+  # Verify these URLs are accessible during build
+  - codename: "EdgeAI"
+    url: "https://yum.repos.intel.com/edgeai/"
+    pkey: "https://yum.repos.intel.com/edgeai/GPG-PUB-KEY-INTEL-DLS.gpg"
+```
+
+### 4. Document Repository Sources
+
+Add comments to document repository purposes:
+
+```yaml
+packageRepositories:
+  # Intel Edge AI packages for computer vision and inference
+  - codename: "EdgeAI"
+    url: "https://yum.repos.intel.com/edgeai/"
+    pkey: "https://yum.repos.intel.com/edgeai/GPG-PUB-KEY-INTEL-DLS.gpg"
+  
+  # Microsoft CBL-Mariner extended packages
+  - codename: "mariner"
+    url: "https://packages.microsoft.com/yumrepos/cbl-mariner-2.0-prod-extended-x86_64/"
+    pkey: "https://packages.microsoft.com/azurelinux/3.0/prod/base/x86_64/repodata/repomd.xml.key"
+```
+
+## Security Considerations
+
+### Repository Trust
+
+- Only add repositories from trusted sources
+- Always include GPG keys for repository authentication when available
+- Use `pkey: "[trusted=yes]"` only when GPG keys are unavailable and the repository is under your organization's direct control
+- Regularly review and update repository configurations
+- Be cautious with repositories that don't provide GPG keys
+
+### Network Security
+
+- Use HTTPS URLs when available
+- Consider using local repository mirrors for improved security and performance
+- Validate GPG key fingerprints when possible
+
+## Related Documentation
+
+- [Image Template Format](../architecture/image-template-format.md)
+- [Understanding the OS Image Build Process](../architecture/os-image-composer-build-process.md)
+- [Configuring Custom Commands During Image Build](configure-additional-actions-for-build.md)