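# Eclair static-analysis (SCA) scan of the Zephyr tree.
#
# Builds samples/synchronization for qemu_x86 with ZEPHYR_SCA_VARIANT=eclair,
# merges every generated reports.sarif into one results.sarif, rewrites the
# artifact URIs to absolute file:// paths, and uploads the result to GitHub
# code scanning (and, on push events, as a build artifact).
name: Eclair Code Scanning

# yamllint disable-line rule:truthy
on:
  pull_request:
    branches:
      - main
  push:
    branches:
      - main
      - v*-branch
      - collab-*

# Workflow-level token scope is read-only; the job widens it only for the
# scopes it needs.
permissions:
  contents: read

# One in-flight run per workflow/event/ref; a newer run for the same ref
# cancels the older one.
concurrency:
  group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.head_ref || github.ref }}
  cancel-in-progress: true

jobs:
  EclairScanCode:
    # Upstream repository only (the secrets and runner group referenced
    # below are presumably not available elsewhere).
    if: github.repository_owner == 'zephyrproject-rtos'
    runs-on:
      group: zephyr-runner-v2-linux-x64-4xlarge
    container:
      image: ghcr.io/zephyrproject-rtos/ci-repo-cache:v0.29.2.20260422
      options: '--entrypoint /bin/bash'
    permissions:
      # NOTE(review): no step in this workflow visibly posts PR comments;
      # confirm pull-requests: write is still needed, otherwise drop it.
      pull-requests: write # to create/update pull request comments
      security-events: write # needed by the upload-sarif step
    steps:
      - name: Print cloud service information
        run: |
          echo "ZEPHYR_RUNNER_CLOUD_PROVIDER = ${ZEPHYR_RUNNER_CLOUD_PROVIDER}"
          echo "ZEPHYR_RUNNER_CLOUD_NODE = ${ZEPHYR_RUNNER_CLOUD_NODE}"
          echo "ZEPHYR_RUNNER_CLOUD_POD = ${ZEPHYR_RUNNER_CLOUD_POD}"

      - name: Apply container owner mismatch workaround
        run: |
          # FIXME: The owner UID of the GITHUB_WORKSPACE directory may not
          # match the container user UID because of the way GitHub
          # Actions runner is implemented. Remove this workaround when
          # GitHub comes up with a fundamental fix for this problem.
          git config --global --add safe.directory ${GITHUB_WORKSPACE}

      # Best-effort: seed the workspace from the image's repo cache so the
      # checkout below only has to fetch the delta. Failure is tolerated.
      - name: Clone cached Zephyr repository
        continue-on-error: true
        run: |
          git clone --shared /repo-cache/zephyrproject/zephyr .
          git remote set-url origin ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}

      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Empty on push events, in which case the action falls back to
          # the event's ref.
          ref: ${{ github.event.pull_request.head.sha }}
          # Full history: `git describe` below needs the tags.
          fetch-depth: 0
          # Do not leave the token in .git/config for later steps.
          persist-credentials: false

      - name: Environment Setup
        env:
          # Target branch of the PR, consumed by the rebase below. Without
          # this mapping ${BASE_REF} is undefined in the shell and the
          # rebase runs against "origin/".
          BASE_REF: ${{ github.base_ref }}
        run: |
          if [ "${{github.event_name}}" = "pull_request" ]; then
            git config --global user.email "bot@zephyrproject.org"
            git config --global user.name "Zephyr Builder"
            rm -fr ".git/rebase-apply"
            rm -fr ".git/rebase-merge"
            git rebase origin/${BASE_REF}
            git clean -f -d
            git log --pretty=oneline | head -n 10
          fi
          echo "$HOME/.local/bin" >> $GITHUB_PATH
          echo "$HOME/.cargo/bin" >> $GITHUB_PATH
          west init -l . || true
          west config manifest.group-filter -- +ci,+optional
          west config --global update.narrow true
          west update --path-cache /repo-cache/zephyrproject 2>&1 1> west.update.log || west update --path-cache /repo-cache/zephyrproject 2>&1 1> west.update.log || ( rm -rf ../modules ../bootloader ../tools && west update --path-cache /repo-cache/zephyrproject)
          west forall -c 'git reset --hard HEAD'
          echo "ZEPHYR_SDK_INSTALL_DIR=/opt/toolchains/zephyr-sdk-$( cat SDK_VERSION )" >> $GITHUB_ENV

      - name: Check Environment
        run: |
          cmake --version
          gcc --version
          cargo --version
          rustup target list --installed
          ls -la
          echo "github.ref: ${{ github.ref }}"
          echo "github.base_ref: ${{ github.base_ref }}"
          echo "github.ref_name: ${{ github.ref_name }}"

      # In-org action tracked at a mutable branch rather than a commit SHA.
      - name: SCA Setup
        uses: zephyrproject-rtos/action-sca-setup@main
        with:
          tool-name: eclair
          install-dir: eclair
          s3-access-key-id: ${{ secrets.TOOLDIST_ACCESS_KEY }}
          s3-secret-access-key: ${{ secrets.TOOLDIST_SECRET_ACCESS_KEY }}
          license-server: ${{ secrets.TOOLDIST_ECLAIR_LICENSE_SERVER }}
          license-key-ttl: 480

      - name: Set Up Python 3.12
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          # Quoted so the version is never reparsed as a float.
          python-version: "3.12"
          cache: pip
          cache-dependency-path: scripts/requirements-actions.txt

      - name: install-packages
        run: |
          pip install -r scripts/requirements-actions.txt --require-hashes
          sudo apt-get update
          sudo apt-get install -y jq

      # NOTE(review): the build now goes through `west build` (default
      # output dir "build") rather than the commented-out twister command,
      # but the SARIF merge still searches "twister-out"; confirm that is
      # still where reports.sarif lands.
      - name: Scan code with Eclair
        run: |
          #./scripts/twister -j 16 -p qemu_x86 -T samples/synchronization -i --build-only -v -xZEPHYR_SCA_VARIANT=eclair -x=USE_CCACHE=0 -xECLAIR_REPORTS_SARIF=1
          export ZEPHYR_BASE=${PWD}
          west -v build -p -b qemu_x86 samples/synchronization -- -DZEPHYR_SCA_VARIANT=eclair -DUSE_CCACHE=0 -DECLAIR_REPORTS_SARIF=1
          jq -s '{ "$schema": "https://json.schemastore.org/sarif-2.1.0", "version": "2.1.0", "runs": map(.runs) | add }' $(find twister-out -name "reports.sarif") > results.sarif
          jq --arg basepath "file://${GITHUB_WORKSPACE}/" '
            .runs[].results[] |= (
              # Remove partialFingerprints if it exists
              del(.partialFingerprints)
              |
              .locations[]? |= (
                .physicalLocation.artifactLocation.uri
                |= if type == "string" then ($basepath + .) else . end
              )
              | .relatedLocations[]? |= (
                .physicalLocation.artifactLocation.uri
                |= if type == "string" then ($basepath + .) else . end
              )
            )
          ' results.sarif > results_tmp.sarif
          mv results_tmp.sarif results.sarif
          ver=`git describe`
          echo "PAYLOAD_VERSION=${ver}" >> $GITHUB_ENV
          echo "PAYLOAD_DESC=${ver}" >> $GITHUB_ENV

      # Release the Eclair license checkout even when the scan failed.
      - name: Clean up
        if: always()
        run: |
          eclair_licman -c 57350

      - name: Upload SARIF as artifact
        if: always() && github.event_name == 'push'
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: sarif
          if-no-files-found: ignore
          path: |
            results.sarif
            build

      - name: Upload Analysis Results
        if: always()
        # NOTE(review): the only third-party action here referenced by a
        # mutable tag rather than a commit SHA; pin it like the others.
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: results.sarif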