RDKB-62985 RDKB-62986: Native build for Coverity #39
| Original file line number | Diff line number | Diff line change | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,28 @@ | ||||||||||||||
| name: Build Advanced Security Component in Native Environment | ||||||||||||||
|
|
||||||||||||||
| on: | ||||||||||||||
| push: | ||||||||||||||
| branches: [ main, 'sprint/**', 'release/**', develop ] | ||||||||||||||
| pull_request: | ||||||||||||||
| branches: [ main, 'sprint/**', 'release/**', topic/RDK*, develop ] | ||||||||||||||
|
|
||||||||||||||
| jobs: | ||||||||||||||
| build-advanced-security-on-pr: | ||||||||||||||
| name: Build advanced-security component in github rdkcentral | ||||||||||||||
| runs-on: ubuntu-latest | ||||||||||||||
| container: | ||||||||||||||
| image: ghcr.io/rdkcentral/docker-rdk-ci:latest | ||||||||||||||
|
|
||||||||||||||
| steps: | ||||||||||||||
| - name: Checkout code | ||||||||||||||
| uses: actions/checkout@v3 | ||||||||||||||
|
||||||||||||||
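Review bot: no `permissions:` block appears at the top level of this workflow (the visible part declares only `name:`, `on:` and `jobs:`), so the job's GITHUB_TOKEN receives the repository's default scope, which may be read-write; a checkout-and-build job needs only `permissions: contents: read`, so add that at the top level. A smaller point in the `pull_request` branch list: `topic/RDK*` is the one glob left unquoted while `'sprint/**'` and `'release/**'` are quoted; quote it the same way for consistency.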
| uses: actions/checkout@v3 | |
| uses: actions/checkout@v4 |
Copilot (AI), Feb 11, 2026
actions/checkout@v3 is outdated and misses fixes/features added in newer major versions. Bump to the current supported major version (and consider pinning to a commit SHA for supply-chain hardening).
| uses: actions/checkout@v3 | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 |
Copilot (AI), Jan 19, 2026
The workflow explicitly sets execute permissions on scripts that should already be executable in the repository. If the scripts aren't executable in the repository, they should be committed with the correct permissions. Alternatively, if this is intentional to ensure permissions, it would be clearer to do this for all scripts (common_external_build.sh is not made executable here but is mentioned in the README as the recommended entry point).
| chmod +x cov_docker_script/setup_dependencies.sh | |
| ./cov_docker_script/setup_dependencies.sh | |
| chmod +x cov_docker_script/build_native.sh | |
| ./cov_docker_script/setup_dependencies.sh |
Copilot (AI), Jan 19, 2026
The chmod commands are redundant since bash scripts can be executed directly by passing them to bash, or the executable bit can be set in the repository. Additionally, setup_dependencies.sh and build_native.sh already have shebangs and should have executable permissions set in git. Consider either removing the chmod commands or setting the executable bit when committing the scripts to the repository.
| chmod +x cov_docker_script/setup_dependencies.sh | |
| ./cov_docker_script/setup_dependencies.sh | |
| chmod +x cov_docker_script/build_native.sh | |
| ./cov_docker_script/build_native.sh | |
| bash cov_docker_script/setup_dependencies.sh | |
| bash cov_docker_script/build_native.sh |
Copilot (AI), Jan 19, 2026
The workflow runs the scripts individually rather than using common_external_build.sh which is documented in the README as the recommended entry point for complete builds. This inconsistency could lead to confusion and may result in different behavior between manual builds and CI builds.
| chmod +x cov_docker_script/setup_dependencies.sh | |
| ./cov_docker_script/setup_dependencies.sh | |
| chmod +x cov_docker_script/build_native.sh | |
| ./cov_docker_script/build_native.sh | |
| chmod +x common_external_build.sh | |
| ./common_external_build.sh |
Copilot (AI), Jan 19, 2026
The GITHUB_TOKEN environment variable is set but never used in the workflow. If this token is needed for accessing private repositories during the build, it should be passed to the git clone operations. Otherwise, this secret exposure is unnecessary and should be removed to follow the principle of least privilege.
| ./cov_docker_script/build_native.sh | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.RDKCM_RDKE }} | |
| ./cov_docker_script/build_native.sh |
Using the `latest` tag makes CI non-reproducible and can break builds when the image changes. Pin the container image to a specific version tag or immutable digest (e.g., `@sha256:...`) so Coverity/native builds are stable over time.
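The review thread above asks for the same three things a workflow linter would check: action refs pinned to a commit SHA, the container image pinned to a digest, and no secret exported that the workflow never uses. As an added example that is not part of this PR or of the rdkcentral project, here is a dependency-free Python checker that flags those conditions, plus a missing top-level `permissions:` block. Both workflow texts are constructed here: the weak one mirrors the hunk in this PR and the GITHUB_TOKEN env shown in the review comment, the hardened one reuses the pinned `actions/checkout` SHA from the suggestion above; the image digest in it is a placeholder, not a real digest.

```python
"""Static checks for the GitHub Actions pitfalls raised in the review thread.

Added example, not project code. Line-based on purpose so it needs no YAML
library; it is a pre-merge guard, not a full workflow parser.
"""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# "- uses: owner/repo@ref" or "uses: owner/repo/path@ref"
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)")
IMAGE_RE = re.compile(r"^\s*image:\s*(\S+)")
# env entries of the form NAME: ${{ secrets.SOMETHING }}
ENV_SECRET_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*):\s*\$\{\{\s*secrets\.\w+\s*\}\}")


def audit_workflow(text):
    """Return a list of human-readable findings for one workflow file."""
    findings = []
    lines = text.splitlines()

    # Without a top-level permissions block the job token gets the repo default.
    if not any(re.match(r"^permissions:", line) for line in lines):
        findings.append("no top-level permissions: block; GITHUB_TOKEN gets the "
                        "repository default scope (use 'contents: read' for a build job)")

    secret_envs = []
    for n, line in enumerate(lines, 1):
        m = USES_RE.match(line)
        if m:
            action, ref = m.groups()
            if not SHA_RE.match(ref):
                findings.append(f"line {n}: {action}@{ref} is a mutable ref; "
                                "pin to a full commit SHA")
        m = IMAGE_RE.match(line)
        if m:
            image = m.group(1)
            if "@sha256:" not in image:
                last = image.rsplit("/", 1)[-1]
                tag = last.split(":", 1)[1] if ":" in last else "(none, implicitly latest)"
                findings.append(f"line {n}: container image {image} uses tag {tag}; "
                                "pin to an immutable digest")
        m = ENV_SECRET_RE.match(line)
        if m:
            secret_envs.append((n, m.group(1)))

    # A secret exported under NAME but never mentioned elsewhere in the workflow
    # text is suspicious; the build scripts may still read it, so this only asks
    # the author to confirm the export is needed.
    for n, name in secret_envs:
        mentions = sum(1 for line in lines if name in line)  # includes the definition
        if mentions <= 1:
            findings.append(f"line {n}: secret exported as {name} is never referenced "
                            "in the workflow text; confirm the build actually needs it")
    return findings


# Constructed sample mirroring the PR's hunk and the reviewed env block.
SAMPLE_WORKFLOW = """\
name: Build Advanced Security Component in Native Environment
on:
  pull_request:
    branches: [ main, develop ]
jobs:
  build:
    runs-on: ubuntu-latest
    container:
      image: ghcr.io/rdkcentral/docker-rdk-ci:latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - name: Build
        run: ./cov_docker_script/build_native.sh
        env:
          GITHUB_TOKEN: ${{ secrets.RDKCM_RDKE }}
"""

# Constructed hardened variant; the image digest is a placeholder, the checkout
# SHA is the one proposed in the review suggestion.
HARDENED_WORKFLOW = """\
name: Build Advanced Security Component in Native Environment
on:
  pull_request:
    branches: [ main, develop ]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    container:
      image: ghcr.io/rdkcentral/docker-rdk-ci@sha256:0000000000000000000000000000000000000000000000000000000000000000  # placeholder digest
    steps:
      - name: Checkout code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Build
        run: ./cov_docker_script/build_native.sh
"""

if __name__ == "__main__":
    for label, wf in (("weak", SAMPLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"== {label} ==")
        for finding in audit_workflow(wf) or ["no findings"]:
            print("  " + finding)
```

Run it against `.github/workflows/*.yml` in a pre-commit hook or a CI lint job; the weak sample produces four findings (permissions, `actions/checkout@v3`, the `latest` image tag, and the unreferenced GITHUB_TOKEN export) and the hardened sample none. The secret check is deliberately advisory, since a token consumed only inside `build_native.sh` would look unused to a text scan.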