RDKB-62988 [GitHub Coverity] Enable Coverity Scan for cable-modem-agent using Native Build Integration #24
Changes from 8 commits
| @@ -0,0 +1,27 @@ | |||||||||||||||||||||||||||||||||||||||||||||||||||||||
| name: Build Cable Modem Agent Component in Native Environment | |||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||
| on: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||
| push: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||
| branches: [ main, 'sprint/**', 'release/**', develop ] | |||||||||||||||||||||||||||||||||||||||||||||||||||||||
| pull_request: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||
| branches: [ main, 'sprint/**', 'release/**', topic/RDK*, develop ] | |||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||
| jobs: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||
| build-cable-modem-agent-on-pr: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||
| name: Build Cable Modem Agent component in github rdkcentral | |||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||
| name: Build Cable Modem Agent component in github rdkcentral | |
| name: Build Cable Modem Agent component in github rdkcentral | |
| if: ${{ github.event_name != 'pull_request' || ! github.event.pull_request.head.repo.fork }} |
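Review bot: the job-level if: guard (github.event_name != 'pull_request' || ! github.event.pull_request.head.repo.fork) is the control that keeps pull requests from forks away from the later steps that export secrets.RDKCM_RDKE; keep it, and add a one-line comment above it stating that purpose so a future edit does not drop it. In the same hunk, the pull_request branch list mixes quoted and unquoted globs ('sprint/**', 'release/**' beside topic/RDK*); quote topic/RDK* as well for consistency.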
Copilot
AI
Jan 29, 2026
Using actions/checkout@v3 which may be outdated. Consider using actions/checkout@v4 for improved performance and features, unless there's a specific reason to use v3.
| uses: actions/checkout@v3 | |
| uses: actions/checkout@v4 |
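Review bot: moving from actions/checkout@v3 to @v4 is fine, but a major-version tag is mutable and can be moved to new code after review; the stronger supply-chain control is to pin the action to the full commit SHA of the release and keep the version in a trailing comment for readability.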
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 14 days ago
In general, to fix this issue you should explicitly declare a permissions block either at the workflow root (applies to all jobs) or under the specific job, granting only the scopes actually needed (often just contents: read as a minimum). This constrains the automatic GITHUB_TOKEN created by GitHub Actions, even if your steps never reference it directly, and documents the minimal required permissions.
For this workflow, the simplest change that does not affect existing behavior is to add a minimal permissions block at the job level for build-cable-modem-agent-on-pr. The steps only check out the repository and run local scripts; there is no evidence they need write access to the repo or other resources via GITHUB_TOKEN. Therefore, adding:
    permissions:
      contents: read
under the job definition (aligned with runs-on:) is sufficient and safest. No additional imports, methods, or definitions are required, since this is purely a YAML configuration change in .github/workflows/native-build.yml.
| @@ -10,6 +10,8 @@ | ||
| build-cable-modem-agent-on-pr: | ||
| name: Build Cable Modem Agent component in github rdkcentral | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| container: | ||
| image: ghcr.io/rdkcentral/docker-rdk-ci:latest | ||
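Review bot: the job-level permissions block with contents: read is the right minimal scope for a job that only checks out and builds. The same hunk shows image: ghcr.io/rdkcentral/docker-rdk-ci:latest; a floating latest tag lets the build environment change without any change in this repository, so pin the image by digest (image: ...@sha256:...) and bump it deliberately.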
Copilot
AI
Jan 29, 2026
The environment variable GITHUB_TOKEN is set to a secret named RDKCM_RDKE, but GITHUB_TOKEN is a reserved name used by GitHub Actions. If this is meant to be a custom token for accessing private repositories, it should use a different name (e.g., CUSTOM_GITHUB_TOKEN or ACCESS_TOKEN) to avoid confusion with the automatic GITHUB_TOKEN provided by Actions.
| chmod +x cov_docker_script/run_setup_dependencies.sh | |
| ./cov_docker_script/run_setup_dependencies.sh | |
| chmod +x cov_docker_script/run_native_build.sh | |
| ./cov_docker_script/run_native_build.sh | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.RDKCM_RDKE }} | |
| export GITHUB_TOKEN="$CUSTOM_GITHUB_TOKEN" | |
| chmod +x cov_docker_script/run_setup_dependencies.sh | |
| ./cov_docker_script/run_setup_dependencies.sh | |
| chmod +x cov_docker_script/run_native_build.sh | |
| ./cov_docker_script/run_native_build.sh | |
| env: | |
| CUSTOM_GITHUB_TOKEN: ${{ secrets.RDKCM_RDKE }} |
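Review bot: the suggestion renames the env key to CUSTOM_GITHUB_TOKEN but then runs export GITHUB_TOKEN="$CUSTOM_GITHUB_TOKEN", so the cov_docker_script scripts still receive the reserved name; if the scripts require that name, say so in a comment next to the export, otherwise pass the new name through and update the scripts instead. Also confirm the scripts never print the token: Actions masks a secret in logs only when it appears verbatim.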
The workflow does not declare permissions, unlike the fossid workflow which explicitly declares "contents: read" and "pull-requests: read" permissions. Following security best practices and the pattern established in other workflows in this repository, add explicit permissions to follow the principle of least privilege.
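As an added defender-side check (not part of this PR or the repository), a small line-based linter for the three points raised in the comments above: the missing permissions block (the CodeQL finding), the tag-pinned actions/checkout reference, and a container image pulled by a mutable tag. The sample workflows, the digest and the commit SHA below are constructed placeholders.

```python
import re

# Constructed sample in the shape of the PR's native-build.yml before the
# review fixes (not the repository's actual file).
WORKFLOW_BEFORE = """\
name: Build Cable Modem Agent Component in Native Environment
on:
  push:
    branches: [ main, develop ]
jobs:
  build-cable-modem-agent-on-pr:
    runs-on: ubuntu-latest
    container:
      image: ghcr.io/rdkcentral/docker-rdk-ci:latest
    steps:
      - uses: actions/checkout@v3
"""

# Same workflow with the review points applied; the digest and commit SHA
# are zero-filled placeholders, not real values.
WORKFLOW_AFTER = """\
name: Build Cable Modem Agent Component in Native Environment
on:
  push:
    branches: [ main, develop ]
jobs:
  build-cable-modem-agent-on-pr:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    container:
      image: ghcr.io/rdkcentral/docker-rdk-ci@sha256:0000000000000000000000000000000000000000000000000000000000000000
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000
"""

def lint_workflow(text):
    """Return findings for a GitHub Actions workflow (line-based, no YAML parser)."""
    findings = []
    lines = text.splitlines()
    # 1. GITHUB_TOKEN scope: some permissions block must exist (root or job level).
    if not any(re.match(r"^\s*permissions:", ln) for ln in lines):
        findings.append("no-permissions-block")
    for n, ln in enumerate(lines, 1):
        # 2. Actions should be pinned to a full 40-hex commit SHA, not a tag.
        m = re.search(r"uses:\s*([^\s@]+)@(\S+)", ln)
        if m and not re.fullmatch(r"[0-9a-f]{40}", m.group(2)):
            findings.append(f"unpinned-action:{n}:{m.group(1)}@{m.group(2)}")
        # 3. Container images should be pinned by digest, not a mutable tag.
        m = re.search(r"image:\s*(\S+)", ln)
        if m and "@sha256:" not in m.group(1):
            findings.append(f"unpinned-image:{n}:{m.group(1)}")
    return findings
```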