[security] Too permissive permissions set in RteFsUtils functions #10… #612
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: packchk | |
| on: | |
| workflow_call: | |
| push: | |
| branches: | |
| - main | |
| paths: | |
| - '.github/workflows/packchk.yml' | |
| - '.github/workflows/unit_test_results.yml' | |
| - '.github/matrix_includes_packchk.json' | |
| - 'CMakeLists.txt' | |
| - 'tools/packchk/**' | |
| - 'libs/xml**' | |
| - 'libs/rte**' | |
| - 'external/cxxopts' | |
| - 'external/cxxopts.patch' | |
| - 'external/xerces-c' | |
| - 'external/xerces-c.patch' | |
| - '!**/docs/**/*' | |
| - '!**/*.md' | |
| pull_request: | |
| paths: | |
| - '.github/workflows/packchk.yml' | |
| - '.github/workflows/unit_test_results.yml' | |
| - '.github/matrix_includes_packchk.json' | |
| - 'CMakeLists.txt' | |
| - 'tools/packchk/**' | |
| - 'libs/xml**' | |
| - 'libs/rte**' | |
| - 'external/cxxopts' | |
| - 'external/cxxopts.patch' | |
| - 'external/xerces-c' | |
| - 'external/xerces-c.patch' | |
| - '!**/docs/**/*' | |
| - '!**/*.md' | |
| release: | |
| types: [published] | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| setup: | |
| uses: Open-CMSIS-Pack/devtools/.github/workflows/shared_setup_env.yml@main | |
| with: | |
| run_if: ${{ fromJSON((github.event_name == 'pull_request') || (github.event_name == 'release' && startsWith(github.ref, 'refs/tags/tools/packchk/')) || ((github.event.schedule != '') && (!github.event.repository.private))) }} | |
| matrix_prep: | |
| needs: setup | |
| uses: Open-CMSIS-Pack/devtools/.github/workflows/shared_matrix_prep.yml@main | |
| with: | |
| workflow_name: packchk | |
| build: | |
| needs: [ setup, matrix_prep ] | |
| runs-on: ${{ matrix.runs_on }} | |
| timeout-minutes: 15 | |
| strategy: | |
| fail-fast: true | |
| matrix: ${{ fromJson(needs.matrix_prep.outputs.matrix) }} | |
| steps: | |
| - name: Checkout devtools | |
| uses: actions/checkout@v3 | |
| with: | |
| submodules: recursive | |
| # https://github.com/Open-CMSIS-Pack/devtools-build-action | |
| - name: Build packchk | |
| uses: Open-CMSIS-Pack/devtools-build-action@arm64 | |
| with: | |
| target: packchkdist | |
| arch: ${{ matrix.arch }} | |
| - name: Archive packchk binary | |
| if: ${{ github.event_name != 'release' }} | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: packchk-${{ matrix.target }}-${{ matrix.arch }} | |
| path: build/tools/packchk/packchk-*-${{ matrix.target }}-${{ matrix.arch }}.* | |
| retention-days: ${{ needs.setup.outputs.retention_days }} | |
| if-no-files-found: error | |
| - name: Attach zipped binary to the release | |
| if: ${{ github.event_name == 'release' }} | |
| uses: svenstaro/upload-release-action@v2 | |
| with: | |
| repo_token: ${{ secrets.GITHUB_TOKEN }} | |
| tag: ${{ github.ref }} | |
| overwrite: true | |
| file_glob: true | |
| file: build/tools/packchk/packchk-*-${{ matrix.target }}-${{ matrix.arch }}.* | |
| test: | |
| needs: [ setup, matrix_prep ] | |
| runs-on: ${{ matrix.runs_on }} | |
| timeout-minutes: 15 | |
| strategy: | |
| fail-fast: false | |
| matrix: ${{ fromJson(needs.matrix_prep.outputs.matrix) }} | |
| steps: | |
| - name: Checkout devtools | |
| uses: actions/checkout@v3 | |
| with: | |
| submodules: recursive | |
| # https://github.com/Open-CMSIS-Pack/devtools-build-action | |
| - name: Build PackChkUnitTests | |
| uses: Open-CMSIS-Pack/devtools-build-action@arm64 | |
| with: | |
| arch: ${{ matrix.arch }} | |
| build_type: Debug | |
| target: PackChkUnitTests | |
| - name: Run packchk unit tests | |
| if: matrix.arch != 'arm64' | |
| run: | | |
| ctest -V -R PackChkUnitTests | |
| working-directory: ./build | |
| # https://github.com/Open-CMSIS-Pack/devtools-build-action | |
| - name: Build PackChkIntegTests | |
| uses: Open-CMSIS-Pack/devtools-build-action@arm64 | |
| with: | |
| arch: ${{ matrix.arch }} | |
| build_type: Debug | |
| target: PackChkIntegTests | |
| - name: Run packchk integ tests | |
| if: matrix.arch != 'arm64' | |
| run: | | |
| ctest -V -R PackChkIntegTests | |
| working-directory: ./build | |
| - name: Archive unit test results | |
| if: always() && (matrix.arch != 'arm64') | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: unit_test_result-${{ matrix.target }}-${{ matrix.arch }} | |
| path: ./build/test_reports/packchkunittests-*.xml | |
| if-no-files-found: error | |
| retention-days: ${{ needs.setup.outputs.retention_days }} | |
| - name: Archive integration test results | |
| if: always() && (matrix.arch != 'arm64') | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: integ_test_result-${{ matrix.target }}-${{ matrix.arch }} | |
| path: ./build/test_reports/packchkintegtests-*.xml | |
| if-no-files-found: error | |
| retention-days: ${{ needs.setup.outputs.retention_days }} | |
| coverage: | |
| if: | | |
| (github.event_name == 'pull_request') || | |
| (github.event_name == 'push') || | |
| (github.event_name == 'release' && startsWith(github.ref, 'refs/tags/tools/packchk/')) || | |
| ((github.event.schedule != '') && (!github.event.repository.private)) | |
| env: | |
| lcov_base: https://github.com/linux-test-project/lcov/releases/download/v1.15/ | |
| lcov_installer: lcov-1.15.tar.gz | |
| runs-on: ubuntu-22.04 | |
| timeout-minutes: 15 | |
| steps: | |
| - name: Install dependencies | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install \ | |
| lcov | |
| - name: Checkout devtools | |
| uses: actions/checkout@v3 | |
| with: | |
| submodules: recursive | |
| # https://github.com/Open-CMSIS-Pack/devtools-build-action | |
| - name: Build PackChkUnitTests | |
| uses: Open-CMSIS-Pack/devtools-build-action@arm64 | |
| with: | |
| add_cmake_variables: -DCOVERAGE=ON | |
| arch: amd64 | |
| build_type: Debug | |
| target: PackChkUnitTests | |
| # https://github.com/Open-CMSIS-Pack/devtools-build-action | |
| - name: Build PackChkIntegTests | |
| uses: Open-CMSIS-Pack/devtools-build-action@arm64 | |
| with: | |
| add_cmake_variables: -DCOVERAGE=ON | |
| arch: amd64 | |
| build_type: Debug | |
| target: PackChkIntegTests | |
| - name: Run packchk tests | |
| run: | | |
| ctest -V -C Debug -R PackChkUnitTests | |
| ctest -V -C Debug -R PackChkIntegTests | |
| working-directory: ./build | |
| - name: Get retention days | |
| id: var | |
| run: | | |
| echo "retention_days=$(echo '${{ (!github.event.repository.private && (github.event_name == 'push' || github.event.schedule != '')) && '7' || '1' }}')" >> $GITHUB_OUTPUT | |
| - name: Archive unit test results | |
| if: (github.event_name == 'push') | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: unit_test_result-linux-amd64 | |
| path: ./build/test_reports/packchkunittests-*.xml | |
| if-no-files-found: error | |
| retention-days: ${{ steps.var.outputs.retention_days }} | |
| - name: Archive integration test results | |
| if: (github.event_name == 'push') | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: integ_test_result-linux-amd64 | |
| path: ./build/test_reports/packchkintegtests-*.xml | |
| if-no-files-found: error | |
| retention-days: ${{ steps.var.outputs.retention_days }} | |
| # Needs to be removed once the bug is resolved | |
| # lcov reporting 1.14 on 1.15 version | |
| # https://groups.google.com/g/linux.debian.bugs.dist/c/a9SZGCENJ2s?pli=1 | |
| - name: Setup lcov1.15 | |
| run: | | |
| wget -q ${{ env.lcov_base }}/${{ env.lcov_installer }} | |
| tar -xvf ${{ env.lcov_installer }} | |
| working-directory: ./build/tools/packchk | |
| - name: Generate coverage report | |
| run: | | |
| lcov-1.15/bin/lcov --rc lcov_branch_coverage=1 --rc geninfo_no_exception_branch=1 -c --directory . --output-file full_coverage.info | |
| lcov-1.15/bin/lcov --rc lcov_branch_coverage=1 --rc geninfo_no_exception_branch=1 -e full_coverage.info '*/tools/packchk/include/*' '*/tools/packchk/src/*' -o coverage_packchk.info | |
| genhtml coverage_packchk.info --output-directory coverage_packchk --branch-coverage | |
| working-directory: ./build/tools/packchk | |
| - name: Upload Report to Codecov | |
| if: ${{ !github.event.repository.private }} | |
| uses: Wandalen/[email protected] | |
| with: | |
| action: codecov/codecov-action@v3 | |
| with: | | |
| files: ./build/tools/packchk/coverage_packchk.info | |
| fail_ci_if_error: true | |
| flags: packchk-cov | |
| functionalities: fix | |
| attempt_limit: 3 | |
| attempt_delay: 5000 | |
| - name: Archive coverage report | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: coverage-report | |
| path: | | |
| ./build/tools/packchk/coverage_packchk/ | |
| ./build/tools/packchk/coverage_packchk.info | |
| retention-days: ${{ steps.var.outputs.retention_days }} | |
| if-no-files-found: error | |
| release: | |
| if: | | |
| github.event_name == 'release' && | |
| startsWith(github.ref, 'refs/tags/tools/packchk/') | |
| needs: [ build, test, coverage ] | |
| runs-on: ubuntu-22.04 | |
| timeout-minutes: 15 | |
| steps: | |
| - name: Checkout devtools | |
| uses: actions/checkout@v3 | |
| - name: Create distribution folders | |
| run: | | |
| mkdir -p tools/packchk/distribution/ | |
| - name: Download coverage report | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: coverage-report | |
| path: tools/packchk/distribution/coverage/ | |
| - name: Zip distribution folder | |
| run: zip -r code-coverage.zip * | |
| working-directory: tools/packchk/distribution | |
| - name: Attach zip archive to release assets | |
| uses: svenstaro/upload-release-action@v2 | |
| with: | |
| repo_token: ${{ secrets.GITHUB_TOKEN }} | |
| file: tools/packchk/distribution/code-coverage.zip | |
| tag: ${{ github.ref }} | |
| overwrite: true | |
| asset_name: code-coverage.zip | |
| test-results-preparation: | |
| name: "Publish Tests Results" | |
| needs: [ test ] | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: Event File | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: Event File | |
| path: ${{ github.event_path }} |