issue_58 added sonarcloud workflow #59
| name: Build and analyze | ||
| runs-on: ubuntu-latest | ||
| env: | ||
| BUILD_WRAPPER_OUT_DIR: build_wrapper_output_directory | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 | ||
| - name: Trigger | ||
| run: echo "Triggered by ${{ github.event_name }} event" | ||
| - name: Install Dependencies | ||
| run: | | ||
| sudo apt-get update && \ | ||
| sudo apt-get install --no-install-recommends -y \ | ||
| clang \ | ||
| clang-tidy \ | ||
| cppcheck \ | ||
| git \ | ||
| build-essential \ | ||
| curl \ | ||
| jq \ | ||
| python3-dev \ | ||
| python3-pip \ | ||
| ninja-build \ | ||
| make \ | ||
| wget \ | ||
| zip \ | ||
| unzip \ | ||
| libgl1 \ | ||
| libglib2.0-0 \ | ||
| libpcre2-dev | ||
| - name: CMake 3.25.4 | ||
| run: | | ||
| wget https://github.com/Kitware/CMake/releases/download/v3.25.3/cmake-3.25.3-linux-${{ env.ARCH }}.sh \ | ||
| -q -O /tmp/cmake-install.sh \ | ||
| && chmod u+x /tmp/cmake-install.sh \ | ||
| && mkdir /opt/cmake-3.25.3 \ | ||
| && /tmp/cmake-install.sh --skip-license --prefix=/opt/cmake-3.25.3 \ | ||
| && rm /tmp/cmake-install.sh \ | ||
| && ln -sf /opt/cmake-3.25.3/bin/* /usr/local/bin | ||
| - name: Install GNU Arm Embedded Toolchain | ||
| run: | | ||
| cd /tmp/ \ | ||
| && wget ${{ env.ARM_GCC_URL }} \ | ||
| && tar -xf arm-gnu-toolchain-12.2.rel1-${{ env.ARCH }}-arm-none-eabi.tar.xz \ | ||
| && mv arm-gnu-toolchain-12.2.rel1-${{ env.ARCH }}-arm-none-eabi /opt/gcc-arm-none-eabi \ | ||
| && rm arm-gnu-toolchain-12.2.rel1-${{ env.ARCH }}-arm-none-eabi.tar.xz -f | ||
| - name: Simplicity Commander | ||
| run: | | ||
| wget https://www.silabs.com/documents/login/software/SimplicityCommander-Linux.zip \ | ||
| && unzip SimplicityCommander-Linux.zip \ | ||
| && tar -xf SimplicityCommander-Linux/Commander-cli_linux_${{ env.ARCH }}_*.tar.bz \ | ||
| && mv commander-cli /opt/commander-cli \ | ||
| && rm -rf SimplicityCommander-Linux.zip SimplicityCommander-Linux | ||
| - name: Install Build Wrapper | ||
| uses: SonarSource/sonarqube-scan-action/install-build-wrapper@v5 | ||
| - name: Run Build Wrapper | ||
| run: | | ||
| cd ${{ github.workspace }} && \ | ||
| build-wrapper-linux-x86-64 --out-dir ${{ env.BUILD_WRAPPER_OUT_DIR }} make all | ||
| - name: SonarQube Scan | ||
| uses: SonarSource/sonarqube-scan-action@v5 | ||
| env: | ||
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | ||
| with: | ||
| args: > | ||
| --define sonar.projectKey=${{ env.REPO_OWNER }}_${{ env.REPO_NAME }} | ||
| --define sonar.projectName=${{ env.REPO_NAME }} | ||
| --define sonar.organization=${{ env.SONAR_ORG }} | ||
| --define sonar.cfamily.compile-commands="${{ env.BUILD_WRAPPER_OUT_DIR }}/compile_commands.json" |
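Review bot: Nothing in this hunk declares a `permissions:` block, so the GITHUB_TOKEN handed to the job carries the repository's default scopes; `contents: read` is all the checkout, build and scan steps need, because the scan authenticates with SONAR_TOKEN rather than GITHUB_TOKEN. Two further points in the same hunk: the installers for CMake, the Arm toolchain and Simplicity Commander are downloaded and executed with no checksum check (`wget ... -O /tmp/cmake-install.sh && chmod u+x ... && /tmp/cmake-install.sh`), so a pinned SHA-256 compared with `sha256sum -c` before execution would make the toolchain reproducible; and the step named `CMake 3.25.4` fetches `cmake-3.25.3`, so one of the two should be corrected. The actions referenced by floating major tags (`actions/checkout@v4`, `sonarqube-scan-action@v5`, `install-build-wrapper@v5`) would be better pinned to commit SHAs.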
Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 19 days ago):
In general, the fix is to add an explicit permissions block to the workflow (or to the individual job) to restrict the default GITHUB_TOKEN to the least privilege necessary. For a typical analysis workflow that only needs to read the repository contents, contents: read at the workflow level is a safe baseline.
For this specific file .github/workflows/05-sonarcloud.yml, we can keep current behavior and satisfy the CodeQL rule by adding a top-level permissions: block with contents: read. None of the steps require write access to the repository or other scopes: they install tools, build the project, and run the SonarQube scan using a secret SONAR_TOKEN. So the single best minimal change is to insert:

    permissions:
      contents: read

right after the on: block and before the top-level env: block. No other code changes, imports, or definitions are required.
| @@ -8,6 +8,9 @@ | ||
| - master | ||
| workflow_dispatch: | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| env: | ||
| ARCH: x86_64 | ||
| REPO_OWNER: ${{ github.repository_owner }} |
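Review bot: Placing `permissions: contents: read` at the workflow level, as this suggestion does, is the right minimal grant for this file: every step installs tools, builds, or talks to SonarCloud with SONAR_TOKEN, and none uses GITHUB_TOKEN for more than reading the checkout. One thing to keep in mind when applying it: a workflow-level block becomes the default for every job, so a job added later that needs a wider scope (for example `pull-requests: write`) should declare that at job level rather than widening this block.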
fixed it.
54004dc to 5899ec4
| runs-on: ubuntu-22.04 | ||
| steps: | ||
| - name: Trigger | ||
| run: echo "Triggered by ${{ github.event_name }} event" | ||
| - name: Checkout | ||
| uses: actions/checkout@v4.2.2 | ||
| - name: Install Dependencies | ||
| run: | | ||
| sudo apt-get update && \ | ||
| sudo apt-get install --no-install-recommends -y \ | ||
| clang \ | ||
| clang-tidy \ | ||
| cppcheck \ | ||
| git \ | ||
| build-essential \ | ||
| curl \ | ||
| jq \ | ||
| python3-dev \ | ||
| python3-pip \ | ||
| ninja-build \ | ||
| make \ | ||
| wget \ | ||
| zip \ | ||
| unzip \ | ||
| libgl1 \ | ||
| libglib2.0-0 \ | ||
| libpcre2-dev | ||
| - name: CMake 3.25.4 | ||
| run: | | ||
| wget https://github.com/Kitware/CMake/releases/download/v3.25.3/cmake-3.25.3-linux-${{ env.ARCH }}.sh \ | ||
| -q -O /tmp/cmake-install.sh \ | ||
| && chmod u+x /tmp/cmake-install.sh \ | ||
| && mkdir /opt/cmake-3.25.3 \ | ||
| && /tmp/cmake-install.sh --skip-license --prefix=/opt/cmake-3.25.3 \ | ||
| && rm /tmp/cmake-install.sh \ | ||
| && ln -sf /opt/cmake-3.25.3/bin/* /usr/local/bin | ||
| - name: Install GNU Arm Embedded Toolchain | ||
| run: | | ||
| cd /tmp/ \ | ||
| && wget ${{ env.ARM_GCC_URL }} \ | ||
| && tar -xf arm-gnu-toolchain-12.2.rel1-${{ env.ARCH }}-arm-none-eabi.tar.xz \ | ||
| && mv arm-gnu-toolchain-12.2.rel1-${{ env.ARCH }}-arm-none-eabi /opt/gcc-arm-none-eabi \ | ||
| && rm arm-gnu-toolchain-12.2.rel-${{ env.ARCH }}-arm-none-eabi -rf | ||
| - name: Simplicity Commander | ||
| run: | | ||
| wget https://www.silabs.com/documents/login/software/SimplicityCommander-Linux.zip \ | ||
| && unzip SimplicityCommander-Linux.zip \ | ||
| && tar -xf SimplicityCommander-Linux/Commander-cli_linux_${{ env.ARCH }}_*.tar.bz \ | ||
| && mv commander-cli /opt/commander-cli \ | ||
| && rm -rf SimplicityCommander-Linux.zip SimplicityCommander-Linux | ||
| - name: Build the project | ||
| run: | | ||
| cd ${{ github.workspace}} \ | ||
| && make all | ||
| - name: Upload Build Artifacts | ||
| uses: actions/upload-artifact@v4.4.3 | ||
| with: | ||
| name: build-artifacts-${{ github.run_number }} | ||
| path: | | ||
| locator_ncp/build/locator_ncp.s37 | ||
| locator_host/build/locator_host.s37 | ||
| retention-days: 1 |
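Review bot: The cleanup line in the Arm toolchain step, `rm arm-gnu-toolchain-12.2.rel-${{ env.ARCH }}-arm-none-eabi -rf`, names a path that never exists: the extracted directory is `...12.2.rel1-...` and has already been moved to /opt/gcc-arm-none-eabi, and the archive still on disk is `...12.2.rel1-....tar.xz`. `-f` hides the error, so the tarball is simply left behind; the same step in the SonarCloud workflow removes the `.tar.xz`, and this one should match it or drop the line. As in that workflow, the step named `CMake 3.25.4` installs 3.25.3, and the three downloaded installers are executed without checksum verification. Minor: `${{ github.workspace}}` is missing the closing space; the expression still parses, but it is worth normalizing.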
Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 19 days ago):
To fix the problem, explicitly declare restricted GITHUB_TOKEN permissions in the workflow. The minimal safe default for a build-and-artifact-upload job that only checks out code is contents: read. This can be set either at the workflow root (affecting all jobs) or at the job level. Since there is only one job (FW_build), either is acceptable; using a top-level permissions: block is simple and clear.
Concretely, in .github/workflows/02-Build-Firmware.yml, add a permissions: section near the top of the file (e.g., after on: or before env:) specifying contents: read. No steps rely on write access to issues, PRs, or contents, and artifact upload does not need repository write scopes, so we do not grant any additional permissions. No imports or extra methods are required; it is purely a YAML configuration change.
| @@ -4,6 +4,8 @@ | ||
| branches: | ||
| - master | ||
| workflow_dispatch: | ||
| permissions: | ||
| contents: read | ||
| env: | ||
| ARCH: x86_64 | ||
| POST_BUILD_EXE: "/opt/commander-cli/commander-cli" |
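Review bot: `contents: read` is sufficient here as well: `actions/upload-artifact` stores artifacts through the Actions service and needs no repository scope, and the only other repository access is the checkout. The rendering above drops leading whitespace, so when applying the suggestion confirm that `permissions:` sits at column 0 alongside `on:` and `env:` and that `contents: read` is indented under it; an indented `permissions:` would be parsed as part of the preceding `on:` mapping and the CodeQL finding would remain.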
fixed it.
also fixed permission comments and the conditional check for CLA assist
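Both CodeQL findings above are the same rule: a workflow without a `permissions:` declaration runs with the GITHUB_TOKEN's default scopes. The following is an added example, not code from this PR or its repository, of a small check a maintainer can run locally or as a pre-commit step to catch the same condition before CodeQL does. It assumes workflows are plain YAML under .github/workflows/ and treats a `permissions:` key at column 0 as workflow-level and an indented one as job-level; the sample workflow files it writes are constructed for the demo and are not the repository's real files.

```shell
#!/usr/bin/env bash
# Added example (not part of the PR or the repository): report GitHub Actions
# workflow files that declare no `permissions:` block, the condition behind
# CodeQL's "Workflow does not contain permissions" finding.
# Assumption: a key at column 0 is workflow-level; an indented one is job-level.

# 0 if the file has a workflow-level permissions key, 1 otherwise.
has_top_level_permissions() {
  grep -Eq '^permissions:' "$1"
}

# 0 if some job (or any nested mapping) carries its own permissions key.
# Job-level blocks are fine, but then every job must have one; a human
# still needs to check that, so they are reported separately.
has_job_level_permissions() {
  grep -Eq '^[[:space:]]+permissions:' "$1"
}

# Print one line per workflow file (OK / JOB-LEVEL / MISSING plus the path).
# Returns 1 if any file is MISSING so it can gate a commit or CI step.
lint_workflow_permissions() {
  local dir="$1" status=0 f
  for f in "$dir"/*.yml "$dir"/*.yaml; do
    [ -e "$f" ] || continue
    if has_top_level_permissions "$f"; then
      echo "OK        $f"
    elif has_job_level_permissions "$f"; then
      echo "JOB-LEVEL $f"
    else
      echo "MISSING   $f"
      status=1
    fi
  done
  return "$status"
}

# Write a constructed sample tree (not the repository's real workflows) so the
# check can be exercised offline: one unfixed file, one fixed file, one with a
# job-level block.
make_sample_workflows() {
  local dir="$1"
  mkdir -p "$dir"
  cat > "$dir/sonarcloud.yml" <<'EOF'
name: Build and analyze
on:
  push:
    branches:
      - master
  workflow_dispatch:
env:
  ARCH: x86_64
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
EOF
  cat > "$dir/sonarcloud-fixed.yml" <<'EOF'
name: Build and analyze
on:
  workflow_dispatch:
permissions:
  contents: read
env:
  ARCH: x86_64
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
EOF
  cat > "$dir/deploy.yml" <<'EOF'
name: Deploy
on:
  workflow_dispatch:
jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4
EOF
}

# Stand-alone use: LINT_DIR=.github/workflows sh this_file.sh
if [ -n "${LINT_DIR:-}" ]; then
  lint_workflow_permissions "$LINT_DIR"
fi
```

Run it against the real tree with `LINT_DIR=.github/workflows`; a non-zero exit means at least one workflow still relies on the default token scopes. The grep-based check is deliberately simple and can be fooled by a comment line starting with `permissions:`, so treat it as a fast pre-check rather than a replacement for CodeQL.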
5899ec4 to 2bd227d
@codex review
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 2bd227d1f1
| --define sonar.projectKey=${{ env.REPO_OWNER }}_${{ env.REPO_NAME }} | ||
| --define sonar.projectName=${{ env.REPO_NAME }} | ||
| --define sonar.organization=${{ env.SONAR_ORG }} | ||
| --define sonar.cfamily.compile-commands=${{ env.BUILD_WRAPPER_OUT_DIR }}/compile_commands.json |
Point C/C++ analysis at a real compile db
The Sonar scan is configured to read a compile database from ${{ env.BUILD_WRAPPER_OUT_DIR }}/compile_commands.json, but this workflow never generates or copies a compile_commands.json into that directory. make all drives CMake builds that (when enabled) emit compile_commands.json into the per-target build folders (e.g., locator_host/build), while the build wrapper writes its own output files to ${BUILD_WRAPPER_OUT_DIR}. In CI runs where that file is absent, the scan will fail or skip C/C++ analysis. Either pass sonar.cfamily.build-wrapper-output=${{ env.BUILD_WRAPPER_OUT_DIR }} when using the build wrapper, or point sonar.cfamily.compile-commands at the actual build directory that contains compile_commands.json.
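The failure mode the Codex comment describes is that the scanner is told to read a file the job never produced. As an added example (not code from this PR or its repository), the shell function below picks the Sonar C-family input that actually exists on disk and fails the job otherwise, so a missing compile database surfaces as a build error rather than as silently skipped C/C++ analysis. It assumes the build wrapper writes build-wrapper-dump.json into its `--out-dir` and that CMake writes compile_commands.json into each build directory when CMAKE_EXPORT_COMPILE_COMMANDS is enabled; the directory names in the demo are constructed and the function is hypothetical, not part of the sonarqube-scan-action.

```shell
#!/usr/bin/env bash
# Added example, not the project's code: choose between
# sonar.cfamily.build-wrapper-output and sonar.cfamily.compile-commands based
# on what the build really left behind, and refuse to continue if neither
# input exists.

# Usage: sonar_cfamily_define WRAPPER_OUT_DIR [BUILD_DIR...]
# Prints the --define argument to append to the scanner invocation.
# Returns 1 (with a message on stderr) when no usable input is found.
sonar_cfamily_define() {
  local wrapper_dir="$1" build_dir
  shift
  # Preferred when the build ran under build-wrapper: the wrapper's own dump.
  # (Assumption: the dump file name is build-wrapper-dump.json.)
  if [ -f "$wrapper_dir/build-wrapper-dump.json" ]; then
    printf '%s\n' "--define sonar.cfamily.build-wrapper-output=$wrapper_dir"
    return 0
  fi
  # Fallback: a CMake compile database in one of the per-target build dirs.
  for build_dir in "$@"; do
    if [ -f "$build_dir/compile_commands.json" ]; then
      printf '%s\n' "--define sonar.cfamily.compile-commands=$build_dir/compile_commands.json"
      return 0
    fi
  done
  printf 'error: no build-wrapper-dump.json in %s and no compile_commands.json in: %s\n' \
    "$wrapper_dir" "$*" >&2
  return 1
}

# Demo on a constructed layout mirroring the workflow's directories
# (build_wrapper_output_directory and locator_host/build). Returns 0 when all
# three outcomes behave as expected: fail, fall back to CMake, prefer wrapper.
demo_sonar_cfamily_define() {
  local root wrapper build
  root=$(mktemp -d)
  wrapper="$root/build_wrapper_output_directory"
  build="$root/locator_host/build"
  mkdir -p "$wrapper" "$build"
  # 1. Nothing generated yet: the function must fail.
  if sonar_cfamily_define "$wrapper" "$build" 2>/dev/null; then
    rm -rf "$root"; return 1
  fi
  # 2. Only CMake's compile database exists: fall back to it.
  : > "$build/compile_commands.json"
  sonar_cfamily_define "$wrapper" "$build" || { rm -rf "$root"; return 1; }
  # 3. The build wrapper dump exists too: prefer it.
  : > "$wrapper/build-wrapper-dump.json"
  sonar_cfamily_define "$wrapper" "$build" || { rm -rf "$root"; return 1; }
  rm -rf "$root"
}
```

In a workflow step this would be called after the build and its output stored in an environment variable or step output that the `args:` of the scan step then includes, so the scan never runs against a path that does not exist.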
Description
Related Issue
Closes #<issue_number>
Changes Made
Checklist
Screenshots (if applicable)
Additional Notes