Pin python dependencies to hashes and cleanup/unify python setup steps in
various workflows.
We now have one dependency file containing all requirements for github
actions that is managed centrally with hashes. No direct pip installs
are needed in workflow files and everything shall go via the
requirements file.
Pinning to specific version and hashes helps with preventing supply
chain attacks.
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
Move PR body check to a workflow that monitors editing of PRs.
Avoids rerunning compliance check and other heavyweight workflows on
just an edit of the PR body.
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
This commit introduces a new workflow that checks for SHA-pinned GitHub
Actions on pull requests.
Signed-off-by: Benjamin Cabé <benjamin@zephyrproject.org>
Integrate codeql code scanning from github to do basic static code
analysis on python, actions, js.
c/cpp to be added later.
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
Moved away from a texlive docker container to a vanilla ubuntu runner
so that we can better track the actual dependencies a user needs to
build the PDF rather than relying on the gigabytes of random stuff
that the texlive docker container pulls in.
Signed-off-by: Benjamin Cabé <benjamin@zephyrproject.org>
Removed coverxygen installation from the CI workflow and added it to the
requirements.txt/.in files to make it easier for anyone to potentially
use it locally.
Signed-off-by: Benjamin Cabé <benjamin@zephyrproject.org>
Default to `permissions: read-all` in all workflows and then add
additional permissions as needed at the job level
Signed-off-by: Benjamin Cabé <benjamin@zephyrproject.org>
Building docs just works on vanilla GH runner so it can be convenient
to not prevent the workflow from running on forks.
Signed-off-by: Benjamin Cabé <benjamin@zephyrproject.org>
Ensure we run the latest version of this action (and align with what is
already used for bsim-tests)
Signed-off-by: Benjamin Cabé <benjamin@zephyrproject.org>
Following the revert in the previous commit, pin the actions/checkout
action to align with what is now the accepted practice in the project.
Signed-off-by: Benjamin Cabé <benjamin@zephyrproject.org>
This reverts commit b80526658c
and restores the original use of looking for changed files
before triggering a documentation build.
Signed-off-by: Benjamin Cabé <benjamin@zephyrproject.org>
Apply dependabot suggested updates to the `scorecard` workflow to pull
latest versions of the actions.
Signed-off-by: Benjamin Cabé <benjamin@zephyrproject.org>
This commit follows up on e808ccfxy and completes the pinning of *all*
GitHub Actions to SHAs, including GitHub-owned `actions/*` actions.
Signed-off-by: Benjamin Cabé <benjamin@zephyrproject.org>
This commit updates all GitHub Actions workflows to use specific
SHAs for the actions when they're not GitHub owned (`actions/*`)
instead of using tag-based versioning since tags are mutable.
Signed-off-by: Benjamin Cabé <benjamin@zephyrproject.org>
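As an added example (not Zephyr's own tooling), a small Python audit over two constructed workflow snippets for the three properties the commits above introduce: every `uses:` pinned to a full commit SHA, no direct `pip install` of named packages outside the requirements file, and `permissions: read-all` at workflow level. The sample workflows, function names and SHAs are assumptions and placeholders.

```python
import re

# Constructed sample workflows (not Zephyr files). LOOSE has a tag-pinned action,
# a direct pip install and no top-level permissions; HARDENED is the shape the
# commits describe. SHAs are placeholders, not real release commits.
LOOSE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - uses: actions/setup-python@v5
      - run: pip install sphinx==8.2.0
"""

HARDENED_WORKFLOW = """\
name: ci
on: [pull_request]
permissions: read-all
jobs:
  build:
    runs-on: ubuntu-24.04
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - uses: actions/setup-python@89abcdef0123456789abcdef0123456789abcdef # placeholder SHA
      - run: pip install --require-hashes -r scripts/requirements-actions.txt
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s@#]+)@([^\s#]+)", re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# A `pip install` that names packages directly instead of passing `-r <file>`.
PIP_RE = re.compile(r"^\s*-?\s*run:.*\bpip3?\s+install\b(?!.*-r\s).*$", re.M)

def unpinned_actions(text):
    """Return (action, ref) pairs whose ref is not a full 40-hex commit SHA."""
    return [(a, r) for a, r in USES_RE.findall(text) if not SHA_RE.match(r)]

def direct_pip_installs(text):
    """Return run lines that install packages by name rather than via a requirements file."""
    return [line.strip() for line in PIP_RE.findall(text)]

def has_top_level_read_all(text):
    """True when `permissions: read-all` is declared at column 0 (workflow level)."""
    return re.search(r"^permissions:\s*read-all\s*$", text, re.M) is not None
```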
Add a security section in the external source code issue template
requesting information about known vulnerabilities and cryptographic
usage.
Signed-off-by: Flavio Ceolin <flavio@hubblenetwork.com>
Remove check for changed files for now until we have a better way to do
that without the 3rd party action.
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
Updates the GitHub security page with the current supported versions
after the v4.1.0 release.
Signed-off-by: Fabio Baltieri <fabiobaltieri@google.com>
Reduce the number of parallel jobs for documentation build since we use
GH-hosted runner with only 4 vCPUs and 16GiB of RAM.
Signed-off-by: Benjamin Cabé <benjamin@zephyrproject.org>
Make CI run on latest Ubuntu LTS so that default Python version
is effectively 3.12.
This allows building against the latest Sphinx 8.2 release, as it
dropped support for Python 3.10.
Signed-off-by: Benjamin Cabé <benjamin@zephyrproject.org>
Setup a fully working Zephyr workspace so that documentation steps that
require e.g. building Zephyr apps have the ability to do so.
The "turbo" builds running on pull requests get a minimal setup, with
no toolchain being installed.
Signed-off-by: Benjamin Cabé <benjamin@zephyrproject.org>
The "raw" junit.xml is a useful artifact to make available to developers
as it can be ingested by various tools to help dig into failures, look
at evolution of test results over time, etc.
Signed-off-by: Benjamin Cabé <benjamin@zephyrproject.org>
This reverts commit 2dcb61858b.
Completely breaks CI due to concurrency key being wrong and
the same for every PR...
Signed-off-by: Benjamin Cabé <benjamin@zephyrproject.org>
This addresses issues where CI jobs would wrongly get cancelled due to
sharing the concurrency group with other workflows.
For example:
- Twister runs being cancelled if both contributors submitting PRs named
their branch the same (often, `main` :))
- The scheduled doc-build systematically kills any ongoing
"on_pull_request_target" workflow runs.
Signed-off-by: Benjamin Cabé <benjamin@zephyrproject.org>
Increase matrix size to deal with builds aborting under heavy load or
when running out of resources.
Also increase number of tests per node to deal with growth.
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
There is no point in including source .rst files in html-output.tar.xz
as it unnecessarily slows down the creation of html-output.tar.xz as well
as transfer to/decompression on S3. Same for Doxygen XML output which is
only useful at build time.
Signed-off-by: Benjamin Cabé <benjamin@zephyrproject.org>
Checkout code early, so files are downloaded and read from one single
place.
Check for job results, only run script on failures.
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
Twister supports building with multiple toolchains in the same workflow
already, so there is no need for doing this in its own workflow.
This will allow us to have a few targeted tests that are built with
multiple toolchains and frees up resources spent on duplicated builds in
a second workflow.
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
Added steps to analyze Twister reports and upload the results
if Twister build fails
Signed-off-by: Grzegorz Chwierut <grzegorz.chwierut@nordicsemi.no>
Reconfigure the manifest action to use a manifest-specific DNM label, so
that the "DNM" one can be used by humans.
Signed-off-by: Fabio Baltieri <fabiobaltieri@google.com>
Add "DNM (manifest)" to the "do not merge" labels. This is meant to be a
DNM controlled specifically by the manifest action, so that the normal one
can be used by humans and the two are not going to fight with each
other.
Signed-off-by: Fabio Baltieri <fabiobaltieri@google.com>