
Commit f74c516

authored
Fixed security vulnerabilities & improvements (#2437)
## Changes - Instead of referencing the shared workflow via `Open-CMSIS-Pack/devtools/.github/workflows/shared_setup_env.yml@main`, switch to a local reference (`./.github/workflows/shared_setup_env.yml`). This removes the dependency on updating and merging the shared workflow first before applying changes in the caller. With this approach, both workflows can be updated together within a single PR. - Also, this removes the [security warning](https://github.com/Open-CMSIS-Pack/devtools/security/code-scanning?query=is%3Aopen+branch%3Amain+tool%3AScorecard) to pin the workflow to a specific commit. - Pinned dependencies in global.yml to updated versions. - Added Pull request template file - Scorecard cron job schedule time changed, in order to avoid any conflict
1 parent f85c849 commit f74c516

10 files changed

Lines changed: 40 additions & 25 deletions


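--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -0,0 +1,15 @@
+## Fixes
+<!-- List the issue(s) this PR resolves -->
+-
+
+## Changes
+<!-- List the changes this PR introduces -->
+-
+
+## Checklist
+<!-- Put an `x` in the boxes. All tasks must be completed and boxes checked before merging. -->
+- [ ] 🤖 This change is covered by unit tests (if applicable).
+- [ ] 🤹 Manual testing has been performed (if necessary).
+- [ ] 🛡️ Security impacts have been considered (if relevant).
+- [ ] 📖 Documentation updates are complete (if required).
+- [ ] 🧠 Third-party dependencies and TPIP updated (if required).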

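--- a/.github/workflows/buildmgr.yml
+++ b/.github/workflows/buildmgr.yml
@@ -40,13 +40,13 @@ permissions:
 
 jobs:
   setup:
-    uses: Open-CMSIS-Pack/devtools/.github/workflows/shared_setup_env.yml@main
+    uses: ./.github/workflows/shared_setup_env.yml
     with:
       run_if: ${{ fromJSON((github.event_name == 'pull_request') || (github.event_name == 'workflow_dispatch') || (github.event_name == 'release' && startsWith(github.ref, 'refs/tags/tools/buildmgr/')) || ((github.event.schedule != '') && (!github.event.repository.private))) }}
 
   matrix_prep:
     needs: setup
-    uses: Open-CMSIS-Pack/devtools/.github/workflows/shared_matrix_prep.yml@main
+    uses: ./.github/workflows/shared_matrix_prep.yml
     with:
       workflow_name: buildmgr
 
@@ -140,7 +140,7 @@ jobs:
           sudo apt-get install ninja-build python3
           wget -q http://security.ubuntu.com/ubuntu/pool/main//d/doxygen/doxygen_1.8.6-2_amd64.deb
           sudo dpkg -i doxygen_1.8.6-2_amd64.deb
-          sudo pip install LinkChecker
+          sudo pip install LinkChecker==10.6.0
       - name: Create build folder
         run: mkdir build
 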

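--- a/.github/workflows/global.yaml
+++ b/.github/workflows/global.yaml
@@ -23,7 +23,7 @@ jobs:
       - name: Check copyright notice
         run: |
           pip install \
-            pre-commit \
-            python-magic==0.4.18 \
-            comment-parser>=1.2.3
+            pre-commit==4.5.1 \
+            python-magic==0.4.24 \
+            comment-parser==1.2.4
           pre-commit run --all-files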

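--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -11,27 +11,27 @@ permissions:
 jobs:
   buildmgr:
     if: github.repository == 'Open-CMSIS-Pack/devtools'
-    uses: Open-CMSIS-Pack/devtools/.github/workflows/buildmgr.yml@main
+    uses: ./.github/workflows/buildmgr.yml
     secrets: inherit
   packchk:
     needs: [buildmgr]
-    uses: Open-CMSIS-Pack/devtools/.github/workflows/packchk.yml@main
+    uses: ./.github/workflows/packchk.yml
     secrets: inherit
   packgen:
     needs: [packchk]
-    uses: Open-CMSIS-Pack/devtools/.github/workflows/packgen.yml@main
+    uses: ./.github/workflows/packgen.yml
     secrets: inherit
   projmgr:
     needs: [packgen]
-    uses: Open-CMSIS-Pack/devtools/.github/workflows/projmgr.yml@main
+    uses: ./.github/workflows/projmgr.yml
     secrets: inherit
   svdconv:
     needs: [projmgr]
-    uses: Open-CMSIS-Pack/devtools/.github/workflows/svdconv.yml@main
+    uses: ./.github/workflows/svdconv.yml
     secrets: inherit
   test_libs:
     needs: [svdconv]
-    uses: Open-CMSIS-Pack/devtools/.github/workflows/test_libs.yml@main
+    uses: ./.github/workflows/test_libs.yml
   coverage:
     runs-on: ubuntu-22.04
     needs: [ buildmgr, packchk, packgen, projmgr, svdconv, test_libs ]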
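Review bot: Five of the switched `uses:` calls in this hunk keep `secrets: inherit`, which hands every repository and organization secret to the called workflow regardless of what it actually consumes. Since the callees now live in the same tree and can be edited in the same PR, this is a good moment to replace `secrets: inherit` with an explicit `secrets:` mapping of just the names each workflow reads, so a compromised step in one job cannot reach secrets intended for another. What each callee requires is not visible here, so the exact list needs checking against the called files. The `coverage` job continues past the end of the hunk.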

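--- a/.github/workflows/packchk.yml
+++ b/.github/workflows/packchk.yml
@@ -45,13 +45,13 @@ permissions:
 
 jobs:
   setup:
-    uses: Open-CMSIS-Pack/devtools/.github/workflows/shared_setup_env.yml@main
+    uses: ./.github/workflows/shared_setup_env.yml
     with:
       run_if: ${{ fromJSON((github.event_name == 'pull_request') || (github.event_name == 'workflow_dispatch') || (github.event_name == 'release' && startsWith(github.ref, 'refs/tags/tools/packchk/')) || ((github.event.schedule != '') && (!github.event.repository.private))) }}
 
   matrix_prep:
     needs: setup
-    uses: Open-CMSIS-Pack/devtools/.github/workflows/shared_matrix_prep.yml@main
+    uses: ./.github/workflows/shared_matrix_prep.yml
     with:
       workflow_name: packchk
 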

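--- a/.github/workflows/packgen.yml
+++ b/.github/workflows/packgen.yml
@@ -40,13 +40,13 @@ permissions:
 
 jobs:
   setup:
-    uses: Open-CMSIS-Pack/devtools/.github/workflows/shared_setup_env.yml@main
+    uses: ./.github/workflows/shared_setup_env.yml
     with:
       run_if: ${{ fromJSON((github.event_name == 'pull_request') || (github.event_name == 'workflow_dispatch') || (github.event_name == 'release' && startsWith(github.ref, 'refs/tags/tools/packgen/')) || ((github.event.schedule != '') && (!github.event.repository.private))) }}
 
   matrix_prep:
     needs: setup
-    uses: Open-CMSIS-Pack/devtools/.github/workflows/shared_matrix_prep.yml@main
+    uses: ./.github/workflows/shared_matrix_prep.yml
     with:
       workflow_name: packgen
 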

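--- a/.github/workflows/projmgr.yml
+++ b/.github/workflows/projmgr.yml
@@ -44,21 +44,21 @@ permissions:
 
 jobs:
   setup:
-    uses: Open-CMSIS-Pack/devtools/.github/workflows/shared_setup_env.yml@main
+    uses: ./.github/workflows/shared_setup_env.yml
     with:
       run_if: ${{ fromJSON((github.event_name == 'pull_request') || (github.event_name == 'workflow_dispatch') || (github.event_name == 'release' && startsWith(github.ref, 'refs/tags/tools/projmgr/')) || ((github.event.schedule != '') && (!github.event.repository.private))) }}
 
   matrix_prep:
     needs: setup
-    uses: Open-CMSIS-Pack/devtools/.github/workflows/shared_matrix_prep.yml@main
+    uses: ./.github/workflows/shared_matrix_prep.yml
     with:
       workflow_name: projmgr
 
   build:
     needs: [ setup, matrix_prep ]
     runs-on: ${{ matrix.runs_on }}
     name: build (${{ matrix.runs_on }},${{ matrix.arch }})
-    timeout-minutes: 15
+    timeout-minutes: 20
     strategy:
       # fail-fast: true
       matrix: ${{ fromJson(needs.matrix_prep.outputs.matrix) }}
@@ -136,7 +136,7 @@ jobs:
     needs: [ setup, matrix_prep ]
     name: build-swig (${{ matrix.runs_on }}, ${{ matrix.arch }})
     runs-on: ${{ matrix.runs_on }}
-    timeout-minutes: 15
+    timeout-minutes: 20
     strategy:
       # fail-fast: true
       matrix: ${{ fromJson(needs.matrix_prep.outputs.matrix) }}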
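Review bot: `timeout-minutes` is raised from 15 to 20 on the `build` job in the first hunk and on `build-swig` in the second, but neither the commit description nor the workflow records why; an unexplained limit tends to be bumped again rather than investigated when it trips next. A one-line comment above each value, such as `# 20 min: <which runner/arch approached the old limit — placeholder, confirm>`, would preserve the trigger for the next maintainer. Both jobs continue beyond the hunks shown.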

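--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -6,7 +6,7 @@ on:
   # To guarantee Maintained check is occasionally updated. See
   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
   schedule:
-    - cron: '0 0 * * *'
+    - cron: '0 6 * * *'
   push:
     branches: [ "main" ]
   workflow_dispatch: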

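--- a/.github/workflows/svdconv.yml
+++ b/.github/workflows/svdconv.yml
@@ -37,13 +37,13 @@ permissions:
 
 jobs:
   setup:
-    uses: Open-CMSIS-Pack/devtools/.github/workflows/shared_setup_env.yml@main
+    uses: ./.github/workflows/shared_setup_env.yml
     with:
       run_if: ${{ fromJSON((github.event_name == 'pull_request') || (github.event_name == 'workflow_dispatch') || (github.event_name == 'release' && startsWith(github.ref, 'refs/tags/tools/svdconv/')) || ((github.event.schedule != '') && (!github.event.repository.private))) }}
 
   matrix_prep:
     needs: setup
-    uses: Open-CMSIS-Pack/devtools/.github/workflows/shared_matrix_prep.yml@main
+    uses: ./.github/workflows/shared_matrix_prep.yml
     with:
       workflow_name: svdconv
 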

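--- a/.github/workflows/test_libs.yml
+++ b/.github/workflows/test_libs.yml
@@ -29,13 +29,13 @@ permissions:
 
 jobs:
   setup:
-    uses: Open-CMSIS-Pack/devtools/.github/workflows/shared_setup_env.yml@main
+    uses: ./.github/workflows/shared_setup_env.yml
     with:
       run_if: ${{ ((github.event.schedule != '') && github.event.repository.private) == false }}
 
   matrix_prep:
     needs: setup
-    uses: Open-CMSIS-Pack/devtools/.github/workflows/shared_matrix_prep.yml@main
+    uses: ./.github/workflows/shared_matrix_prep.yml
     with:
       workflow_name: test_libs
 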
