Skip to content

Commit 4506a93

Browse files
committed
Merge remote-tracking branch 'private/master' into gpl-new-virtual-cts
2 parents c59e98b + a507dc9 commit 4506a93

69 files changed

Lines changed: 13270 additions & 3182 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.github/workflows/black.yaml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -13,6 +13,6 @@ jobs:
1313
runs-on: ${{ vars.USE_SELF_HOSTED == 'true' && 'self-hosted' || 'ubuntu-latest' }}
1414
steps:
1515
- name: Checkout Code
16-
uses: actions/checkout@v6
16+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
1717
- name: Run black
18-
uses: psf/black@stable
18+
uses: psf/black@87928e6d6761a4a6d22250e1fee5601b3998086e # 26.5.1

.github/workflows/buildifier.yaml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -30,11 +30,11 @@ jobs:
3030

3131
steps:
3232
- name: Checkout Code
33-
uses: actions/checkout@v6
33+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
3434

3535
- name: Cache buildifier
3636
id: cache-buildifier
37-
uses: actions/cache@v5
37+
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
3838
with:
3939
path: ./buildifier
4040
key: ${{ runner.os }}-buildifier-${{ env.BUILDIFIER_VERSION }}

.github/workflows/first-time-contributor.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -14,7 +14,7 @@ jobs:
1414
pull-requests: write
1515
steps:
1616
- name: Greet First-Time Contributor
17-
uses: actions/first-interaction@v1
17+
uses: actions/first-interaction@34f15e814fe48ac9312ccf29db4e74fa767cbab7 # v1.3.0
1818
with:
1919
repo-token: ${{ secrets.GITHUB_TOKEN }}
2020
issue-message: |

.github/workflows/github-actions-are-differences-found.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@ jobs:
88
runs-on: ${{ vars.USE_SELF_HOSTED == 'true' && 'self-hosted' || 'ubuntu-latest' }}
99
steps:
1010
- name: Check out repository code
11-
uses: actions/checkout@v6
11+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
1212
with:
1313
fetch-depth: 0
1414
- name: Check ok files

.github/workflows/github-actions-are-odb-files-generated.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -13,7 +13,7 @@ jobs:
1313
runs-on: ${{ vars.USE_SELF_HOSTED == 'true' && 'self-hosted' || 'ubuntu-latest' }}
1414
steps:
1515
- name: Check out repository code
16-
uses: actions/checkout@v6
16+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
1717
with:
1818
fetch-depth: 0
1919
submodules: 'recursive'

.github/workflows/github-actions-check-bazel-lock.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -10,7 +10,7 @@ jobs:
1010
runs-on: ubuntu-latest
1111
steps:
1212
- name: Check out repository code
13-
uses: actions/checkout@v6
13+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
1414

1515
- name: Verify lock file is up to date
1616
run: bazelisk mod deps --lockfile_mode=error
Lines changed: 143 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,143 @@
1+
name: clang-tidy-bazel-post
2+
3+
# Runs in the base repository's context with a writable GITHUB_TOKEN, so it
4+
# can post reviewdog comments on PRs opened from forks (which the upstream
5+
# `clang-tidy-bazel` workflow cannot, since fork pull_request runs get a
6+
# read-only token by GitHub's design).
7+
#
8+
# Security: this workflow MUST NOT execute untrusted PR code. It only reads
9+
# the text artifact (clang-tidy.txt) produced by the upstream workflow and
10+
# the metadata file we wrote there ourselves. No checkout of the PR head,
11+
# no bazel build, no scripts from the fork.
12+
13+
on:
14+
workflow_run:
15+
workflows: ["clang-tidy-bazel"]
16+
types:
17+
- completed
18+
19+
permissions:
20+
contents: read
21+
pull-requests: write
22+
# Needed for actions/download-artifact@v4 to fetch from another workflow.
23+
actions: read
24+
25+
jobs:
26+
Post-Reviewdog:
27+
# Run on success AND failure: Stage A intentionally exits non-zero when
28+
# clang-tidy findings exist on the PR diff (to fail the required PR
29+
# check), but the artifact is uploaded *before* that fail step, so the
30+
# findings are still posted as review comments. Only skip on cancelled.
31+
if: ${{ github.event.workflow_run.conclusion != 'cancelled' }}
32+
runs-on: ${{ vars.USE_SELF_HOSTED == 'true' && 'self-hosted' || 'ubuntu-latest' }}
33+
steps:
34+
# Reviewdog's github-pr-review reporter resolves the local git root
35+
# before flushing comments and silently no-ops if .git is missing.
36+
# Check out the base repo (default branch, shallow) so reviewdog has
37+
# a .git directory to operate against. No fork code involved — this
38+
# is the base repo at HEAD of its default branch.
39+
- name: Check out base repo for reviewdog .git requirement
40+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
41+
with:
42+
fetch-depth: 1
43+
# Default ref in workflow_run context is the base repo's default
44+
# branch, which is the safe choice here. Reviewdog uses GitHub
45+
# API to fetch the actual PR diff, so the local SHA need not
46+
# match the PR head.
47+
48+
- name: Download clang-tidy artifact
49+
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
50+
with:
51+
name: clang-tidy-bazel
52+
run-id: ${{ github.event.workflow_run.id }}
53+
github-token: ${{ secrets.GITHUB_TOKEN }}
54+
55+
- name: Load PR metadata
56+
id: meta
57+
run: |
58+
# pr-meta.txt is produced by the upstream workflow from the
59+
# pull_request event payload. It is text we wrote ourselves —
60+
# not arbitrary fork content — and is parsed with a strict
61+
# allowlist below before being exported.
62+
if [ ! -f pr-meta.txt ]; then
63+
echo "::error::pr-meta.txt missing from artifact"
64+
exit 1
65+
fi
66+
while IFS='=' read -r key value; do
67+
case "$key" in
68+
pr_number|head_sha|base_sha|head_repo|base_repo) ;;
69+
*) continue ;;
70+
esac
71+
# Validate values: numbers, hex SHAs, or owner/repo slugs only.
72+
case "$key" in
73+
pr_number)
74+
[[ "$value" =~ ^[0-9]+$ ]] || { echo "::error::bad pr_number"; exit 1; } ;;
75+
head_sha|base_sha)
76+
[[ "$value" =~ ^[0-9a-f]{40}$ ]] || { echo "::error::bad $key"; exit 1; } ;;
77+
head_repo|base_repo)
78+
[[ "$value" =~ ^[A-Za-z0-9._-]+/[A-Za-z0-9._-]+$ ]] || { echo "::error::bad $key"; exit 1; } ;;
79+
esac
80+
echo "$key=$value" >> "$GITHUB_OUTPUT"
81+
done < pr-meta.txt
82+
83+
- name: Synthesize pull_request event payload
84+
id: event
85+
env:
86+
PR_NUMBER: ${{ steps.meta.outputs.pr_number }}
87+
HEAD_SHA: ${{ steps.meta.outputs.head_sha }}
88+
BASE_SHA: ${{ steps.meta.outputs.base_sha }}
89+
HEAD_REPO: ${{ steps.meta.outputs.head_repo }}
90+
BASE_REPO: ${{ steps.meta.outputs.base_repo }}
91+
run: |
92+
# Reviewdog's `github-pr-review` reporter reads GITHUB_EVENT_PATH
93+
# expecting a pull_request payload. The real event here is
94+
# workflow_run, so we synthesize the minimum payload reviewdog
95+
# needs and point GITHUB_EVENT_PATH at it for the next step.
96+
EVENT_PATH="${RUNNER_TEMP}/pr-event.json"
97+
python3 - <<'PY' > "$EVENT_PATH"
98+
import json, os
99+
payload = {
100+
"action": "synchronize",
101+
"number": int(os.environ["PR_NUMBER"]),
102+
"pull_request": {
103+
"number": int(os.environ["PR_NUMBER"]),
104+
"head": {
105+
"sha": os.environ["HEAD_SHA"],
106+
"repo": {"full_name": os.environ["HEAD_REPO"]},
107+
},
108+
"base": {
109+
"sha": os.environ["BASE_SHA"],
110+
"repo": {"full_name": os.environ["BASE_REPO"]},
111+
},
112+
},
113+
"repository": {
114+
"full_name": os.environ["BASE_REPO"],
115+
"owner": {"login": os.environ["BASE_REPO"].split("/")[0]},
116+
"name": os.environ["BASE_REPO"].split("/")[1],
117+
},
118+
}
119+
print(json.dumps(payload))
120+
PY
121+
echo "event_path=${EVENT_PATH}" >> "$GITHUB_OUTPUT"
122+
123+
- name: Set up reviewdog
124+
uses: reviewdog/action-setup@d8a7baabd7f3e8544ee4dbde3ee41d0011c3a93f # v1.5.0
125+
with:
126+
reviewdog_version: latest
127+
128+
- name: Run reviewdog
129+
env:
130+
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
131+
GITHUB_EVENT_NAME: pull_request
132+
GITHUB_EVENT_PATH: ${{ steps.event.outputs.event_path }}
133+
GITHUB_SHA: ${{ steps.meta.outputs.head_sha }}
134+
GITHUB_REPOSITORY: ${{ steps.meta.outputs.base_repo }}
135+
run: |
136+
reviewdog \
137+
-efm="%E%f:%l:%c: error: %m" \
138+
-efm="%W%f:%l:%c: warning: %m" \
139+
-name="clang-tidy" \
140+
-reporter=github-pr-review \
141+
-filter-mode=added \
142+
-fail-level=any \
143+
< clang-tidy.txt

.github/workflows/github-actions-clang-tidy-bazel.yml

Lines changed: 47 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -5,36 +5,36 @@ on:
55
branches:
66
- master
77

8+
# Read-only by design: fork PRs get a read-only GITHUB_TOKEN regardless of
9+
# what this block requests, so this workflow only builds clang-tidy and
10+
# uploads the findings as an artifact. The companion workflow
11+
# `clang-tidy-bazel-post` runs on `workflow_run` in the base repo context
12+
# with a writable token and posts the reviewdog comments.
813
permissions:
914
contents: read
10-
pull-requests: write
1115

1216
jobs:
1317
Clang-Tidy-Bazel:
1418
runs-on: ${{ vars.USE_SELF_HOSTED == 'true' && 'self-hosted' || 'ubuntu-latest' }}
1519
steps:
1620
- name: Check out repository code
17-
uses: actions/checkout@v6
21+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
1822
with:
1923
submodules: 'recursive'
20-
# Need full history so reviewdog can diff against the PR base.
24+
# Need full history so the post workflow's reviewdog can diff
25+
# against the PR base via the API.
2126
fetch-depth: 0
2227

2328
- name: Set up bazel
2429
# GitHub-hosted ubuntu-latest preinstalls bazelisk, but self-hosted
2530
# runners do not. Install it explicitly so the workflow works on
2631
# both runner types. bazel-contrib/setup-bazel's default uses a
2732
# pre-installed bazelisk; passing bazelisk-version forces install.
28-
uses: bazel-contrib/setup-bazel@0.19.0
33+
uses: bazel-contrib/setup-bazel@c5acdfb288317d0b5c0bbd7a396a3dc868bb0f86 # 0.19.0
2934
with:
3035
bazelisk-version: 1.x
3136
bazelisk-cache: true
3237

33-
- name: Set up reviewdog
34-
uses: reviewdog/action-setup@v1
35-
with:
36-
reviewdog_version: latest
37-
3838
- name: Run bazel clang-tidy
3939
env:
4040
BAZEL_CACHE_PASSWORD: ${{ secrets.BAZEL_CACHE_PASSWORD }}
@@ -88,15 +88,50 @@ jobs:
8888
echo "::endgroup::"
8989
echo "Findings: $(wc -l < clang-tidy.txt)"
9090
91-
- name: Run reviewdog
91+
- name: Save PR metadata for post workflow
92+
run: |
93+
# workflow_run.event.pull_requests[] is empty for fork PRs, so the
94+
# post workflow needs the PR number and head SHA delivered via the
95+
# artifact itself.
96+
{
97+
echo "pr_number=${{ github.event.pull_request.number }}"
98+
echo "head_sha=${{ github.event.pull_request.head.sha }}"
99+
echo "base_sha=${{ github.event.pull_request.base.sha }}"
100+
echo "head_repo=${{ github.event.pull_request.head.repo.full_name }}"
101+
echo "base_repo=${{ github.event.pull_request.base.repo.full_name }}"
102+
} > pr-meta.txt
103+
104+
- name: Upload clang-tidy artifact
105+
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
106+
with:
107+
name: clang-tidy-bazel
108+
path: |
109+
clang-tidy.txt
110+
pr-meta.txt
111+
retention-days: 7
112+
if-no-files-found: error
113+
114+
- name: Set up reviewdog
115+
uses: reviewdog/action-setup@v1
116+
with:
117+
reviewdog_version: latest
118+
119+
- name: Fail check on clang-tidy findings in PR diff
120+
# Runs after the artifact upload so the post workflow always has the
121+
# findings to comment on, even when this step exits non-zero.
122+
# Uses -reporter=local because the fork-PR token is read-only here;
123+
# local mode just prints to stdout and exits with -fail-level=any if
124+
# findings exist. The post workflow does the actual review posting.
92125
env:
93-
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
126+
BASE_SHA: ${{ github.event.pull_request.base.sha }}
127+
HEAD_SHA: ${{ github.event.pull_request.head.sha }}
94128
run: |
95129
reviewdog \
96130
-efm="%E%f:%l:%c: error: %m" \
97131
-efm="%W%f:%l:%c: warning: %m" \
98132
-name="clang-tidy" \
99-
-reporter=github-pr-review \
133+
-reporter=local \
134+
-diff="git diff ${BASE_SHA}...${HEAD_SHA}" \
100135
-filter-mode=added \
101136
-fail-level=any \
102137
< clang-tidy.txt

.github/workflows/github-actions-format-on-push.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -13,12 +13,12 @@ jobs:
1313
runs-on: ${{ vars.USE_SELF_HOSTED == 'true' && 'self-hosted' || 'ubuntu-latest' }}
1414
steps:
1515
- name: Check out repository code
16-
uses: actions/checkout@v6
16+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
1717
with:
1818
fetch-depth: 0
1919
- name: Get changed files
2020
id: changed-files
21-
uses: tj-actions/changed-files@v47
21+
uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
2222
- name: Check format of cpp changed files
2323
run: |
2424
clang-format --version

.github/workflows/github-actions-lint-tcl.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -13,7 +13,7 @@ jobs:
1313
runs-on: ${{ vars.USE_SELF_HOSTED == 'true' && 'self-hosted' || 'ubuntu-latest' }}
1414
steps:
1515
- name: Checkout repository
16-
uses: actions/checkout@v6
16+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
1717
with:
1818
submodules: 'recursive'
1919
- name: Install Dependencies

0 commit comments

Comments
 (0)