diff --git a/.github/workflows/clang-tidy-review.yml b/.github/workflows/clang-tidy-review.yml
new file mode 100644
index 000000000000..a4b19a93f1ca
--- /dev/null
+++ b/.github/workflows/clang-tidy-review.yml
@@ -0,0 +1,110 @@
+name: Clang-tidy review
+on:
+ pull_request:
+
+jobs:
+ build:
+ name: Clang tidy review
+ runs-on: ubuntu-latest
+ container: zephyrprojectrtos/ci-base:v0.26.4
+ env:
+ CMAKE_PREFIX_PATH: /opt/toolchains
+ steps:
+ - name: Checkout the code
+ uses: actions/checkout@v2
+ with:
+ path: nrf
+ fetch-depth: 0
+
+ - name: Install deps
+ run: |
+ apt-get update
+ apt-get install -y jq clang clang-tidy ruby-full
+
+ - name: West init and update
+ working-directory: nrf
+ run: |
+ west init -l .
+ west update --narrow -o=--depth=1
+
+ - name: Build for native_posix
+ shell: bash
+ working-directory: nrf
+ continue-on-error: true # The llvm build fails with a non-zero exit code due to link stage error. But we still want to run clang-tidy. The clang-tidy will catch compile errors anyway. The point here is to get the compile_commands.json file and all the necessary headerfiles generated with clang as the compiler.
+ run: |
+ export ZEPHYR_TOOLCHAIN_VARIANT=llvm
+ ../zephyr/scripts/twister -b -v -i -T ./ -p native_posix --quarantine-list scripts/quarantine_downstream.yaml
+
+ - name: Use jq to combine compile_commands.json files
+ shell: bash
+ working-directory: nrf
+ run: |
+ jq -s 'map(.[])' `find . -name compile_commands.json` > compile_commands.json
+
+ - name: Analyze
+ shell: bash
+ working-directory: nrf
+ run: |
+ mkdir clang-tidy-result
+ git fetch origin ${{ github.event.pull_request.base.sha }}
+ git diff -U0 ${{ github.event.pull_request.base.sha }} | clang-tidy-diff -p1 -path . 
-export-fixes clang-tidy-result/fixes.yml
+
+ - name: Print clang tidy results (yml format))
+ shell: bash
+ working-directory: nrf
+ run: |
+ ls clang-tidy-result
+ cat clang-tidy-result/fixes.yml
+
+ - name: Strip docker path so that the publisher workflow can find the files without being in a container
+ shell: bash
+ working-directory: nrf
+ run: |
+ sed -i "s/\/__w\/sdk-nrf\/sdk-nrf\/nrf\///g" clang-tidy-result/fixes.yml
+
+ - name: Upload clang tidy result as artifact
+ uses: actions/upload-artifact@v2
+ with:
+ name: clang-tidy-result
+ path: nrf/clang-tidy-result
+
+ - name: Upload compile_commands.json as artifact
+ uses: actions/upload-artifact@v2
+ with:
+ name: compile_commands.json
+ path: nrf/compile_commands.json
+
+ publish-review:
+ name: Publish clang tidy review
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - name: Checkout the code
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+
+ - name: Download artifacts
+ uses: actions/download-artifact@v2
+ with:
+ name: clang-tidy-result
+ path: clang-tidy-result
+
+ - name: Debug
+ shell: bash
+ run: |
+ ls clang-tidy-result
+ cat clang-tidy-result/fixes.yml
+
+ - name: Run clang-tidy-pr-comments action
+ uses: platisd/clang-tidy-pr-comments@master
+ with:
+ # The GitHub token (or a personal access token)
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+ # The path to the clang-tidy fixes generated previously
+ clang_tidy_fixes: clang-tidy-result/fixes.yml
+ # Optionally set the number of comments per review
+ # to avoid GitHub API timeouts for heavily loaded
+ # pull requests
+ suggestions_per_comment: 10
+
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 000000000000..058080fa8496
--- /dev/null
+++ b/.github/workflows/codeql.yml
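Review bot: `uses: platisd/clang-tidy-pr-comments@master` in the publish-review job is a mutable branch ref, so the third-party code that receives `secrets.GITHUB_TOKEN` and posts to the pull request can change without any commit to this repository; pin it to a full commit id (`uses: platisd/clang-tidy-pr-comments@<commit-sha>`), the way the sonar action elsewhere in this commit is at least tag-pinned. Neither job declares `permissions:`, so both run with the repository's default token scope although build needs only `permissions: { contents: read }` and publish-review only `permissions: { contents: read, pull-requests: write }`. The `sed` in "Strip docker path" hard-codes `/__w/sdk-nrf/sdk-nrf/nrf/` and silently rewrites nothing if the repository or checkout path is ever renamed; deriving the prefix from `$GITHUB_WORKSPACE` would be more robust. On pull requests opened from forks the default token is read-only, so the comment-posting step is likely to fail there; that follows from GitHub's fork-PR token rules rather than anything visible in the hunk.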
@@ -0,0 +1,65 @@
+name: "CodeQL"
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+ paths-ignore:
+ - '**/*.md'
+ - '**/*.rst'
+ - '**/*.txt'
+ schedule:
+ - cron: '0 0 * * *'
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+ container: nordicplayground/nrfconnect-sdk:main
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ steps:
+ - name: Checkout the code
+ uses: actions/checkout@v2
+ with:
+ path: ncs/nrf
+ fetch-depth: 0
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v2
+ with:
+ languages: 'c'
+
+ # Install more dependencies that are not part of the docker image but are needed by the workflow
+ - name: Install more deps
+ shell: bash
+ run: |
+ apt install -y gcc-multilib
+
+ # The docker image comes pre-initialized with west dependencies. We want to do west update ourselves to to be sure that we get the latest changes in all repos.
+ # The docker image is built nightly. So it may contain slightly out of date repos.
+ # Hence we remove the .west folder and do a re-init
+ - name: West init and update
+ shell: bash
+ run: |
+ rm -rf /workdir/.west/
+ west init -l ncs/nrf
+ cd ncs
+ west update --narrow -o=--depth=1
+
+ - name: Build with twister
+ shell: bash
+ run: |
+ source ncs/zephyr/zephyr-env.sh
+ echo "Run, Build Application using script"
+ ncs/zephyr/scripts/twister -b -v -i -T ncs/nrf/ -p native_posix --quarantine-list ncs/nrf/scripts/quarantine_downstream.yaml
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v2
+ with:
+ category: "/language:c"
diff --git a/.github/workflows/rebase_to_ncs_main.yml b/.github/workflows/rebase_to_ncs_main.yml
new file mode 100644
index 000000000000..668d3a9dcb48
--- /dev/null
+++ b/.github/workflows/rebase_to_ncs_main.yml
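Review bot: `container: nordicplayground/nrfconnect-sdk:main` pins the CodeQL build environment to a moving tag, so two analyses of the same commit can run on different toolchains and the image contents cannot be audited from the workflow; the other workflows in this commit pin `zephyrprojectrtos/ci:v0.26.4`, and this one should likewise use a versioned tag or an `@sha256:` digest. "Install more deps" runs `apt install -y gcc-multilib` without the `apt-get update` the sibling workflows perform first, which is likely to fail on a stale package index inside the image. The `permissions:` block with `security-events: write` is the right least-privilege shape for a CodeQL job and is the one thing the other workflows in this commit are missing.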
@@ -0,0 +1,43 @@
+name: Rebase from ncs main
+
+on:
+ schedule:
+ - cron: "0 0 * * *"
+ workflow_dispatch:
+
+
+jobs:
+ update:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+
+ - name: Rebase from main
+ run: |
+ git config --global user.email "actions@example.com"
+ git config --global user.name "github-actions[bot]"
+ git remote add ncs https://github.com/nrfconnect/sdk-nrf
+ git fetch ncs
+ git rev-parse HEAD
+ git rebase --verbose ncs/main
+
+ - name: Check if changes were made
+ run: |
+ if [[ `git diff origin/main --exit-code` ]]; then
+ echo "HAS_CHANGES=1" >> $GITHUB_ENV
+ else
+ echo "HAS_CHANGES=0" >> $GITHUB_ENV
+ fi
+
+ - name: Create Pull Request
+ if: env.HAS_CHANGES == '1'
+ uses: peter-evans/create-pull-request@v4
+ with:
+ token: ${{ secrets.PR_CREATOR_TOKEN }} # Personal access token of balaji-nordic with contents:write and pull requestes:write permission
+ title: 'Updates from upstream ncs'
+ assignees: balaji-nordic
+ reviewers: balaji-nordic
+ draft: true
diff --git a/.github/workflows/sonarcloud-native-posix.yml b/.github/workflows/sonarcloud-native-posix.yml
new file mode 100644
index 000000000000..26a09611f1e4
--- /dev/null
+++ b/.github/workflows/sonarcloud-native-posix.yml
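Review bot: In "Check if changes were made" the `[[ ... ]]` test wraps `git diff origin/main --exit-code` in command substitution, so it only checks whether the diff printed anything and `--exit-code` has no effect; a `git diff` that fails outright (for example if `origin/main` is not resolvable after the rebase) prints nothing and is reported as "no changes", silently skipping the pull request. `if ! git diff --quiet origin/main; then` tests the exit status directly and fails loudly on error. The comment on `token:` documents a classic personal access token of a named individual with contents and pull-request write permission; such a token is not scoped to this repository and its lifetime follows that account, so a fine-grained token restricted to this repository (or a GitHub App installation token) carrying only those two permissions is the least-privilege option, and the comment need not name the account. `git rev-parse HEAD` before the rebase looks like a debugging leftover.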
@@ -0,0 +1,116 @@
+name: Sonarcloud analysis (native_posix only)
+on:
+ push:
+ branches:
+ - main
+ pull_request_target:
+
+jobs:
+ build:
+ name: Sonar cloud analysis
+ runs-on: ubuntu-latest
+ container: zephyrprojectrtos/ci:v0.26.4
+ env:
+ BUILD_WRAPPER_OUT_DIR: build_wrapper_output_directory # Directory where build-wrapper output will be placed
+ CMAKE_PREFIX_PATH: /opt/toolchains
+ steps:
+ - name: Checkout the code
+ uses: actions/checkout@v2
+ if: github.event_name == 'pull_request_target'
+ with:
+ ref: ${{ github.event.pull_request.head.sha }} # Checkout the PR's head sha instead of the target branch's sha
+ path: ncs/nrf
+ fetch-depth: 0
+
+ - name: Checkout the code
+ uses: actions/checkout@v2
+ if: github.event_name != 'pull_request_target'
+ with:
+ path: ncs/nrf
+ fetch-depth: 0
+
+ # Install more dependencies that are not part of the docker image but are needed by the workflow
+ - name: Install more deps
+ run: |
+ apt-get update
+ apt install -y lcov curl ruby-full
+ pip3 install zcbor
+
+ - name: Install sonar-scanner and build-wrapper
+ uses: sonarsource/sonarcloud-github-c-cpp@v2.0.2
+
+ # The docker image comes pre-initialized with west dependencies. We want to do west update ourselves to to be sure that we get the latest changes in all repos.
+ # The docker image is built nightly. So it may contain slightly out of date repos.
+ # Hence we remove the .west folder and do a re-init
+ - name: West init and update
+ run: |
+ rm -rf /workdir/.west/
+ west init -l ncs/nrf
+ cd ncs
+ west update --narrow -o=--depth=1
+
+ # Download the quarantine file base branch. This is needed to build and run the tests. 
+ - name: Download quarentine file from nrf (PR only)
+ if: github.event_name == 'pull_request_target'
+ run: |
+ wget https://raw.githubusercontent.com/balaji-nordic/sdk-nrf/master/scripts/quarantine_downstream.yaml -P ncs/nrf/scripts/
+
+ - name: Build native_posix tests with coverage enabled (via sonarcloud build wrapper)
+ shell: bash
+ run: |
+ source ncs/zephyr/zephyr-env.sh
+ build-wrapper-linux-x86-64 --out-dir ${{ env.BUILD_WRAPPER_OUT_DIR }} ncs/zephyr/scripts/twister -b -C -v -i -T ncs/nrf/ -p native_posix --quarantine-list ncs/nrf/scripts/quarantine_downstream.yaml --coverage-tool gcovr
+
+ - name: Run native_posix tests
+ shell: bash
+ run: |
+ source ncs/zephyr/zephyr-env.sh
+ ncs/zephyr/scripts/twister --test-only -v -i -C -T ncs/nrf/ -p native_posix
+
+ # Exclude twister-out because we dont need coverage reports for mocks and generated files.
+ # Exclude tests/unity because it is not interesting
+ # Exclude folders that contain source code with multiple definitions of the same function
+ # depending on preprocessor macros. gcovr misbehaves due to this. 
+ # Issue: https://github.com/gcovr/gcovr/issues/586
+ - name: Collect coverage into one XML report
+ shell: bash
+ run: |
+ gcovr twister-out -v \
+ --exclude=twister-out \
+ --exclude=tests/unity \
+ --exclude=ncs/nrf/tests/subsys/dfu/dfu_target_stream/src/main.c \
+ --exclude=ncs/zephyr/subsys/net/ip \
+ --exclude=ncs/nrf/lib/hw_id/hw_id.c \
+ --exclude=ncs/zephyr/subsys/net/lib/sockets/sockets_tls.c \
+ --sonarqube coverage.xml
+
+ - name: Run sonar-scanner on main
+ if: github.event_name != 'pull_request_target'
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+ run: |
+ sonar-scanner -X \
+ --define project.settings=ncs/nrf/sonar-project.properties \
+ --define sonar.coverageReportPaths=coverage.xml \
+ --define sonar.cfamily.build-wrapper-output="${{ env.BUILD_WRAPPER_OUT_DIR }}"
+
+ - name: Run sonar-scanner on PR
+ if: github.event_name == 'pull_request_target'
+ env:
+ PR_NUMBER: ${{ github.event.pull_request.number }}
+ PR_BRANCH: ${{ github.event.pull_request.head.ref }}
+ BASE_REF: ${{ github.event.pull_request.base.ref }}
+ HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+ run: |
+ wget https://raw.githubusercontent.com/balaji-nordic/sdk-nrf/main/sonar-project.properties -P ncs/nrf
+ sonar-scanner -X \
+ --define project.settings=ncs/nrf/sonar-project.properties \
+ --define sonar.coverageReportPaths=coverage.xml \
+ --define sonar.cfamily.build-wrapper-output="${{ env.BUILD_WRAPPER_OUT_DIR }}" \
+ --define sonar.scm.revision=${{ env.HEAD_SHA }} \
+ --define sonar.pullrequest.key=${{ env.PR_NUMBER }} \
+ --define sonar.pullrequest.branch=${{ env.PR_BRANCH }} \
+ --define sonar.pullrequest.base=${{ env.BASE_REF }}
diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml
new file mode 100644
index 000000000000..18d81a0f4b79
--- /dev/null
+++ b/.github/workflows/sonarcloud.yml
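Review bot: The job runs under `pull_request_target`, checks out `github.event.pull_request.head.sha`, then sources `ncs/zephyr/zephyr-env.sh`, runs `west update` against the PR's own manifest, and builds and executes the PR's tests in the same job whose later "Run sonar-scanner on PR" step receives `SONAR_TOKEN` and the write-capable `GITHUB_TOKEN` that `pull_request_target` grants; code from an untrusted fork therefore runs as root in a container where it can replace the `sonar-scanner` or `build-wrapper-linux-x86-64` binaries or any file that step reads, and re-downloading the base branch's quarantine file and `sonar-project.properties` does not close that gap. The safer shape is to build, test and produce `coverage.xml` plus the build-wrapper output under a plain `pull_request` trigger with no secrets, upload them as an artifact, and run sonar-scanner with the tokens from a separate `workflow_run`-triggered workflow that only downloads artifacts and never checks out PR code; the push-to-main scan step can stay in this file since push runs only merged code. A smaller inconsistency: the quarantine file is fetched from the `master` branch of `balaji-nordic/sdk-nrf` while `sonar-project.properties` is fetched from `main` and the push trigger is on `main`; if `master` does not exist that `wget` fails the job before the build starts.
```yaml
on:
  push:
    branches:
      - main
  pull_request:
# … unchanged: job setup, west update, build, test and gcovr steps (the PR sonar-scanner step removed) …
      - name: Upload scan inputs for the privileged follow-up workflow
        uses: actions/upload-artifact@v2
        with:
          name: sonar-inputs
          path: |
            coverage.xml
            ${{ env.BUILD_WRAPPER_OUT_DIR }}
```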
@@ -0,0 +1,73 @@
+# Workflow that runs static code analysis using sonarcloud.io.
+name: Sonarcloud analysis
+on:
+ push:
+ branches:
+ - main
+ workflow_dispatch: # This is added to be able to trigger this manually from github's web UI.
+
+jobs:
+ build:
+ name: Sonar cloud analysis
+ runs-on: self-hosted
+ container: zephyrprojectrtos/ci:v0.26.4
+ concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+ env:
+ CMAKE_PREFIX_PATH: /opt/toolchains
+ steps:
+ - name: Checkout the code
+ uses: actions/checkout@v2
+ with:
+ path: ncs/nrf
+ fetch-depth: 0
+
+ # Install more dependencies that are not part of the docker image but are needed by the workflow
+ - name: Install more deps
+ run: |
+ apt-get update
+ apt install -y curl ruby-full jq
+
+ - name: Install sonar-scanner and build-wrapper
+ uses: sonarsource/sonarcloud-github-c-cpp@v2.0.2
+
+ # The docker image comes pre-initialized with west dependencies. We want to do west update ourselves to to be sure that we get the latest changes in all repos.
+ # The docker image is built nightly. So it may contain slightly out of date repos.
+ # Hence we remove the .west folder and do a re-init
+ - name: West init and update
+ run: |
+ rm -rf /workdir/.west/
+ west init -l ncs/nrf
+ cd ncs
+ west update --narrow -o=--depth=1
+
+ # For the sake of speed, stop the build at cmake stage. This is enough to get twister to
+ # generate the compilation database (compile_commands.json) for each sample/test.
+ # Note that the syscalls do not get generated by the build system. This will result in
+ # slightly incorrect analysis. But this is acceptable for the sake of speed.
+ - name: Invoke twister.
+ shell: bash
+ continue-on-error: true # Some samples fail to compile due to missing tools in the docker image. 
+ run: |
+ source ncs/zephyr/zephyr-env.sh
+ west twister --ninja --integration --quarantine-list ncs/nrf/scripts/quarantine.yaml --clobber-output --cmake-only -v -i -T ncs/nrf
+
+ # Since sonarscanner accepts just one json file for compilation database, we need to
+ # combine all the compile_commands.json files into one and then flatten it.
+ # The process of flattening is needed to avoid the error
+ # "Expected BEGIN_OBJECT but was BEGIN_ARRAY".
+ - name: Combine compilation database.
+ shell: bash
+ run: |
+ jq -s . `find . -name compile_commands.json` > combined_compile_commands_unflattened.json
+ cat combined_compile_commands_unflattened.json
+ jq -c '.[] | .[]' combined_compile_commands_unflattened.json | jq -s '.' > combined_compile_commands.json
+ cat combined_compile_commands.json
+
+ - name: Run sonar-scanner
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+ run: |
+ sonar-scanner -X --define project.settings=ncs/nrf/sonar-project.properties
diff --git a/scripts/quarantine_downstream.yaml b/scripts/quarantine_downstream.yaml
new file mode 100644
index 000000000000..e51fbc4a54b2
--- /dev/null
+++ b/scripts/quarantine_downstream.yaml
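Review bot: "Invoke twister." passes `--quarantine-list ncs/nrf/scripts/quarantine.yaml`, while every other workflow in this commit, and the only quarantine file the commit adds, use `scripts/quarantine_downstream.yaml`; if `quarantine.yaml` is not present in the checkout, twister's failure is hidden by the step's `continue-on-error: true` and the scan silently runs on whatever compilation database was produced, so the path should be `ncs/nrf/scripts/quarantine_downstream.yaml` unless a separate upstream list is deliberately intended (I cannot see from the diff whether that file exists). No `permissions:` block is declared, so the `GITHUB_TOKEN` handed to sonar-scanner carries the repository's default scope on a self-hosted runner; `permissions: { contents: read }` (adding `pull-requests: write` only if PR decoration is wanted) keeps it minimal. `sonar-scanner -X` turns on debug logging, which is useful while the pipeline is being brought up but is noisy in a permanent job and should be dropped once it is stable.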
@@ -0,0 +1,58 @@
+# The configurations resulting as a product of scenarios and platforms
+# will be skipped if quarantine is used. More details here:
+# https://docs.zephyrproject.org/latest/guides/test/twister.html#quarantine
+# To have an empty list use:
+# - scenarios:
+# - None
+# platforms:
+# - all
+
+- scenarios:
+ - sample.tfm.psa_test_crypto
+ - sample.tfm.psa_test_initial_attestation
+ - sample.tfm.psa_test_internal_trusted_storage
+ - sample.tfm.psa_test_protected_storage
+ - sample.tfm.psa_test_storage
+ - sample.tfm.regression_ipc_lvl1
+ - sample.tfm.regression_ipc_lvl2
+ - sample.tfm.regression_lib_mode
+ platforms:
+ - all
+ comment: "Disable zephyr Regression and PSA Arch tests, we maintain copies of these in sdk-nrf"
+
+- scenarios:
+ - sample.matter.lock.debug
+ - sample.matter.lock.release
+ - sample.matter.lock.smp_dfu
+ - sample.matter.lock.no_dfu
+ - sample.matter.lock.release.ffs
+ - sample.matter.lock.debug.ffs
+ - sample.matter.lock.release.smp_dfu_ffs
+ - sample.matter.light_bulb.debug
+ - sample.matter.light_bulb.release
+ - sample.matter.light_bulb.smp_dfu
+ - sample.matter.light_bulb.ffs
+ - sample.matter.light_bulb.no_dfu
+ - applications.matter_weather_station.debug
+ - applications.matter_weather_station.release
+ - sample.matter.light_switch.debug
+ - sample.matter.light_switch.release
+ - sample.matter.light_switch.smp_dfu
+ - sample.matter.light_switch.no_dfu
+ - sample.matter.template.debug
+ - sample.matter.template.release
+ - sample.matter.template.no_dfu
+ - sample.matter.window_cover.debug
+ - sample.matter.window_cover.release
+ - sample.matter.window_cover.smp_dfu
+ platforms:
+ - all
+ comment: "Disable building selected Matter samples to limit resources usage"
+
+- scenarios:
+ - applications.asset_tracker_v2.nrf7002ek_wifi-debug
+ - applications.asset_tracker_v2.nrf7002ek_wifi-release
+ - net.lib.download_client
+ platforms:
+ - all
+ comment: "Temporary disable till the issue is fixed. 
net.lib.download_client is disabled as it started failing on native_posix because of ioctl call returning 2. This happened after https://github.com/nrfconnect/sdk-nrf/pull/10876 was merged."
diff --git a/sonar-project.properties b/sonar-project.properties
new file mode 100644
index 000000000000..49f251e5c45e
--- /dev/null
+++ b/sonar-project.properties
@@ -0,0 +1,7 @@
+sonar.organization=balaji-nordic
+sonar.projectKey=balaji-nordic_sdk-nrf
+sonar.host.url=https://sonarcloud.io
+sonar.exclusions=ncs/modules/**,ncs/zephyr/**,ncs/nrf/ext/**,**/*.vsdx,**twister-out**,**/*.java,**/*.html,**/*.xml,**/*.php,**/*.json
+sonar.cpd.exclusions=**CMakeFiles**
+# Use compilation database for scanning. This database will be generated by the sonarcloud workflow.
+sonar.cfamily.compile-commands=combined_compile_commands.json