nrfconnect · balaji-srin · Nov 30, 2022 · Nov 28, 2022 · Dec 8, 2022 · Dec 9, 2022
@@ -0,0 +1,110 @@
+name: Clang-tidy review
+on:
+  pull_request:
+
+jobs:
+  build:
+    name: Clang tidy review
+    runs-on: ubuntu-latest
+    container: zephyrprojectrtos/ci-base:v0.26.4
+    env:
+      CMAKE_PREFIX_PATH: /opt/toolchains
+    steps:
+      - name: Checkout the code
+        uses: actions/checkout@v2
+        with:
+          path: nrf
+          fetch-depth: 0
+
+      - name: Install deps
+        run: |
+          apt-get update
+          apt-get install -y jq clang clang-tidy ruby-full
+
+      - name: West init and update
+        working-directory: nrf
+        run: |
+          west init -l .
+          west update --narrow -o=--depth=1
+
+      - name: Build for native_posix
+        shell: bash
+        working-directory: nrf
+        continue-on-error: true # The llvm build fails with a non-zero exit code due to link stage error. But we still want to run clang-tidy. The clang-tidy will catch compile errors anyway. The point here is to get the compile_commands.json file and all the necessary headerfiles generated with clang as the compiler.
+        run: |
+          export ZEPHYR_TOOLCHAIN_VARIANT=llvm
+          ../zephyr/scripts/twister -b -v -i -T ./ -p native_posix --quarantine-list scripts/quarantine_downstream.yaml
+
+      - name: Use jq to combine compile_commands.json files
+        shell: bash
+        working-directory: nrf
+        run: |
+          jq -s 'map(.[])' `find . -name compile_commands.json` > compile_commands.json
+
+      - name: Analyze
+        shell: bash
+        working-directory: nrf
+        run: |
+          mkdir clang-tidy-result
+          git fetch origin ${{ github.event.pull_request.base.sha }}
+          git diff -U0  ${{ github.event.pull_request.base.sha }} | clang-tidy-diff -p1 -path . -export-fixes clang-tidy-result/fixes.yml
+
+      - name: Print clang tidy results (yml format))
+        shell: bash
+        working-directory: nrf
+        run: |
+          ls clang-tidy-result
+          cat clang-tidy-result/fixes.yml
+
+      - name: Strip docker path so that the publisher workflow can find the files without being in a container
+        shell: bash
+        working-directory: nrf
+        run: |
+          sed -i "s/\/__w\/sdk-nrf\/sdk-nrf\/nrf\///g" clang-tidy-result/fixes.yml
+
+      - name: Upload clang tidy result as artifact
+        uses: actions/upload-artifact@v2
+        with:
+          name: clang-tidy-result
+          path: nrf/clang-tidy-result
+
+      - name: Upload compile_commands.json as artifact
+        uses: actions/upload-artifact@v2
+        with:
+          name: compile_commands.json
+          path: nrf/compile_commands.json
+
+  publish-review:
+    name: Publish clang tidy review
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - name: Checkout the code
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Download artifacts
+        uses: actions/download-artifact@v2
+        with:
+          name: clang-tidy-result
+          path: clang-tidy-result
+
+      - name: Debug
+        shell: bash
+        run: |
+          ls clang-tidy-result
+          cat clang-tidy-result/fixes.yml
+
+      - name: Run clang-tidy-pr-comments action
+        uses: platisd/clang-tidy-pr-comments@master
+        with:
+          # The GitHub token (or a personal access token)
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          # The path to the clang-tidy fixes generated previously
+          clang_tidy_fixes: clang-tidy-result/fixes.yml
+          # Optionally set the number of comments per review
+          # to avoid GitHub API timeouts for heavily loaded
+          # pull requests
+          suggestions_per_comment: 10
+
@@ -0,0 +1,65 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+    paths-ignore:
+      - '**/*.md'
+      - '**/*.rst'
+      - '**/*.txt'
+  schedule:
+    - cron: '0 0 * * *'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    container: nordicplayground/nrfconnect-sdk:main
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    steps:
+    - name: Checkout the code
+      uses: actions/checkout@v2
+      with:
+        path: ncs/nrf
+        fetch-depth: 0
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: 'c'
+
+    # Install more dependencies that are not part of the docker image but are needed by the workflow
+    - name: Install more deps
+      shell: bash
+      run: |
+        apt install -y gcc-multilib
+
+    # The docker image comes pre-initialized with west dependencies. We want to do west update ourselves to to be sure that we get the latest changes in all repos.
+    # The docker image is built nightly. So it may contain slightly out of date repos.
+    # Hence we remove the .west folder and do a re-init
+    - name: West init and update
+      shell: bash
+      run: |
+        rm -rf /workdir/.west/
+        west init -l ncs/nrf
+        cd ncs
+        west update --narrow -o=--depth=1
+
+    - name: Build with twister
+      shell: bash
+      run: |
+        source ncs/zephyr/zephyr-env.sh
+        echo "Run, Build Application using script"
+        ncs/zephyr/scripts/twister -b -v -i -T ncs/nrf/ -p native_posix --quarantine-list ncs/nrf/scripts/quarantine_downstream.yaml
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2
+      with:
+        category: "/language:c"
@@ -0,0 +1,43 @@
+name: Rebase from ncs main
+
+on:
+  schedule:
+    - cron: "0 0 * * *"
+  workflow_dispatch:
+
+
+jobs:
+  update:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Rebase from main
+        run: |
+          git config --global user.email "[email protected]"
+          git config --global user.name "github-actions[bot]"
+          git remote add  ncs https://github.com/nrfconnect/sdk-nrf
+          git fetch ncs
+          git rev-parse HEAD
+          git rebase --verbose ncs/main
+
+      - name: Check if changes were made
+        run: |
+          if [[ `git diff origin/main --exit-code` ]]; then
+            echo "HAS_CHANGES=1" >> $GITHUB_ENV
+          else
+            echo "HAS_CHANGES=0" >> $GITHUB_ENV
+          fi
+
+      - name: Create Pull Request
+        if: env.HAS_CHANGES == '1'
+        uses: peter-evans/create-pull-request@v4
+        with:
+          token: ${{ secrets.PR_CREATOR_TOKEN }} # Personal access token of balaji-nordic with contents:write and pull requestes:write permission
+          title: 'Updates from upstream ncs'
+          assignees: balaji-nordic
+          reviewers: balaji-nordic
+          draft: true
@@ -0,0 +1,116 @@
+name: Sonarcloud analysis (native_posix only)
+on:
+  push:
+    branches:
+      - main
+  pull_request_target:
+
+jobs:
+  build:
+    name: Sonar cloud analysis
+    runs-on: ubuntu-latest
+    container: zephyrprojectrtos/ci:v0.26.4
+    env:
+      BUILD_WRAPPER_OUT_DIR: build_wrapper_output_directory # Directory where build-wrapper output will be placed
+      CMAKE_PREFIX_PATH: /opt/toolchains
+    steps:
+      - name: Checkout the code
+        uses: actions/checkout@v2
+        if: github.event_name == 'pull_request_target'
+        with:
+          ref: ${{ github.event.pull_request.head.sha  }} # Checkout the PR's head sha instead of the target branch's sha
+          path: ncs/nrf
+          fetch-depth: 0
+
+      - name: Checkout the code
+        uses: actions/checkout@v2
+        if: github.event_name != 'pull_request_target'
+        with:
+          path: ncs/nrf
+          fetch-depth: 0
+
+      # Install more dependencies that are not part of the docker image but are needed by the workflow
+      - name: Install more deps
+        run: |
+          apt-get update
+          apt install -y lcov curl ruby-full
+          pip3 install zcbor
+
+      - name: Install sonar-scanner and build-wrapper
+        uses: sonarsource/[email protected]
+
+      # The docker image comes pre-initialized with west dependencies. We want to do west update ourselves to to be sure that we get the latest changes in all repos.
+      # The docker image is built nightly. So it may contain slightly out of date repos.
+      # Hence we remove the .west folder and do a re-init
+      - name: West init and update
+        run: |
+          rm -rf /workdir/.west/
+          west init -l ncs/nrf
+          cd ncs
+          west update --narrow -o=--depth=1
+
+      # Download the quarantine file base branch. This is needed to build and run the tests.
+      - name: Download quarentine file from nrf (PR only)
+        if: github.event_name == 'pull_request_target'
+        run: |
+          wget https://raw.githubusercontent.com/balaji-nordic/sdk-nrf/master/scripts/quarantine_downstream.yaml -P ncs/nrf/scripts/
+
+      - name: Build native_posix tests with coverage enabled (via sonarcloud build wrapper)
+        shell: bash
+        run: |
+          source ncs/zephyr/zephyr-env.sh
+          build-wrapper-linux-x86-64 --out-dir ${{ env.BUILD_WRAPPER_OUT_DIR }} ncs/zephyr/scripts/twister -b -C -v -i -T ncs/nrf/ -p native_posix --quarantine-list ncs/nrf/scripts/quarantine_downstream.yaml --coverage-tool gcovr
+
+      - name: Run native_posix tests
+        shell: bash
+        run: |
+          source ncs/zephyr/zephyr-env.sh
+          ncs/zephyr/scripts/twister --test-only -v -i -C -T ncs/nrf/ -p native_posix
+
+      # Exclude twister-out because we dont need coverage reports for mocks and generated files.
+      # Exclude tests/unity because it is not interesting
+      # Exclude folders that contain source code with multiple definitions of the same function
+      # depending on preprocessor macros. gcovr misbehaves due to this.
+      # Issue: https://github.com/gcovr/gcovr/issues/586
+      - name: Collect coverage into one XML report
+        shell: bash
+        run: |
+          gcovr twister-out -v \
+            --exclude=twister-out \
+            --exclude=tests/unity \
+            --exclude=ncs/nrf/tests/subsys/dfu/dfu_target_stream/src/main.c \
+            --exclude=ncs/zephyr/subsys/net/ip \
+            --exclude=ncs/nrf/lib/hw_id/hw_id.c \
+            --exclude=ncs/zephyr/subsys/net/lib/sockets/sockets_tls.c \
+            --sonarqube coverage.xml
+
+      - name: Run sonar-scanner on main
+        if: github.event_name != 'pull_request_target'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        run: |
+          sonar-scanner -X \
+                        --define project.settings=ncs/nrf/sonar-project.properties \
+                        --define sonar.coverageReportPaths=coverage.xml \
+                        --define sonar.cfamily.build-wrapper-output="${{ env.BUILD_WRAPPER_OUT_DIR }}"
+
+      - name: Run sonar-scanner on PR
+        if: github.event_name == 'pull_request_target'
+        env:
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          PR_BRANCH: ${{ github.event.pull_request.head.ref }}
+          BASE_REF: ${{ github.event.pull_request.base.ref }}
+          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        run: |
+          wget https://raw.githubusercontent.com/balaji-nordic/sdk-nrf/main/sonar-project.properties -P ncs/nrf
+          sonar-scanner -X \
+                        --define project.settings=ncs/nrf/sonar-project.properties \
+                        --define sonar.coverageReportPaths=coverage.xml \
+                        --define sonar.cfamily.build-wrapper-output="${{ env.BUILD_WRAPPER_OUT_DIR }}" \
+                        --define sonar.scm.revision=${{ env.HEAD_SHA }} \
+                        --define sonar.pullrequest.key=${{ env.PR_NUMBER }} \
+                        --define sonar.pullrequest.branch=${{ env.PR_BRANCH }} \
+                        --define sonar.pullrequest.base=${{ env.BASE_REF }}