Skip to content

Pslb 4 ncs version example finalize and build for pslb#26

Merged
ParthSanepara merged 8 commits intomainfrom
PSLB-4-NCS-Version-example-finalize-and-build-for-PSLB
Jul 14, 2025
Merged

Pslb 4 ncs version example finalize and build for pslb#26
ParthSanepara merged 8 commits intomainfrom
PSLB-4-NCS-Version-example-finalize-and-build-for-PSLB

Conversation

@ParthSanepara
Copy link
Copy Markdown
Member

@ParthSanepara ParthSanepara commented Jul 14, 2025

No description provided.

@ParthSanepara ParthSanepara requested a review from Copilot July 14, 2025 19:02
github-advanced-security[bot]
github-advanced-security AI found potential problems Jul 14, 2025
View reviewed changes
Comment thread .github/workflows/build.yml
Comment on lines +21 to +75
runs-on: ubuntu-latest
container: ghcr.io/nrfconnect/sdk-nrf-toolchain:v3.0.2
defaults:
run:
# Bash shell is needed to set toolchain related environment variables in docker container
# It is a workaround for GitHub Actions limitation https://github.com/actions/runner/issues/1964
shell: bash
strategy:
matrix:
board: [nrf54l15dk/nrf54l15/cpuapp] # Add


steps:
- name: Checkout repository pslabel
uses: actions/checkout@v4
with:
path: pslabel

- name: Prepare west project
run: |
west init -l pslabel
west update -o=--depth=1 -n

- name: Build Firmware
working-directory: pslabel
run: |
west build app -b ${{ matrix.board }}

- name: Extract version and create prefix
run: |
MAJOR=$(grep VERSION_MAJOR pslabel/app/VERSION | awk -F'=' '{print $2}' | tr -d '\r' | xargs)
MINOR=$(grep VERSION_MINOR pslabel/app/VERSION | awk -F'=' '{print $2}' | tr -d '\r' | xargs)
PATCH=$(grep PATCHLEVEL pslabel/app/VERSION | awk -F'=' '{print $2}' | tr -d '\r' | xargs)
VERSION="${MAJOR}.${MINOR}.${PATCH}"
echo "PREFIX=${{ github.event.repository.name }}-v${VERSION}" >> $GITHUB_ENV

- name: Generate short SHA
uses: benjlevesque/short-sha@v3.0

- name: Prepare artifacts
run: |
cd pslabel/build
mkdir -p artifacts
mv merged.hex artifacts/${{ env.PREFIX }}-${{ env.SHA }}.hex
if [ -f dfu_application.zip ]; then
mv dfu_application.zip artifacts/${{ env.PREFIX }}-FOTA-${{ env.SHA }}.zip
fi

# Run IDs are unique per repo but are reused on re-runs
- name: Save artifact
uses: actions/upload-artifact@v4
with:
name: build_artifacts_${{ github.run_id }}
path: |
pslabel/build/artifacts/*

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 10 months ago

To fix the issue, we will explicitly add a permissions block to the workflow. The permissions block will limit the GITHUB_TOKEN access to only the permissions required for the workflow's operations. Based on the tasks in the workflow (checking out the repository, building firmware, preparing artifacts, and uploading artifacts), the following permissions will be set:

  • contents: read — Required for reading repository contents (e.g., actions/checkout).
  • actions: write — Required for uploading artifacts (actions/upload-artifact).

The permissions block will be added at the root of the workflow, ensuring that all jobs inherit these minimal permissions unless overridden.

Suggested changeset 1
.github/workflows/build.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,3 +1,6 @@
+permissions:
+  contents: read
+  actions: write
 name: Build code
 
 concurrency:
EOF
@@ -1,3 +1,6 @@
permissions:
contents: read
actions: write
name: Build code

concurrency:
Copilot is powered by AI and may make mistakes. Always verify output.
Comment thread .github/workflows/release.yml
Comment on lines +60 to +63
needs: stage-release
uses: ./.github/workflows/build.yml

upload-binaries:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 10 months ago

To fix the issue, we will add a permissions key at the root of the workflow file, setting the least privileges necessary for all jobs. Additionally, we will review the permissions for each job that does not already define them explicitly. For example:

  • At the root level, set default permissions to contents: read, which is usually sufficient for most workflows.
  • For the stage-release and upload-binaries jobs, which require elevated permissions, retain their explicit permissions: write-all configuration.
  • Ensure that all jobs or workflows that use GITHUB_TOKEN explicitly declare permissions.
Suggested changeset 1
.github/workflows/release.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -4,6 +4,9 @@
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
   
+permissions:
+  contents: read
+
 on:
   push:
     tags:
@@ -59,6 +62,8 @@
   build-binaries:
     needs: stage-release
     uses: ./.github/workflows/build.yml
+    permissions:
+      contents: read
 
   upload-binaries:
     needs: [build-binaries, stage-release]
EOF
@@ -4,6 +4,9 @@
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

permissions:
contents: read

on:
push:
tags:
@@ -59,6 +62,8 @@
build-binaries:
needs: stage-release
uses: ./.github/workflows/build.yml
permissions:
contents: read

upload-binaries:
needs: [build-binaries, stage-release]
Copilot is powered by AI and may make mistakes. Always verify output.

This comment was marked as outdated.

Sign in to view

Copilot AI reviewed Jul 14, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

Finalize and streamline the PSLabel application build by bumping NCS revisions, removing example libraries/tests, renaming the project, and updating CI/CD workflows.

  • Bump NCS sdk-nrf revision and strip out sample libraries, drivers, and tests
  • Rename CMake project from app to pslabel and adjust source references
  • Revise GitHub Actions for SonarCloud, documentation, build, and release

Reviewed Changes

Copilot reviewed 36 out of 36 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
west.yml Updated sdk-nrf revision to v3.0.2 and removed example west-commands section
app/CMakeLists.txt Renamed project to pslabel but left target_sources referencing app
.github/workflows/sonarcloud.yml Swapped Twister build for coverage build and adjusted exclusion patterns
doc/Doxyfile Changed STRIP_FROM_PATH to point at ../app/src instead of ../include
.github/workflows/build.yml Updated Docker container version, checkout path, and left an incomplete comment in matrix
Comments suppressed due to low confidence (4)

.github/workflows/sonarcloud.yml:86

  • This line lacks a trailing backslash, so the subsequent --define sonar.scm.revision isn't included in the same command. Add \ to continue the shell command.
            --define sonar.exclusions=build/**,modules/**,bootloader/**,doc/**,boards/**,west.yml,*.md,*.txt,*.json,*.yml,*.yaml

doc/Doxyfile:187

  • [nitpick] The original ../include path was removed. If your headers still live under include/, consider listing both paths here (e.g., = ../app/src ../include).
STRIP_FROM_PATH        = ../app/src \

.github/workflows/build.yml:30

  • [nitpick] The # Add comment is incomplete and may confuse future readers. Either remove it or clarify what additional entries should be added.
        board: [nrf54l15dk/nrf54l15/cpuapp] # Add

west.yml:4

  • [nitpick] The self: section and its west-commands entry were removed without adjusting indentation. Verify that the manifest structure is still valid and re-add or correctly indent the self block if needed.
manifest:

Comment thread app/CMakeLists.txt
hprstech and others added 2 commits July 15, 2025 01:01
@hprstech
Update app/CMakeLists.txt
fc23d85 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@ParthSanepara
fix: correct target_sources reference from 'pslabel' to 'app' in CMak…
0d4969f 
…eLists.txt
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented Jul 14, 2025

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@ParthSanepara ParthSanepara merged commit 823f23f into main Jul 14, 2025
10 checks passed
@ParthSanepara ParthSanepara deleted the PSLB-4-NCS-Version-example-finalize-and-build-for-PSLB branch July 14, 2025 21:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@hprstech hprstech hprstech approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@ParthSanepara @github-advanced-security @hprstech