New ignore file and reworked fossid workflow to reduce false positives #31
danielsoden0404 wants to merge 4 commits into develop from
Conversation
…d-cicd image to fossid-toolbox
Pull request overview
This PR updates the FossID pre-merge diff scan setup to reduce false positives by switching to the recommended fossid-toolbox image/CLI and replacing the previous ignore-file approach with a generated ignore list.
Changes:
- Added a generated `ignored_projects_list` containing Gerrit OSS project IDs and GitHub org wildcards to ignore.
- Removed the older `ignore_projects_fossid` ignore file.
- Reworked the FossID GitHub Actions workflow to use `quay.io/fossid/fossid-toolbox` and updated CLI flags/file paths accordingly.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| ignored_projects_list | Introduces the new generated ignore list used to reduce false positives. |
| ignore_projects_fossid | Deletes the previous ignore file in favor of the new list. |
| .github/workflows/fossid_integration_stateless_diffscan.yml | Switches workflow execution to fossid-toolbox/fossid diffscan and updates ignore-projects handling. |
| - name: Checkout ignore projects file | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| repository: rdkcentral/build_tools_workflows | ||
| sparse-checkout: | | ||
| ignore_projects_fossid | ||
| ref: develop | ||
| path: tools | ||
| token: ${{ secrets.RDKCM_RDKE }} | ||
| - name: Run fossid-cicd | ||
| repository: rdkcentral/build_tools_workflows | ||
| sparse-checkout: | | ||
| ignored_projects_list | ||
| ref: develop | ||
| path: tools |
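Review bot: the replacement checkout block (`sparse-checkout: ignored_projects_list` through `path: tools`) drops the `token: ${{ secrets.RDKCM_RDKE }}` line that the removed step carried, and the step label `- name: Run fossid-cicd` still names the image this PR moves away from. Restore the token input so the checkout of rdkcentral/build_tools_workflows behaves like the other workflows in this repo, and rename the step (for example `Run fossid-toolbox diffscan`) so the job log reflects what actually runs.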
This checkout pulls from rdkcentral/build_tools_workflows without providing a token. In this repo, other workflows use ${{ secrets.RDKCM_RDKE }} when checking out rdkcentral/build_tools_workflows, and without a token this step can fail (private repo) or hit stricter rate limits. Consider adding a token: input (or making it a required secret for this workflow) for consistency and reliability.
| - name: Checkout ignore projects file | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| repository: rdkcentral/build_tools_workflows | ||
| sparse-checkout: | | ||
| ignore_projects_fossid | ||
| ref: develop | ||
| path: tools | ||
| token: ${{ secrets.RDKCM_RDKE }} | ||
| - name: Run fossid-cicd | ||
| repository: rdkcentral/build_tools_workflows | ||
| sparse-checkout: | | ||
| ignored_projects_list | ||
| ref: develop |
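Review bot: `ref: develop` checks out a moving branch, so the set of projects a scan ignores can change between runs without any change in this repository, which makes a sudden rise or drop in reported matches hard to attribute. Consider pinning the checkout to a tag or commit SHA of rdkcentral/build_tools_workflows that is bumped deliberately, or at least printing the resolved commit of `tools/ignored_projects_list` in the job log so scan results stay reproducible.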
This repository now includes an ignored_projects_list file at the repo root, but the workflow ignores it and instead checks out tools/ignored_projects_list from rdkcentral/build_tools_workflows@develop. This can lead to the checked-in list going stale/confusing. Either remove the root file, or update the workflow to use the in-repo list (and drop the extra checkout) so there is a single source of truth.
7de58ed6dfb35940bf3521ed00000000 Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Pull request overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
In this change I used a script to generate a list of IDs of open source Gerrit repos to ignore and included the rdkcentral and rdkcmf ignore wildcards.
I also reworked the workflow file according to advice from fossid that the image we should be using for diffscan is fossid-toolbox, not fossid-cicd. From here I adjusted some of the flags accordingly.