| name: Build data-model-cli component in github rdkcentral | ||
| runs-on: ubuntu-latest | ||
| container: | ||
| image: ghcr.io/rdkcentral/docker-rdk-ci:latest | ||
|
|
||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v3 | ||
|
|
||
| - name: native build | ||
| run: | | ||
| # Trust the workspace | ||
| git config --global --add safe.directory '*' | ||
| # Pull the latest changes for the native build system | ||
| git submodule update --init --recursive --remote | ||
| # Build and install dependencies | ||
| chmod +x build_tools_workflows/cov_docker_script/setup_dependencies.sh | ||
| ./build_tools_workflows/cov_docker_script/setup_dependencies.sh ./cov_docker_script/component_config.json | ||
| # Build component | ||
| chmod +x build_tools_workflows/cov_docker_script/build_native.sh | ||
| ./build_tools_workflows/cov_docker_script/build_native.sh ./cov_docker_script/component_config.json "$(pwd)" | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.RDKCM_RDKE }} |
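Review bot: `git submodule update --init --recursive --remote` in the `native build` step checks out the tip of the submodule's tracked branch, not the commit this PR pins for `build_tools_workflows`, so each CI run executes `setup_dependencies.sh` and `build_native.sh` from a moving upstream while `secrets.RDKCM_RDKE` is exposed to that step as `GITHUB_TOKEN`. Drop `--remote` so the job builds with the pinned commit, and advance the pin deliberately when the build system changes.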
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium
Copilot Autofix
AI 6 days ago
In general, the fix is to explicitly declare permissions for the workflow or for the individual job, granting only the minimal scopes required. For a build job that just needs to read the repository contents, the appropriate minimal setting is typically contents: read. Additional scopes (like packages: read) should only be added if the job actually needs them (not evident from the snippet), so we keep it to contents: read.
The single best way to fix this, without changing existing behavior, is to add a permissions block to the build-data-model-cli-on-pr job. According to GitHub’s documentation, actions/checkout can operate with contents: read, and there is no code here that requires write access to the repository or to other resources mediated by GITHUB_TOKEN. We therefore insert:
permissions:
  contents: read
directly under the job definition (e.g., below name:), indented to align with other job-level keys. No additional imports or external libraries are needed, as this is purely a workflow configuration change in .github/workflows/native-build.yml.
| @@ -9,6 +9,8 @@ | ||
| jobs: | ||
| build-data-model-cli-on-pr: | ||
| name: Build data-model-cli component in github rdkcentral | ||
| permissions: | ||
| contents: read | ||
| runs-on: ubuntu-latest | ||
| container: | ||
| image: ghcr.io/rdkcentral/docker-rdk-ci:latest |
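Review bot: the job-level `contents: read` only scopes the automatically issued `GITHUB_TOKEN`; the `native build` step later overrides `GITHUB_TOKEN` with `${{ secrets.RDKCM_RDKE }}`, a repository secret whose access this `permissions:` block does not limit. Worth stating in the PR which command actually needs that secret (the submodule fetch is the obvious candidate) and whether the default token with `contents: read` would do, otherwise the fix tightens a token the build step never uses.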
Pull request overview
Adds configuration and CI wiring to support Coverity “Native Build” integration for the dm-cli component (RDKB-62989).
Changes:
- Introduces a dependency/build configuration JSON and a shared configure-options file for native/autotools builds.
- Adds a Git submodule pointing at rdkcentral/build_tools_workflows and a GitHub Actions workflow to run the native build in CI.
- Adds a pointer README to the centralized native build system documentation.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| cov_docker_script/configure_options.conf | Adds centralized CPP/C/LDFLAGS and libraries for the native/autotools build. |
| cov_docker_script/component_config.json | Defines dependency repos, header staging, pre-build codegen, and autotools build settings for dm-cli. |
| cov_docker_script/README.md | Points readers to centralized documentation (but link formatting needs correction). |
| build_tools_workflows | Adds the native build system as a submodule pinned to a commit. |
| .gitmodules | Registers the build_tools_workflows submodule and its default branch. |
| .github/workflows/native-build.yml | Adds CI job to run native build + dependency setup inside the RDK CI container. |
| The documentation and source for the RDK-B native build system has been centralized in [rdkcentral/build_tools_workflows] | ||
| (https://github.com/rdkcentral/build_tools_workflows/blob/develop/cov_docker_script/README.md) | ||
|
|
The Markdown link is currently split across two lines, which prevents it from rendering as a clickable link. Combine it into a single inline link like [rdkcentral/build_tools_workflows](https://...).
| The documentation and source for the RDK-B native build system has been centralized in [rdkcentral/build_tools_workflows] | |
| (https://github.com/rdkcentral/build_tools_workflows/blob/develop/cov_docker_script/README.md) | |
| The documentation and source for the RDK-B native build system has been centralized in [rdkcentral/build_tools_workflows](https://github.com/rdkcentral/build_tools_workflows/blob/develop/cov_docker_script/README.md) |
| - name: native build | ||
| run: | | ||
| # Trust the workspace | ||
| git config --global --add safe.directory '*' |
Setting safe.directory to '*' is overly permissive and weakens Git’s safety checks. Prefer scoping it to the repository workspace only (e.g., ${GITHUB_WORKSPACE} or the explicit checkout path).
| git config --global --add safe.directory '*' | |
| git config --global --add safe.directory "$GITHUB_WORKSPACE" |
|
|
||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v3 |
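Review bot: beyond the major-version bump, pin `actions/checkout` to a full-length commit SHA (keeping the tag in a trailing comment for readability) rather than the mutable `v3`/`v4` tag, so the action code this job executes cannot change underneath the workflow without a visible diff in this file.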
actions/checkout@v3 is outdated; update to actions/checkout@v4 to pick up the latest fixes and improvements.
| uses: actions/checkout@v3 | |
| uses: actions/checkout@v4 |
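The review points raised above (the CodeQL "does not contain permissions" finding, the `safe.directory '*'` comment, the `actions/checkout` version pin, and the `--remote` submodule update in the `native build` step) are all things a reviewer can check mechanically before a workflow lands. The following is an added example, not code from the PR, CodeQL or Copilot: a small stdlib-only scanner that reports those four patterns for each job. It is a line-based heuristic over the two-space YAML layout used in this workflow, not a YAML parser, so keys nested inside `run: |` scripts or flow-style mappings are not understood. The sample workflow is constructed to mirror the one under review; the `lint` job and the 40-zero commit SHA are placeholders.

```python
"""Heuristic audit of a GitHub Actions workflow for the hardening points raised
in this review: missing `permissions`, actions pinned to mutable tags,
`safe.directory '*'`, and `git submodule update --remote`.

Added example, not part of the PR, CodeQL or Copilot. Line-based scanner over a
two-space YAML layout, not a YAML parser; treat its output as a review aid.
"""
import re

# Constructed sample mirroring the workflow under review (job, action and
# secret names are the page's; the 40-zero SHA in the second job is a
# placeholder, not a real commit).
SAMPLE_WORKFLOW = """\
name: native build
on: [pull_request]
jobs:
  build-data-model-cli-on-pr:
    name: Build data-model-cli component in github rdkcentral
    runs-on: ubuntu-latest
    container:
      image: ghcr.io/rdkcentral/docker-rdk-ci:latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - name: native build
        run: |
          git config --global --add safe.directory '*'
          git submodule update --init --recursive --remote
        env:
          GITHUB_TOKEN: ${{ secrets.RDKCM_RDKE }}
  lint:
    permissions:
      contents: read
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # placeholder SHA
      - run: echo lint
"""

KEY_RE = re.compile(r"^(\s*)([A-Za-z0-9_.-]+):")   # "  key:" with its indent
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")    # step "uses: owner/repo@ref"
SHA_RE = re.compile(r"^[0-9a-f]{40}$")             # full-length commit id


def audit_workflow(text):
    """Return sorted (job, finding) pairs for the given workflow text."""
    findings = []
    top_level_permissions = False
    in_jobs = False
    current_job = None
    jobs = []
    jobs_with_permissions = set()

    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            indent, key = len(m.group(1)), m.group(2)
            if indent == 0:                      # top-level key: name, on, jobs, permissions
                in_jobs = key == "jobs"
                current_job = None
                top_level_permissions |= key == "permissions"
            elif in_jobs and indent == 2:        # a job id under jobs:
                current_job = key
                jobs.append(key)
            elif in_jobs and indent == 4 and key == "permissions" and current_job:
                jobs_with_permissions.add(current_job)

        job = current_job or "<workflow>"
        u = USES_RE.match(line)
        if u:
            ref = u.group(1).rsplit("@", 1)
            if len(ref) != 2 or not SHA_RE.match(ref[1]):
                findings.append((job, f"action not pinned to a commit SHA: {u.group(1)}"))
        body = line.strip()
        if "safe.directory" in body and "'*'" in body:
            findings.append((job, "safe.directory set to '*'"))
        if "git submodule update" in body and "--remote" in body:
            findings.append((job, "submodule update --remote ignores the pinned commit"))

    if not top_level_permissions:                # a workflow-level block covers every job
        for job in jobs:
            if job not in jobs_with_permissions:
                findings.append((job, "no permissions block"))
    return sorted(findings)


if __name__ == "__main__":
    for job, finding in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{job}: {finding}")
```

Run against the sample, the `build-data-model-cli-on-pr` job produces all four findings and the `lint` job none; once a workflow-level `permissions:` block is added, the wildcard is replaced by `"$GITHUB_WORKSPACE"`, `--remote` is dropped and the action is pinned to a SHA, the report is empty.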
|
|
||
| # MoCA specific | ||
| -DMOCA_HOME_ISOLATION | ||
| -DMOCA_DIAGONISTIC |
Possible typo in macro name: MOCA_DIAGONISTIC looks like it should be MOCA_DIAGNOSTIC. If the code checks for the correctly-spelled macro, this define will have no effect.
| -DMOCA_DIAGONISTIC | |
| -DMOCA_DIAGNOSTIC |
| -Wl,--allow-shlib-undefined | ||
| -Wl,--unresolved-symbols=ignore-all |
These linker flags can mask real missing-symbol/linkage problems by allowing unresolved symbols through. If they are required for this native/Coverity flow, consider documenting the rationale here and/or scoping them to only the specific binaries that need them to avoid hiding genuine link errors.
This file is not specific to the component. Please get the list from the do_compile log of the component.
These changes add support for Coverity enabling for the datamodel-cli component as part of RDKB-62989.