SDLe fix: Github workflow vulnerabilities and migration to github runner

.github/actions/analysis/coverity/action.yml

@@ -4,25 +4,60 @@
 # SPDX-License-Identifier: BSD-3-Clause
 #
 name: 'Coverity Scan'
-description: 'Run Coverity static analysis (assumes Coverity pre-installed on runner)'
+description: 'Install (if needed) and run Coverity static analysis'
+
+inputs:
+  coverity-url:
+    description: 'URL to download the Coverity analysis tarball'
+    required: true
+  coverity-user:
+    description: 'Artifactory username for Coverity download'
+    required: true
+  coverity-password:
+    description: 'Artifactory password for Coverity download'
+    required: true
 
 runs:
   using: composite
   steps:
+    - name: Install Coverity
+      shell: bash
+      env:
+        COVERITY_URL: ${{ inputs.coverity-url }}
+        COVERITY_USER: ${{ inputs.coverity-user }}
+        COVERITY_PASSWORD: ${{ inputs.coverity-password }}
+      run: |
+        echo "===== Coverity Setup ====="
+        COVERITY_DIR="$HOME/coverity"
+        if [ -x "$COVERITY_DIR/bin/cov-build" ]; then
+          echo "  [OK] Coverity already installed at $COVERITY_DIR"
+          "$COVERITY_DIR/bin/cov-build" --ident | head -1 || true
+          exit 0
+        fi
+        echo "  Downloading Coverity..."
+        mkdir -p "$COVERITY_DIR"
+        wget --no-proxy -q --user="$COVERITY_USER" --password="$COVERITY_PASSWORD" \
+          -O /tmp/coverity.tar.gz "$COVERITY_URL"
+        echo "  Extracting Coverity..."
+        tar xzf /tmp/coverity.tar.gz --strip-components=1 -C "$COVERITY_DIR"
+        rm -f /tmp/coverity.tar.gz
+        echo "  Coverity installed:"
+        "$COVERITY_DIR/bin/cov-build" --ident | head -1 || true
+
     - name: Coverity Scan
       shell: bash
       run: |
-        # Resolve MTL pkg-config path without writing to GITHUB_ENV
+        # Resolve MTL pkg-config path
+        export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:/usr/local/lib/x86_64-linux-gnu/pkgconfig:${PKG_CONFIG_PATH:-}
         if ! pkg-config --exists mtl 2>/dev/null; then
           MTL_PC=$(find /usr /home /opt -name "mtl.pc" 2>/dev/null | head -1)
           if [ -z "$MTL_PC" ]; then
-            echo "ERROR: MTL pkg-config file not found under /usr, /home, or /opt."
-            echo "Please ensure Media Transport Library is built and installed on the runner."
+            echo "ERROR: MTL pkg-config file not found."
             exit 1
           fi
           MTL_PC_DIR=$(dirname "$MTL_PC")
           echo "Found MTL pkgconfig at: $MTL_PC_DIR"
-          export PKG_CONFIG_PATH="${MTL_PC_DIR}:${PKG_CONFIG_PATH:-}"
+          export PKG_CONFIG_PATH="${MTL_PC_DIR}:${PKG_CONFIG_PATH}"
         fi
 
         cd "$GITHUB_WORKSPACE"

.github/actions/analysis/cppcheck/action.yml

@@ -9,6 +9,18 @@ description: 'Run cppcheck static analysis'
 runs:
   using: composite
   steps:
+    - name: Install cppcheck
+      shell: bash
+      run: |
+        if command -v cppcheck &>/dev/null; then
+          echo "[OK] cppcheck already installed: $(cppcheck --version)"
+          exit 0
+        fi
+        echo "Installing cppcheck..."
+        sudo apt-get update -qq
+        sudo apt-get install -y -qq cppcheck
+        echo "Installed: $(cppcheck --version)"
+
     - name: cppcheck
       shell: bash
       run: |

.github/actions/analysis/shellcheck/action.yml

@@ -9,6 +9,18 @@ description: 'Run shellcheck on shell scripts. Report written to $GITHUB_WORKSPA
 runs:
   using: composite
   steps:
+    - name: Install ShellCheck
+      shell: bash
+      run: |
+        if command -v shellcheck &>/dev/null; then
+          echo "[OK] shellcheck already installed: $(shellcheck --version | head -2)"
+          exit 0
+        fi
+        echo "Installing shellcheck..."
+        sudo apt-get update -qq
+        sudo apt-get install -y -qq shellcheck
+        echo "Installed: $(shellcheck --version | head -2)"
+
     - name: shellcheck scripts
       shell: bash
       run: |

.github/actions/analysis/trivy/action.yml

@@ -9,15 +9,22 @@ description: 'Run Trivy filesystem, config, and secret scans'
 runs:
   using: composite
   steps:
-    - name: Verify Trivy installation
+    - name: Install Trivy
       shell: bash
       run: |
-        if ! command -v trivy > /dev/null 2>&1; then
-          echo "ERROR: Trivy is not installed or not available in PATH for the runner user."
-          echo "Install Trivy on the self-hosted runner and ensure PATH includes the binary location."
-          echo "If installed via snap, verify /snap/bin is available to the runner service."
-          exit 1
+        echo "===== Trivy Setup ====="
+        if command -v trivy &>/dev/null; then
+          echo "  [OK] Trivy already installed"
+          trivy --version
+          exit 0
         fi
+        echo "  Installing Trivy..."
+        sudo apt-get update -qq
+        sudo apt-get install -y -qq wget apt-transport-https gnupg
+        wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
+        echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee /etc/apt/sources.list.d/trivy.list
+        sudo apt-get update -qq
+        sudo apt-get install -y -qq trivy
         trivy --version
 
     - name: Trivy filesystem scan

.github/actions/analysis/zizmor/action.yml

@@ -0,0 +1,34 @@
+#
+# BSD 3-Clause License
+# Copyright (C) 2026 Intel Corporation
+# SPDX-License-Identifier: BSD-3-Clause
+#
+name: 'zizmor Scan'
+description: 'Install zizmor and scan all GitHub Actions workflow and action files'
+
+runs:
+  using: composite
+  steps:
+    - name: Install zizmor
+      shell: bash
+      run: |
+        echo "===== zizmor Setup ====="
+        if command -v zizmor > /dev/null 2>&1; then
+          echo "  [OK] zizmor already installed: $(zizmor --version)"
+        else
+          pip3 install --break-system-packages zizmor
+          echo "  zizmor installed: $(zizmor --version)"
+        fi
+
+    - name: zizmor scan
+      shell: bash
+      run: |
+        REPORT_DIR="$GITHUB_WORKSPACE/reports"
+        mkdir -p "$REPORT_DIR"
+        echo "===== zizmor Workflow Security Scan ====="
+        zizmor --pedantic --format sarif "$GITHUB_WORKSPACE" \
+          > "$REPORT_DIR/zizmor-report.sarif" 2>&1 || ZIZMOR_EXIT=$?
+        zizmor --pedantic "$GITHUB_WORKSPACE" \
+          2>&1 | tee "$REPORT_DIR/zizmor-scan.txt" || true
+        echo "zizmor scan complete. Reports: $REPORT_DIR/zizmor-scan.txt, $REPORT_DIR/zizmor-report.sarif"
+        exit "${ZIZMOR_EXIT:-0}"