From e1c1fdf893aa8f37932e6a4dd621f8710236e6df Mon Sep 17 00:00:00 2001
From: Ulrich Huber
Date: Tue, 3 Feb 2026 16:54:31 +0100
Subject: [PATCH] Clean permissions of workflows and enable coverage reporting for PRs

Reduce the permissions of all workflows as far as possible. Further, actively specify permissions as action to the codeql findings. This also enables us to run the coverage report workflow on PRs.
---
 ...ress_undefined_behavior_leak_sanitizer.yml | 2 +
 .github/workflows/automated_release.yml | 84 +++++++++----------
 .github/workflows/build_and_test_host.yml | 2 +
 .github/workflows/build_and_test_qnx.yml | 1 -
 ...overage_report.yml => coverage_report.yml} | 31 +++----
 .github/workflows/thread_sanitizer.yml | 2 +
 6 files changed, 65 insertions(+), 57 deletions(-)
 rename .github/workflows/{release_coverage_report.yml => coverage_report.yml} (78%)

diff --git a/.github/workflows/address_undefined_behavior_leak_sanitizer.yml b/.github/workflows/address_undefined_behavior_leak_sanitizer.yml
index e68875e2..9117222b 100644
--- a/.github/workflows/address_undefined_behavior_leak_sanitizer.yml
+++ b/.github/workflows/address_undefined_behavior_leak_sanitizer.yml
@@ -25,6 +25,8 @@ on:
 jobs:
   build_and_test_asan_ubsan_lsan:
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4.2.2
diff --git a/.github/workflows/automated_release.yml b/.github/workflows/automated_release.yml
index 619917b2..92633b1e 100644
--- a/.github/workflows/automated_release.yml
+++ b/.github/workflows/automated_release.yml
@@ -45,6 +45,12 @@ jobs:
           echo "Release version tag: $RELEASE_VERSION"
           echo "release-tag=$RELEASE_VERSION" >> $GITHUB_OUTPUT
 
+      - name: Delete trigger tag
+        run: |
+          gh api repos/${{ github.repository }}/git/refs/tags/${{ github.ref_name }} -X DELETE
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Create draft release
         id: create-release
         uses: softprops/action-gh-release@v2
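Review bot: The new "Delete trigger tag" step expands `${{ github.ref_name }}` directly into the text of its `run:` script; a git ref name may legally contain characters such as `$`, `;`, `&` or backticks, so the expansion should go through an environment variable instead of the script body, e.g. `env:` / `  TRIGGER_TAG: ${{ github.ref_name }}` and `gh api "repos/${GITHUB_REPOSITORY}/git/refs/tags/${TRIGGER_TAG}" -X DELETE`. The step is the same one the later hunk removes from finalize-release, but here it now runs before `softprops/action-gh-release@v2` creates the draft release, so if that later step fails the trigger tag is already gone; whether the job is meant to be re-runnable from the tag is not visible in this hunk. The `permissions` block of this job lies outside the hunk as well.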
@@ -65,7 +71,6 @@ jobs: uses: ./.github/workflows/build_and_test_qnx.yml permissions: contents: read - pull-requests: read secrets: SCORE_QNX_LICENSE: ${{ secrets.SCORE_QNX_LICENSE }} SCORE_QNX_USER: ${{ secrets.SCORE_QNX_USER }} @@ -81,11 +86,27 @@ jobs: run-coverage-report: needs: create-draft-release - uses: ./.github/workflows/release_coverage_report.yml - with: - release_tag: ${{ needs.create-draft-release.outputs.release-tag }} + uses: ./.github/workflows/coverage_report.yml + + upload-coverage-report: + needs: + - create-draft-release + - run-coverage-report + runs-on: ubuntu-24.04 permissions: contents: write + steps: + - name: Download coverage report artifact + uses: actions/download-artifact@v4 + with: + name: ${{ needs.run-coverage-report.outputs.artifact-name }} + path: ./ + + - name: Upload coverage report to existing draft release + run: | + gh release upload "${{ needs.create-draft-release.outputs.release-tag }}" "${{ needs.run-coverage-report.outputs.artifact-name }}.zip" + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} finalize-release: runs-on: ubuntu-24.04 
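Review bot: `uses: actions/download-artifact@v4` in the new upload-coverage-report job is pinned only to a floating major tag, while the checkout steps in this same file pin `actions/checkout@v4.2.2`; a major tag resolves to whatever the action's maintainers move it to next, so pin it with the same precision as the rest of the file, `uses: actions/download-artifact@<exact release tag or commit SHA>`. The `gh release upload` line also expands `needs.create-draft-release.outputs.release-tag` straight into the shell text; since that output is derived from the pushed tag name (`release-tag=$RELEASE_VERSION` in the first hunk of this file), handing it to the script through `env:` as a shell variable is the safer form, the quotes in the command do not help because expression expansion happens before the shell sees the line. The `runs-on`/`permissions` pairing reads correctly: `contents: write` now belongs to the job that actually uploads, and run-coverage-report no longer carries it.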
@@ -96,46 +117,30 @@ jobs: - run-thread-sanitizer - run-address-sanitizer - run-coverage-report - if: always() + - upload-coverage-report + if: ${{ success() }} permissions: contents: write steps: - name: Checkout repository uses: actions/checkout@v4.2.2 - - name: Check workflow results - id: check-results + - name: Report success + if: steps.check-results.outputs.all-success == 'true' run: | - RESULT_HOST="${{ needs.run-build-and-test-host.result }}" - RESULT_QNX="${{ needs.run-build-and-test-qnx.result }}" - RESULT_TSAN="${{ needs.run-thread-sanitizer.result }}" - RESULT_ASAN="${{ needs.run-address-sanitizer.result }}" - RESULT_COVERAGE="${{ needs.run-coverage-report.result }}" - - echo "Build and test host: $RESULT_HOST" - echo "Build and test QNX: $RESULT_QNX" - echo "Thread sanitizer: $RESULT_TSAN" - echo "Address sanitizer: $RESULT_ASAN" - echo "Coverage report: $RESULT_COVERAGE" - - if [[ "$RESULT_HOST" == "success" ]] && \ - [[ "$RESULT_QNX" == "success" ]] && \ - [[ "$RESULT_TSAN" == "success" ]] && \ - [[ "$RESULT_ASAN" == "success" ]] && \ - [[ "$RESULT_COVERAGE" == "success" ]]; then - echo "all-success=true" >> $GITHUB_OUTPUT - else - echo "all-success=false" >> $GITHUB_OUTPUT - fi + echo "All workflows succeeded. Draft release ${{ needs.create-draft-release.outputs.release-tag }} is ready for manual publishing." - - name: Delete trigger tag - run: | - gh api repos/${{ github.repository }}/git/refs/tags/${{ github.ref_name }} -X DELETE - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + delete-release-on-failure: + runs-on: ubuntu-24.04 + needs: create-draft-release + if: ${{ failure() || cancelled() }} + permissions: + contents: write + steps: + - name: Checkout repository + uses: actions/checkout@v4.2.2 - - name: Delete draft release (on failure) - if: steps.check-results.outputs.all-success == 'false' + - name: Delete draft release due to failure run: | gh release delete ${{ needs.create-draft-release.outputs.release-tag }} --yes env: 
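Review bot: The new delete-release-on-failure job lists only create-draft-release in `needs`, and for a job-level `if:` the documented semantics of `failure()` is that it is true only when a job in that job's own dependency chain failed, so a failure in run-build-and-test-host, run-build-and-test-qnx, run-thread-sanitizer, run-address-sanitizer, run-coverage-report or upload-coverage-report would no longer delete the draft release, which is exactly the case the removed check-results logic covered; conversely it does fire when create-draft-release itself failed, and then `needs.create-draft-release.outputs.release-tag` is empty and `gh release delete` is invoked without a tag. In the same hunk, `if: steps.check-results.outputs.all-success == 'true'` on "Report success" refers to the check-results step this hunk deletes, so the condition is never true and the step never runs; the "Report failure" step in the next hunk (`== 'false'`) has the same stale condition in its new job, so its `exit 1` is never reached and the failure job always ends green. The rewrite below lists every gate job in `needs`, guards on the release tag being present, and drops the stale step condition; the "Report failure" `if:` line in the following hunk should be removed the same way.
```yaml
      - name: Report success
        run: |
          echo "All workflows succeeded. Draft release ${{ needs.create-draft-release.outputs.release-tag }} is ready for manual publishing."

  delete-release-on-failure:
    runs-on: ubuntu-24.04
    # every job whose failure must remove the draft release, so that failure()
    # in the condition below actually covers them
    needs:
      - create-draft-release
      - run-build-and-test-host
      - run-build-and-test-qnx
      - run-thread-sanitizer
      - run-address-sanitizer
      - run-coverage-report
      - upload-coverage-report
    # only meaningful once a draft release (and its tag output) exists
    if: ${{ (failure() || cancelled()) && needs.create-draft-release.outputs.release-tag != '' }}
    # … unchanged: permissions, checkout step, delete step …
```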
@@ -144,10 +149,5 @@ jobs:
       - name: Report failure
         if: steps.check-results.outputs.all-success == 'false'
         run: |
-          echo "❌ One or more workflows failed. Draft release has been deleted."
-          exit 1
-
-      - name: Report success
-        if: steps.check-results.outputs.all-success == 'true'
-        run: |
-          echo "✅ All workflows succeeded. Draft release ${{ needs.create-draft-release.outputs.release-tag }} is ready for manual publishing."
+          echo "One or more workflows failed. Draft release has been deleted."
+          exit 1
\ No newline at end of file
diff --git a/.github/workflows/build_and_test_host.yml b/.github/workflows/build_and_test_host.yml
index 88c889d2..395b049f 100644
--- a/.github/workflows/build_and_test_host.yml
+++ b/.github/workflows/build_and_test_host.yml
@@ -28,6 +28,8 @@ jobs:
       matrix:
         toolchain: ["@llvm_toolchain//:cc-toolchain-x86_64-linux", "@gcc_toolchain//:host_gcc_12"]
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4.2.2
diff --git a/.github/workflows/build_and_test_qnx.yml b/.github/workflows/build_and_test_qnx.yml
index 123b844c..23e6da22 100644
--- a/.github/workflows/build_and_test_qnx.yml
+++ b/.github/workflows/build_and_test_qnx.yml
@@ -48,7 +48,6 @@ jobs:
     runs-on: ubuntu-24.04
     permissions:
       contents: read
-      pull-requests: read
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4.2.2
diff --git a/.github/workflows/release_coverage_report.yml b/.github/workflows/coverage_report.yml
similarity index 78%
rename from .github/workflows/release_coverage_report.yml
rename to .github/workflows/coverage_report.yml
index f28797af..8e635a53 100644
--- a/.github/workflows/release_coverage_report.yml
+++ b/.github/workflows/coverage_report.yml
@@ -13,18 +13,21 @@ name: Coverage Report on: + pull_request: + types: [ opened, reopened, synchronize ] workflow_call: - inputs: - release_tag: - description: 'Release tag to upload artifacts to' - required: true - type: string + outputs: + artifact-name: + description: 'Name of the coverage report artifact' + value: ${{ jobs.coverage-report.outputs.artifact-name }} jobs: coverage-report: runs-on: ubuntu-24.04 permissions: contents: write # required to upload release assets + outputs: + artifact-name: ${{ steps.set-artifact-name.outputs.artifact-name }} steps: - name: Checkout Repository @@ -66,18 +69,18 @@ jobs: mkdir -p artifacts find bazel-testlogs/score/ -name 'test.xml' -print0 | xargs -0 -I{} cp --parents {} artifacts/ cp -r cpp_coverage artifacts/ - zip -r ${{ github.event.repository.name }}_coverage_report.zip artifacts/ + zip -r ${{ github.event.repository.name }}_coverage_report_${{ github.sha }}.zip artifacts/ shell: bash + - name: Set artifact name + id: set-artifact-name + run: | + echo "artifact-name=${{ github.event.repository.name }}_coverage_report_${{ github.sha }}" >> $GITHUB_OUTPUT + - name: Upload coverage artifacts uses: actions/upload-artifact@v4 with: - name: ${{ github.event.repository.name }}_coverage_report.zip - path: ${{ github.event.repository.name }}_coverage_report.zip + name: ${{ steps.set-artifact-name.outputs.artifact-name }} + path: ${{ github.event.repository.name }}_coverage_report_${{ github.sha }}.zip + - - name: Upload coverage report to existing draft release - run: | - # Upload the file to the existing release - gh release upload "${{ inputs.release_tag }}" "${{ github.event.repository.name }}_coverage_report.zip" - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/thread_sanitizer.yml b/.github/workflows/thread_sanitizer.yml index 2278d77f..2a5b810f 100644 --- a/.github/workflows/thread_sanitizer.yml +++ b/.github/workflows/thread_sanitizer.yml 
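Review bot: The coverage-report job still declares `permissions:` / `  contents: write # required to upload release assets`, but this commit removes the only step that needed the write scope (the `gh release upload` step deleted in the second hunk of this file) and at the same time starts running the workflow on `pull_request`. Checkout and `actions/upload-artifact` work with a read-only token as far as I know, so the job should drop to `contents: read` and the now-stale comment should go with it; on pull requests from forks the token is read-only regardless, but for same-repository pull requests the job would otherwise run with a write token it no longer uses, which runs against the commit's stated goal. `types: [ opened, reopened, synchronize ]` is the default activity set for `pull_request`, so it can be omitted or kept purely as documentation.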
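Review bot: The artifact name expression `${{ github.event.repository.name }}_coverage_report_${{ github.sha }}` is now spelled out three times in this hunk (the `zip -r` command, the Set artifact name step and the upload `path:`), which invites the copies to drift apart. Moving the Set artifact name step ahead of the packaging step (whose `- name:`/`run:` header starts before this hunk) lets the other two read the step output: `zip -r "${{ steps.set-artifact-name.outputs.artifact-name }}.zip" artifacts/` and `path: ${{ steps.set-artifact-name.outputs.artifact-name }}.zip`. The hunk also appears to end the file with an added empty line in front of the existing blank one, leaving two trailing blank lines where one is enough.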
@@ -24,6 +24,8 @@ on:
 jobs:
   build_and_test_tsan:
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4.2.2