31 changes: 31 additions & 0 deletions .github/workflows/Linux-build.yml
@@ -0,0 +1,31 @@
name: Build AAMP in Linux Environment

on:
pull_request:
branches: [ develop, dev_sprint_25_2 ]
workflow_dispatch:

jobs:
build-aamp-on-pr:
name: Build AAMP in Linux environment
runs-on: ubuntu-latest
# The docker image is used for coverity scans as well.
container:
image: ghcr.io/rdkcentral/docker-rdk-ci:latest

steps:
# Checkout the aamp repository
- name: Checkout aamp code
uses: actions/checkout@v3

# Install AAMP
# Option D builds dependencies only.
# Option A builds AAMP only (assuming dependencies are already installed).
# Option K skips Kotlin build.
# 'yes' is used to auto-confirm any prompts during installation
- name: Install AAMP
run: |
chmod +x ./install-aamp.sh
yes | ./install-aamp.sh -D
yes | ./install-aamp.sh -Ak
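Review bot: the container image (ghcr.io/rdkcentral/docker-rdk-ci:latest) and the checkout step (actions/checkout@v3) are both mutable references, so the build environment and the checkout code this job runs can change without any commit to this repository. Pin the image to a digest (image: ...@sha256:<digest>) and the action to a full commit SHA, keeping the version in a trailing comment so updates stay reviewable.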
Comment on lines +10 to +30

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 8 months ago

To fix the problem, add an explicit permissions block, ideally at the workflow root for broad effect, but it can also be added at the job level if specific jobs have different requirements. In this workflow, neither the root nor job has permissions, so the best practice is to add at least contents: read globally, unless more granular write permissions are needed for particular tasks (which does not appear to be the case here).

Edit .github/workflows/Linux-build.yml and insert the following after the name: line and before on::

permissions:
  contents: read

This ensures that the GITHUB_TOKEN issued to steps in the workflow has only read-access to repository contents, reducing risk from default write privileges. No other lines or blocks need changes.

Suggested changeset 1
.github/workflows/Linux-build.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/Linux-build.yml b/.github/workflows/Linux-build.yml
--- a/.github/workflows/Linux-build.yml
+++ b/.github/workflows/Linux-build.yml
@@ -1,4 +1,6 @@
 name: Build AAMP in Linux Environment
+permissions:
+  contents: read
 
 on:
   pull_request:
EOF

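The CodeQL finding above, together with two related pinning checks, written as a small line-based audit. This is an added example, not part of the PR or of CodeQL; audit_workflow and the sample text are constructed here, and the check assumes two-space YAML indentation instead of parsing YAML.

```python
import re

# Constructed sample: this PR's workflow, trimmed, indentation restored by hand.
WORKFLOW = """\
name: Build AAMP in Linux Environment
on:
  pull_request:
    branches: [ develop, dev_sprint_25_2 ]
jobs:
  build-aamp-on-pr:
    runs-on: ubuntu-latest
    container:
      image: ghcr.io/rdkcentral/docker-rdk-ci:latest
    steps:
      - name: Checkout aamp code
        uses: actions/checkout@v3
"""

SHA_PIN = re.compile(r"@[0-9a-f]{40}$")           # full commit SHA after the '@'
REF = re.compile(r"\s*(?:-\s*)?(uses|image)\s*:\s*(\S+)")

def audit_workflow(text):
    """Return sorted (line_number, finding) pairs for one workflow file's text."""
    findings, jobs, job, in_jobs = [], {}, None, False
    lines = [l.split(" #")[0].rstrip() for l in text.splitlines()]
    # A permissions key at column 0 applies to every job in the workflow.
    root_perms = any(re.match(r"permissions\s*:", l) for l in lines)
    for n, line in enumerate(lines, 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:
            in_jobs, job = line.startswith("jobs:"), None
        elif in_jobs and indent == 2 and line.endswith(":"):  # assumes 2-space indent
            job = line.strip()[:-1]
            jobs[job] = [n, False]
        elif job and re.match(r"\s+permissions\s*:", line):
            jobs[job][1] = True                    # job-level permissions block
        m = REF.match(line)
        ref = m.group(2).strip("'\"") if m else ""
        if m and m.group(1) == "uses" and not ref.startswith(("./", "docker://")) \
                and not SHA_PIN.search(ref):
            findings.append((n, "action not pinned to a commit SHA: " + ref))
        if m and m.group(1) == "image" and "@sha256:" not in ref:
            findings.append((n, "image not pinned to a digest: " + ref))
    for name, (n, own) in jobs.items():
        if not (root_perms or own):
            findings.append((n, "job '%s' has no permissions block" % name))
    return sorted(findings)
```

Calling audit_workflow(WORKFLOW) reports the job without a permissions block, the :latest image and the tag-pinned checkout action; the same text with a root-level permissions block and pinned references returns an empty list.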
47 changes: 47 additions & 0 deletions install-aamp.sh
@@ -118,6 +118,45 @@ if [ ! -d ${LOCAL_DEPS_BUILD_DIR} ]; then
fi


# Check if we're in AAMP-only mode
if [ ${OPTION_AAMP_ONLY} = true ] ; then
echo ""
echo "*** AAMP-only mode: Skipping dependency installation ***"
echo "*** Assuming dependencies are already installed ***"

# Still need to create build directory and do minimal setup
aampcli_install_prebuild_fn ${OPTION_CLEAN}

# Set CLEAN variable for AAMP build
CLEAN=false
if [ ${OPTION_CLEAN} = true ] ; then
CLEAN=true
fi

# Jump directly to AAMP CLI build
subtec_install_run_script_fn
INSTALL_STATUS_ARR+=("subtec_install_run_script check passed.")

aampcli_install_build_fn "${CLEAN}"
INSTALL_STATUS_ARR+=("aampcli_install_build check passed.")

if [ ${OPTION_AAMPCLIKOTLIN_SKIP} = false ] ; then
cd ${AAMP_DIR}
build_kotlin_libraries_fn
build_aampcli_kotlin_bindings_fn
create_aampcli_kotlin_executable_fn
INSTALL_STATUS_ARR+=("aampcli_install_build_kotlin check passed.")
else
INSTALL_STATUS_ARR+=("aampcli_install_build_kotlin check SKIPPED.")
fi

aampcli_install_postbuild_fn "${CLEAN}"
INSTALL_STATUS_ARR+=("aampcli_install_postbuild check passed.")

tools_print_summary_fn
exit 0
fi

# Install prebuilt dependencies
#
if [ ${OPTION_QUICK} = false ] ; then
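Review bot: in the AAMP-only branch every INSTALL_STATUS_ARR+=("... check passed.") line runs unconditionally after its function call and the branch ends in exit 0, so unless set -e is active elsewhere in install-aamp.sh a failed aampcli_install_build_fn is still recorded as "check passed" and the CI step that calls ./install-aamp.sh -Ak succeeds. Record the status only on success, for example aampcli_install_build_fn "${CLEAN}" || exit 1 ahead of the status line. The expansions in [ ${OPTION_AAMP_ONLY} = true ] and cd ${AAMP_DIR} should also be quoted, and the result of the cd checked before the Kotlin build functions run.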
@@ -174,6 +213,14 @@ fi
rialto_install_build_fn "${OPTION_CLEAN}"
INSTALL_STATUS_ARR+=("rialto_install_build_fn check passed.")

# Check if we're in dependencies-only mode
if [ ${OPTION_DEPS_ONLY} = true ] ; then
echo ""
echo "*** Dependencies-only mode: Skipping AAMP CLI build ***"
tools_print_summary_fn
exit 0
fi

# Install subtec-app script
# Needs the AAMP build directory to be created by aampcli_install_build first
subtec_install_run_script_fn
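Review bot: the test [ ${OPTION_DEPS_ONLY} = true ] is unquoted, so if the variable is ever empty or unset it collapses to [ = true ], fails with a test syntax error, and the script falls through to the AAMP CLI build instead of stopping after the dependencies. Write it as [ "${OPTION_DEPS_ONLY:-false}" = true ]. The exit 0 that follows is unconditional as well, so a -D run reports success however the dependency builds above it ended, unless those functions exit on failure themselves.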
24 changes: 21 additions & 3 deletions scripts/install_options.sh
@@ -34,13 +34,15 @@ OPTION_SUBTEC_BUILD=true
OPTION_SUBTEC_CLEAN=false
OPTION_CLEAN_BUILD=false
OPTION_GOOGLETEST_REFERENCE="tags/release-1.11.0"
OPTION_DEPS_ONLY=false
OPTION_AAMP_ONLY=false



function install_options_fn()
{
# Parse optional command line parameters
while getopts ":d:b:cf:np:r:g:qskt" OPT; do
while getopts ":d:b:cf:np:r:g:qsktDA" OPT; do
case ${OPT} in
d ) # process option d install base directory name
OPTION_BUILD_DIR=${OPTARG}
@@ -91,6 +93,14 @@ function install_options_fn()
OPTION_CLEAN_BUILD=true
echo "Will remove .libs and build directories before build"
;;
D )
OPTION_DEPS_ONLY=true
echo "Dependencies only mode - will install only dependencies"
;;
A )
OPTION_AAMP_ONLY=true
echo "AAMP only mode - will install only AAMP CLI (dependencies must be pre-installed)"
;;
* )
echo "'Usage: No flags/options specified - build AAMP with default options
[-b] Specify aamp branch name (default: current sprint branch)
@@ -103,8 +113,10 @@ function install_options_fn()
[-s] Skip subtec build and installation]"
echo " Note: Subtec is built by default but can be rebuilt separately with the subtec
[-k] Skip aamp-cli Kotlin build and installation]
[-t] Remove .libs and build directories before build (full rebuild)"

[-t] Remove .libs and build directories before build (full rebuild)
[-D] Dependencies only - install only dependencies (gstreamer, libdash, subtec, rialto, gtest)
[-A] AAMP only - install only AAMP CLI (requires dependencies to be pre-installed)"

echo "
[-r] Specify rialto to be built
[-p] Specify protobuf branch name] (Linux only)"
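Review bot: the usage lines for -D and -A do not say that the two options cannot be combined, although install_options_fn rejects that combination further down. State it in the help, for example by ending the -A line with "(cannot be combined with -D)". The -D line also lists subtec among the dependencies, while install-aamp.sh calls subtec_install_run_script_fn only after the dependencies-only exit, so the help should say which part of subtec a -D run covers.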
@@ -137,5 +149,11 @@ function install_options_fn()
shift
fi

# Validate mutually exclusive options
if [[ ${OPTION_DEPS_ONLY} = true && ${OPTION_AAMP_ONLY} = true ]]; then
echo "ERROR: -D (deps-only) and -A (aamp-only) options are mutually exclusive"
return 1
fi

}
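Review bot: the mutual-exclusion check ends in return 1, and nothing in this diff shows install-aamp.sh testing the return value of install_options_fn. If the caller ignores it, a run with both -D and -A prints the error and carries on, and because the AAMP-only block in install-aamp.sh sits before the dependencies-only block, -A silently wins. Either use exit 1 here or have the call site stop on failure, for example by appending || exit 1 to the install_options_fn call.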
