check rust flags in check_makefile.sh #179

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged

mbrousset-ledger merged 4 commits into master from mbr/fix-forbidden-flags

Jan 9, 2026

.github/workflows/_check_makefile.yml

-Original file line number
+Diff line change
@@ Expand Up / @@ -97,49 +97,7 @@ jobs: @@
               echo "BOLOS_SDK=${BOLOS_SDK}" >> "${GITHUB_ENV}"
               echo "BOLOS_SDK will be set to: ${BOLOS_SDK}"
-          - name: Check for forbidden flags
-            id: check-no-debug-flag
-            shell: bash
-            if: ${{ needs.call_get_app_metadata.outputs.is_rust == 'false' }}
-            working-directory: app-repository
-            run: |
-              forbidden_flags=$(jq -r '.forbidden.c[]' ../ledger-app-workflows/config/forbidden-flags.json)
-              BUILD_DEVICE_NAME="${{ matrix.device }}"
-              BUILD_DEVICE_NAME="${BUILD_DEVICE_NAME/sp/s2}"
-              entrypoint_filepath=$(grep -rP \
-                                             --exclude-dir='deps' \
-                                             --exclude-dir='tests' \
-                                             --exclude-dir='vendor' \
-                                             --include='*.c' \
-                                             '\b(app_)?main\s*\([^)]*\)' . | cut -d':' -f1 | head -n1)
-              entrypoint_filepath=${entrypoint_filepath#./}
-              entrypoint_filepath=${entrypoint_filepath%.c}.o
-              build_dir=$(ledger-manifest -ob ledger_app.toml)
-              if [ -z "${build_dir}" ]; then
-                echo "build directory not found in ledger_app.toml!" >&2
-                exit 1
-              fi
-              make ${{ needs.call_get_app_metadata.outputs.flags }} \
-                   ${ADDITIONAL_ARGS} \
-                   BOLOS_SDK="${BOLOS_SDK}" \
-                   --dry-run build/${BUILD_DEVICE_NAME}/obj/app/${entrypoint_filepath} 2>&1 | tee -a build_dry_run_output.txt
-              for forbidden_flag in $forbidden_flags; do
-                echo "[INFO] Checking for forbidden flag $forbidden_flag"
-                if grep -q "$forbidden_flag" build_dry_run_output.txt; then
-                  echo "[ERROR] Detected forbidden flag $forbidden_flag in build output. Aborting."
-                  exit 1
-                else
-                  echo "[INFO] Did not find forbidden flag $forbidden_flag in build output. Continuing."
-                fi
-              done
           - name: Run script
             run: |
                 ./ledger-app-workflows/scripts/check_all.sh -c makefile -t "${{ matrix.device }}" \
-                  -a ./app-repository -m "${DOWNLOAD_MANIFEST_ARTIFACT_NAME}"
+                  -a ./app-repository -m "${DOWNLOAD_MANIFEST_ARTIFACT_NAME}" -w ../ledger-app-workflows

CHANGELOG.md

-Original file line number
+Diff line change
@@ Expand Up @@
     The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
     and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+    ## [1.91.2] - 2026-01-08
+    ### Fixed
+    - Following 1.91.0, check that no forbidden rust flags are delivered.
     ## [1.91.1] - 2026-01-08
     ### Fixed
@@ Expand Down @@

config/forbidden-flags.json

-Original file line number
+Diff line change
@@ Expand Up / @@ -6,7 +6,10 @@ @@
             "PRODUCTION_BUILD=0"
         ],
         "rust":[
-            "TBD"
+            "DEBUG\\s*?=\\s*1",
+            "DEBUG_OVER_USB\\s*?=\\s*1",
+            "PRODUCTION_BUILD\\s*?=\\s*0",
+            "debug\\s*?=\\s*true"
         ]
       }
     }

scripts/check_all.sh

-Original file line number
+Diff line change
@@ Expand Up / @@ -33,6 +33,7 @@ help() { @@
         echo
         echo "  -c <check>  : Requested check from (${ALL_CHECKS}). Default is all."
         echo "  -d <dir>    : Database directory"
+        echo "  -w <dir>    : Workflows directory"
         echo "  -a <dir>    : Application directory"
         echo "  -b <dir>    : Application build directory"
         echo "  -m <file>   : Manifest (file or directory)"
@@ Expand All / @@ -50,14 +51,15 @@ help() { @@
     #
     #===============================================================================
-    while getopts ":a:b:c:d:m:t:rvh" opt; do
+    while getopts ":a:b:c:d:m:t:w:rvh" opt; do
         case ${opt} in
             a)  APP_DIR=${OPTARG}   ;;
             b)  BUILD_DIR=${OPTARG} ;;
             c)  REQUESTED_CHECK=${OPTARG} ;;
             d)  DATABASE_DIR=${OPTARG} ;;
             m)  MANIFEST=${OPTARG}  ;;
             t)  TARGET=${OPTARG}    ;;
+            w)  WORKFLOWS_DIR=${OPTARG} ;;
             r)  IS_RUST=true ;;
             v)  VERBOSE=true ;;
             h)  help ;;
@@ Expand Down Expand Up @@
         fi
     fi
+    if [[ (-z ${REQUESTED_CHECK}) || ("${REQUESTED_CHECK}" == makefile) ]]; then
+        if [[ -z "${WORKFLOWS_DIR}" ]]; then
+            # Check if WORKFLOWS_DIR is already present
+            WORKFLOWS_DIR="/tmp/ledger-app-workflows"
+            if [[ ! -d "$WORKFLOWS_DIR" ]]; then
+                git clone "${verbose_mode[@]}" https://github.com/LedgerHQ/ledger-app-workflows.git "${WORKFLOWS_DIR}"
+            fi
+        fi
+    fi
     #===============================================================================
     #
     #     log functions
@@ Expand Down Expand Up / @@ -206,7 +218,7 @@ call_step() { @@
                 COMMAND="python3 ${DATABASE_DIR}/scripts/app_load_params_check.py --database_path ${DATABASE_DIR}/app-load-params-db.json --app_manifests_path ${MANIFEST_DIR}"
                 ;;
             "makefile")
-                COMMAND="${dirName}/check_makefile.sh ${APP_DIR} ${REPO_NAME} ${MANIFEST_DIR} ${TARGET}"
+                COMMAND="${dirName}/check_makefile.sh ${APP_DIR} ${REPO_NAME} ${MANIFEST_DIR} ${WORKFLOWS_DIR} ${IS_RUST} ${TARGET}"
                 ;;
             "readme")
                 COMMAND="${dirName}/check_readme.sh ${APP_DIR} ${REPO_NAME}"
@@ Expand Down @@

scripts/check_makefile.sh

-Original file line number
+Diff line change
@@ Expand Up / @@ -10,7 +10,9 @@ main() ( @@
         repo="$1"
         repo_name="$2"
         manifests_dir="$3"
-        target="$4"
+        workflows_dir="$4"
+        is_rust="$5"
+        target="$6"
         declare -A variants_array
         declare -A appnames_array
@@ Expand Down Expand Up / @@ -92,6 +94,67 @@ main() ( @@
             error=1
         fi
+        # check if there are no forbidden compilation flags (e.g. debug flags)
+        forbidden_flags_file="${workflows_dir}/config/forbidden-flags.json"
+        if [[ ${is_rust} == true ]]; then
+            echo "$RUSTFLAGS" > env_rustflags.txt
+            echo "$CARGO_ENCODED_RUSTFLAGS" > env_cargo_encoded_rustflags.txt
+            forbidden_flags=$(jq -r '.forbidden.rust[]' "$forbidden_flags_file")
+            while IFS= read -r forbidden_flag; do
+                echo "Checking flag $forbidden_flag"
+                if grep -Pq "$forbidden_flag" Cargo.toml .cargo/config.toml env_rustflags.txt env_cargo_encoded_rustflags.txt; then
+                    log_error_no_header "Detected forbidden flag $forbidden_flag in build output."
+                    error=1
+                else
+                    log_info "Did not find forbidden flag $forbidden_flag in build output."
+                fi
+            done <<< "$forbidden_flags"
+        else
+            forbidden_flags=$(jq -r '.forbidden.c[]' "$forbidden_flags_file")
+            entrypoint_filepath=$(grep -rP \
+                --exclude-dir='deps' \
+                --exclude-dir='tests' \
+                --exclude-dir='vendor' \
+                --include='*.c' \
+                '\b(app_)?main\s*\([^)]*\)' . | cut -d':' -f1 | head -n1)
+            entrypoint_filepath=${entrypoint_filepath#./}
+            entrypoint_filepath=${entrypoint_filepath%.c}.o
+            build_dir=$(ledger-manifest -ob ledger_app.toml)
+            if [ -n "${build_dir}" ]; then
+                for cur_manifest in $manifests_list; do
+                    for variant in "${!variants_array[@]}"; do
+                        build_target=$(jq -r ".VARIANTS.${variant}.TARGET" "${cur_manifest}")
+                        eval "BOLOS_SDK=\$$(echo "${build_target/s2/sp}" | tr '[:lower:]' '[:upper:]')_SDK"
+                        log_info "Trying to make --dry-run for rule build/${build_target}/obj/app/${entrypoint_filepath}. Using $BOLOS_SDK"
+                        make -C "${build_dir}"  \
+                            BOLOS_SDK="${BOLOS_SDK}" \
+                            --dry-run build/"${build_target}"/obj/app/"${entrypoint_filepath}" 2>&1 | tee build_dry_run_output.txt
+                        for forbidden_flag in $forbidden_flags; do
+                            log_info "Checking for forbidden flag $forbidden_flag"
+                            if grep -q "$forbidden_flag" build_dry_run_output.txt; then
+                                log_error_no_header "Detected forbidden flag $forbidden_flag in build output."
+                                error=1
+                            else
+                                log_info "Did not find forbidden flag $forbidden_flag in build output."
+                            fi
+                        done
+                    done
+                done
+            else
+                log_error_no_header "build directory not found in ledger_app.toml!" >&2
+                error=1
+            fi
+        fi
         if [[ error -eq 0 ]]; then
             log_success "The Makefile is compliant"
         else
@@ Expand Down @@

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

check rust flags in check_makefile.sh #179

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!

Uh oh!

Uh oh!