Initial commit

Author: AndrasZiegler

.github/CODEOWNERS

@@ -0,0 +1,2 @@
+# This is a # Default codeowners for the repository
+*

.github/CONTRIBUTING.md

@@ -0,0 +1,63 @@
+# Contributing Guideline - Internal Repository
+
+## Branch Naming Convention
+
+Refer to the Developer Services Branching Policy and Git User [Guide](https://confluence.silabs.com/pages/viewpage.action?pageId=315870645).
+
+Use lowercase letters and hyphens (`-`) as delimiters.  
+Google search treats a hyphen as a word separator, which helps improve the visibility of public repositories.  
+We should structure our internal repository as if it were a public one.
+
+Branch name should be short and clear. If possible it can be the JIRA ticket name.
+Also it is recommended to include the JIRA ticket number. 
+Example:
+```
+IOT_DS-123-update-sdk-version
+```
+
+## Commit Message Format
+
+We use [smart commits](https://support.atlassian.com/bitbucket-cloud/docs/use-smart-commits/) to sync GitHub commits with our JIRA server.  
+This requires the JIRA ticket number in the commit message.  
+The first line is the commit message, and the next lines provide the description.  
+The commit message should be short and clear, and it must contain the JIRA ticket number.  
+You can add more details in the description.
+
+**Command Line:**
+```
+git commit -m "IOT_DS-1234 initial version of SDK 4.4.3 is committed" -m "Not final version. Several compiler warnings need to be addressed."
+```
+
+**VS Code:**  
+The first line is the commit message, and the next lines are the commit description.
+
+## Pull Request Guideline
+
+Refer to the general pull request [guideline](https://opensource.guide/how-to-contribute/#opening-a-pull-request) from GitHub.
+
+### As a Developer
+
+What to consider when raising a Pull Request:
+
+1. **Pull Request Naming**  
+   By default, GitHub uses the branch name as the pull request title. If the branch naming guideline was followed, no changes are needed here.
+
+2. **Check the Reviewer List**  
+   GitHub assigns reviewers based on the [CODEOWNERS](CODEOWNERS) file.  
+   Add more reviewers if needed. Do not remove reviewers from the PR. Ask the repository owner for updates to the code owners.
+
+3. **Evaluate the Action Workflow Results**  
+   The following workflows are included in every repository:
+   - **[Coding Convention Check](workflows/00-Check-Code-Convention.yml)**: Analyzes the code formatting and fails if any rules are broken.
+   - **[Firmware Build](workflows/02-Build-Firmware.yml)**: Builds the firmware inside the [Dockerfile](../Dockerfile).  
+   - **[Secret Scanner](workflows/04-TruffleHog-Security-Scan.yml)**: Runs the TruffleHog security scanner to look for API keys and committed secrets.
+   - **[SonarQube Analysis](workflows/zz-sonarqube-analysis.yml)**: Runs SonarQube analysis on the project. Refer to the related [Confluence page](https://confluence.silabs.com/display/IoTApps/SQA+-+SonarQube+howTo).
+
+### As a Reviewer
+
+What to consider when reviewing a Pull Request:
+
+- All builds must pass successfully.
+- The code must follow the Silicon Labs [coding guidelines](https://github.com/SiliconLabsSoftware/agreements-and-guidelines/blob/main/coding_standard.md).
+- Write clear comments. Describe the issue and explain why you disagree (e.g., mistakes, errors, violations of conventions, performance risks, security issues, etc.).
+- If any comments must be addressed mandatorily, mark the pull request as “Draft.”

.github/coding-convention-tool

@@ -0,0 +1,34 @@
+sonar.host.url=http://sonarqube.silabs.net/
+# TODO
+# must be unique in a given SonarQube instance
+# update this value based on the project name
+#sonar.projectKey=devs_cs_automapping
+
+#TODO
+#update this value based on make target names
+#example:
+#sonar.cfamily.variants.names=ncp,tag
+
+sonar.cfamily.variants.dir = sonar-bw
+
+# we don't care which version, SQ is just too dumb to ignore python language when it sees (even if we try excluding it in sonar.exclusions)
+sonar.python.version=3.9
+
+# Path is relative to the sonar-project.properties file. Defaults to .
+sonar.sources= .
+
+# Branch name for the analysis
+sonar.branch.name=${branch_name}
+#Exclusion list shall be updated as per the project requirement
+
+#TODO create exclusion list
+#Example list:
+#sonar.exclusions= \
+#    docs/**/*, \
+#    cicd/**/*, \
+#    **/*simplicity*/**/*, \
+#    projects/*/config/**/*, \
+#    projects/*/autogen/**/*, \
+
+# sonar.cpd.exclusions =
+sonar.coverage.exclusions = **

.github/sonar-project.properties

@@ -0,0 +1,89 @@
+name: 00-Check-Code-Convention
+on:
+  push:
+    branches-ignore:
+      - main
+      - "tests/**"
+  pull_request:
+    branches:
+      - main
+      - develop
+      - "release/**"
+  workflow_dispatch:
+    inputs:
+      branch:
+        description: 'Branch to test'
+        type: string
+        default: 'dev'
+
+jobs:
+  job1:
+    name: Check coding convention
+    runs-on: ubuntu-22.04 #uncrustify 0.64 can not be compiled on ubuntu-24.04
+    steps:
+    - name: Trigger
+      run: echo "Triggered by ${{github.event_name}} event"
+    - name: Check Branch Input
+      run: |
+            if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then
+              if [ -z "${{ github.event.inputs.branch }}" ]; then
+                echo "Branch input is required for manual trigger."
+                exit 1
+              fi
+            fi
+    - name: Checkout
+      uses: actions/[email protected]
+      with:
+        ref: "${{ github.event_name == 'workflow_dispatch' && github.event.inputs.branch || github.ref }}"
+        submodules: true
+        fetch-depth: 0
+        ## an internal repo as a submodule is present therefore PAT is needed
+        token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
+
+    - name: Log Current Branch and Commit
+      run: |
+          echo "Current branch: $(git rev-parse --abbrev-ref HEAD)"
+          echo "Current commit: $(git rev-parse HEAD)"
+    - name: Install commit check tools
+      run: |
+          echo "Installing pre-commit ..."
+          python3 -m pip install pre-commit
+          echo "Installing uncrustify 0.64 from source code  ..."
+          sudo apt-get install --no-install-recommends -y\
+            binutils ca-certificates git cmake make \
+            gcc g++ binutils libc6-dev
+          echo "Cloning Uncrustify repository..."
+          git clone -b uncrustify-0.64 --single-branch https://github.com/uncrustify/uncrustify.git
+          echo "Building and installing Uncrustify..."
+          mkdir ./uncrustify/build && cd ./uncrustify/build
+          cmake -D CMAKE_INSTALL_PREFIX=/usr/local -D CMAKE_BUILD_TYPE=RelWithDebInfo ../
+          sudo make -j "$(nproc)"
+          sudo make install
+          echo "Uncrustify has been installed successfully!"
+          cd ../../
+          sudo cp ./.github/coding-convention-tool/tools/uncrustify.cfg ./uncrustify/uncrustify.cfg
+          echo "Install clang-tidy and cppcheck ..."
+          sudo apt-get install clang-tidy cppcheck
+    - name: Run test
+      run: |
+        pre-commit install
+        pre-commit run --all-files 2>&1 | tee CodingConventionTool.txt
+
+    - name: Upload Result
+      if: always()
+      uses: actions/[email protected]
+      with:
+        name: CodingConventionResult
+        path: CodingConventionTool.txt
+        retention-days: 90
+    - name: Check log file to set status of the job
+      run: |
+        keywords=("Failed")
+        for keyword in "${keywords[@]}"; do
+          if grep -q "$keyword" CodingConventionTool.txt; then
+            echo "Keyword '$keyword' found in the file."
+            exit 1
+          else
+            echo "Keyword '$keyword' not found in the file."
+          fi
+        done

.github/workflows/00-Check-Code-Convention.yml

@@ -0,0 +1,41 @@
+name: 01-CLA-Assistant
+## This workflow is used only for public repositories
+## uncomment the other trigger conditions for public repositories
+
+on:
+  workflow_dispatch:
+# issue_comment:
+#   types: [created]
+# pull_request_target:
+#   types: [opened,closed,synchronize,reopened]
+
+# explicitly configure permissions, in case your GITHUB_TOKEN workflow permissions are set to read-only in repository settings
+permissions:
+  actions: write
+  contents: read # this can be 'read' if the signatures are in remote repository
+  pull-requests: write
+  statuses: write
+
+jobs:
+  CLAAssistant:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: "CLA Assistant"
+        if: ${{ contains(github.event.comment.body, 'I have read the CLA Document and I hereby sign the CLA') }} || github.event_name == 'pull_request_target'
+        uses: SiliconLabsWorkflows/cla-assistant@silabs_flavour_v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          # the below token should have repo scope and must be manually added by you in the repository's secret
+          # This token is required only if you have configured to store the signatures in a remote repository/organization
+          PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
+        with:
+          path-to-signatures: "cla_signatures_db.json"
+          path-to-document: "https://github.com/SiliconLabsSoftware/bluetooth-AoA-example/blob/main/cla.md"
+          # branch should not be protected
+          branch: 'cla-database'
+          allowlist: silabs-*,bot*
+          # the following are the optional inputs - If the optional inputs are not given, then default values will be taken
+          remote-organization-name: "SiliconLabsInternal"
+          remote-repository-name: "contributor-license-agreements"
+          create-file-commit-message: "Created the CLA database file. CLA Assistant Lite bot created this file."
+          signed-commit-message: "$contributorName has signed the CLA in $owner/$repo#$pullRequestNo"

.github/workflows/01-CLA-Assistant.yml

@@ -0,0 +1,39 @@
+name: 02-Build-Firmware
+## By default this workflow runs on Github hosted runners. This is not free for internal and private repositories
+## It is recommended to run this job on a self-hosted runner for non public repository
+## Uncomment the needed runs-on command.
+on:
+  pull_request:
+    branches:
+      - main
+  workflow_dispatch:
+    inputs:
+      branch:
+        description: 'Branches to run the workflow on'
+        required: true
+        default: 'main'
+
+jobs:
+  FW_build:
+    # Choose a runner type here by commenting out the not needed one.
+    runs-on: ubuntu-24.04
+    #runs-on: devs-self-hosted-runner
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.inputs.branch }}
+      
+      - name: Build Docker Image
+        run: docker build -t ${{ github.repository }}-build-env:latest Dockerfile
+      
+      - name: Run Docker Container
+        run: docker run --rm -v ${{ github.workspace }}:/workspace ${{ github.repository }}-build-env:latest /bin/bash -c "cd /workspace && make all"
+      
+      - name: Remove Docker image
+        run: docker image
+      
+      - name: Remove Docker Image
+        if: always()
+        run: docker rmi ${{ github.repository }}-build-env:latest

.github/workflows/02-Build-Firmware.yml

@@ -0,0 +1,19 @@
+name: 04-TruffleHog-Security-Scan
+on:
+    pull_request:
+        branches:
+            - main
+            - develop
+    workflow_dispatch:
+jobs:
+  trufflehog_scan:
+    runs-on: ubuntu-24.04
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+    - name: Secret Scanning
+      uses: trufflesecurity/[email protected]
+      with:
+        extra_args: --only-verified

.github/workflows/04-TruffleHog-Security-Scan.yml

@@ -0,0 +1,44 @@
+name: SonarQube-Analysis
+
+on:
+  #It is an internal tool, it can only ran a self hosted runner. Currently it can be triggered only manually.
+  workflow_dispatch:
+    inputs:
+        branch:
+            description: 'Branches to run the workflow on'
+            required: true
+            default: 'main'
+jobs:
+  sonarqube:
+    ##TODO create a selfhosted runner by this name.
+    runs-on: devs-self-hosted-runner
+    env:
+      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+      SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.inputs.branch }}
+      - name: Build Docker Image
+        run: docker build -t  ${{ github.repository }}-build-env:latest Dockerfile
+      - name: Run SonarQube analysis
+        run: |
+          docker run -u root --rm -v $(pwd):/home/${{ github.repository }}/ -w /home/${{ github.repository }}/ ${{ github.repository }}-build-env:latest /bin/sh -c "
+            make all &&
+            rm -rf sonar-bw &&
+            rm -rf .scannerwork &&
+            rm -rf locator_ncp/build &&
+            rm -rf locator_host/build
+            mkdir sonar-bw &&
+            /opt/build-wrapper-linux-x86/build-wrapper-linux-x86-64 --out-dir sonar-bw/ make all &&
+            sonar-scanner -Dsonar.token=$SONAR_TOKEN -Dsonar.host.url=$SONAR_HOST_URL"
+      - name: Cleanup leftover files
+        if: always()
+        run: |
+          docker run -u root --rm -v $(pwd):/home/${{ github.repository }}/ -w /home/${{ github.repository }}/ ${{ github.repository }}-build-env:latest /bin/sh -c "
+          rm -rf sonar-bw && \
+          rm -rf .scannerwork && \
+          rm -rf locator_ncp/build && \
+          rm -rf locator_host/build "

.github/workflows/zz-sonarqube-analysis.yml

@@ -0,0 +1,38 @@
+# General part of the gitignore
+*.launch
+*.orig
+*.bak
+.vscode/
+**/build/
+**/GNU ARM v*
+**/.projectlinkstore
+**/.settings
+**/.makefile
+**/.trash
+**/.uceditor
+**/autogen/*.crc
+**/__pycache__
+**/GNU ARM v*
+**/IAR ARM*
+**/sonar-bw/
+
+##Enable these if you are not tracking Simplicity studio project
+# **/.cproject
+# **/.project
+# **/.pdm
+
+## Documentation related ignores.
+## Modify them if it is necessary
+*.docx
+*.doc
+*.ppt
+*.pdf
+*.xlsx
+*.xls
+*.html
+
+
+
+#code convention tool gitignore
+code-convention-tool/
+**/venv/