VPLAY-11240: Add Coverity Test build workflow for AAMP #538

Open
Vinish100 wants to merge 1 commit into dev_sprint_25_2 from feature/VPLAY-11240

Conversation

@Vinish100 (Contributor)

Reason for change: Add a workflow to build AAMP in Linux environment with the same docker image used for coverity scans.
Test Procedure: Ensure the workflow is running as expected
Risks: Low
Priority: P1

Signed-off-by: Vinish100 <vinish.balan@gmail.com>
Vinish100 requested review from a team on September 29, 2025 at 19:51

Comment on lines +10 to +30 of .github/workflows/Linux-build.yml
```yaml
    name: Build AAMP in Linux environment
    runs-on: ubuntu-latest
    # The docker image is used for coverity scans as well.
    container:
      image: ghcr.io/rdkcentral/docker-rdk-ci:latest

    steps:
      # Checkout the aamp repository
      - name: Checkout aamp code
        uses: actions/checkout@v3

      # Install AAMP
      # Option D builds dependencies only.
      # Option A builds AAMP only (assuming dependencies are already installed).
      # Option K skips Kotlin build.
      # 'yes' is used to auto-confirm any prompts during installation
      - name: Install AAMP
        run: |
          chmod +x ./install-aamp.sh
          yes | ./install-aamp.sh -D
          yes | ./install-aamp.sh -Ak
```

Check warning (Code scanning / CodeQL): Workflow does not contain permissions, severity Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix (AI, 6 months ago)

To fix the problem, add an explicit permissions block, ideally at the workflow root for broad effect, but it can also be added at the job level if specific jobs have different requirements. In this workflow, neither the root nor job has permissions, so the best practice is to add at least contents: read globally, unless more granular write permissions are needed for particular tasks (which does not appear to be the case here).

Edit .github/workflows/Linux-build.yml and insert the following after the `name:` line and before `on:`:

```yaml
permissions:
  contents: read
```

This ensures that the GITHUB_TOKEN issued to steps in the workflow has only read-access to repository contents, reducing risk from default write privileges. No other lines or blocks need changes.

Suggested changeset 1: .github/workflows/Linux-build.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/Linux-build.yml b/.github/workflows/Linux-build.yml
--- a/.github/workflows/Linux-build.yml
+++ b/.github/workflows/Linux-build.yml
@@ -1,4 +1,6 @@
 name: Build AAMP in Linux Environment
+permissions:
+  contents: read
 
 on:
   pull_request:
EOF
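Review bot: a root-level `permissions:` block with `contents: read` is the right scope for the workflow as shown: the hunk context is `on: pull_request:`, and the only job in the excerpt checks out the repository and runs `install-aamp.sh`, neither of which needs write access on the token, so narrowing it breaks nothing. Two things to confirm when applying it: the context line `name: Build AAMP in Linux Environment` (capital E) must match the file's first line exactly or `git apply` will reject the hunk, and if a job that needs to write (for example to push artifacts or comment on the PR) is added later, it should carry its own job-level `permissions:` rather than widening this root block.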
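As an added example (not code from this PR, from Copilot's autofix, or from the AAMP project), the script below reproduces the logic behind the CodeQL warning above: a job's GITHUB_TOKEN keeps the repository default permissions when neither the workflow root nor the job declares a `permissions` block. It runs over three constructed workflow files: the job from this PR without the block, the same file with the suggested autofix applied, and a two-job workflow where only one job scopes its token. The indentation-based scan assumes the usual block layout of Actions workflows and is not a full YAML parser.

```python
"""Flag GitHub Actions jobs whose GITHUB_TOKEN is not explicitly scoped."""

# Constructed sample modelled on the job excerpt in the PR (not the real file).
BEFORE = """\
name: Build AAMP in Linux Environment

on:
  pull_request:

jobs:
  build:
    name: Build AAMP in Linux environment
    runs-on: ubuntu-latest
    # The docker image is used for coverity scans as well.
    container:
      image: ghcr.io/rdkcentral/docker-rdk-ci:latest
    steps:
      - name: Checkout aamp code
        uses: actions/checkout@v3
"""

# The same sample with the autofix applied: a root-level read-only token.
AFTER = BEFORE.replace(
    "name: Build AAMP in Linux Environment\n",
    "name: Build AAMP in Linux Environment\npermissions:\n  contents: read\n",
    1,
)

# Constructed two-job workflow: `build` scopes its token, `publish` does not.
JOB_LEVEL = """\
name: Mixed permissions

on:
  push:

jobs:
  build:
    permissions:
      contents: read
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
  publish:
    runs-on: ubuntu-latest
    steps:
      - run: echo publish
"""


def _indent(line):
    """Number of leading spaces on a line."""
    return len(line) - len(line.lstrip(" "))


def scan_permissions(text):
    """Return (root_has_permissions, {job_id: job_has_permissions}).

    Small indentation-based scan so the example needs no YAML library; it
    covers the common block layout, not every YAML feature (anchors, multi-line
    flow mappings, ...). `permissions:` is matched in both its mapping form and
    its scalar form (`permissions: read-all`).
    """
    root = False
    jobs = {}
    in_jobs = False
    job_indent = None    # indentation of job ids directly under `jobs:`
    child_indent = None  # indentation of keys directly inside the current job
    current = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        ind = _indent(raw)
        if ind == 0:
            # Top-level key: note whether it is `permissions` or opens `jobs`.
            in_jobs = stripped == "jobs:"
            current = None
            if stripped.startswith("permissions:"):
                root = True
            continue
        if not in_jobs:
            continue
        if job_indent is None:
            job_indent = ind
        if ind == job_indent and stripped.endswith(":"):
            current = stripped[:-1]
            jobs[current] = False
            child_indent = None
            continue
        if current is None:
            continue
        if child_indent is None:
            child_indent = ind
        # Only a key directly under the job counts, not e.g. a step's `with:`.
        if ind == child_indent and stripped.startswith("permissions:"):
            jobs[current] = True
    return root, jobs


def unscoped_jobs(text):
    """Job ids that the CodeQL rule would flag: no root block and no job block."""
    root, jobs = scan_permissions(text)
    if root:
        return []
    return [job for job, scoped in jobs.items() if not scoped]


def audit(named_workflows):
    """Map each workflow name to the list of jobs running with default token rights."""
    return {name: unscoped_jobs(text) for name, text in named_workflows.items()}


if __name__ == "__main__":
    for name, flagged in audit({"before": BEFORE, "after": AFTER,
                                "job-level": JOB_LEVEL}).items():
        status = "ok" if not flagged else "unscoped jobs: " + ", ".join(flagged)
        print(f"{name}: {status}")
```

The `AFTER` sample passes because the root block applies to every job; the `JOB_LEVEL` sample shows why a reviewer should check each job when there is no root block, since a single unscoped job such as `publish` still receives the repository default token permissions.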