zephyrproject-rtos · nashif · Mar 12, 2025 · Nov 21, 2024 · Nov 23, 2024 · Mar 17, 2025
diff --git a/.codechecker.yml b/.codechecker.yml
@@ -17,5 +17,16 @@ analyzer:
   - --disable=clang-diagnostic-reserved-identifier
   - --disable=clang-diagnostic-reserved-macro-identifier
 
+  # userspace includes c files
+  - --disable=bugprone-suspicious-include
+
+  - --disable=clang-diagnostic-unused-parameter
+  - --disable=bugprone-narrowing-conversions
+
+  # LOG_ macros
+  - --disable=alpha.core.SizeofPtr
+  - --disable=bugprone-sizeof-expression
+  - --disable=performance-no-int-to-ptr
+
   # Cleanup
   - --clean
diff --git a/.github/codechecker/skipfile b/.github/codechecker/skipfile
@@ -0,0 +1 @@
+-lib/libc/picolibc/*
diff --git a/.github/workflows/clang.yaml b/.github/workflows/clang.yaml
@@ -16,7 +16,7 @@ jobs:
   clang-build:
     if: github.repository_owner == 'zephyrproject-rtos'
     runs-on:
-      group: zephyr-runner-v2-linux-x64-4xlarge
+      group: test-runner-v2-linux-x64-4xlarge
     container:
       image: ghcr.io/zephyrproject-rtos/ci-repo-cache:v0.27.4.20241026
       options: '--entrypoint /bin/bash'

diff --git a/.github/workflows/codechecker.yml b/.github/workflows/codechecker.yml
@@ -0,0 +1,122 @@
+name: Codechecker
+on:
+  push:
+    branches:
+      - main
+      - v*-branch
+      - collab-*
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.head_ref || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  Codechecker:
+    if: github.repository_owner == 'zephyrproject-rtos'
+    runs-on:
+      group: zephyr-runner-v2-linux-x64-4xlarge
+    container:
+      image: ghcr.io/zephyrproject-rtos/ci-repo-cache:v0.27.4.20241026
+      options: '--entrypoint /bin/bash'
+    env:
+      CCACHE_DIR: /node-cache/ccache-zephyr
+      CCACHE_REMOTE_STORAGE: "redis://cache-*.keydb-cache.svc.cluster.local|shards=1,2,3"
+      CCACHE_REMOTE_ONLY: "true"
+      CCACHE_IGNOREOPTIONS: '-specs=* --specs=*'
+      LLVM_TOOLCHAIN_PATH: /usr/lib/llvm-16
+      BASE_REF: ${{ github.base_ref }}
+    permissions:
+      security-events: write
+    steps:
+      - name: Apply container owner mismatch workaround
+        run: |
+          # FIXME: The owner UID of the GITHUB_WORKSPACE directory may not
+          #        match the container user UID because of the way GitHub
+          #        Actions runner is implemented. Remove this workaround when
+          #        GitHub comes up with a fundamental fix for this problem.
+          git config --global --add safe.directory ${GITHUB_WORKSPACE}
+
+      - name: Print cloud service information
+        run: |
+          echo "ZEPHYR_RUNNER_CLOUD_PROVIDER = ${ZEPHYR_RUNNER_CLOUD_PROVIDER}"
+          echo "ZEPHYR_RUNNER_CLOUD_NODE = ${ZEPHYR_RUNNER_CLOUD_NODE}"
+          echo "ZEPHYR_RUNNER_CLOUD_POD = ${ZEPHYR_RUNNER_CLOUD_POD}"
+
+      - name: Clone cached Zephyr repository
+        continue-on-error: true
+        run: |
+          git clone --shared /repo-cache/zephyrproject/zephyr .
+          git remote set-url origin ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}
+
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Environment Setup
+        run: |
+          echo "$HOME/.local/bin" >> $GITHUB_PATH
+          git config --global user.email "[email protected]"
+          git config --global user.name "Zephyr Bot"
+          rm -fr ".git/rebase-apply"
+          rm -fr ".git/rebase-merge"
+          git clean -f -d
+          git log  --pretty=oneline | head -n 10
+          west init -l . || true
+          west config --global update.narrow true
+          west config manifest.group-filter -- +ci,-optional
+          # In some cases modules are left in a state where they can't be
+          # updated (i.e. when we cancel a job and the builder is killed),
+          # So first retry to update, if that does not work, remove all modules
+          # and start over. (Workaround until we implement more robust module
+          # west caching).
+          west update --path-cache /repo-cache/zephyrproject 2>&1 1> west.log || west update --path-cache /repo-cache/zephyrproject 2>&1 1> west2.log || ( rm -rf ../modules ../bootloader ../tools && west update --path-cache /repo-cache/zephyrproject)
+
+          echo "ZEPHYR_SDK_INSTALL_DIR=/opt/toolchains/zephyr-sdk-$( cat SDK_VERSION )" >> $GITHUB_ENV
+
+      - name: Check Environment
+        run: |
+          cmake --version
+          ${LLVM_TOOLCHAIN_PATH}/bin/clang --version
+          gcc --version
+          ls -la
+
+      - name: Run Tests with Twister
+        id: twister
+        run: |
+          export ZEPHYR_BASE=${PWD}
+          export ZEPHYR_TOOLCHAIN_VARIANT=zephyr
+          export ZEPHYR_SCA_VARIANT=codechecker
+          export CODECHECKER_CONFIG_FILE=$ZEPHYR_BASE/.codechecker.yml
+          export CODECHECKER_CLEANUP=y
+          export CODECHECKER_EXPORT=sarif
+          export CODECHECKER_SKIP_FILE=$ZEPHYR_BASE/.github/codechecker/skipfile
+
+          pip install codechecker==v6.25.1 cppcheck sarif-tools jq
+          sudo apt-get update
+          sudo apt-get install -y jq
+          export PATH=/usr/lib/llvm-16/bin/:$PATH
+
+          ./scripts/twister -i --force-color -N -v --build-only --timeout-multiplier 2 -p qemu_x86 -T tests/kernel/threads  -T tests/lib/heap
+
+          #sarif copy --output results.sarif $(find twister-out -name "codechecker.sarif")
+          jq -s '{ "$schema": "https://json.schemastore.org/sarif-2.1.0", "version": "2.1.0", "runs": map(.runs) | add }'  $(find twister-out -name "codechecker.sarif")  > results.sarif
+
+      - name: Upload SARIF as artifact
+        if: always()
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
+        with:
+          name: sarif
+          if-no-files-found: ignore
+          path: |
+            build/sca/codechecker/codechecker.sarif
+            results.sarif
+
+      - name: Upload Analysis Results
+        if: always()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -2,9 +2,18 @@ name: "CodeQL"
 
 on:
   push:
-    branches: ["main"]
+    branches:
+      - main
+      - v*-branch
+      - collab-*
   schedule:
     - cron: '34 16 * * 3'
+  pull_request:
+    branches:
+      - main
+      - v*-branch
+      - collab-*
+
 permissions:
   contents: read
 jobs:

diff --git a/.github/workflows/compliance.yml b/.github/workflows/compliance.yml
@@ -1,18 +1,23 @@
 name: Compliance Checks
 
 on:
-  pull_request:
-    types:
-    - edited
-    - opened
-    - reopened
-    - synchronize
+  workflow_call:
 
 permissions:
   contents: read
 
 jobs:
+  check_compliance_push:
+    if: github.event_name == 'push'
+    runs-on: ubuntu-22.04
+    name: Run compliance checks on patch series (PR)
+    steps:
+    - name: Do nothing
+      run: |
+        echo "Doing nothing"
+
   check_compliance:
+    if: github.event_name == 'pull_request'
     runs-on: ubuntu-22.04
     name: Run compliance checks on patch series (PR)
     steps:
@@ -65,14 +70,6 @@ jobs:
         west config manifest.group-filter -- +ci,-optional
         west update -o=--depth=1 -n 2>&1 1> west.update.log || west update -o=--depth=1 -n 2>&1 1> west.update2.log
 
-    - name: Check for PR description
-      if: ${{ github.event.pull_request.body == '' }}
-      continue-on-error: true
-      id: pr_description
-      run: |
-        echo "Pull request description cannot be empty."
-        exit 1
-
     - name: Run Compliance Tests
       continue-on-error: true
       id: compliance
@@ -96,6 +93,8 @@ jobs:
         path: compliance.xml
 
     - name: check-warns
+      id: check-warns
+      continue-on-error: true
       run: |
         if [[ ! -s "compliance.xml" ]]; then
           exit 1;
@@ -124,10 +123,12 @@ jobs:
         if [ "${exit}" == "1" ]; then
           echo "Compliance error, check for error messages in the \"Run Compliance Tests\" step"
           echo "You can run this step locally with the ./scripts/ci/check_compliance.py script."
+          echo "exit_code=${exit}" >> $GITHUB_OUTPUT
           exit 1;
         fi
-
-        if [ "${{ steps.pr_description.outcome }}" == "failure" ]; then
-          echo "PR description cannot be empty"
-          exit 1;
-        fi
+    - name: resolve
+      if: |
+        steps.check-warns.outputs.exit_code != 0 &&
+        ! contains(github.event.pull_request.labels.*.name, 'Compliance: False Positive')
+      run: |
+        exit ${{ steps.check-warns.outputs.exit_code }}
diff --git a/.github/workflows/compliance_compat.yml b/.github/workflows/compliance_compat.yml
@@ -0,0 +1,19 @@
+name: Compliance Checks (Compatibility mode)
+
+on:
+  pull_request:
+    types:
+    - edited
+    - opened
+    - reopened
+    - synchronize
+
+jobs:
+  check_compliance:
+    runs-on: ubuntu-22.04
+    name: Run compliance checks on patch series (PR)
+    steps:
+    - name: do nothing
+      run: |
+        echo "do nothing"
+        exit 0
diff --git a/.github/workflows/do_not_merge.yml → .github/workflows/pr_metadata_check.yml b/.github/workflows/do_not_merge.yml → .github/workflows/pr_metadata_check.yml
@@ -1,8 +1,14 @@
-name: Do Not Merge
+name: PR Metadata Check
 
 on:
   pull_request:
-    types: [synchronize, opened, reopened, labeled, unlabeled]
+    types:
+      - synchronize
+      - opened
+      - reopened
+      - labeled
+      - unlabeled
+      - edited
 
 permissions:
   contents: read
@@ -22,3 +28,13 @@ jobs:
           echo "Pull request is labeled as 'DNM', 'TSC', 'Architecture Review' or 'dev-review'."
           echo "This workflow fails so that the pull request cannot be merged."
           exit 1
+
+  empty_pr_description:
+    if: ${{ github.event.pull_request.body == '' }}
+    name: PR Description
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Check for PR description
+        run: |
+          echo "Pull request description cannot be empty."
+          exit 1
diff --git a/.github/workflows/twister-prep.yaml b/.github/workflows/twister-prep.yaml
@@ -18,9 +18,9 @@ permissions:
 
 jobs:
   prep_pr:
-    if: github.repository_owner == 'zephyrproject-rtos' && github.event_name == 'pull_request_target'
+    if: github.repository_owner == 'zephyrproject-rtos' && github.event_name == 'pull_request'
     runs-on:
-      group: zephyr-runner-v2-linux-x64-4xlarge
+      group: test-runner-v2-linux-x64-4xlarge
     container:
       image: ghcr.io/zephyrproject-rtos/ci-repo-cache:v0.27.4.20241026
       options: '--entrypoint /bin/bash'

diff --git a/.github/workflows/twister-publish.yaml b/.github/workflows/twister-publish.yaml
@@ -15,7 +15,7 @@ jobs:
   upload-to-elasticsearch:
     if: |
       github.repository == 'zephyrproject-rtos/zephyr' &&
-      github.event.workflow_run.event != 'pull_request_target'
+      github.event.workflow_run.event != 'pull_request'
     env:
       ELASTICSEARCH_KEY: ${{ secrets.ELASTICSEARCH_KEY }}
       ELASTICSEARCH_SERVER: "https://elasticsearch.zephyrproject.io:443"

diff --git a/.github/workflows/twister.yaml b/.github/workflows/twister.yaml
@@ -6,7 +6,7 @@ on:
       - main
       - v*-branch
       - collab-*
-  pull_request_target:
+  pull_request:
     branches:
       - main
       - v*-branch
@@ -23,12 +23,16 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
+  compliance-check:
+    uses: ./.github/workflows/compliance.yml
+
   twister-build-prep:
+    needs: compliance-check
     uses: ./.github/workflows/twister-prep.yaml
 
   twister-build:
     runs-on:
-      group: zephyr-runner-v2-linux-x64-4xlarge
+      group: test-runner-v2-linux-x64-4xlarge
     needs: twister-build-prep
     if: needs.twister-build-prep.outputs.size != 0
     container:
@@ -84,7 +88,7 @@ jobs:
 
       - name: Environment Setup
         run: |
-          if [ "${{github.event_name}}" = "pull_request_target" ]; then
+          if [ "${{github.event_name}}" = "pull_request" ]; then
             git config --global user.email "[email protected]"
             git config --global user.name "Zephyr Builder"
             rm -fr ".git/rebase-apply"
@@ -146,7 +150,7 @@ jobs:
             fi
           fi
 
-      - if: github.event_name == 'pull_request_target'
+      - if: github.event_name == 'pull_request'
         name: Run Tests with Twister (Pull Request)
         id: run_twister_pr
         run: |
@@ -219,7 +223,7 @@ jobs:
     permissions:
       checks: write # to create the check run entry with Twister test results
     # the build-and-test job might be skipped, we don't need to run this job then
-    if: success() || failure()
+    if: (success() || failure()) &&  needs.twister-build.result != 'skipped'
 
     steps:
       - name: Check out source code
@@ -236,6 +240,7 @@ jobs:
           path: artifacts
 
       - name: Merge Test Results
+        if: needs.twister-build.result != 'skipped'
         run: |
           pip install junitparser junit2html
           junitparser merge artifacts/*/*/twister.xml junit.xml
@@ -280,6 +285,7 @@ jobs:
     if: always()
     name: "Check Twister Status"
     needs:
+      - compliance-check
       - twister-build-prep
       - twister-build
     uses: ./.github/workflows/ready-to-merge.yml