zephyrproject-rtos · step-security-bot · Mar 24, 2025 · Mar 24, 2025
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -23,3 +23,18 @@ updates:
       doc-deps:
         patterns:
           - "*"
+
+  - package-ecosystem: pip
+    directory: /scripts/dts/python-devicetree
+    schedule:
+      interval: daily
+
+  - package-ecosystem: pip
+    directory: /scripts
+    schedule:
+      interval: daily
+
+  - package-ecosystem: pip
+    directory: /tests/net/lib/lwm2m/interop
+    schedule:
+      interval: daily
diff --git a/.github/workflows/assigner.yml b/.github/workflows/assigner.yml
@@ -1,7 +1,7 @@
 name: Pull Request Assigner
 
 on:
-  pull_request_target:
+  pull_request:
     types:
     - opened
     - synchronize
@@ -28,30 +28,34 @@ jobs:
       issues: write        # to add assignees to issues
 
     steps:
-    - name: Install Python dependencies
-      run: |
-        pip install -U PyGithub>=1.55 west
-
-    - name: Check out source code
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
-    - name: Run assignment script
-      env:
-        GITHUB_TOKEN: ${{ secrets.ZB_GITHUB_TOKEN }}
-      run: |
-        FLAGS="-v"
-        FLAGS+=" -o ${{ github.event.repository.owner.login }}"
-        FLAGS+=" -r ${{ github.event.repository.name }}"
-        FLAGS+=" -M MAINTAINERS.yml"
-        if [ "${{ github.event_name }}" = "pull_request_target" ]; then
-            FLAGS+=" -P ${{ github.event.pull_request.number }}"
-        elif [ "${{ github.event_name }}" = "issues" ]; then
-            FLAGS+=" -I ${{ github.event.issue.number }}"
-        elif [ "${{ github.event_name }}" = "schedule" ]; then
-            FLAGS+=" --modules"
-        else
-          echo "Unknown event: ${{ github.event_name }}"
-          exit 1
-        fi
-
-        python3 scripts/set_assignees.py $FLAGS
+
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
+      - name: Check out source code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Set up Python
+        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+        with:
+          python-version: 3.12
+
+      - name: cache-pip-linux
+        uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+        with:
+          path: ~/.cache/pip
+          key: ${{ hashFiles('scripts/requirements-actions.txt') }}
+          restore-keys: |
+            ${{ hashFiles('scripts/requirements-actions.txt') }}
+
+      - name: install-packages
+        run: |
+          pip install -r scripts/requirements-actions.txt --require-hashes
+
+      - name: Run assignment script
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          python --version
diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
@@ -30,6 +30,11 @@ jobs:
         )
       )
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
       - name: Backport
         uses: zephyrproject-rtos/action-backport@7e74f601d11eaca577742445e87775b5651a965f # v2.0.3-3
         with:

diff --git a/.github/workflows/backport_issue_check.yml b/.github/workflows/backport_issue_check.yml
@@ -25,19 +25,37 @@ jobs:
       issues: read # to check if associated issue exists for backport
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
       - name: Check out source code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - name: Install Python dependencies
+      - name: Set up Python
+        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+        with:
+          python-version: 3.12
+
+      - name: cache-pip
+        uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+        with:
+          path: ~/.cache/pip
+          key: ${{ hashFiles('scripts/requirements-actions.txt') }}
+          restore-keys: |
+            ${{ hashFiles('scripts/requirements-actions.txt') }}
+
+      - name: install-packages
         run: |
-          pip install -U pygithub
+          pip install -r scripts/requirements-actions.txt --require-hashes
 
       - name: Run backport issue checker
         env:
           GITHUB_TOKEN: ${{ secrets.ZB_GITHUB_TOKEN }}
         run: |
           ./scripts/release/list_backports.py \
-            -o ${{ github.event.repository.owner.login }} \
-            -r ${{ github.event.repository.name }} \
-            -b ${{ github.event.pull_request.base.ref }} \
-            -p ${{ github.event.pull_request.number }}
+          -o ${{ github.event.repository.owner.login }} \
+          -r ${{ github.event.repository.name }} \
+          -b ${{ github.event.pull_request.base.ref }} \
+          -p ${{ github.event.pull_request.number }}
diff --git a/.github/workflows/bsim-tests-publish.yaml b/.github/workflows/bsim-tests-publish.yaml
@@ -18,6 +18,11 @@ jobs:
       checks: write # to create the check run entry with test results
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
       - name: Download artifacts
         uses: dawidd6/action-download-artifact@20319c5641d495c8a52e688b7dc5fada6c3a9fbc # v8
         with:

diff --git a/.github/workflows/bsim-tests.yaml b/.github/workflows/bsim-tests.yaml
@@ -52,6 +52,11 @@ jobs:
       checks: write # to create the check run entry with test results
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
       - name: Apply container owner mismatch workaround
         run: |
           # FIXME: The owner UID of the GITHUB_WORKSPACE directory may not
@@ -178,7 +183,6 @@ jobs:
 
       - name: Merge Test Results
         run: |
-          pip install junitparser junit2html
           junitparser merge --glob "./bsim_*/*bsim_results.*.xml" "./twister-out/twister.xml" junit.xml
           junit2html junit.xml junit.html
 

diff --git a/.github/workflows/bug_snapshot.yaml b/.github/workflows/bug_snapshot.yaml
@@ -23,12 +23,31 @@ jobs:
     if: github.repository_owner == 'zephyrproject-rtos'
 
     steps:
+    - name: Harden the runner (Audit all outbound calls)
+      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+      with:
+        egress-policy: audit
+
     - name: Checkout
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-    - name: Install Python dependencies
+    - name: Set up Python
+      uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+      with:
+        python-version: 3.12
+
+    - name: cache-pip
+      uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+      with:
+        path: ~/.cache/pip
+        key: ${{ hashFiles('scripts/requirements-actions.txt') }}
+        restore-keys: |
+          ${{ hashFiles('scripts/requirements-actions.txt') }}
+
+    - name: install-packages
       run: |
-        pip install -U pygithub
+        pip install -r scripts/requirements-actions.txt --require-hashes
+
 
     - name: Snapshot bugs
       env:

diff --git a/.github/workflows/clang.yaml b/.github/workflows/clang.yaml
@@ -32,6 +32,11 @@ jobs:
       LLVM_TOOLCHAIN_PATH: /usr/lib/llvm-16
       BASE_REF: ${{ github.base_ref }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
       - name: Apply container owner mismatch workaround
         run: |
           # FIXME: The owner UID of the GITHUB_WORKSPACE directory may not
@@ -135,13 +140,41 @@ jobs:
       checks: write # to create GitHub annotations
     if: (success() || failure())
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
       - name: Download Artifacts
         uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4.1.9
         with:
           path: artifacts
+
+      - name: Set up Python
+        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+        with:
+          python-version: 3.12
+
+      - name: cache-pip
+        uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+        with:
+          path: ~/.cache/pip
+          key: ${{ hashFiles('scripts/requirements-actions.txt') }}
+          restore-keys: |
+            ${{ hashFiles('scripts/requirements-actions.txt') }}
+
+      - name: install-packages
+        run: |
+          pip install -r scripts/requirements-actions.txt --require-hashes
+
       - name: Merge Test Results
         run: |
-          pip install junitparser junit2html
           junitparser merge artifacts/*/twister.xml junit.xml
           junit2html junit.xml junit-clang.html
 

diff --git a/.github/workflows/codechecker.yml b/.github/workflows/codechecker.yml
@@ -30,6 +30,11 @@ jobs:
     permissions:
       security-events: write
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
       - name: Apply container owner mismatch workaround
         run: |
           # FIXME: The owner UID of the GITHUB_WORKSPACE directory may not
@@ -95,7 +100,7 @@ jobs:
           export CODECHECKER_EXPORT=sarif
           export CODECHECKER_SKIP_FILE=$ZEPHYR_BASE/.github/codechecker/skipfile
 
-          pip install codechecker==v6.25.1 cppcheck sarif-tools jq
+          pip install codechecker==v6.25.1 cppcheck sarif-tools
           sudo apt-get update
           sudo apt-get install -y jq
           export PATH=/usr/lib/llvm-16/bin/:$PATH
@@ -117,6 +122,6 @@ jobs:
 
       - name: Upload Analysis Results
         if: always()
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841 #v3
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/codecov.yaml b/.github/workflows/codecov.yaml
@@ -39,6 +39,11 @@ jobs:
       # `--specs` is ignored because ccache is unable to resovle the toolchain specs file path.
       CCACHE_IGNOREOPTIONS: '-specs=* --specs=*'
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
       - name: Apply container owner mismatch workaround
         run: |
           # FIXME: The owner UID of the GITHUB_WORKSPACE directory may not
@@ -104,7 +109,6 @@ jobs:
           export ZEPHYR_BASE=${PWD}
           export ZEPHYR_TOOLCHAIN_VARIANT=zephyr
           mkdir -p coverage/reports
-          pip install gcovr==6.0
           ./scripts/twister -E ${{matrix.normalized}}-testplan.json
           ls -la
           ./scripts/twister \
@@ -139,11 +143,33 @@ jobs:
     if: success() || failure()
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
       - name: checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
+      - name: Set up Python
+        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+        with:
+          python-version: 3.12
+
+      - name: cache-pip
+        uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+        with:
+          path: ~/.cache/pip
+          key: ${{ hashFiles('scripts/requirements-actions.txt') }}
+          restore-keys: |
+            ${{ hashFiles('scripts/requirements-actions.txt') }}
+
+      - name: install-packages
+        run: |
+          pip install -r scripts/requirements-actions.txt --require-hashes
+
       - name: Download Artifacts
         uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4.1.9
         with:
@@ -185,7 +211,6 @@ jobs:
       - name: Merge coverage files
         run: |
           pushd ./coverage/reports
-          pip install gcovr==6.0
           gcovr ${{ steps.get-coverage-files.outputs.mergefiles }}  --merge-mode-functions=separate --json merged.json
           gcovr ${{ steps.get-coverage-files.outputs.mergefiles }} --merge-mode-functions=separate --cobertura merged.xml
           popd
@@ -201,7 +226,6 @@ jobs:
       - name: Generate Coverage Report
         if: always()
         run: |
-          pip install xlsxwriter ijson
           python3 ./scripts/ci/coverage/coverage_analysis.py \
             -t native_sim-testplan.json \
             -m MAINTAINERS.yml \

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -35,6 +35,11 @@ jobs:
             build-mode: none
             config: ./.github/codeql/codeql-js-config.yml
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2