Y333/apex support #274
Y333/apex support #274
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| runs-on: ubuntu-latest | ||
| container: | ||
| image: ghcr.io/ledgerhq/ledger-app-builder/ledger-app-builder:latest | ||
| steps: | ||
| - name: Checkout C SDK Build Parameters Extractor | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| repository: LedgerHQ/csdk_build_params_x | ||
| path: c_sdk_build_params_x | ||
| - name: Build C SDK Build Parameters Extractor | ||
| run: | | ||
| cd c_sdk_build_params_x | ||
| cargo build --release | ||
| - name: Upload C SDK Build Parameters Extractor | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: c_sdk_build_params_extractor | ||
| path: c_sdk_build_params_x/target/release/cbpx | ||
| check_csdk_build_parameters: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 2 days ago
To fix the issue, we will add a permissions block at the root level of the workflow file. This block will apply to all jobs in the workflow unless overridden by job-specific permissions blocks. Based on the workflow's operations, the minimal required permissions are likely contents: read, as the workflow primarily checks out repositories and downloads/upload artifacts. No write permissions are necessary.
| @@ -8,3 +8,6 @@ | ||
| - cron: '0 12 * * *' | ||
|
|
||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: |
| runs-on: ubuntu-latest | ||
| needs: build_csdk_build_parameters_extractor | ||
| container: | ||
| image: ghcr.io/ledgerhq/ledger-app-builder/ledger-app-builder:latest | ||
| strategy: | ||
| matrix: | ||
| target: ["nanox", "nanosplus", "stax", "flex"] | ||
| steps: | ||
| - name: Checkout Rust SDK | ||
| uses: actions/checkout@v4 | ||
| - name: Checkout C BP | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| repository: LedgerHQ/app-boilerplate | ||
| path: c_boilerplate | ||
| - name: Download C SDK Build Parameters Extractor | ||
| uses: actions/download-artifact@v4 | ||
| with: | ||
| name: c_sdk_build_params_extractor | ||
| - name: Run C SDK Build Parameters Extractor | ||
| run: | | ||
| c_sdk_build_params_extractor --app-path c_boilerplate \ | ||
| --device ${{ matrix.target }} | ||
| # Compare output with matching file | ||
| diff c_sdk_build_${{ matrix.target }}.cflags ledger_secure_sdk_sys/c_sdk_build_${{ matrix.target }}.cflags | ||
| if [ $? -ne 0 ]; then | ||
| echo "C SDK build parameters CFLAGS do not match for target ${{ matrix.target }}" | ||
| exit 1 | ||
| fi | ||
| diff c_sdk_build_${{ matrix.target }}.defines ledger_secure_sdk_sys/c_sdk_build_${{ matrix.target }}.defines | ||
| if [ $? -ne 0 ]; then | ||
| echo "C SDK build parameters DEFINES do not match for target ${{ matrix.target }}" | ||
| exit 1 | ||
| fi |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 2 days ago
To fix the issue, we will add a permissions block at the root of the workflow file. This block will define the minimal permissions required for the workflow to function correctly. Based on the actions used in the workflow (actions/checkout, actions/upload-artifact, and actions/download-artifact), the workflow likely requires contents: read and possibly contents: write for artifact upload. We will start with contents: read and adjust if necessary.
The permissions block will be added after the name field and before the on field in the workflow file.
| @@ -1,2 +1,4 @@ | ||
| name: Build C Boilerplate application and check if C SDK build parameters are still correct | ||
| permissions: | ||
| contents: read | ||
|
|
yogh333
force-pushed
the
y333/apex_support
branch
from
ec069bc to
e63ebc8
Compare
yogh333
force-pushed
the
y333/apex_support
branch
from
e63ebc8 to
ff5cdec
Compare
No description provided.