Skip to content

Regain control over the SDK libraries #1036

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 9 commits into
base: master
Choose a base branch
from
Draft

Regain control over the SDK libraries #1036

wants to merge 9 commits into from

Conversation

iartemov-ledger
Copy link
Contributor

@iartemov-ledger iartemov-ledger commented Jul 8, 2025
edited
Loading

⚠️ Current goal is to get first feedback, the discussions and the tests are still on-going

Based on @apaillier-ledger's work here: #924.

Corresponds to https://ledgerhq.atlassian.net/browse/B2CA-1995.
See https://github.com/LedgerHQ/ledger-secure-sdk/blob/feat/regain_control_over_libs/arch/libraries.md as documentation.
Also internal documentation:

Description

Please provide a detailed description of what was done in this PR.
(And mention any links to an issue docs)

Changes include

  • Bugfix (non-breaking change that solves an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (change that is not backwards-compatible and/or changes current functionality)
  • Tests
  • Documentation
  • Other (for changes that might not fit in any category)

Breaking changes

Please complete this section if any breaking changes have been made, otherwise delete it.

Additional comments

Please post additional comments in this section if you have them, otherwise delete it.

github-advanced-security[bot]
github-advanced-security bot found potential problems Jul 8, 2025
View reviewed changes
.github/workflows/build_clangrt_builtins.yml
Comment on lines +25 to +53
runs-on: ubuntu-latest
container:
image: ghcr.io/ledgerhq/ledger-app-builder/ledger-app-builder-lite:latest
strategy:
fail-fast: false
matrix:
target:
- core: cortex-m3
se: st33
- core: cortex-m35p+nodsp
se: st33k1

steps:
- uses: actions/checkout@v4
with:
# TODO: remove this next line before merging!
ref: feat/regain_control_over_libs
sparse-checkout: |
tools/build_clangrt_builtins.sh
sparse-checkout-cone-mode: false

- run: ./tools/build_clangrt_builtins.sh -t ${{ matrix.target.core }} -o artifact/arch/${{ matrix.target.se }}/lib

- uses: actions/upload-artifact@v4
with:
name: arch-${{ matrix.target.se }}
path: artifact/

merge:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 15 days ago

To fix the issue, we need to add a permissions block to the workflow. This block should specify the least privileges required for each job. For example:

  • The build job only needs contents: read to check out the repository.
  • The merge job may need contents: read and actions: write for artifact handling.
  • The pr_create job requires contents: read and pull-requests: write to create pull requests.

The permissions block can be added at the root level of the workflow to apply to all jobs or individually for each job. In this case, we will add permissions for each job to ensure granular control.

Suggested changeset 1
.github/workflows/build_clangrt_builtins.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/build_clangrt_builtins.yml b/.github/workflows/build_clangrt_builtins.yml
--- a/.github/workflows/build_clangrt_builtins.yml
+++ b/.github/workflows/build_clangrt_builtins.yml
@@ -25,2 +25,4 @@
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     container:
@@ -55,2 +57,5 @@
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: write
     steps:
@@ -65,2 +70,5 @@
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
     if: ${{ success() && inputs.create_pr }}
EOF
@@ -25,2 +25,4 @@
runs-on: ubuntu-latest
permissions:
contents: read
container:
@@ -55,2 +57,5 @@
runs-on: ubuntu-latest
permissions:
contents: read
actions: write
steps:
@@ -65,2 +70,5 @@
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
if: ${{ success() && inputs.create_pr }}
Copilot is powered by AI and may make mistakes. Always verify output.
.github/workflows/build_clangrt_builtins.yml
Comment on lines +54 to +63
needs: build
runs-on: ubuntu-latest
steps:
- uses: actions/upload-artifact/merge@v4
with:
name: arch
pattern: arch-*
delete-merged: true

pr_create:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 15 days ago

To fix the issue, we will add a permissions block at the workflow level to define the minimal permissions required for the workflow. This block will apply to all jobs unless overridden at the job level. Based on the workflow's operations, the following permissions are required:

  • contents: read for accessing the repository's contents.
  • pull-requests: write for creating pull requests in the pr_create job.

We will add the permissions block at the top of the workflow file, just below the name field.

Suggested changeset 1
.github/workflows/build_clangrt_builtins.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/build_clangrt_builtins.yml b/.github/workflows/build_clangrt_builtins.yml
--- a/.github/workflows/build_clangrt_builtins.yml
+++ b/.github/workflows/build_clangrt_builtins.yml
@@ -1,2 +1,5 @@
 name: Build clang runtime builtins
+permissions:
+  contents: read
+  pull-requests: write
 
EOF
@@ -1,2 +1,5 @@
name: Build clang runtime builtins
permissions:
contents: read
pull-requests: write

Copilot is powered by AI and may make mistakes. Always verify output.
.github/workflows/build_clangrt_builtins.yml
Comment on lines +64 to +92
needs: merge
runs-on: ubuntu-latest
if: ${{ success() && inputs.create_pr }}
continue-on-error: true
steps:
- name: Clone repository
uses: actions/checkout@v4
with:
# by default the action uses fetch-depth = 1, which creates
# shallow repositories from which we can't push
fetch-depth: 0
ref: ${{ inputs.target_sdk_branch }}

- name: Download Binaries artifact
uses: actions/download-artifact@v4
with:
name: arch

- name: PR creation
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
git config --global user.email ${{ env.GIT_USER_EMAIL }}
git config --global user.name ${{ env.GIT_USER_NAME }}
git switch --create ${{ env.UPDATE_BRANCH }}
git add -A .
git commit -m 'Updating static SDK libraries'
git push -u origin ${{ env.UPDATE_BRANCH }}
gh pr create -B ${{ inputs.target_sdk_branch }} --title '[SDK_LIBS_UPDATE] Updating static SDK libraries' --body 'Created by Github workflow "${{ github.workflow }}", job "${{ github.job }}", run "${{ github.run_id }}".'

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 15 days ago

To fix the issue, we will add a permissions block to the pr_create job to explicitly define the minimal permissions required for its tasks. Specifically, the pr_create job needs contents: write to push changes to a branch and pull-requests: write to create a pull request. This change ensures that the GITHUB_TOKEN has only the necessary permissions, reducing the risk of unintended actions.

The permissions block will be added under the pr_create job definition in the .github/workflows/build_clangrt_builtins.yml file.

Suggested changeset 1
.github/workflows/build_clangrt_builtins.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/build_clangrt_builtins.yml b/.github/workflows/build_clangrt_builtins.yml
--- a/.github/workflows/build_clangrt_builtins.yml
+++ b/.github/workflows/build_clangrt_builtins.yml
@@ -66,2 +66,5 @@
     if: ${{ success() && inputs.create_pr }}
+    permissions:
+      contents: write
+      pull-requests: write
     continue-on-error: true
EOF
@@ -66,2 +66,5 @@
if: ${{ success() && inputs.create_pr }}
permissions:
contents: write
pull-requests: write
continue-on-error: true
Copilot is powered by AI and may make mistakes. Always verify output.
@codecov-commenter
Copy link

codecov-commenter commented Jul 8, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 62.08%. Comparing base (2b59d08) to head (0dd9032).
Report is 3 commits behind head on master.

Additional details and impacted files 
@@           Coverage Diff           @@
##           master    #1036   +/-   ##
=======================================
  Coverage   62.08%   62.08%           
=======================================
  Files          13       13           
  Lines        1817     1817           
=======================================
  Hits         1128     1128           
  Misses        689      689
Flag Coverage Δ
unittests 62.08% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@iartemov-ledger iartemov-ledger force-pushed the feat/regain_control_over_libs branch from cb002e9 to bea58f1 Compare July 10, 2025 09:56
@iartemov-ledger iartemov-ledger changed the title Feat/regain control over libs Regain control over the SDK libraries Jul 10, 2025
@iartemov-ledger iartemov-ledger force-pushed the feat/regain_control_over_libs branch from bea58f1 to 0dd9032 Compare July 10, 2025 13:19
@iartemov-ledger iartemov-ledger mentioned this pull request Jul 10, 2025
Draft
4 tasks
@bboilot-ledger bboilot-ledger requested a review from 0pendev July 10, 2025 14:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@apaillier-ledger apaillier-ledger Awaiting requested review from apaillier-ledger

@tdejoigny-ledger tdejoigny-ledger Awaiting requested review from tdejoigny-ledger

@bboilot-ledger bboilot-ledger Awaiting requested review from bboilot-ledger

@0pendev 0pendev Awaiting requested review from 0pendev

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@iartemov-ledger @codecov-commenter @apaillier-ledger