Merge branch 'main' into main

Author: hanan619

.github/ISSUE_TEMPLATE/007_ext-source.md

@@ -49,6 +49,15 @@ required to maintain ...)
 Why is this the right component to solve it (e.g., SQLite is small,
 easy to use, and has a very liberal license.)
 
+## Security
+
+Does this component include any cryptographic functionality?
+If so, please describe the cryptographic algorithms and protocols used.
+
+How does this component handle security vulnerabilities and updates?
+Are there any known vulnerabilities in this component? If so, please
+provide details and references to any CVEs or security advisories.
+
 ## Dependencies
 
 What other components does this package depend on?

.github/SECURITY.md

@@ -11,9 +11,9 @@ updates:
 At this time, with the latest release of v4.0, the supported
 versions are:
 
-  - v4.0: Current release
-  - v3.7: Prior release and Current LTS
-  - v2.7: Prior LTS
+  - v4.1: Current release
+  - v4.0: Prior release
+  - v3.7: Current LTS
 
 ## Reporting process
 

.github/codeql/codeql-actions-config.yml

@@ -0,0 +1,2 @@
+paths:
+  - .github

.github/codeql/codeql-js-config.yml

@@ -0,0 +1,2 @@
+paths:
+  - doc

.github/dependabot.yml

@@ -11,3 +11,15 @@ updates:
       actions-deps:
         patterns:
           - "*"
+
+  - package-ecosystem: "pip"
+    directory: "/doc"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "ci: doc: "
+    labels: []
+    groups:
+      doc-deps:
+        patterns:
+          - "*"

.github/workflows/assigner.yml

@@ -15,23 +15,29 @@ on:
     types:
     - labeled
 
+permissions:
+  contents: read
+
 jobs:
   assignment:
     name: Pull Request Assignment
     if: github.event.pull_request.draft == false
     runs-on: ubuntu-22.04
+    permissions:
+      pull-requests: write # to add assignees to pull requests
+      issues: write        # to add assignees to issues
 
     steps:
     - name: Install Python dependencies
       run: |
         pip install -U PyGithub>=1.55 west
 
     - name: Check out source code
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - name: Run assignment script
       env:
-        GITHUB_TOKEN: ${{ secrets.ZB_GITHUB_TOKEN }}
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       run: |
         FLAGS="-v"
         FLAGS+=" -o ${{ github.event.repository.owner.login }}"

.github/workflows/backport.yml

@@ -7,10 +7,17 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   backport:
     name: Backport
     runs-on: ubuntu-22.04
+    permissions:
+      contents: write       # to create/push backport branches
+      pull-requests: write  # to create backport PRs
+      issues: write         # to add labels to issue created if backport fails
     # Only react to merged PRs for security reasons.
     # See https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target.
     if: >
@@ -24,8 +31,8 @@ jobs:
       )
     steps:
       - name: Backport
-        uses: zephyrproject-rtos/action-backport@v2.0.3-3
+        uses: zephyrproject-rtos/action-backport@7e74f601d11eaca577742445e87775b5651a965f # v2.0.3-3
         with:
-          github_token: ${{ secrets.ZB_GITHUB_TOKEN }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
           issue_labels: Backport
           labels_template: '["Backport"]'

.github/workflows/backport_issue_check.yml

@@ -10,6 +10,9 @@ on:
     branches:
       - v*-branch
 
+permissions:
+  contents: read
+
 jobs:
   backport:
     name: Backport Issue Check
@@ -18,18 +21,20 @@ jobs:
       cancel-in-progress: true
     runs-on: ubuntu-22.04
     if: github.repository == 'zephyrproject-rtos/zephyr'
+    permissions:
+      issues: read # to check if associated issue exists for backport
 
     steps:
       - name: Check out source code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Install Python dependencies
         run: |
           pip install -U pygithub
 
       - name: Run backport issue checker
         env:
-          GITHUB_TOKEN: ${{ secrets.ZB_GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           ./scripts/release/list_backports.py \
             -o ${{ github.event.repository.owner.login }} \

.github/workflows/bsim-tests-publish.yaml

@@ -5,20 +5,26 @@ on:
     workflows: ["BabbleSim Tests"]
     types:
       - completed
+
+permissions:
+  contents: read
+
 jobs:
   bsim-test-results:
     name: "Publish BabbleSim Test Results"
     runs-on: ubuntu-22.04
     if: github.event.workflow_run.conclusion != 'skipped'
+    permissions:
+      checks: write # to create the check run entry with test results
 
     steps:
       - name: Download artifacts
-        uses: dawidd6/action-download-artifact@v8
+        uses: dawidd6/action-download-artifact@20319c5641d495c8a52e688b7dc5fada6c3a9fbc # v8
         with:
           run_id: ${{ github.event.workflow_run.id }}
 
       - name: Publish BabbleSim Test Results
-        uses: EnricoMi/publish-unit-test-result-action@v2
+        uses: EnricoMi/publish-unit-test-result-action@170bf24d20d201b842d7a52403b73ed297e6645b # v2.18.0
         with:
           check_name: BabbleSim Test Results
           comment_mode: off

.github/workflows/bsim-tests.yaml

@@ -28,6 +28,9 @@ on:
       - "drivers/serial/*nrfx*"
       - "tests/drivers/uart/**"
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.head_ref || github.ref }}
   cancel-in-progress: true
@@ -45,6 +48,9 @@ jobs:
       BSIM_OUT_PATH: /opt/bsim/
       BSIM_COMPONENTS_PATH: /opt/bsim/components
       EDTT_PATH: ../tools/edtt
+    permissions:
+      checks: write # to create the check run entry with test results
+
     steps:
       - name: Apply container owner mismatch workaround
         run: |
@@ -67,7 +73,7 @@ jobs:
           git remote set-url origin ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}
 
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
@@ -91,7 +97,7 @@ jobs:
           echo "ZEPHYR_SDK_INSTALL_DIR=/opt/toolchains/zephyr-sdk-$( cat SDK_VERSION )" >> $GITHUB_ENV
 
       - name: Check common triggering files
-        uses: tj-actions/changed-files@v45
+        uses: tj-actions/changed-files@2f7c5bfce28377bc069a65ba478de0a74aa0ca32 # v46.0.1
         id: check-common-files
         with:
           files: |
@@ -110,7 +116,7 @@ jobs:
             modules/hal_nordic/**
 
       - name: Check if Bluethooth files changed
-        uses: tj-actions/changed-files@v45
+        uses: tj-actions/changed-files@2f7c5bfce28377bc069a65ba478de0a74aa0ca32 # v46.0.1
         id: check-bluetooth-files
         with:
           files: |
@@ -119,7 +125,7 @@ jobs:
             subsys/bluetooth/
 
       - name: Check if Networking files changed
-        uses: tj-actions/changed-files@v45
+        uses: tj-actions/changed-files@2f7c5bfce28377bc069a65ba478de0a74aa0ca32 # v46.0.1
         id: check-networking-files
         with:
           files: |
@@ -132,7 +138,7 @@ jobs:
             include/zephyr/net/ieee802154*
 
       - name: Check if UART files changed
-        uses: tj-actions/changed-files@v45
+        uses: tj-actions/changed-files@2f7c5bfce28377bc069a65ba478de0a74aa0ca32 # v46.0.1
         id: check-uart-files
         with:
           files: |
@@ -178,23 +184,23 @@ jobs:
 
       - name: Upload Unit Test Results in HTML
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
         with:
           name: HTML Unit Test Results
           if-no-files-found: ignore
           path: |
             junit.html
 
       - name: Publish Unit Test Results
-        uses: EnricoMi/publish-unit-test-result-action@v2
+        uses: EnricoMi/publish-unit-test-result-action@170bf24d20d201b842d7a52403b73ed297e6645b # v2.18.0
         with:
           check_name: Bsim Test Results
           files: "junit.xml"
           comment_mode: off
 
       - name: Upload Event Details
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
         with:
           name: event
           path: |