Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files

@@            Coverage Diff             @@
##           API_LEVEL_25    #1430   +/-   ##
=============================================
  Coverage         82.52%   82.52%
=============================================
  Files                46       46
  Lines              5670     5670
  Branches            774      774
=============================================
  Hits               4679     4679
  Misses              934      934
  Partials             57       57

Flags with carried forward coverage won't be shown.
Wiz Scan Summary
| needs: [prepare-matrix] | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| apps: ${{ fromJSON(needs.prepare-matrix.outputs.c_apps) }} | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Clone App | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| repository: LedgerHQ/${{ matrix.apps.app-name }} | ||
| submodules: recursive | ||
| path: ${{ matrix.apps.app-name }} | ||
|
|
||
| - name: Pull official Docker image and start build container | ||
| run: | | ||
| docker pull ghcr.io/ledgerhq/ledger-app-builder/ledger-app-builder-lite:5.0.2 | ||
| docker run -d --name builder-official -v $GITHUB_WORKSPACE:/workspace ghcr.io/ledgerhq/ledger-app-builder/ledger-app-builder-lite:5.0.2 sleep infinity | ||
| docker exec builder-official pip install --break-system-packages ledgered | ||
|
|
||
| - name: Create artifacts directory | ||
| run: mkdir -p $GITHUB_WORKSPACE/artifacts-official | ||
|
|
||
| - name: Build App for Nano X | ||
| if: contains(matrix.apps.devices, 'nanox') | ||
| continue-on-error: true | ||
| run: | | ||
| docker exec builder-official bash -c " | ||
| cd /workspace/${{ matrix.apps.app-name }}/${{ matrix.apps.build-directory }} && | ||
| echo 'Building for Nano X' && | ||
| make clean && | ||
| make TARGET=nanox BOLOS_SDK=/opt/nanox-secure-sdk | ||
| " | ||
| - name: Collect Nano X binary | ||
| if: contains(matrix.apps.devices, 'nanox') | ||
| run: | | ||
| cp ${{ matrix.apps.app-name }}/${{ matrix.apps.build-directory }}/build/nanox/bin/app.elf \ | ||
| artifacts-official/${{ matrix.apps.app-name }}-nanox.elf || true | ||
| cp ${{ matrix.apps.app-name }}/${{ matrix.apps.build-directory }}/build/nanox/bin/app.map \ | ||
| artifacts-official/${{ matrix.apps.app-name }}-nanox.map || true | ||
| - name: Build App for Nano S+ | ||
| if: contains(matrix.apps.devices, 'nanos+') | ||
| continue-on-error: true | ||
| run: | | ||
| docker exec builder-official bash -c " | ||
| cd /workspace/${{ matrix.apps.app-name }}/${{ matrix.apps.build-directory }} && | ||
| echo 'Building for Nano S+' && | ||
| make clean && | ||
| make TARGET=nanos2 BOLOS_SDK=/opt/nanosplus-secure-sdk | ||
| " | ||
| - name: Collect Nano S+ binary | ||
| if: contains(matrix.apps.devices, 'nanos+') | ||
| run: | | ||
| cp ${{ matrix.apps.app-name }}/${{ matrix.apps.build-directory }}/build/nanos2/bin/app.elf \ | ||
| artifacts-official/${{ matrix.apps.app-name }}-nanosp.elf || true | ||
| cp ${{ matrix.apps.app-name }}/${{ matrix.apps.build-directory }}/build/nanos2/bin/app.map \ | ||
| artifacts-official/${{ matrix.apps.app-name }}-nanosp.map || true | ||
| - name: Build App for Stax | ||
| if: contains(matrix.apps.devices, 'stax') | ||
| continue-on-error: true | ||
| run: | | ||
| docker exec builder-official bash -c " | ||
| cd /workspace/${{ matrix.apps.app-name }}/${{ matrix.apps.build-directory }} && | ||
| echo 'Building for Stax' && | ||
| make clean && | ||
| make TARGET=stax BOLOS_SDK=/opt/stax-secure-sdk | ||
| " | ||
| - name: Collect Stax binary | ||
| if: contains(matrix.apps.devices, 'stax') | ||
| run: | | ||
| cp ${{ matrix.apps.app-name }}/${{ matrix.apps.build-directory }}/build/stax/bin/app.elf \ | ||
| artifacts-official/${{ matrix.apps.app-name }}-stax.elf || true | ||
| cp ${{ matrix.apps.app-name }}/${{ matrix.apps.build-directory }}/build/stax/bin/app.map \ | ||
| artifacts-official/${{ matrix.apps.app-name }}-stax.map || true | ||
| - name: Build App for Flex | ||
| if: contains(matrix.apps.devices, 'flex') | ||
| continue-on-error: true | ||
| run: | | ||
| docker exec builder-official bash -c " | ||
| cd /workspace/${{ matrix.apps.app-name }}/${{ matrix.apps.build-directory }} && | ||
| echo 'Building for Flex' && | ||
| make clean && | ||
| make TARGET=flex BOLOS_SDK=/opt/flex-secure-sdk | ||
| " | ||
| - name: Collect Flex binary | ||
| if: contains(matrix.apps.devices, 'flex') | ||
| run: | | ||
| cp ${{ matrix.apps.app-name }}/${{ matrix.apps.build-directory }}/build/flex/bin/app.elf \ | ||
| artifacts-official/${{ matrix.apps.app-name }}-flex.elf || true | ||
| cp ${{ matrix.apps.app-name }}/${{ matrix.apps.build-directory }}/build/flex/bin/app.map \ | ||
| artifacts-official/${{ matrix.apps.app-name }}-flex.map || true | ||
| - name: Build App for Apex+ | ||
| if: contains(matrix.apps.devices, 'apex_p') | ||
| continue-on-error: true | ||
| run: | | ||
| docker exec builder-official bash -c " | ||
| cd /workspace/${{ matrix.apps.app-name }}/${{ matrix.apps.build-directory }} && | ||
| echo 'Building for Apex+' && | ||
| make clean && | ||
| make TARGET=apex_p BOLOS_SDK=/opt/apex-secure-sdk | ||
| " | ||
| - name: Collect Apex+ binary | ||
| if: contains(matrix.apps.devices, 'apex_p') | ||
| run: | | ||
| cp ${{ matrix.apps.app-name }}/${{ matrix.apps.build-directory }}/build/apex_p/bin/app.elf \ | ||
| artifacts-official/${{ matrix.apps.app-name }}-apex_p.elf || true | ||
| cp ${{ matrix.apps.app-name }}/${{ matrix.apps.build-directory }}/build/apex_p/bin/app.map \ | ||
| artifacts-official/${{ matrix.apps.app-name }}-apex_p.map || true | ||
|
|
||
| - name: Upload app binaries | ||
| if: always() | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: ${{ matrix.apps.app-name }}-binaries-official | ||
| path: artifacts-official/ | ||
| if-no-files-found: ignore | ||
| retention-days: 1 | ||
|
|
||
| - name: Cleanup | ||
| if: always() | ||
| run: docker rm -f builder-official || true | ||
|
|
||
| compare-builds: | ||
| name: Compare builds |
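Review bot: every per-target build step from `Build App for Nano X` to `Build App for Apex+` carries `continue-on-error: true`, each `Collect ... binary` step ends its `cp` with `|| true`, and the upload runs `if: always()` with `if-no-files-found: ignore`, so a compile failure on any device leaves the job green and the artifact silently short of a `.elf`; the `compare-builds` job that follows will then be comparing against a missing file rather than reporting a broken build. Keep the failures visible, either by dropping `continue-on-error` or by writing each target's `make` exit code to a step output that `compare-builds` checks. Two reproducibility points in the same steps: the builder image is pulled by mutable tag (`ledger-app-builder-lite:5.0.2`) and `pip install --break-system-packages ledgered` fetches an unpinned package at run time, so two runs can build with different toolchains; pin the image by digest and `ledgered` by version, or bake it into the image. Lastly, `${{ matrix.apps.app-name }}` and `${{ matrix.apps.build-directory }}` are substituted into the `run:` scripts, inside a `bash -c "..."` string, before the shell starts; they originate in `fromJSON(needs.prepare-matrix.outputs.c_apps)`, which is job output rather than a literal, so pass them through `env:` and quote them as `"$APP_NAME"` / `"$BUILD_DIR"` so a crafted name cannot break out of the command.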
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium
Copilot Autofix (AI, 11 days ago):
In general, the fix is to explicitly declare a minimal permissions block rather than relying on repository defaults. Since multiple jobs in this workflow use actions/checkout and artifact upload/download, but none modify repository state (no pushes or PR/issue writes), a conservative and correct choice is to set contents: read at the workflow root. This documents intent and prevents unexpected elevation if org defaults change.
The single best way to fix this without changing functionality is:
- Add a top-level `permissions:` block near the top of `.github/workflows/build_all_c_apps.yml` (e.g., after `name:`), setting `contents: read`. This applies to all jobs (`build-docker`, `build-docker-full`, `prepare-matrix`, `test-build-official`, etc.) that don’t override permissions, including the one flagged by CodeQL.
- No per-job overrides are needed based on the shown snippet: jobs only read repository contents and use artifacts and Docker, all of which work with `contents: read` and the default implicit scopes for artifacts.
Concretely, edit `.github/workflows/build_all_c_apps.yml`:
- Insert:
  permissions:
    contents: read
  right after the `name: Build all C apps on latest C SDK` line (line 1). No imports or other definitions are required.
| @@ -1,5 +1,8 @@ | ||
| name: Build all C apps on latest C SDK | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
| inputs: |
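Review bot: this autofix inserts the block at line 1, ahead of `on:`, while the other four Copilot comments on this PR put it after `pull_request:`; both spots are valid for a root-level key, so apply exactly one of them rather than all five. A root-level `permissions:` also caps the `GITHUB_TOKEN` that `secrets.GITHUB_TOKEN` forwards to the reusable workflow and to every `actions/checkout` in the file, so `contents: read` has to be enough for those callees too; if a called workflow must later push images, give that one job a job-level `permissions:` with `packages: write` instead of loosening the root block.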
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium
Copilot Autofix (AI, 11 days ago):
To fix the problem, add an explicit permissions block that limits the GITHUB_TOKEN to the minimal required scope. This workflow only needs to read repository contents (for actions/checkout in other jobs, if present) and to allow built-in actions to function; it does not need to write to the repo, issues, or pull requests. The safest and clearest fix is to define a root-level permissions block (applies to all jobs) with contents: read. If in the broader file some jobs needed more, they could override it, but we are constrained to the shown snippet and should not widen permissions unnecessarily.
Concretely, in `.github/workflows/build_all_c_apps.yml`, add:
permissions:
  contents: read
near the top of the workflow, after the `on:` block (lines 10–11) and before `jobs:` (line 15). This documents and enforces least-privilege for all jobs, including `compare`, without changing any existing functionality, because all current steps rely only on artifact and local operations, which work with read-only contents permissions.
| @@ -9,6 +9,9 @@ | ||
| default: '' | ||
| pull_request: | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| # NOTE : changes made to this file in the context of this PR will be reverted | ||
| # these are just for the sake of testing the PR | ||
|
|
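The five Copilot Autofix comments on this PR all make the same point: declare `permissions:` once at the root so no job silently inherits the repository default. The checker below is added here as an example; it is not part of the SDK repository, of the workflow under review, or of the Copilot suggestion. It turns that advice, plus two related supply-chain checks a reviewer would run over the same diff (action references pinned to mutable tags, and `${{ ... }}` expressions expanded directly into `run:` scripts), into a lint you can run over any workflow file before CodeQL does. The sample workflow embedded in it is a constructed, cut-down version of the `test-build-official` job from the diff with a hardened job beside it; the 40-character SHA in that sample is a placeholder, not a real `actions/checkout` release. The parser is deliberately line-based so it needs no YAML library, which means it assumes the two-space indentation used throughout the diff.

```python
"""Lint a GitHub Actions workflow for three least-privilege / supply-chain issues:
  1. no explicit `permissions:` block (the CodeQL finding on this PR),
  2. `uses:` references pinned to a mutable tag or branch instead of a commit SHA,
  3. `${{ ... }}` expressions substituted straight into `run:` scripts.
Added example, not code from the SDK repository or the Copilot suggestion.
Line-based on purpose (no YAML dependency); assumes 2-space indentation."""
import re
from dataclasses import dataclass

SHA40 = re.compile(r"@[0-9a-f]{40}$")
USES = re.compile(r"^\s*(?:-\s+)?uses:\s*(\S+)")
RUN = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")
EXPR = re.compile(r"\$\{\{\s*([^}]*?)\s*\}\}")


@dataclass
class Finding:
    line: int      # 1-based line number in the workflow text
    rule: str      # no-permissions | unpinned-action | expression-in-run
    detail: str


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def _jobs(lines):
    """Return [name, first_idx, last_idx] for each top-level job under `jobs:`."""
    jobs, in_jobs = [], False
    for i, line in enumerate(lines):
        if re.match(r"^jobs:\s*$", line):
            in_jobs = True
            continue
        if in_jobs and line.strip() and _indent(line) == 0:
            in_jobs = False                 # another top-level key closes the map
            if jobs:
                jobs[-1][2] = i - 1
        if in_jobs:
            m = re.match(r"^  ([A-Za-z0-9_-]+):\s*$", line)
            if m:
                if jobs:
                    jobs[-1][2] = i - 1
                jobs.append([m.group(1), i, len(lines) - 1])
    return jobs


def _run_script_lines(lines):
    """Yield (idx, text) for every line that ends up inside a shell script:
    the tail of a one-line `run: cmd` and the body of a `run: |` block scalar."""
    i = 0
    while i < len(lines):
        m = RUN.match(lines[i])
        if not m:
            i += 1
            continue
        key_col = len(m.group(1)) + (len(m.group(2)) if m.group(2) else 0)
        rest = m.group(3)
        if rest.rstrip() in ("|", ">", "|-", ">-", "|+", ">+"):
            i += 1                           # block scalar: body is everything indented deeper
            while i < len(lines) and (not lines[i].strip() or _indent(lines[i]) > key_col):
                if lines[i].strip():
                    yield i, lines[i]
                i += 1
            continue
        yield i, rest
        i += 1


def lint_workflow(text: str) -> list[Finding]:
    lines = text.splitlines()
    findings: list[Finding] = []

    # 1. A workflow-level block covers every job; without it each job needs its own.
    if not any(re.match(r"^permissions:", l) for l in lines):
        for name, start, end in _jobs(lines):
            if not any(re.match(r"^    permissions:", l) for l in lines[start:end + 1]):
                findings.append(Finding(start + 1, "no-permissions",
                    f"job '{name}' inherits the repository's default GITHUB_TOKEN scopes"))

    # 2. Only a full commit SHA is immutable; tags and branches can be moved.
    for i, line in enumerate(lines):
        m = USES.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue                         # local action or explicit image reference
        if not SHA40.search(ref):
            findings.append(Finding(i + 1, "unpinned-action",
                f"{ref} is pinned to a mutable tag/branch, not a commit SHA"))

    # 3. Expressions in run: are substituted before bash ever sees the script.
    for i, script in _run_script_lines(lines):
        for m in EXPR.finditer(script):
            findings.append(Finding(i + 1, "expression-in-run",
                f"${{{{ {m.group(1)} }}}} is expanded into the shell; pass it through env: instead"))

    return sorted(findings, key=lambda f: f.line)


# Constructed sample: a cut-down test-build-official job plus a hardened variant.
# The 40-hex SHA is a placeholder, not a real actions/checkout release.
SAMPLE_WORKFLOW = """\
name: Build all C apps on latest C SDK
on:
  workflow_dispatch:
  pull_request:
jobs:
  test-build-official:
    runs-on: ubuntu-latest
    steps:
      - name: Clone App
        uses: actions/checkout@v4
        with:
          repository: LedgerHQ/${{ matrix.apps.app-name }}
      - name: Build App for Nano X
        run: |
          docker exec builder-official bash -c "
          cd /workspace/${{ matrix.apps.app-name }}/${{ matrix.apps.build-directory }} &&
          make TARGET=nanox BOLOS_SDK=/opt/nanox-secure-sdk
          "
      - name: Cleanup
        run: docker rm -f builder-official || true
  hardened:
    permissions:
      contents: read
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - name: Build
        env:
          APP_NAME: ${{ matrix.apps.app-name }}
        run: |
          cd "/workspace/$APP_NAME" && make
"""

if __name__ == "__main__":
    for f in lint_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line:3d}  {f.rule:18s} {f.detail}")
```

Run it directly, or pass the contents of `.github/workflows/build_all_c_apps.yml` to `lint_workflow()`. On the sample it reports the missing job-level permissions on `test-build-official`, the `@v4` pin, and the two matrix expressions on the `cd` line; the hardened job is clean because its expression goes through `env:` and is read back as `"$APP_NAME"`, which the shell treats as data rather than as part of the command.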
| name: Build ledger-app-builder-lite | ||
| uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_docker_deployment.yml@v1 | ||
| with: | ||
| app_repository: LedgerHQ/ledger-app-builder | ||
| app_ref: mbr/clang-21 | ||
| image_name: ledger-app-builder-lite | ||
| dockerfile_path: lite/Dockerfile | ||
| dry_run: true | ||
| outputs: "type=docker,dest=/tmp/ledger-app-builder-lite.tar" | ||
| secrets: | ||
| token: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| build-docker-full: |
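Review bot: `uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_docker_deployment.yml@v1` and `app_ref: mbr/clang-21` are both mutable refs (a floating tag and a feature branch), so what this job builds depends on where those refs point on the day it runs; that is tolerable for a test run kept local by `dry_run: true` and `outputs: "type=docker,dest=/tmp/ledger-app-builder-lite.tar"`, but pin the reusable workflow to a commit SHA before the same call is used anywhere that publishes. Forwarding `token: ${{ secrets.GITHUB_TOKEN }}` to the reusable workflow is fine as long as the workflow's root `permissions:` (currently absent, per CodeQL) is set to what that callee actually needs.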
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium
Copilot Autofix (AI, 11 days ago):
In general, the fix is to add an explicit permissions block to the workflow (at the top level under name: / on:) or to each job, granting only the minimal GITHUB_TOKEN scopes required. Since the jobs here only read the repository (via actions/checkout) and use artifacts, and do not push commits, manage PRs, or alter releases, they can operate with contents: read. The reusable workflow that receives secrets.GITHUB_TOKEN also typically needs at most read access to the repo unless it’s designed to push or manage PRs.
The single best, minimally invasive change is to add a root-level permissions section that applies to all jobs, right after the on: block. This documents and enforces least privilege without changing the workflow’s functional behavior. A safe baseline is:
permissions:
  contents: read
This aligns with GitHub’s recommended read-only default for most build/test workflows and is sufficient for actions/checkout and the artifact actions being used. No additional imports or dependencies are needed; this is purely a YAML configuration change in `.github/workflows/build_all_c_apps.yml`.
Specifically:
- Edit `.github/workflows/build_all_c_apps.yml`.
- Insert a `permissions:` block after the `on:` section (after line 10, before the `# NOTE` comment).
- Set `contents: read` as the minimal required permission.
| @@ -9,6 +9,9 @@ | ||
| default: '' | ||
| pull_request: | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| # NOTE : changes made to this file in the context of this PR will be reverted | ||
| # these are just for the sake of testing the PR | ||
|
|
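Review bot: the context line `# NOTE : changes made to this file in the context of this PR will be reverted` sits immediately under the inserted block, so this fix is scheduled to disappear with the rest of the test-only edits; carry the `permissions:` block with its `contents: read` baseline into the permanent version of `build_all_c_apps.yml`, otherwise the CodeQL finding returns as soon as the temporary changes are reverted.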
| name: Build ledger-app-builder | ||
| needs: [build-docker] | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout ledger-app-builder | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| repository: LedgerHQ/ledger-app-builder | ||
| ref: mbr/clang-21 | ||
| token: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| - name: Download ledger-app-builder-lite image artifact | ||
| uses: actions/download-artifact@v4 | ||
| with: | ||
| name: ledger-app-builder-lite | ||
| path: /tmp | ||
|
|
||
| - name: Load ledger-app-builder-lite image | ||
| run: docker load -i /tmp/ledger-app-builder-lite.tar | ||
|
|
||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@v3 | ||
| with: | ||
| driver: docker | ||
|
|
||
| - name: Build ledger-app-builder image | ||
| uses: docker/build-push-action@v6 | ||
| with: | ||
| context: . | ||
| file: full/Dockerfile | ||
| push: false | ||
| tags: ledger-app-builder:latest | ||
|
|
||
| - name: Export ledger-app-builder image to tar | ||
| run: docker save ledger-app-builder:latest -o /tmp/ledger-app-builder.tar | ||
|
|
||
| - name: Upload ledger-app-builder image artifact | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: ledger-app-builder | ||
| path: /tmp/ledger-app-builder.tar | ||
| retention-days: 1 | ||
|
|
||
| check-clang-version-custom: |
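Review bot: `Checkout ledger-app-builder` passes `token: ${{ secrets.GITHUB_TOKEN }}` explicitly and leaves `actions/checkout` at its default of persisting that credential in `.git/config`, and the very same directory is then handed to `docker/build-push-action@v6` as `context: .`; unless `full/Dockerfile` or a `.dockerignore` excludes `.git`, the token can be copied into a layer of `ledger-app-builder:latest`, which this job then `docker save`s and uploads as an artifact. The explicit `token:` buys nothing here (the action already defaults to `github.token` for a read-only clone), so drop it and add `persist-credentials: false` to the checkout. `docker/setup-buildx-action@v3`, `docker/build-push-action@v6`, `actions/download-artifact@v4` and `actions/upload-artifact@v4` are tag-pinned; use commit SHAs for the same reason as the other action references in this file.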
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium
Copilot Autofix (AI, 11 days ago):
To fix this, define explicit, least-privilege permissions for the workflow so that all jobs (including the highlighted build-docker-full job) do not rely on repo/org defaults. This is best done at the workflow root so that all jobs inherit the same minimal permissions, and only expanded if some job later needs more.
In this workflow, the token is only needed for standard operations like actions/checkout and accessing the repository; no job writes to repository contents or issues. Therefore, contents: read is sufficient and aligns with the minimal starting point suggested by CodeQL. We can add:
permissions:
  contents: read
near the top of `.github/workflows/build_all_c_apps.yml`, at the same indentation level as `on:` and `jobs:`. No other code changes, imports, or dependencies are required, and existing functionality (checking out code, using artifacts, building Docker images) remains unchanged because read access to contents is all that is needed.
| @@ -9,6 +9,9 @@ | ||
| default: '' | ||
| pull_request: | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| # NOTE : changes made to this file in the context of this PR will be reverted | ||
| # these are just for the sake of testing the PR | ||
|
|
| name: Check clang version (custom image) | ||
| needs: [build-docker-full] | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Download ledger-app-builder image artifact | ||
| uses: actions/download-artifact@v4 | ||
| with: | ||
| name: ledger-app-builder | ||
| path: /tmp | ||
|
|
||
| - name: Check clang version | ||
| run: | | ||
| LOADED_IMAGE=$(docker load -i /tmp/ledger-app-builder.tar | grep "Loaded image" | head -1 | awk '{print $NF}') | ||
| CLANG_VERSION=$(docker run --rm "$LOADED_IMAGE" clang --version) | ||
| echo "$CLANG_VERSION" | ||
| echo "## clang version (custom image)" >> $GITHUB_STEP_SUMMARY | ||
| echo '```' >> $GITHUB_STEP_SUMMARY | ||
| echo "$CLANG_VERSION" >> $GITHUB_STEP_SUMMARY | ||
| echo '```' >> $GITHUB_STEP_SUMMARY | ||
|
|
||
| check-clang-version-official: |
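Review bot: the `Check clang version` step prints `clang --version` into `$GITHUB_STEP_SUMMARY` but never asserts on it, so the job passes whatever compiler the custom image ships; since this PR exists to move to clang 21, add an assertion such as `echo "$CLANG_VERSION" | grep -q 'clang version 21' || exit 1`, and mirror it in `check-clang-version-official` so the two jobs document the expected difference instead of leaving two strings for a human to compare. The `docker load ... | grep "Loaded image" | head -1 | awk '{print $NF}'` pipeline also depends on the wording of `docker load`'s output; the tar was produced by `docker save ledger-app-builder:latest` in the previous job, so `docker run --rm ledger-app-builder:latest clang --version` works with no parsing at all.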
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium
Copilot Autofix (AI, 11 days ago):
In general, the fix is to explicitly declare a permissions block that grants only the minimal scopes required for this workflow. Since none of the jobs push commits, manage issues, or otherwise modify repository state, they can safely run with contents: read (and no additional write permissions). This both documents intent and ensures the workflow does not accidentally gain more privileges if repo/org defaults change.
The best minimal fix without altering behavior is to add a top-level permissions block near the top of .github/workflows/build_all_c_apps.yml, applying to all jobs, e.g.:
permissions:
  contents: read
This satisfies CodeQL’s requirement and provides least-privilege defaults. None of the shown jobs require more than read access: they build Docker images, download/upload artifacts, run Docker containers, check out code, and call a Python script; these all work with `contents: read`. No job appears to need write access to PRs, issues, or repository contents. Concretely, insert the permissions block after the `on:` trigger section (after line 11), before the `jobs:` key. No imports or additional definitions are required.
| @@ -9,6 +9,9 @@ | ||
| default: '' | ||
| pull_request: | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| # NOTE : changes made to this file in the context of this PR will be reverted | ||
| # these are just for the sake of testing the PR | ||
|
|
…inated-string-initialization being added to -Wextra in clang 21
Adding build flags for migration to clang-21
…elf and stacks with minimal changes)
a3a2cf3 to 4211d91
…inated-string-initialization being added to -Wextra in clang 21
Adding build flags for migration to clang-21
Description
Please provide a detailed description of what was done in this PR.
(and mention any links to issue docs)
Changes include
Breaking changes
Please complete this section if any breaking changes have been made, otherwise delete it.
Additional comments
Please post additional comments in this section if you have them, otherwise delete it.
Auto cherry-pick in API_LEVEL
If requested to port the commits from this PR on a dedicated API_LEVEL branch,
select the targeted one(s), or add new references if not listed:
[ ] TARGET_API_LEVEL: API_LEVEL_25
This will only create the PR with cherry-picks, ready to be reviewed and merged.
Remember: