From 579062385d59e4443b43df951ad6225739a340df Mon Sep 17 00:00:00 2001
From: aghiles-ait
Date: Thu, 11 Dec 2025 01:46:23 +0100
Subject: [PATCH 1/4] feat: add scan provider agents ci
---
 .github/workflows/scan-provider-agents.yaml | 49 +++++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 .github/workflows/scan-provider-agents.yaml
diff --git a/.github/workflows/scan-provider-agents.yaml b/.github/workflows/scan-provider-agents.yaml
new file mode 100644
index 0000000..2b3c938
--- /dev/null
+++ b/.github/workflows/scan-provider-agents.yaml
@@ -0,0 +1,49 @@
+name: scan-provider-agents
+
+on:
+ pull_request:
+ paths:
+ - 'cvmassistants/secretprovider/secret-provider-agent/src/secret_provider_agent.c'
+ - 'cvmassistants/keyprovider/key-provider-agent/src/key_provider_agent.c'
+ workflow_dispatch: {}
+
+jobs:
+ scan-provider-agents:
+
+ name: Scan ${{ matrix.provider-agent.file }}
+
+ runs-on: ubuntu-latest
+
+ strategy:
+ matrix:
+ provider-agent:
+ - dir: cvmassistants/secretprovider/secret-provider-agent/src
+ file: secret_provider_agent.c
+ - dir: cvmassistants/keyprovider/key-provider-agent/src
+ file: key_provider_agent.c
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install tools directly
+ run: |
+ sudo apt-get update
+ sudo apt-get install -y clang-format cppcheck
+
+ - name: Check if file changed
+ id: changed
+ uses: tj-actions/changed-files@v47
+ with:
+ files: ${{ matrix.provider-agent.dir }}/${{ matrix.provider-agent.file }}
+
+ - name: clang-format scan ${{ matrix.provider-agent.file }}
+ if: steps.changed.outputs.any_changed == 'true' || github.event_name == 'workflow_dispatch'
+ working-directory: ${{ matrix.provider-agent.dir }}
+ run: |
+ clang-format --dry-run -style=llvm --Werror ${{ matrix.provider-agent.file }}
+
+ - name: cppcheck scan ${{ matrix.provider-agent.file }}
+ if: steps.changed.outputs.any_changed == 'true' || github.event_name == 'workflow_dispatch'
+ working-directory: ${{ matrix.provider-agent.dir }}
+ run: | # enable all checks and suppress missing include system since RATS-TLS dependencies are not included in the repo
+ cppcheck --enable=all --suppress=missingIncludeSystem --error-exitcode=1 ${{ matrix.provider-agent.file }}
From 2d620755cc8ca0a85d5685f2eeb192114d24e22c Mon Sep 17 00:00:00 2001
From: aghiles-ait
Date: Thu, 11 Dec 2025 13:29:52 +0100
Subject: [PATCH 2/4] ci: improve ci
---
 .github/workflows/scan-provider-agents.yaml | 45 +++++++++++++++++----
 1 file changed, 38 insertions(+), 7 deletions(-)
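Review bot: Every `uses:` references a third-party action by a mutable tag (`actions/checkout@v4`, `tj-actions/changed-files@v47`); a tag can be re-pointed by whoever controls the upstream repository, so pin each one to a full-length commit SHA and keep the tag as a trailing comment, e.g. `uses: tj-actions/changed-files@<full-40-hex-commit-sha> # v47`. The same applies to the actions introduced in the second patch of this series (DoozyX/clang-format-lint-action, EndBug/add-and-commit, Flast/cppcheck-sarif, github/codeql-action/upload-sarif). The `run:` scripts interpolate `${{ matrix.provider-agent.file }}` straight into the shell; the values come from the static matrix in this same file, so it is not an injection path today, but routing them through an `env:` mapping is the conventional defensive form should the matrix ever take external input. The two `if:` conditions and the `paths:` filter agree with each other, so the cppcheck `--error-exitcode=1` gate applies only to the leg whose file actually changed, which looks intended.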
diff --git a/.github/workflows/scan-provider-agents.yaml b/.github/workflows/scan-provider-agents.yaml index 2b3c938..cceec34 100644 --- a/.github/workflows/scan-provider-agents.yaml +++ b/.github/workflows/scan-provider-agents.yaml @@ -22,13 +22,20 @@ jobs: - dir: cvmassistants/keyprovider/key-provider-agent/src file: key_provider_agent.c + permissions: + security-events: write + contents: write + actions: read + steps: - uses: actions/checkout@v4 + with: + fetch-depth: 0 - - name: Install tools directly + - name: Install cppcheck run: | sudo apt-get update - sudo apt-get install -y clang-format cppcheck + sudo apt-get install -y cppcheck - name: Check if file changed id: changed 
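Review bot: `fetch-depth: 0` on the checkout clones the full repository history in every matrix leg, and nothing visible in this hunk needs it — tj-actions/changed-files on a `pull_request` event can, in my understanding, compute the diff against the PR base without full history — so unless the commit-back step added in the next hunk depends on it, the default shallow checkout keeps the job lighter. Placing `permissions:` at job level is the right scope for these grants; `actions: read` is what `upload-sarif` documents as required for private repositories, so keep it if the repository is or becomes private. The `Install cppcheck` step takes whatever version the Ubuntu archive currently ships, which means scan results can drift between runs without any change to the workflow; a comment noting that, or a pinned package version, would make that explicit.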
@@ -37,13 +44,37 @@ jobs: files: ${{ matrix.provider-agent.dir }}/${{ matrix.provider-agent.file }} - name: clang-format scan ${{ matrix.provider-agent.file }} + if: steps.changed.outputs.any_changed == 'true' || github.event_name == 'workflow_dispatch' + uses: DoozyX/clang-format-lint-action@v0.18.2 + with: + source: ${{ matrix.provider-agent.dir }}/${{ matrix.provider-agent.file }} + style: llvm + inplace: True + + - uses: EndBug/add-and-commit@v9 + with: + author_name: Clang Robot + author_email: robot@example.com + message: 'fix: action - committing clang-format changes' + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: cppcheck scan ${{ matrix.provider-agent.file }} if: steps.changed.outputs.any_changed == 'true' || github.event_name == 'workflow_dispatch' working-directory: ${{ matrix.provider-agent.dir }} run: | - clang-format --dry-run -style=llvm --Werror ${{ matrix.provider-agent.file }} + cppcheck --enable=all --suppress=missingIncludeSystem --xml --output-file=report.xml ${{ matrix.provider-agent.file }} - - name: cppcheck scan ${{ matrix.provider-agent.file }} + - name: Convert cppcheck XML → SARIF if: steps.changed.outputs.any_changed == 'true' || github.event_name == 'workflow_dispatch' - working-directory: ${{ matrix.provider-agent.dir }} - run: | # enable all checks and suppress missing include system since RATS-TLS dependencies are not included in the repo - cppcheck --enable=all --suppress=missingIncludeSystem --error-exitcode=1 ${{ matrix.provider-agent.file }} + uses: Flast/cppcheck-sarif@v2 + with: + input: ${{ matrix.provider-agent.dir }}/report.xml + output: ${{ matrix.provider-agent.dir }}/report.sarif + + - name: Upload SARIF to GitHub Code Scanning + if: steps.changed.outputs.any_changed == 'true' || github.event_name == 'workflow_dispatch' + uses: github/codeql-action/upload-sarif@v4 + with: + sarif_file: ${{ matrix.provider-agent.dir }}/report.sarif + category: cppcheck 
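Review bot: Both matrix legs upload their SARIF under the same `category: cppcheck`, and code scanning keys an analysis on commit, tool and category, so the second leg's upload is liable to replace the first leg's alerts rather than add to them; make the category unique per leg, e.g. `category: cppcheck-${{ matrix.provider-agent.file }}`. The rewritten cppcheck invocation also drops `--error-exitcode=1`, so findings no longer fail the job and only surface as code-scanning alerts — if merge should still be blocked on them, keep the exit code (the XML report should still be written via `--output-file`, worth confirming) or enforce it with a code-scanning branch-protection rule. `report.xml` and `report.sarif` are written into the source directory after the commit-back step runs, so they are not committed today, but that holds only as long as the step order does.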
From eb39bcbaf3a08983ab7af801a31771f877d0ef5b Mon Sep 17 00:00:00 2001 From: aghiles-ait Date: Thu, 11 Dec 2025 13:51:56 +0100 Subject: [PATCH 3/4] fix: remove unused field --- .github/workflows/scan-provider-agents.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/scan-provider-agents.yaml b/.github/workflows/scan-provider-agents.yaml index cceec34..f6e8307 100644 --- a/.github/workflows/scan-provider-agents.yaml +++ b/.github/workflows/scan-provider-agents.yaml @@ -53,8 +53,6 @@ jobs: - uses: EndBug/add-and-commit@v9 with: - author_name: Clang Robot - author_email: robot@example.com message: 'fix: action - committing clang-format changes' env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 75ddcba660927d3c124c003c4ae16366c6bffcb0 Mon Sep 17 00:00:00 2001 From: aghiles-ait Date: Fri, 12 Dec 2025 14:52:36 +0100 Subject: [PATCH 4/4] ci: remove auto-correct for formatting --- .github/workflows/scan-provider-agents.yaml | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/.github/workflows/scan-provider-agents.yaml b/.github/workflows/scan-provider-agents.yaml index f6e8307..5197e2b 100644 --- a/.github/workflows/scan-provider-agents.yaml +++ b/.github/workflows/scan-provider-agents.yaml @@ -24,7 +24,7 @@ jobs: permissions: security-events: write - contents: write + contents: read actions: read steps: 
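Review bot: `contents: read` makes the job-level grant least-privilege for the steps that remain, but on `pull_request` runs from forked repositories the GITHUB_TOKEN is read-only regardless of this block, so `security-events: write` is not actually available there and the later `upload-sarif` step (outside this hunk) will fail for such PRs. If fork contributions are expected, gate the upload on `github.event.pull_request.head.repo.full_name == github.repository`, or document that fork PRs rely on cppcheck's console output alone. A one-line comment above `permissions:` stating which step needs `security-events: write` and `actions: read` would help the next person who trims this block.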
@@ -42,20 +42,15 @@ jobs: uses: tj-actions/changed-files@v47 with: files: ${{ matrix.provider-agent.dir }}/${{ matrix.provider-agent.file }} - + + # correct using: clang-format -style=llvm -i ${{ matrix.provider-agent.dir }}/${{ matrix.provider-agent.file }} - name: clang-format scan ${{ matrix.provider-agent.file }} if: steps.changed.outputs.any_changed == 'true' || github.event_name == 'workflow_dispatch' uses: DoozyX/clang-format-lint-action@v0.18.2 with: source: ${{ matrix.provider-agent.dir }}/${{ matrix.provider-agent.file }} style: llvm - inplace: True - - - uses: EndBug/add-and-commit@v9 - with: - message: 'fix: action - committing clang-format changes' - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + inplace: False - name: cppcheck scan ${{ matrix.provider-agent.file }} if: steps.changed.outputs.any_changed == 'true' || github.event_name == 'workflow_dispatch'
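Review bot: `inplace: False` uses the capitalised YAML 1.1 boolean spelling that yamllint's `truthy` rule rejects; write `inplace: false`, matching the lowercase style used everywhere else in the file. The fix-hint comment embeds `${{ matrix.provider-agent.dir }}/${{ matrix.provider-agent.file }}`, but expressions are never expanded inside a YAML comment, so a reader sees the raw expression; `# to fix locally: clang-format -style=llvm -i <path-to-the-agent-source>.c` reads more plainly. Whether the lint action fails the job on unformatted code when `inplace` is false is what now stands in for the original `--dry-run --Werror` gate, so confirm that against the action's documentation. With the commit-back step gone, the `fetch-depth: 0` on the checkout (outside this hunk) appears to have lost its purpose; check whether tj-actions/changed-files still needs it before dropping it.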