From 2ff90df6da6ee059a0359e0423d4a9868b9acabe Mon Sep 17 00:00:00 2001 From: Randolph Sapp Date: Tue, 28 Apr 2026 14:22:06 -0500 Subject: [PATCH 01/19] ci: disable persist-credentials on checkout No reason to keep any credentials around from this step. Signed-off-by: Randolph Sapp --- .github/workflows/build.yml | 4 ++++ .github/workflows/check-files.yml | 2 ++ .github/workflows/check_toc_txt.yml | 2 ++ .github/workflows/commit-check.yml | 1 + .github/workflows/deploy.yml | 2 ++ .github/workflows/docker.yml | 2 ++ .github/workflows/rstcheck.yml | 2 ++ .github/workflows/vale.yml | 2 ++ .github/workflows/yamllint.yml | 2 ++ 9 files changed, 19 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index c637ad2fd..fcb125331 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -26,6 +26,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Create build matrix id: matrix @@ -48,6 +50,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Add directory to safe dir overrides run: | diff --git a/.github/workflows/check-files.yml b/.github/workflows/check-files.yml index e98c34d7b..282edb75d 100644 --- a/.github/workflows/check-files.yml +++ b/.github/workflows/check-files.yml @@ -24,6 +24,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Update refs and settings run: | diff --git a/.github/workflows/check_toc_txt.yml b/.github/workflows/check_toc_txt.yml index d8c9ecda6..3df95d84e 100644 --- a/.github/workflows/check_toc_txt.yml +++ b/.github/workflows/check_toc_txt.yml @@ -25,6 +25,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Update refs and settings run: | diff --git a/.github/workflows/commit-check.yml b/.github/workflows/commit-check.yml index c4933e4fb..432406b77 100644 
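Review bot: With `persist-credentials: false` the token is no longer left in `.git/config`, so any later step in this job that talks to the remote (the `git switch master` in the `Update refs and settings` steps, whose bodies lie outside these hunks) now runs unauthenticated; that is fine for a public repository but would break on a private one, and I cannot see from here whether those steps fetch at all. A one-line comment at the first occurrence would record the assumption, e.g. `# do not leave the token in .git/config; later git steps need no auth`. The same applies to the other checkout hunks in this patch (check-files, check_toc_txt, commit-check, deploy, docker, rstcheck, vale, yamllint).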
--- a/.github/workflows/commit-check.yml +++ b/.github/workflows/commit-check.yml @@ -18,6 +18,7 @@ jobs: uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} + persist-credentials: false - name: Check commit uses: commit-check/commit-check-action@v2 diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 1bfd50c2c..afa66dc66 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -22,6 +22,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Add directory to safe dir overrides run: | diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 061a1d992..18f18976f 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -22,6 +22,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 diff --git a/.github/workflows/rstcheck.yml b/.github/workflows/rstcheck.yml index 04a45c93d..cff2dede6 100644 --- a/.github/workflows/rstcheck.yml +++ b/.github/workflows/rstcheck.yml @@ -24,6 +24,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Update refs and settings run: | diff --git a/.github/workflows/vale.yml b/.github/workflows/vale.yml index 1c493f94f..07e75cfbd 100644 --- a/.github/workflows/vale.yml +++ b/.github/workflows/vale.yml @@ -24,6 +24,8 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Get changed files id: changed-files diff --git a/.github/workflows/yamllint.yml b/.github/workflows/yamllint.yml index 967316adc..377c2cc61 100644 --- a/.github/workflows/yamllint.yml +++ b/.github/workflows/yamllint.yml @@ -15,6 +15,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: yamllint uses: reviewdog/action-yamllint@v1 
From 8c9a44ac0f33e7ed2a893fb70278d2964a82bd03 Mon Sep 17 00:00:00 2001 From: Randolph Sapp Date: Tue, 28 Apr 2026 14:23:45 -0500 Subject: [PATCH 02/19] ci(build): use ref name env variable Use the ref name environment variable instead of the ref name directly to prevent any unusual command injection. Signed-off-by: Randolph Sapp --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index fcb125331..49b7df5a3 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -60,7 +60,7 @@ jobs: - name: Build ${{ matrix.device }} run: | make DEVFAMILY=${{ matrix.device }} OS=${{ matrix.os }} \ - VERSION=${{ github.ref_name }} + VERSION=${GITHUB_REF_NAME} - name: Upload artifact uses: actions/upload-artifact@v4 From a70dc3ef6c6553044dcc900db4419a5e31507720 Mon Sep 17 00:00:00 2001 From: Randolph Sapp Date: Tue, 28 Apr 2026 14:26:07 -0500 Subject: [PATCH 03/19] ci: clamp permissions for each workflow Clamp the workflow permissions to the minimum values required. Individual jobs can request other permissions if they need them. Signed-off-by: Randolph Sapp --- .github/workflows/build.yml | 7 +++---- .github/workflows/check-files.yml | 5 +++-- .github/workflows/check_toc_txt.yml | 5 +++-- .github/workflows/comment.yml | 5 +++-- .github/workflows/commit-check.yml | 9 +++++---- .github/workflows/deploy.yml | 5 +++-- .github/workflows/docker.yml | 7 ++++--- .github/workflows/rstcheck.yml | 5 +++-- .github/workflows/vale.yml | 5 +++-- .github/workflows/yamllint.yml | 3 +++ 10 files changed, 33 insertions(+), 23 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 49b7df5a3..067de398e 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
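Review bot: `VERSION=${GITHUB_REF_NAME}` should be quoted, `VERSION="${GITHUB_REF_NAME}"`, so the value is not subject to word splitting or globbing, matching the quoted shell variables used elsewhere in these workflows. The `${{ matrix.device }}` and `${{ matrix.os }}` expansions on the preceding line of the same `make` command are the same class of template interpolation this commit removes; a later patch in the series moves them to `env:`, which is the right shape.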
@@ -13,14 +13,15 @@ defaults: run: shell: bash +permissions: + contents: read + jobs: collect: runs-on: ubuntu-latest container: image: ghcr.io/texasinstruments/processor-sdk-doc:latest options: --entrypoint /bin/bash - permissions: - contents: read outputs: build-matrix: "${{ steps.matrix.outputs.matrix }}" steps: @@ -40,8 +41,6 @@ jobs: container: image: ghcr.io/texasinstruments/processor-sdk-doc:latest options: --entrypoint /bin/bash - permissions: - contents: read needs: collect strategy: matrix: diff --git a/.github/workflows/check-files.yml b/.github/workflows/check-files.yml index 282edb75d..2bd979cec 100644 --- a/.github/workflows/check-files.yml +++ b/.github/workflows/check-files.yml @@ -11,6 +11,9 @@ defaults: run: shell: bash +permissions: + contents: read + jobs: lint: name: Lint @@ -18,8 +21,6 @@ jobs: container: image: ghcr.io/texasinstruments/processor-sdk-doc:latest options: --entrypoint /bin/bash - permissions: - contents: read steps: - name: Checkout repository diff --git a/.github/workflows/check_toc_txt.yml b/.github/workflows/check_toc_txt.yml index 3df95d84e..62bc43044 100644 --- a/.github/workflows/check_toc_txt.yml +++ b/.github/workflows/check_toc_txt.yml @@ -12,6 +12,9 @@ defaults: run: shell: bash +permissions: + contents: read + jobs: lint: name: Lint @@ -19,8 +22,6 @@ jobs: container: image: ghcr.io/texasinstruments/processor-sdk-doc:latest options: --entrypoint /bin/bash - permissions: - contents: read steps: - name: Checkout repository diff --git a/.github/workflows/comment.yml b/.github/workflows/comment.yml index c54a4cf03..13e6e739a 100644 --- a/.github/workflows/comment.yml +++ b/.github/workflows/comment.yml @@ -10,13 +10,14 @@ on: # yamllint disable-line rule:truthy types: - completed +permissions: + pull-requests: write + jobs: comment: name: Comment runs-on: ubuntu-latest if: ${{ github.event.workflow_run.event == 'pull_request' }} - permissions: - pull-requests: write steps: - name: Download artifact 
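Review bot: Moving `permissions` to the workflow level is a good default, but a job-level `permissions:` block replaces rather than merges with it: any job that later declares its own block (for example to add one write scope) silently loses `contents: read` unless it restates it. A comment next to the new top-level block would prevent that mistake, e.g. `# Default for every job; a job that declares its own permissions must restate contents: read`. This applies equally to the other files in this patch (check-files, check_toc_txt, comment, commit-check, deploy, docker, rstcheck, vale, yamllint).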
diff --git a/.github/workflows/commit-check.yml b/.github/workflows/commit-check.yml index 432406b77..5d52fedc5 100644 --- a/.github/workflows/commit-check.yml +++ b/.github/workflows/commit-check.yml @@ -4,14 +4,15 @@ on: # yamllint disable-line rule:truthy pull_request: branches: ['master'] +permissions: + contents: read + issues: write + pull-requests: write + jobs: commit-check: name: Commit Check runs-on: ubuntu-latest - permissions: - contents: read - issues: write - pull-requests: write steps: - name: Checkout diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index afa66dc66..7b378d8ee 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -8,6 +8,9 @@ on: # yamllint disable-line rule:truthy types: - completed +permissions: + contents: read + jobs: agregate: name: Agregate build artifacts @@ -16,8 +19,6 @@ jobs: container: image: ghcr.io/texasinstruments/processor-sdk-doc:latest options: --entrypoint /bin/bash - permissions: - contents: read steps: - name: Checkout diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 18f18976f..ef0269aef 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -11,13 +11,14 @@ env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} +permissions: + contents: read + packages: write + jobs: build: name: Build runs-on: ubuntu-latest - permissions: - contents: read - packages: write steps: - name: Checkout diff --git a/.github/workflows/rstcheck.yml b/.github/workflows/rstcheck.yml index cff2dede6..aab3f7e62 100644 --- a/.github/workflows/rstcheck.yml +++ b/.github/workflows/rstcheck.yml @@ -11,6 +11,9 @@ defaults: run: shell: bash +permissions: + contents: read + jobs: lint: name: Lint @@ -18,8 +21,6 @@ jobs: container: image: ghcr.io/texasinstruments/processor-sdk-doc:latest options: --entrypoint /bin/bash - permissions: - contents: read steps: - name: Checkout repository 
diff --git a/.github/workflows/vale.yml b/.github/workflows/vale.yml index 07e75cfbd..48380f19f 100644 --- a/.github/workflows/vale.yml +++ b/.github/workflows/vale.yml @@ -7,6 +7,9 @@ defaults: run: shell: bash +permissions: + contents: read + jobs: vale: name: vale @@ -14,8 +17,6 @@ jobs: container: image: ghcr.io/staticrocket/processor-sdk-doc:latest options: --entrypoint /bin/bash - permissions: - contents: read steps: - name: Prepare GitHub workdir diff --git a/.github/workflows/yamllint.yml b/.github/workflows/yamllint.yml index 377c2cc61..25850df5e 100644 --- a/.github/workflows/yamllint.yml +++ b/.github/workflows/yamllint.yml @@ -8,6 +8,9 @@ on: # yamllint disable-line rule:truthy - '**.yaml' - '**.yml' +permissions: + contents: read + jobs: yamllint: name: yamllint From 4a3abb4070e0ce997973aa0d485d2bb6d7c0be7f Mon Sep 17 00:00:00 2001 From: Randolph Sapp Date: Tue, 28 Apr 2026 14:52:25 -0500 Subject: [PATCH 04/19] ci: use env vars instead of template values Use env vars to pass values into scripts to prevent possible template injection issues. Signed-off-by: Randolph Sapp --- .github/workflows/build.yml | 6 ++++-- .github/workflows/check-files.yml | 4 +++- .github/workflows/check_toc_txt.yml | 4 +++- .github/workflows/rstcheck.yml | 4 +++- 4 files changed, 13 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 067de398e..6ad39ce6b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -57,9 +57,11 @@ jobs: git config --global --add safe.directory "$PWD" - name: Build ${{ matrix.device }} + env: + DEVFAMILY: ${{ matrix.device }} + OS: ${{ matrix.os }} run: | - make DEVFAMILY=${{ matrix.device }} OS=${{ matrix.os }} \ - VERSION=${GITHUB_REF_NAME} + make VERSION=${GITHUB_REF_NAME} - name: Upload artifact uses: actions/upload-artifact@v4 diff --git a/.github/workflows/check-files.yml b/.github/workflows/check-files.yml index 2bd979cec..c76d43ba2 100644 
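Review bot: Dropping `DEVFAMILY=… OS=…` from the `make` command line changes precedence: a variable given on the command line overrides any assignment inside the Makefile, whereas an environment variable is overridden by a plain `DEVFAMILY = …` in the Makefile (only `?=` or `make -e` would honour it), so the matrix values may now be ignored without any error. Unless the Makefile is known to use `?=` for both, keep the command-line form while still sourcing from `env:`, `make DEVFAMILY="$DEVFAMILY" OS="$OS" VERSION="$GITHUB_REF_NAME"`, which keeps the injection fix and the original semantics.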
--- a/.github/workflows/check-files.yml +++ b/.github/workflows/check-files.yml @@ -36,6 +36,8 @@ jobs: git switch master - name: Run check_files.py + env: + EVENT_NUMBER: ${{ github.event.number }} run: | # Disable color output export NO_COLOR=true @@ -56,7 +58,7 @@ jobs: # Prepare the artifacts mkdir -p ./results - echo "${{ github.event.number }}" > ./results/id + echo "$EVENT_NUMBER" > ./results/id cp "$GITHUB_STEP_SUMMARY" ./results/summary echo "$(wc -l < _new-warn.log)" > ./results/problem-count diff --git a/.github/workflows/check_toc_txt.yml b/.github/workflows/check_toc_txt.yml index 62bc43044..701d75b1c 100644 --- a/.github/workflows/check_toc_txt.yml +++ b/.github/workflows/check_toc_txt.yml @@ -37,6 +37,8 @@ jobs: git switch master - name: Run rstcheck + env: + EVENT_NUMBER: ${{ github.event.number }} run: | # Disable color output export NO_COLOR=true @@ -57,7 +59,7 @@ jobs: # Prepare the artifacts mkdir -p ./results - echo "${{ github.event.number }}" > ./results/id + echo "$EVENT_NUMBER" > ./results/id cp "$GITHUB_STEP_SUMMARY" ./results/summary echo "$(wc -l < _new-warn.log)" > ./results/problem-count diff --git a/.github/workflows/rstcheck.yml b/.github/workflows/rstcheck.yml index aab3f7e62..fbed08dd3 100644 --- a/.github/workflows/rstcheck.yml +++ b/.github/workflows/rstcheck.yml @@ -36,6 +36,8 @@ jobs: git switch master - name: Run rstcheck + env: + EVENT_NUMBER: ${{ github.event.number }} run: | # Disable color output export NO_COLOR=true @@ -56,7 +58,7 @@ jobs: # Prepare the artifacts mkdir -p ./results - echo "${{ github.event.number }}" > ./results/id + echo "$EVENT_NUMBER" > ./results/id cp "$GITHUB_STEP_SUMMARY" ./results/summary echo "$(wc -l < _new-warn.log)" > ./results/problem-count From 555812c0c7e247581d0cc298799586521657d433 Mon Sep 17 00:00:00 2001 
From: Randolph Sapp Date: Tue, 28 Apr 2026 15:18:04 -0500 Subject: [PATCH 05/19] ci: trim and document unusual permissions Remove any permissions not explicitly needed at the moment. Add inline comments to explain the use of any remaining unusual workflow permissions. Signed-off-by: Randolph Sapp --- .github/workflows/comment.yml | 2 +- .github/workflows/commit-check.yml | 2 -- .github/workflows/component-owners.yml | 5 +---- .github/workflows/deploy.yml | 3 +-- .github/workflows/docker.yml | 2 +- 5 files changed, 4 insertions(+), 10 deletions(-) diff --git a/.github/workflows/comment.yml b/.github/workflows/comment.yml index 13e6e739a..88bf508c4 100644 --- a/.github/workflows/comment.yml +++ b/.github/workflows/comment.yml @@ -11,7 +11,7 @@ on: # yamllint disable-line rule:truthy - completed permissions: - pull-requests: write + pull-requests: write # Required to leave a comment on a review jobs: comment: diff --git a/.github/workflows/commit-check.yml b/.github/workflows/commit-check.yml index 5d52fedc5..67a82c82e 100644 --- a/.github/workflows/commit-check.yml +++ b/.github/workflows/commit-check.yml @@ -6,8 +6,6 @@ on: # yamllint disable-line rule:truthy permissions: contents: read - issues: write - pull-requests: write jobs: commit-check: diff --git a/.github/workflows/component-owners.yml b/.github/workflows/component-owners.yml index 59f35f80a..24cef2ff1 100644 --- a/.github/workflows/component-owners.yml +++ b/.github/workflows/component-owners.yml @@ -10,11 +10,8 @@ on: # yamllint disable-line rule:truthy branches: [master] permissions: - # Clamp permissions since pull_request_target workflows granted full - # read/write repository permission by default contents: read - issues: write - pull-requests: write + pull-requests: write # Required to set reviewers jobs: component-owners: diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 7b378d8ee..135432d9d 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml 
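Review bot: The new comment `# Required to leave a comment on a review` in comment.yml is slightly misleading: the job posts via `github.rest.issues.createComment`, which is a pull-request conversation comment, not a review. `# Required to post a comment on the pull request (issues.createComment)` describes the scope accurately. For the commit-check hunk in this patch, dropping the `issues`/`pull-requests` write scopes is fine only as long as the commit-check action is not configured to comment on the PR; its configuration is outside the hunk.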
@@ -54,8 +54,7 @@ jobs: runs-on: ubuntu-latest needs: agregate permissions: - pages: write - id-token: write + pages: write # Required for deployment to GitHub Pages steps: - name: Update github page deployment diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index ef0269aef..26af53199 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -13,7 +13,7 @@ env: permissions: contents: read - packages: write + packages: write # Required to push image to ghcr.io jobs: build: From e5d67a74a4adba628cafa0958fa6f2f3163f4f88 Mon Sep 17 00:00:00 2001 From: Randolph Sapp Date: Tue, 28 Apr 2026 15:21:16 -0500 Subject: [PATCH 06/19] ci(build): add a name for the collect job Add a description/name for the collect job in the build workflow. Signed-off-by: Randolph Sapp --- .github/workflows/build.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 6ad39ce6b..ad5bef3e6 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -18,6 +18,7 @@ permissions: jobs: collect: + name: Collect DEVFAMILY and OS combinations runs-on: ubuntu-latest container: image: ghcr.io/texasinstruments/processor-sdk-doc:latest From 359270867b46b5fb4dcf32c99fa343bf3a834a7c Mon Sep 17 00:00:00 2001 From: Randolph Sapp Date: Tue, 28 Apr 2026 15:25:23 -0500 Subject: [PATCH 07/19] ci(deploy): add a pages concurrency group There can only be one deployment at any one time and it has to be a full snapshot. No piecemeal updates. Might as well use a concurrency limit to kill any other jobs that get in our way. Not that there ever should be any, considering the way this job is launched currently. Signed-off-by: Randolph Sapp --- .github/workflows/deploy.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 135432d9d..87bd3e0ee 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml 
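Review bot: Removing `id-token: write` here breaks the Pages deployment step that follows (`Update github page deployment`, presumably `actions/deploy-pages`), which authenticates to the Pages API with an OIDC token and needs both `pages: write` and `id-token: write`. Patch 11 in this series restores the scope as a `fixup!`; squash it into this commit so the broken intermediate state never lands. The job body continues outside the hunk.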
@@ -8,6 +8,10 @@ on: # yamllint disable-line rule:truthy types: - completed +concurrency: + group: pages + cancel-in-progress: true + permissions: contents: read From 149474e241d139d6f97293082c26426b43e6d63e Mon Sep 17 00:00:00 2001 From: Randolph Sapp Date: Tue, 28 Apr 2026 15:55:06 -0500 Subject: [PATCH 08/19] ci(docker): add concurrency group for docker Interactions with tags and publishing container images should be purely sequential. Limit job concurrency to prevent any issues with multiple rapid updates to docker components. Signed-off-by: Randolph Sapp --- .github/workflows/docker.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 26af53199..eb9100110 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -7,6 +7,10 @@ on: # yamllint disable-line rule:truthy - 'docker/**' - requirements.txt +concurrency: + group: docker + cancel-in-progress: true + env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} From 9725d8f29421838cd5430357e696befe2c6e1cd8 Mon Sep 17 00:00:00 2001 From: Randolph Sapp Date: Tue, 28 Apr 2026 16:23:28 -0500 Subject: [PATCH 09/19] ci: assign workflow concurrency groups for prs Assign concurrency groups for PR based workflows to prevent issues with users submitting multiple pushes in a short time. Signed-off-by: Randolph Sapp --- .github/workflows/check-files.yml | 4 ++++ .github/workflows/check_toc_txt.yml | 4 ++++ .github/workflows/commit-check.yml | 4 ++++ .github/workflows/component-owners.yml | 4 ++++ .github/workflows/rstcheck.yml | 4 ++++ .github/workflows/vale.yml | 4 ++++ .github/workflows/yamllint.yml | 4 ++++ 7 files changed, 28 insertions(+) diff --git a/.github/workflows/check-files.yml b/.github/workflows/check-files.yml index c76d43ba2..25094d377 100644 --- a/.github/workflows/check-files.yml +++ b/.github/workflows/check-files.yml 
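Review bot: `cancel-in-progress: true` on the `pages` group can cancel a run after the Pages deployment has started, which is exactly the case the GitHub Pages starter workflow avoids with `cancel-in-progress: false` (queue the newest run, let the in-flight deployment finish). Since every deployment here is a full snapshot, queuing loses nothing and avoids a half-finished deployment being reported as cancelled. Consider `cancel-in-progress: false` with a short comment saying why.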
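Review bot: The commit message asks for strictly sequential image publishing, but `cancel-in-progress: true` does the opposite for an in-flight run: a second push to the docker paths cancels a build/push that may already be mid-upload rather than queuing behind it. If ordering is the goal, `cancel-in-progress: false` gives that; if skipping superseded builds is the goal, say so in a comment above the block so the choice is not later mistaken for a bug.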
@@ -7,6 +7,10 @@ on: # yamllint disable-line rule:truthy paths: - 'source/**' +concurrency: + group: ${{ github.workflow }}-${{ github.event.number }} + cancel-in-progress: true + defaults: run: shell: bash diff --git a/.github/workflows/check_toc_txt.yml b/.github/workflows/check_toc_txt.yml index 701d75b1c..7a6f17442 100644 --- a/.github/workflows/check_toc_txt.yml +++ b/.github/workflows/check_toc_txt.yml @@ -8,6 +8,10 @@ on: # yamllint disable-line rule:truthy - 'source/**' - 'configs/*/*_toc.txt' +concurrency: + group: ${{ github.workflow }}-${{ github.event.number }} + cancel-in-progress: true + defaults: run: shell: bash diff --git a/.github/workflows/commit-check.yml b/.github/workflows/commit-check.yml index 67a82c82e..8fc3858a1 100644 --- a/.github/workflows/commit-check.yml +++ b/.github/workflows/commit-check.yml @@ -4,6 +4,10 @@ on: # yamllint disable-line rule:truthy pull_request: branches: ['master'] +concurrency: + group: ${{ github.workflow }}-${{ github.event.number }} + cancel-in-progress: true + permissions: contents: read diff --git a/.github/workflows/component-owners.yml b/.github/workflows/component-owners.yml index 24cef2ff1..c583311f0 100644 --- a/.github/workflows/component-owners.yml +++ b/.github/workflows/component-owners.yml @@ -9,6 +9,10 @@ on: # yamllint disable-line rule:truthy pull_request_target: branches: [master] +concurrency: + group: ${{ github.workflow }}-${{ github.event.number }} + cancel-in-progress: true + permissions: contents: read pull-requests: write # Required to set reviewers diff --git a/.github/workflows/rstcheck.yml b/.github/workflows/rstcheck.yml index fbed08dd3..bbb834dd3 100644 --- a/.github/workflows/rstcheck.yml +++ b/.github/workflows/rstcheck.yml @@ -7,6 +7,10 @@ on: # yamllint disable-line rule:truthy paths: - 'source/**' +concurrency: + group: ${{ github.workflow }}-${{ github.event.number }} + cancel-in-progress: true + defaults: run: shell: bash 
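Review bot: `${{ github.event.number }}` is only populated for `pull_request`/`pull_request_target` events, so if any of these workflows also fires on a non-PR trigger (the `on:` blocks are outside most of these hunks; vale's and commit-check's are PR-only) every such run lands in the same `<workflow>-` group and cancels the previous one. A fallback keeps the group unique per ref, `group: ${{ github.workflow }}-${{ github.event.number || github.ref }}`. The same applies to the check_toc_txt, commit-check, component-owners, rstcheck, vale and yamllint hunks in this patch.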
diff --git a/.github/workflows/vale.yml b/.github/workflows/vale.yml index 48380f19f..4b8b8bb8e 100644 --- a/.github/workflows/vale.yml +++ b/.github/workflows/vale.yml @@ -3,6 +3,10 @@ name: "vale" on: [pull_request] # yamllint disable-line rule:truthy +concurrency: + group: ${{ github.workflow }}-${{ github.event.number }} + cancel-in-progress: true + defaults: run: shell: bash diff --git a/.github/workflows/yamllint.yml b/.github/workflows/yamllint.yml index 25850df5e..56a8ed1d8 100644 --- a/.github/workflows/yamllint.yml +++ b/.github/workflows/yamllint.yml @@ -8,6 +8,10 @@ on: # yamllint disable-line rule:truthy - '**.yaml' - '**.yml' +concurrency: + group: ${{ github.workflow }}-${{ github.event.number }} + cancel-in-progress: true + permissions: contents: read From 43f4bf94398c2e4017b33716d1b1080956e8da80 Mon Sep 17 00:00:00 2001 From: Randolph Sapp Date: Tue, 28 Apr 2026 16:33:35 -0500 Subject: [PATCH 10/19] ci: remove branch check for ready workflows The commit-check and component-owners workflows are currently ready to run on all branches. Remove the restraints for these two workflows. Other workflows will need to be adjusted before they can be released. Signed-off-by: Randolph Sapp --- .github/workflows/commit-check.yml | 4 +--- .github/workflows/component-owners.yml | 12 +++++------- 2 files changed, 6 insertions(+), 10 deletions(-) diff --git a/.github/workflows/commit-check.yml b/.github/workflows/commit-check.yml index 8fc3858a1..9750a3b18 100644 --- a/.github/workflows/commit-check.yml +++ b/.github/workflows/commit-check.yml @@ -1,8 +1,6 @@ --- name: Commit Check -on: # yamllint disable-line rule:truthy - pull_request: - branches: ['master'] +on: [pull_request] # yamllint disable-line rule:truthy concurrency: group: ${{ github.workflow }}-${{ github.event.number }} diff --git a/.github/workflows/component-owners.yml b/.github/workflows/component-owners.yml index c583311f0..cca01ef87 100644 --- a/.github/workflows/component-owners.yml 
+++ b/.github/workflows/component-owners.yml @@ -1,13 +1,11 @@ --- name: "component-owners" -on: # yamllint disable-line rule:truthy - # It's insecure to use pull_request_target if you intend to check out code - # from that PR. This just reads the config file in the pull request base, and - # is not an issue currently. We will need to use this to comment on PRs coming - # from forked repositories. - pull_request_target: - branches: [master] +# It's insecure to use pull_request_target if you intend to check out code +# from that PR. This just reads the config file in the pull request base, and +# is not an issue currently. We will need to use this to comment on PRs coming +# from forked repositories. +on: [pull_request_target] # yamllint disable-line rule:truthy concurrency: group: ${{ github.workflow }}-${{ github.event.number }} From aaa654832b717c67b9688fc5c4ff643efc1fa7b6 Mon Sep 17 00:00:00 2001 From: Randolph Sapp Date: Thu, 7 May 2026 16:39:09 -0500 Subject: [PATCH 11/19] fixup! ci: trim and document unusual permissions --- .github/workflows/deploy.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 87bd3e0ee..a4468f363 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -59,6 +59,7 @@ jobs: needs: agregate permissions: pages: write # Required for deployment to GitHub Pages + id-token: write # Required for deployment to GitHub Pages steps: - name: Update github page deployment From 0edc98d92bede5ade8ebfc7014c66e32f1d12cb2 Mon Sep 17 00:00:00 2001 From: Randolph Sapp Date: Thu, 7 May 2026 17:28:38 -0500 Subject: [PATCH 12/19] ci(comment): make workflow reusable Signed-off-by: Randolph Sapp --- .github/workflows/check-files.yml | 21 ++++++++------- .github/workflows/comment.yml | 44 ++++++++++++++++--------------- 2 files changed, 34 insertions(+), 31 deletions(-) 
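Review bot: Dropping `branches: [master]` makes `pull_request_target` run with the base repository's write-capable token for PRs against every branch, so the relocated caution comment is now the only guard and would be stronger as a concrete rule than a description, e.g. `# pull_request_target runs with a write token: never check out or execute the PR head in this workflow`. The rest of the workflow body is outside the hunk, so I cannot confirm no checkout step was added elsewhere.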
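Review bot: The restored `id-token: write` line carries the same comment as `pages: write`, which does not say why a second scope is needed; `id-token: write # the Pages deploy action authenticates with an OIDC token` (the deploying action itself is outside the hunk) tells the reader the two scopes are not interchangeable. As a `fixup!` commit this should be squashed into patch 05 before merging.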
diff --git a/.github/workflows/check-files.yml b/.github/workflows/check-files.yml index 25094d377..c4fa9b13c 100644 --- a/.github/workflows/check-files.yml +++ b/.github/workflows/check-files.yml @@ -40,6 +40,7 @@ jobs: git switch master - name: Run check_files.py + id: check env: EVENT_NUMBER: ${{ github.event.number }} run: | @@ -60,19 +61,19 @@ jobs: echo "No new unreachable files found with check_files.py" fi >> "$GITHUB_STEP_SUMMARY" - # Prepare the artifacts - mkdir -p ./results - echo "$EVENT_NUMBER" > ./results/id - cp "$GITHUB_STEP_SUMMARY" ./results/summary - echo "$(wc -l < _new-warn.log)" > ./results/problem-count + # Prepare the output + SUMMARY=$(< "$GITHUB_STEP_SUMMARY") + echo "issue_number=$EVENT_NUMBER" >> "$GITHUB_OUTPUT" + echo "problem_count=$WARNING_COUNT" >> "$GITHUB_OUTPUT" + echo "summary=$SUMMARY" >> "$GITHUB_OUTPUT" # Exit with error if there are new warnings [ "$WARNING_COUNT" -eq "0" ] - - name: Save results - uses: actions/upload-artifact@v4 + - name: Comment + uses: ./.github/workflows/comment.yml if: always() with: - name: results - path: results/ - retention-days: 1 + issue_number: ${{ steps.check.outputs.issue_number }} + problem_count: ${{ steps.check.outputs.problem_count }} + summary: ${{ steps.check.outputs.summary }} diff --git a/.github/workflows/comment.yml b/.github/workflows/comment.yml index 88bf508c4..17382e651 100644 --- a/.github/workflows/comment.yml +++ b/.github/workflows/comment.yml 
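Review bot: `uses: ./.github/workflows/comment.yml` on a step is not valid: a reusable workflow can only be called from `jobs.<id>.uses`, so the run fails at parse time. Separately, `echo "summary=$SUMMARY" >> "$GITHUB_OUTPUT"` breaks as soon as the step summary spans more than one line; multi-line outputs need the delimiter form, `{ echo "summary<<EOF"; cat "$GITHUB_STEP_SUMMARY"; echo "EOF"; } >> "$GITHUB_OUTPUT"`. Both are backed out by the later fixup commits in this series, so squash them so this state never lands.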
@@ -2,13 +2,20 @@ name: "comment" on: # yamllint disable-line rule:truthy - workflow_run: - workflows: - - rstcheck - - check_toc_txt - - check-files - types: - - completed + workflow_call: + inputs: + issue_number: + description: "PR / Issue number to comment on" + required: true + type: number + problem_count: + description: "Number of problems detected" + required: true + type: number + summary: + description: "Text summary that will be posted" + required: true + type: string permissions: pull-requests: write # Required to leave a comment on a review @@ -20,25 +27,20 @@ jobs: if: ${{ github.event.workflow_run.event == 'pull_request' }} steps: - - name: Download artifact - uses: actions/download-artifact@v4 - with: - name: results - run-id: ${{ github.event.workflow_run.id }} - github-token: ${{ secrets.GITHUB_TOKEN }} - path: results - - name: Update pr with info from other runners uses: actions/github-script@v7 + env: + ISSUE_NUMBER: ${{ inputs.issue_number }} + PROBLEM_COUNT: ${{ inputs.problem_count }} + SUMMARY: ${{ inputs.summary }} with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - var fs = require('fs'); - var issue_number = Number(fs.readFileSync('./results/id')); - var problem_count = Number(fs.readFileSync( - './results/problem-count' - )); - var summary = String(fs.readFileSync('./results/summary')); + const { env } = require('node:process'); + + var issue_number = Number(env.ISSUE_NUMBER); + var problem_count = Number(env.PROBLEM_COUNT); + var summary = String(env.SUMMARY); if (problem_count > 0) { github.rest.issues.createComment({ From c4902cc81c76260bb1050eac86a2c7af96ecedbe Mon Sep 17 00:00:00 2001 From: Randolph Sapp Date: Thu, 7 May 2026 17:58:28 -0500 Subject: [PATCH 13/19] fixup! ci(comment): make workflow reusable --- .github/workflows/check-files.yml | 14 +++++--------- .github/workflows/comment.yml | 28 ++++++---------------------- 2 files changed, 11 insertions(+), 31 deletions(-) 
diff --git a/.github/workflows/check-files.yml b/.github/workflows/check-files.yml index c4fa9b13c..5589d2eb4 100644 --- a/.github/workflows/check-files.yml +++ b/.github/workflows/check-files.yml @@ -61,11 +61,11 @@ jobs: echo "No new unreachable files found with check_files.py" fi >> "$GITHUB_STEP_SUMMARY" - # Prepare the output - SUMMARY=$(< "$GITHUB_STEP_SUMMARY") - echo "issue_number=$EVENT_NUMBER" >> "$GITHUB_OUTPUT" - echo "problem_count=$WARNING_COUNT" >> "$GITHUB_OUTPUT" - echo "summary=$SUMMARY" >> "$GITHUB_OUTPUT" + # Prepare the artifacts + mkdir -p ./results + echo "$EVENT_NUMBER" > ./results/id + cp "$GITHUB_STEP_SUMMARY" ./results/summary + echo "$(wc -l < _new-warn.log)" > ./results/problem-count # Exit with error if there are new warnings [ "$WARNING_COUNT" -eq "0" ] @@ -73,7 +73,3 @@ jobs: - name: Comment uses: ./.github/workflows/comment.yml if: always() - with: - issue_number: ${{ steps.check.outputs.issue_number }} - problem_count: ${{ steps.check.outputs.problem_count }} - summary: ${{ steps.check.outputs.summary }} diff --git a/.github/workflows/comment.yml b/.github/workflows/comment.yml index 17382e651..ea7c13046 100644 --- a/.github/workflows/comment.yml +++ b/.github/workflows/comment.yml @@ -3,19 +3,6 @@ name: "comment" on: # yamllint disable-line rule:truthy workflow_call: - inputs: - issue_number: - description: "PR / Issue number to comment on" - required: true - type: number - problem_count: - description: "Number of problems detected" - required: true - type: number - summary: - description: "Text summary that will be posted" - required: true - type: string permissions: pull-requests: write # Required to leave a comment on a review 
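Review bot: After this revert `id: check` on the `Run check_files.py` step is no longer referenced by anything, so either drop it or leave a comment saying what it is reserved for. The step-level `uses: ./.github/workflows/comment.yml` is still invalid at this point in the series (a workflow file cannot be used as a step); the next fixup replaces it with a composite action.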
@@ -29,18 +16,15 @@ jobs: steps: - name: Update pr with info from other runners uses: actions/github-script@v7 - env: - ISSUE_NUMBER: ${{ inputs.issue_number }} - PROBLEM_COUNT: ${{ inputs.problem_count }} - SUMMARY: ${{ inputs.summary }} with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { env } = require('node:process'); - - var issue_number = Number(env.ISSUE_NUMBER); - var problem_count = Number(env.PROBLEM_COUNT); - var summary = String(env.SUMMARY); + var fs = require('fs'); + var issue_number = Number(fs.readFileSync('./results/id')); + var problem_count = Number(fs.readFileSync( + './results/problem-count' + )); + var summary = String(fs.readFileSync('./results/summary')); if (problem_count > 0) { github.rest.issues.createComment({ From 749bb84fcf18aea16b64f322d1d23baa69177ec5 Mon Sep 17 00:00:00 2001 From: Randolph Sapp Date: Thu, 7 May 2026 18:21:09 -0500 Subject: [PATCH 14/19] fixup! fixup! ci(comment): make workflow reusable --- .github/actions/comment/action.yml | 28 +++++++++++++++++++++++ .github/workflows/check-files.yml | 2 +- .github/workflows/comment.yml | 36 ------------------------------ 3 files changed, 29 insertions(+), 37 deletions(-) create mode 100644 .github/actions/comment/action.yml delete mode 100644 .github/workflows/comment.yml diff --git a/.github/actions/comment/action.yml b/.github/actions/comment/action.yml new file mode 100644 index 000000000..9d7946b5c --- /dev/null +++ b/.github/actions/comment/action.yml 
@@ -0,0 +1,28 @@ +--- +name: "comment" +description: "Comment on a given pull request or issue" + +runs: + using: "composite" + steps: + - name: Update pr with info from other runners + uses: actions/github-script@v7 + if: ${{ github.event.workflow_run.event == 'pull_request' }} + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + var fs = require('fs'); + var issue_number = Number(fs.readFileSync('./results/id')); + var problem_count = Number(fs.readFileSync( + './results/problem-count' + )); + var summary = String(fs.readFileSync('./results/summary')); + + if (problem_count > 0) { + github.rest.issues.createComment({ + owner: context.repo.owner, + issue_number: issue_number, + repo: context.repo.repo, + body: summary + }); + } diff --git a/.github/workflows/check-files.yml b/.github/workflows/check-files.yml index 5589d2eb4..1641fe6fd 100644 --- a/.github/workflows/check-files.yml +++ b/.github/workflows/check-files.yml @@ -71,5 +71,5 @@ jobs: [ "$WARNING_COUNT" -eq "0" ] - name: Comment - uses: ./.github/workflows/comment.yml + uses: ./.github/actions/comment if: always() diff --git a/.github/workflows/comment.yml b/.github/workflows/comment.yml deleted file mode 100644 index ea7c13046..000000000 --- a/.github/workflows/comment.yml +++ /dev/null 
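Review bot: The `secrets` context is not available inside a composite action, so `github-token: ${{ secrets.GITHUB_TOKEN }}` does not work as written (patch 15 fixes this via an input), and `if: ${{ github.event.workflow_run.event == 'pull_request' }}` is always false when the action is invoked from a `pull_request` workflow because `github.event.workflow_run` does not exist there, so the comment is never posted. The `createComment` call is also not awaited; `await github.rest.issues.createComment({ ... })` makes a rejected request (for example a 403 on a fork PR) fail the step instead of surfacing as an unhandled rejection. Finally, the action silently depends on `./results/id`, `./results/problem-count` and `./results/summary` existing in the caller's workspace; say so in the metadata, e.g. `description: "Post ./results/summary to the PR in ./results/id when ./results/problem-count > 0"`.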
@@ -1,36 +0,0 @@
----
-name: "comment"
-
-on: # yamllint disable-line rule:truthy
- workflow_call:
-
-permissions:
- pull-requests: write # Required to leave a comment on a review
-
-jobs:
- comment:
- name: Comment
- runs-on: ubuntu-latest
- if: ${{ github.event.workflow_run.event == 'pull_request' }}
-
- steps:
- - name: Update pr with info from other runners
- uses: actions/github-script@v7
- with:
- github-token: ${{ secrets.GITHUB_TOKEN }}
- script: |
- var fs = require('fs');
- var issue_number = Number(fs.readFileSync('./results/id'));
- var problem_count = Number(fs.readFileSync(
- './results/problem-count'
- ));
- var summary = String(fs.readFileSync('./results/summary'));
-
- if (problem_count > 0) {
- github.rest.issues.createComment({
- owner: context.repo.owner,
- issue_number: issue_number,
- repo: context.repo.repo,
- body: summary
- });
- }
From 049676b591cd4528e4dd2c7f087cbaebff95de4a Mon Sep 17 00:00:00 2001
From: Randolph Sapp
Date: Thu, 7 May 2026 18:30:10 -0500
Subject: [PATCH 15/19] fixup! fixup! fixup! ci(comment): make workflow reusable
---
 .github/actions/comment/action.yml | 6 +++++-
 .github/workflows/check-files.yml | 2 ++
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/.github/actions/comment/action.yml b/.github/actions/comment/action.yml
index 9d7946b5c..2b9ecdeb3 100644
--- a/.github/actions/comment/action.yml
+++ b/.github/actions/comment/action.yml
@@ -1,6 +1,10 @@
 ---
 name: "comment"
 description: "Comment on a given pull request or issue"
+inputs:
+ token:
+ description: "A token with pull request or issue write permission"
+ required: true
 runs:
 using: "composite"
@@ -9,7 +13,7 @@ runs:
 uses: actions/github-script@v7
 if: ${{ github.event.workflow_run.event == 'pull_request' }}
 with:
- github-token: ${{ secrets.GITHUB_TOKEN }}
+ github-token: ${{ inputs.token }}
 script: |
 var fs = require('fs');
 var issue_number = Number(fs.readFileSync('./results/id'));
diff --git a/.github/workflows/check-files.yml b/.github/workflows/check-files.yml
index 1641fe6fd..5a89da422 100644
--- a/.github/workflows/check-files.yml
+++ b/.github/workflows/check-files.yml
@@ -73,3 +73,5 @@ jobs:
 - name: Comment
 uses: ./.github/actions/comment
 if: always()
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
From 9b24313ffd8dd525c63437d280a2475b083c3f9d Mon Sep 17 00:00:00 2001
From: Randolph Sapp
Date: Thu, 7 May 2026 18:35:11 -0500
Subject: [PATCH 16/19] fixup! fixup! fixup! fixup! ci(comment): make workflow reusable
---
 .github/workflows/check-files.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/check-files.yml b/.github/workflows/check-files.yml
index 5a89da422..db5f54a80 100644
--- a/.github/workflows/check-files.yml
+++ b/.github/workflows/check-files.yml
@@ -26,6 +26,9 @@ jobs:
 image: ghcr.io/texasinstruments/processor-sdk-doc:latest
 options: --entrypoint /bin/bash
+ permissions:
+ pull-requests: write
+
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
From c28d0c7e0fb87feb9ee2a9d6cab5d912ace7086b Mon Sep 17 00:00:00 2001
From: Randolph Sapp
Date: Thu, 7 May 2026 18:46:27 -0500
Subject: [PATCH 17/19] fixup! fixup! fixup! fixup! fixup! ci(comment): make workflow reusable
---
 .github/actions/comment/action.yml | 2 +-
 .github/workflows/check-files.yml | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/actions/comment/action.yml b/.github/actions/comment/action.yml
index 2b9ecdeb3..aba4be48d 100644
--- a/.github/actions/comment/action.yml
+++ b/.github/actions/comment/action.yml
@@ -11,9 +11,9 @@ runs:
 steps:
 - name: Update pr with info from other runners
 uses: actions/github-script@v7
- if: ${{ github.event.workflow_run.event == 'pull_request' }}
 with:
 github-token: ${{ inputs.token }}
+ if: always()
 script: |
 var fs = require('fs');
 var issue_number = Number(fs.readFileSync('./results/id'));
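Review bot: A job-level `permissions:` block sets every scope it does not list to `none`, so after this hunk (patch 16, `@@ -26,6 +26,9 @@`) the job runs with `contents: none` while the `actions/checkout@v4` step directly below it still needs to read the repository; that works only while the repository is public and would break on a private one. Listing `contents: read` next to `pull-requests: write` states the real requirement and survives a visibility change. Note also that if this workflow is triggered by `pull_request` from a fork, the token is read-only regardless of this block and the comment step will fail; the trigger is outside the hunk, so that cannot be confirmed here.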
diff --git a/.github/workflows/check-files.yml b/.github/workflows/check-files.yml
index db5f54a80..aef47c777 100644
--- a/.github/workflows/check-files.yml
+++ b/.github/workflows/check-files.yml
@@ -75,6 +75,5 @@ jobs:
 - name: Comment
 uses: ./.github/actions/comment
- if: always()
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
From 1bd4c0d5f15dd3c310222fabfb7fe68eb2981a6c Mon Sep 17 00:00:00 2001
From: Randolph Sapp
Date: Thu, 7 May 2026 18:48:27 -0500
Subject: [PATCH 18/19] fixup! fixup! fixup! fixup! fixup! fixup! ci(comment): make workflow reusable
---
 .github/actions/comment/action.yml | 1 -
 .github/workflows/check-files.yml | 1 +
 2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/actions/comment/action.yml b/.github/actions/comment/action.yml
index aba4be48d..5d4660188 100644
--- a/.github/actions/comment/action.yml
+++ b/.github/actions/comment/action.yml
@@ -13,7 +13,6 @@ runs:
 uses: actions/github-script@v7
 with:
 github-token: ${{ inputs.token }}
- if: always()
 script: |
 var fs = require('fs');
 var issue_number = Number(fs.readFileSync('./results/id'));
diff --git a/.github/workflows/check-files.yml b/.github/workflows/check-files.yml
index aef47c777..db5f54a80 100644
--- a/.github/workflows/check-files.yml
+++ b/.github/workflows/check-files.yml
@@ -75,5 +75,6 @@ jobs:
 - name: Comment
 uses: ./.github/actions/comment
+ if: always()
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
From c80639bf5fe7c76ee190eea539bcab935cc8dddc Mon Sep 17 00:00:00 2001
From: Randolph Sapp
Date: Fri, 20 Jun 2025 18:19:32 -0500
Subject: [PATCH 19/19] bad: add an unreachable file
Signed-off-by: Randolph Sapp
---
 source/test-file-tag.txt | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 source/test-file-tag.txt
diff --git a/source/test-file-tag.txt b/source/test-file-tag.txt
new file mode 100644
index 000000000..e69de29bb
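Review bot: `if: always()` on the Comment step (patch 18, `@@ -75,5 +75,6 @@`) also runs it after the job has been cancelled, when `./results/id`, `./results/problem-count` and `./results/summary` may never have been written and the action's `readFileSync` will throw; `if: ${{ !cancelled() }}` is the form that runs on failure but not on cancellation, which appears to be the intent. The step also relies on the earlier check step writing all three result files even when it fails; that step is outside the hunk, so the assumption cannot be confirmed here and deserves a comment on the step, e.g. `# Requires the check step above to always write ./results/{id,problem-count,summary}`.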