From f1398f258acc5fd69694dcaa8cb03125c75d4877 Mon Sep 17 00:00:00 2001 From: Randolph Sapp Date: Tue, 28 Apr 2026 14:22:06 -0500 Subject: [PATCH 01/11] ci: disable persist-credentials on checkout No reason to keep any credentials around from this step. Signed-off-by: Randolph Sapp --- .github/workflows/build.yml | 4 ++++ .github/workflows/check-files.yml | 2 ++ .github/workflows/check_toc_txt.yml | 2 ++ .github/workflows/commit-check.yml | 1 + .github/workflows/deploy.yml | 2 ++ .github/workflows/docker.yml | 2 ++ .github/workflows/rstcheck.yml | 2 ++ .github/workflows/vale.yml | 2 ++ .github/workflows/yamllint.yml | 2 ++ 9 files changed, 19 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index c637ad2fd..fcb125331 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -26,6 +26,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Create build matrix id: matrix @@ -48,6 +50,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Add directory to safe dir overrides run: | diff --git a/.github/workflows/check-files.yml b/.github/workflows/check-files.yml index e98c34d7b..282edb75d 100644 --- a/.github/workflows/check-files.yml +++ b/.github/workflows/check-files.yml @@ -24,6 +24,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Update refs and settings run: | diff --git a/.github/workflows/check_toc_txt.yml b/.github/workflows/check_toc_txt.yml index d8c9ecda6..3df95d84e 100644 --- a/.github/workflows/check_toc_txt.yml +++ b/.github/workflows/check_toc_txt.yml @@ -25,6 +25,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Update refs and settings run: | diff --git a/.github/workflows/commit-check.yml b/.github/workflows/commit-check.yml index c4933e4fb..432406b77 100644 
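Review bot: Dropping the persisted token is the right call, but each of these checkout steps still references the action by mutable tag (`uses: actions/checkout@v4`), which leaves the supply-chain side of the same hardening open; the usual companion is to pin to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: actions/checkout@<commit-sha> # v4`. The same applies to every checkout hunk in this patch (check-files, check_toc_txt, commit-check, deploy, docker, rstcheck, vale, yamllint). Note also that later steps in check-files, check_toc_txt and rstcheck run `git switch master` after this checkout; with credentials gone, any fetch of that ref relies on anonymous read access, which is fine for a public repository but worth a short comment so a later move to a private repository does not break silently.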
--- a/.github/workflows/commit-check.yml +++ b/.github/workflows/commit-check.yml @@ -18,6 +18,7 @@ jobs: uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} + persist-credentials: false - name: Check commit uses: commit-check/commit-check-action@v2 diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 1bfd50c2c..afa66dc66 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -22,6 +22,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Add directory to safe dir overrides run: | diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 061a1d992..18f18976f 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -22,6 +22,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 diff --git a/.github/workflows/rstcheck.yml b/.github/workflows/rstcheck.yml index 04a45c93d..cff2dede6 100644 --- a/.github/workflows/rstcheck.yml +++ b/.github/workflows/rstcheck.yml @@ -24,6 +24,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Update refs and settings run: | diff --git a/.github/workflows/vale.yml b/.github/workflows/vale.yml index 1c493f94f..07e75cfbd 100644 --- a/.github/workflows/vale.yml +++ b/.github/workflows/vale.yml @@ -24,6 +24,8 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Get changed files id: changed-files diff --git a/.github/workflows/yamllint.yml b/.github/workflows/yamllint.yml index 967316adc..377c2cc61 100644 --- a/.github/workflows/yamllint.yml +++ b/.github/workflows/yamllint.yml @@ -15,6 +15,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: yamllint uses: reviewdog/action-yamllint@v1 
From 9bb2c2ec2c649ad9298d237c03bf23c941f5e79b Mon Sep 17 00:00:00 2001 From: Randolph Sapp Date: Tue, 28 Apr 2026 14:23:45 -0500 Subject: [PATCH 02/11] ci(build): use ref name env variable Use the ref name environment variable instead of the ref name directly to prevent any unusual command injection. Signed-off-by: Randolph Sapp --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index fcb125331..49b7df5a3 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -60,7 +60,7 @@ jobs: - name: Build ${{ matrix.device }} run: | make DEVFAMILY=${{ matrix.device }} OS=${{ matrix.os }} \ - VERSION=${{ github.ref_name }} + VERSION=${GITHUB_REF_NAME} - name: Upload artifact uses: actions/upload-artifact@v4 From 7aba63fbd2b680e072af6bae9e7e12e27970b9f0 Mon Sep 17 00:00:00 2001 From: Randolph Sapp Date: Tue, 28 Apr 2026 14:26:07 -0500 Subject: [PATCH 03/11] ci: clamp permissions for each workflow Clamp the workflow permissions to the minimum values required. Individual jobs can request other permissions if they need them. Signed-off-by: Randolph Sapp --- .github/workflows/build.yml | 7 +++---- .github/workflows/check-files.yml | 5 +++-- .github/workflows/check_toc_txt.yml | 5 +++-- .github/workflows/comment.yml | 5 +++-- .github/workflows/commit-check.yml | 9 +++++---- .github/workflows/deploy.yml | 5 +++-- .github/workflows/docker.yml | 7 ++++--- .github/workflows/rstcheck.yml | 5 +++-- .github/workflows/vale.yml | 5 +++-- .github/workflows/yamllint.yml | 3 +++ 10 files changed, 33 insertions(+), 23 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 49b7df5a3..067de398e 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
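Review bot: The substituted value is left unquoted in the shell line, `VERSION=${GITHUB_REF_NAME}`; it should be `VERSION="${GITHUB_REF_NAME}"` so the variable is never subject to word splitting or expansion. The same `run:` line still template-interpolates `${{ matrix.device }}` and `${{ matrix.os }}` directly into the shell, so the injection surface the commit message describes is only partly closed by this change; those two should be passed through `env:` as well. The build step's enclosing job is outside the hunk.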
@@ -13,14 +13,15 @@ defaults: run: shell: bash +permissions: + contents: read + jobs: collect: runs-on: ubuntu-latest container: image: ghcr.io/texasinstruments/processor-sdk-doc:latest options: --entrypoint /bin/bash - permissions: - contents: read outputs: build-matrix: "${{ steps.matrix.outputs.matrix }}" steps: @@ -40,8 +41,6 @@ jobs: container: image: ghcr.io/texasinstruments/processor-sdk-doc:latest options: --entrypoint /bin/bash - permissions: - contents: read needs: collect strategy: matrix: diff --git a/.github/workflows/check-files.yml b/.github/workflows/check-files.yml index 282edb75d..2bd979cec 100644 --- a/.github/workflows/check-files.yml +++ b/.github/workflows/check-files.yml @@ -11,6 +11,9 @@ defaults: run: shell: bash +permissions: + contents: read + jobs: lint: name: Lint @@ -18,8 +21,6 @@ jobs: container: image: ghcr.io/texasinstruments/processor-sdk-doc:latest options: --entrypoint /bin/bash - permissions: - contents: read steps: - name: Checkout repository diff --git a/.github/workflows/check_toc_txt.yml b/.github/workflows/check_toc_txt.yml index 3df95d84e..62bc43044 100644 --- a/.github/workflows/check_toc_txt.yml +++ b/.github/workflows/check_toc_txt.yml @@ -12,6 +12,9 @@ defaults: run: shell: bash +permissions: + contents: read + jobs: lint: name: Lint @@ -19,8 +22,6 @@ jobs: container: image: ghcr.io/texasinstruments/processor-sdk-doc:latest options: --entrypoint /bin/bash - permissions: - contents: read steps: - name: Checkout repository diff --git a/.github/workflows/comment.yml b/.github/workflows/comment.yml index c54a4cf03..13e6e739a 100644 --- a/.github/workflows/comment.yml +++ b/.github/workflows/comment.yml @@ -10,13 +10,14 @@ on: # yamllint disable-line rule:truthy types: - completed +permissions: + pull-requests: write + jobs: comment: name: Comment runs-on: ubuntu-latest if: ${{ github.event.workflow_run.event == 'pull_request' }} - permissions: - pull-requests: write steps: - name: Download artifact 
diff --git a/.github/workflows/commit-check.yml b/.github/workflows/commit-check.yml index 432406b77..5d52fedc5 100644 --- a/.github/workflows/commit-check.yml +++ b/.github/workflows/commit-check.yml @@ -4,14 +4,15 @@ on: # yamllint disable-line rule:truthy pull_request: branches: ['master'] +permissions: + contents: read + issues: write + pull-requests: write + jobs: commit-check: name: Commit Check runs-on: ubuntu-latest - permissions: - contents: read - issues: write - pull-requests: write steps: - name: Checkout diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index afa66dc66..7b378d8ee 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -8,6 +8,9 @@ on: # yamllint disable-line rule:truthy types: - completed +permissions: + contents: read + jobs: agregate: name: Agregate build artifacts @@ -16,8 +19,6 @@ jobs: container: image: ghcr.io/texasinstruments/processor-sdk-doc:latest options: --entrypoint /bin/bash - permissions: - contents: read steps: - name: Checkout diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 18f18976f..ef0269aef 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -11,13 +11,14 @@ env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} +permissions: + contents: read + packages: write + jobs: build: name: Build runs-on: ubuntu-latest - permissions: - contents: read - packages: write steps: - name: Checkout diff --git a/.github/workflows/rstcheck.yml b/.github/workflows/rstcheck.yml index cff2dede6..aab3f7e62 100644 --- a/.github/workflows/rstcheck.yml +++ b/.github/workflows/rstcheck.yml @@ -11,6 +11,9 @@ defaults: run: shell: bash +permissions: + contents: read + jobs: lint: name: Lint @@ -18,8 +21,6 @@ jobs: container: image: ghcr.io/texasinstruments/processor-sdk-doc:latest options: --entrypoint /bin/bash - permissions: - contents: read steps: - name: Checkout repository 
diff --git a/.github/workflows/vale.yml b/.github/workflows/vale.yml index 07e75cfbd..48380f19f 100644 --- a/.github/workflows/vale.yml +++ b/.github/workflows/vale.yml @@ -7,6 +7,9 @@ defaults: run: shell: bash +permissions: + contents: read + jobs: vale: name: vale @@ -14,8 +17,6 @@ jobs: container: image: ghcr.io/staticrocket/processor-sdk-doc:latest options: --entrypoint /bin/bash - permissions: - contents: read steps: - name: Prepare GitHub workdir diff --git a/.github/workflows/yamllint.yml b/.github/workflows/yamllint.yml index 377c2cc61..25850df5e 100644 --- a/.github/workflows/yamllint.yml +++ b/.github/workflows/yamllint.yml @@ -8,6 +8,9 @@ on: # yamllint disable-line rule:truthy - '**.yaml' - '**.yml' +permissions: + contents: read + jobs: yamllint: name: yamllint From 00da1f2a3dd94c1e24d249845b261635cb14b805 Mon Sep 17 00:00:00 2001 From: Randolph Sapp Date: Tue, 28 Apr 2026 14:52:25 -0500 Subject: [PATCH 04/11] ci: use env vars instead of template values Use env vars to pass values into scripts to prevent possible template injection issues. Signed-off-by: Randolph Sapp --- .github/workflows/build.yml | 6 ++++-- .github/workflows/check-files.yml | 4 +++- .github/workflows/check_toc_txt.yml | 4 +++- .github/workflows/rstcheck.yml | 4 +++- 4 files changed, 13 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 067de398e..6ad39ce6b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -57,9 +57,11 @@ jobs: git config --global --add safe.directory "$PWD" - name: Build ${{ matrix.device }} + env: + DEVFAMILY: ${{ matrix.device }} + OS: ${{ matrix.os }} run: | - make DEVFAMILY=${{ matrix.device }} OS=${{ matrix.os }} \ - VERSION=${GITHUB_REF_NAME} + make VERSION=${GITHUB_REF_NAME} - name: Upload artifact uses: actions/upload-artifact@v4 diff --git a/.github/workflows/check-files.yml b/.github/workflows/check-files.yml index 2bd979cec..c76d43ba2 100644 
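Review bot: The workflow-level `contents: read` added to yamllint.yml may be insufficient for the `reviewdog/action-yamllint@v1` step visible in the earlier context, because reviewdog reporters that post PR review comments or checks need `pull-requests: write` (or `checks: write`) on the token; with only read access it either fails or silently falls back to log output. The reporter configuration is not visible here, so this is a point to confirm, and if a write scope is needed it belongs at job level with an inline comment explaining why, in the same style used elsewhere in this series.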
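Review bot: Moving DEVFAMILY and OS from `make` arguments to `env:` changes their precedence for make: variables passed on the command line override assignments inside the Makefile, whereas environment variables are overridden by any plain `DEVFAMILY =`/`:=` assignment in the Makefile (unless it uses `?=` or make is run with `-e`). If the Makefile assigns either variable, the matrix value is now silently ignored. Passing the environment values explicitly keeps the old behaviour and the injection fix: `make DEVFAMILY="$DEVFAMILY" OS="$OS" VERSION="$GITHUB_REF_NAME"`. The build job's definition begins outside the hunk.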
--- a/.github/workflows/check-files.yml +++ b/.github/workflows/check-files.yml @@ -36,6 +36,8 @@ jobs: git switch master - name: Run check_files.py + env: + EVENT_NUMBER: ${{ github.event.number }} run: | # Disable color output export NO_COLOR=true @@ -56,7 +58,7 @@ jobs: # Prepare the artifacts mkdir -p ./results - echo "${{ github.event.number }}" > ./results/id + echo "$EVENT_NUMBER" > ./results/id cp "$GITHUB_STEP_SUMMARY" ./results/summary echo "$(wc -l < _new-warn.log)" > ./results/problem-count diff --git a/.github/workflows/check_toc_txt.yml b/.github/workflows/check_toc_txt.yml index 62bc43044..701d75b1c 100644 --- a/.github/workflows/check_toc_txt.yml +++ b/.github/workflows/check_toc_txt.yml @@ -37,6 +37,8 @@ jobs: git switch master - name: Run rstcheck + env: + EVENT_NUMBER: ${{ github.event.number }} run: | # Disable color output export NO_COLOR=true @@ -57,7 +59,7 @@ jobs: # Prepare the artifacts mkdir -p ./results - echo "${{ github.event.number }}" > ./results/id + echo "$EVENT_NUMBER" > ./results/id cp "$GITHUB_STEP_SUMMARY" ./results/summary echo "$(wc -l < _new-warn.log)" > ./results/problem-count diff --git a/.github/workflows/rstcheck.yml b/.github/workflows/rstcheck.yml index aab3f7e62..fbed08dd3 100644 --- a/.github/workflows/rstcheck.yml +++ b/.github/workflows/rstcheck.yml @@ -36,6 +36,8 @@ jobs: git switch master - name: Run rstcheck + env: + EVENT_NUMBER: ${{ github.event.number }} run: | # Disable color output export NO_COLOR=true @@ -56,7 +58,7 @@ jobs: # Prepare the artifacts mkdir -p ./results - echo "${{ github.event.number }}" > ./results/id + echo "$EVENT_NUMBER" > ./results/id cp "$GITHUB_STEP_SUMMARY" ./results/summary echo "$(wc -l < _new-warn.log)" > ./results/problem-count From 5cbabf6d2dd3e654b00cb5eacd89aa40406116a6 Mon Sep 17 00:00:00 2001 
From: Randolph Sapp Date: Tue, 28 Apr 2026 15:18:04 -0500 Subject: [PATCH 05/11] ci: trim and document unusual permissions Remove any permissions not explicitly needed at the moment. Add inline comments to explain the use of any remaining unusual workflow permissions. Signed-off-by: Randolph Sapp --- .github/workflows/comment.yml | 2 +- .github/workflows/commit-check.yml | 2 -- .github/workflows/component-owners.yml | 7 +++---- .github/workflows/deploy.yml | 4 ++-- .github/workflows/docker.yml | 4 +++- 5 files changed, 9 insertions(+), 10 deletions(-) diff --git a/.github/workflows/comment.yml b/.github/workflows/comment.yml index 13e6e739a..88bf508c4 100644 --- a/.github/workflows/comment.yml +++ b/.github/workflows/comment.yml @@ -11,7 +11,7 @@ on: # yamllint disable-line rule:truthy - completed permissions: - pull-requests: write + pull-requests: write # Required to leave a comment on a review jobs: comment: diff --git a/.github/workflows/commit-check.yml b/.github/workflows/commit-check.yml index 5d52fedc5..67a82c82e 100644 --- a/.github/workflows/commit-check.yml +++ b/.github/workflows/commit-check.yml @@ -6,8 +6,6 @@ on: # yamllint disable-line rule:truthy permissions: contents: read - issues: write - pull-requests: write jobs: commit-check: diff --git a/.github/workflows/component-owners.yml b/.github/workflows/component-owners.yml index 59f35f80a..db045db77 100644 --- a/.github/workflows/component-owners.yml +++ b/.github/workflows/component-owners.yml @@ -10,17 +10,16 @@ on: # yamllint disable-line rule:truthy branches: [master] permissions: - # Clamp permissions since pull_request_target workflows granted full - # read/write repository permission by default contents: read - issues: write - pull-requests: write jobs: component-owners: name: Assign component owners runs-on: ubuntu-latest + permissions: + pull-requests: write # Required to set reviewers + steps: - name: Assign component owners uses: dyladan/component-owners@main 
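Review bot: A job-level `permissions:` block replaces the workflow-level block for that job rather than extending it, so the component-owners job now gets `pull-requests: write` and every unlisted scope, including `contents`, set to none; the same applies to the docker.yml build job in the next hunk, which runs `actions/checkout` with only `packages: write`. On a public repository the checkout and config read may still succeed anonymously, but on a private one they would fail, so the job-level blocks should repeat `contents: read` next to the write scope, e.g. `contents: read` on the line above `pull-requests: write # Required to set reviewers`. Separately, `uses: dyladan/component-owners@main` runs under `pull_request_target` with PR write access from a mutable branch reference; pinning it to a commit SHA is the usual mitigation.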
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 7b378d8ee..a2e4de582 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -54,8 +54,8 @@ jobs: runs-on: ubuntu-latest needs: agregate permissions: - pages: write - id-token: write + pages: write # Required for deployment to GitHub Pages + id-token: write # Required for deployment to GitHub Pages steps: - name: Update github page deployment diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index ef0269aef..a52b28162 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -13,13 +13,15 @@ env: permissions: contents: read - packages: write jobs: build: name: Build runs-on: ubuntu-latest + permissions: + packages: write # Required to push image to ghcr.io + steps: - name: Checkout uses: actions/checkout@v4 From 3524770b6918e3e97506082d6b024b8c63a9746a Mon Sep 17 00:00:00 2001 From: Randolph Sapp Date: Tue, 28 Apr 2026 15:21:16 -0500 Subject: [PATCH 06/11] ci(build): add a name for the collect job Add a description/name for the collect job in the build workflow. Signed-off-by: Randolph Sapp --- .github/workflows/build.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 6ad39ce6b..ad5bef3e6 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -18,6 +18,7 @@ permissions: jobs: collect: + name: Collect DEVFAMILY and OS combinations runs-on: ubuntu-latest container: image: ghcr.io/texasinstruments/processor-sdk-doc:latest From e0160996b83fabea77c81eadc7555c5d7f92cacf Mon Sep 17 00:00:00 2001 
From: Randolph Sapp Date: Tue, 28 Apr 2026 15:25:23 -0500 Subject: [PATCH 07/11] ci(deploy): add a pages concurrency group There can only be one deployment at any one time and it has to be a full snapshot. No piecemeal updates. Might as well use a concurrency limit to kill any other jobs that get in our way. Not that there ever should be any, considering the way this job is launched currently. Signed-off-by: Randolph Sapp --- .github/workflows/deploy.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index a2e4de582..a4468f363 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -8,6 +8,10 @@ on: # yamllint disable-line rule:truthy types: - completed +concurrency: + group: pages + cancel-in-progress: true + permissions: contents: read From 0fe1229e815e778771d73826c505927b6cab08ea Mon Sep 17 00:00:00 2001 From: Randolph Sapp Date: Tue, 28 Apr 2026 15:55:06 -0500 Subject: [PATCH 08/11] ci(docker): add concurrency group for docker Interactions with tags and publishing container images should be purely sequential. Limit job concurrency to prevent any issues with multiple rapid updates to docker components. Signed-off-by: Randolph Sapp --- .github/workflows/docker.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index a52b28162..bc6922319 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -7,6 +7,10 @@ on: # yamllint disable-line rule:truthy - 'docker/**' - requirements.txt +concurrency: + group: docker + cancel-in-progress: true + env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} From 6419c3605fcaf7b969d872ed5f26402a50073f83 Mon Sep 17 00:00:00 2001 
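Review bot: `cancel-in-progress: true` on the `pages` group aborts an in-flight deployment rather than queueing behind it, which is the opposite of the strict sequencing the message describes; with `cancel-in-progress: false` a newer run waits and the in-progress deployment completes. The same consideration applies to the `docker` group in the next hunk, where cancelling a run after some tags have been pushed but before others can leave the published tags out of step until the next run. Whichever behaviour is intended, a one-line comment above `cancel-in-progress:` stating it would save the next reader the same question.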
From: Randolph Sapp Date: Tue, 28 Apr 2026 16:23:28 -0500 Subject: [PATCH 09/11] ci: assign workflow concurrency groups for prs Assign concurrency groups for PR based workflows to prevent issues with users submitting multiple pushes in a short time. Signed-off-by: Randolph Sapp --- .github/workflows/check-files.yml | 4 ++++ .github/workflows/check_toc_txt.yml | 4 ++++ .github/workflows/commit-check.yml | 4 ++++ .github/workflows/component-owners.yml | 4 ++++ .github/workflows/rstcheck.yml | 4 ++++ .github/workflows/vale.yml | 4 ++++ .github/workflows/yamllint.yml | 4 ++++ 7 files changed, 28 insertions(+) diff --git a/.github/workflows/check-files.yml b/.github/workflows/check-files.yml index c76d43ba2..25094d377 100644 --- a/.github/workflows/check-files.yml +++ b/.github/workflows/check-files.yml @@ -7,6 +7,10 @@ on: # yamllint disable-line rule:truthy paths: - 'source/**' +concurrency: + group: ${{ github.workflow }}-${{ github.event.number }} + cancel-in-progress: true + defaults: run: shell: bash diff --git a/.github/workflows/check_toc_txt.yml b/.github/workflows/check_toc_txt.yml index 701d75b1c..7a6f17442 100644 --- a/.github/workflows/check_toc_txt.yml +++ b/.github/workflows/check_toc_txt.yml @@ -8,6 +8,10 @@ on: # yamllint disable-line rule:truthy - 'source/**' - 'configs/*/*_toc.txt' +concurrency: + group: ${{ github.workflow }}-${{ github.event.number }} + cancel-in-progress: true + defaults: run: shell: bash diff --git a/.github/workflows/commit-check.yml b/.github/workflows/commit-check.yml index 67a82c82e..8fc3858a1 100644 --- a/.github/workflows/commit-check.yml +++ b/.github/workflows/commit-check.yml @@ -4,6 +4,10 @@ on: # yamllint disable-line rule:truthy pull_request: branches: ['master'] +concurrency: + group: ${{ github.workflow }}-${{ github.event.number }} + cancel-in-progress: true + permissions: contents: read diff --git a/.github/workflows/component-owners.yml b/.github/workflows/component-owners.yml index db045db77..091a3cb26 100644 
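Review bot: The group key `${{ github.workflow }}-${{ github.event.number }}` expands to just the workflow name on any trigger that is not a pull request, which would put all such runs in one group and cancel each other; today these workflows appear PR-only, but a fallback such as `group: ${{ github.workflow }}-${{ github.event.number || github.ref }}` makes the group safe if a `push` or `workflow_dispatch` trigger is added later. The same key is used in check_toc_txt, commit-check, component-owners, rstcheck, vale and yamllint.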
--- a/.github/workflows/component-owners.yml +++ b/.github/workflows/component-owners.yml @@ -9,6 +9,10 @@ on: # yamllint disable-line rule:truthy pull_request_target: branches: [master] +concurrency: + group: ${{ github.workflow }}-${{ github.event.number }} + cancel-in-progress: true + permissions: contents: read diff --git a/.github/workflows/rstcheck.yml b/.github/workflows/rstcheck.yml index fbed08dd3..bbb834dd3 100644 --- a/.github/workflows/rstcheck.yml +++ b/.github/workflows/rstcheck.yml @@ -7,6 +7,10 @@ on: # yamllint disable-line rule:truthy paths: - 'source/**' +concurrency: + group: ${{ github.workflow }}-${{ github.event.number }} + cancel-in-progress: true + defaults: run: shell: bash diff --git a/.github/workflows/vale.yml b/.github/workflows/vale.yml index 48380f19f..4b8b8bb8e 100644 --- a/.github/workflows/vale.yml +++ b/.github/workflows/vale.yml @@ -3,6 +3,10 @@ name: "vale" on: [pull_request] # yamllint disable-line rule:truthy +concurrency: + group: ${{ github.workflow }}-${{ github.event.number }} + cancel-in-progress: true + defaults: run: shell: bash diff --git a/.github/workflows/yamllint.yml b/.github/workflows/yamllint.yml index 25850df5e..56a8ed1d8 100644 --- a/.github/workflows/yamllint.yml +++ b/.github/workflows/yamllint.yml @@ -8,6 +8,10 @@ on: # yamllint disable-line rule:truthy - '**.yaml' - '**.yml' +concurrency: + group: ${{ github.workflow }}-${{ github.event.number }} + cancel-in-progress: true + permissions: contents: read From 827ae0183ad945c4574e4141b683ea2c4d110ea3 Mon Sep 17 00:00:00 2001 From: Randolph Sapp Date: Tue, 28 Apr 2026 16:33:35 -0500 Subject: [PATCH 10/11] ci: remove branch check for ready workflows The commit-check and component-owners workflows are currently ready to run on all branches. Remove the restraints for these two workflows. Other workflows will need to be adjusted before they can be released. 
Signed-off-by: Randolph Sapp --- .github/workflows/commit-check.yml | 4 +--- .github/workflows/component-owners.yml | 12 +++++------- 2 files changed, 6 insertions(+), 10 deletions(-) diff --git a/.github/workflows/commit-check.yml b/.github/workflows/commit-check.yml index 8fc3858a1..9750a3b18 100644 --- a/.github/workflows/commit-check.yml +++ b/.github/workflows/commit-check.yml @@ -1,8 +1,6 @@ --- name: Commit Check -on: # yamllint disable-line rule:truthy - pull_request: - branches: ['master'] +on: [pull_request] # yamllint disable-line rule:truthy concurrency: group: ${{ github.workflow }}-${{ github.event.number }} diff --git a/.github/workflows/component-owners.yml b/.github/workflows/component-owners.yml index 091a3cb26..e93aecdfe 100644 --- a/.github/workflows/component-owners.yml +++ b/.github/workflows/component-owners.yml @@ -1,13 +1,11 @@ --- name: "component-owners" -on: # yamllint disable-line rule:truthy - # It's insecure to use pull_request_target if you intend to check out code - # from that PR. This just reads the config file in the pull request base, and - # is not an issue currently. We will need to use this to comment on PRs coming - # from forked repositories. - pull_request_target: - branches: [master] +# It's insecure to use pull_request_target if you intend to check out code +# from that PR. This just reads the config file in the pull request base, and +# is not an issue currently. We will need to use this to comment on PRs coming +# from forked repositories. +on: [pull_request_target] # yamllint disable-line rule:truthy concurrency: group: ${{ github.workflow }}-${{ github.event.number }} From 0606982c2f5d6b47cdf358f0aa93014810272b90 Mon Sep 17 00:00:00 2001 From: Randolph Sapp Date: Thu, 7 May 2026 17:28:38 -0500 Subject: [PATCH 11/11] ci(comment): convert workflow to action No need to keep this level of isolation between these tasks. 
Signed-off-by: Randolph Sapp --- .github/actions/comment/action.yml | 31 ++++++++++++++++++ .github/workflows/check-files.yml | 12 ++++--- .github/workflows/check_toc_txt.yml | 11 ++++--- .github/workflows/comment.yml | 50 ----------------------------- .github/workflows/rstcheck.yml | 11 ++++--- 5 files changed, 50 insertions(+), 65 deletions(-) create mode 100644 .github/actions/comment/action.yml delete mode 100644 .github/workflows/comment.yml diff --git a/.github/actions/comment/action.yml b/.github/actions/comment/action.yml new file mode 100644 index 000000000..5d4660188 --- /dev/null +++ b/.github/actions/comment/action.yml @@ -0,0 +1,31 @@ +--- +name: "comment" +description: "Comment on a given pull request or issue" +inputs: + token: + description: "A token with pull request or issue write permission" + required: true + +runs: + using: "composite" + steps: + - name: Update pr with info from other runners + uses: actions/github-script@v7 + with: + github-token: ${{ inputs.token }} + script: | + var fs = require('fs'); + var issue_number = Number(fs.readFileSync('./results/id')); + var problem_count = Number(fs.readFileSync( + './results/problem-count' + )); + var summary = String(fs.readFileSync('./results/summary')); + + if (problem_count > 0) { + github.rest.issues.createComment({ + owner: context.repo.owner, + issue_number: issue_number, + repo: context.repo.repo, + body: summary + }); + } diff --git a/.github/workflows/check-files.yml b/.github/workflows/check-files.yml index 25094d377..654a2eedd 100644 --- a/.github/workflows/check-files.yml +++ b/.github/workflows/check-files.yml @@ -26,6 +26,9 @@ jobs: image: ghcr.io/texasinstruments/processor-sdk-doc:latest options: --entrypoint /bin/bash + permissions: + pull-requests: write # Required to comment on pull requests + steps: - name: Checkout repository uses: actions/checkout@v4 
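Review bot: Posting the comment from inside the `pull_request` workflow with `secrets.GITHUB_TOKEN` will not work for pull requests from forks, because the token a `pull_request` run receives for a fork is read-only regardless of the `permissions:` block; the separate `workflow_run` workflow being deleted here was the documented pattern for exactly that case. If fork PRs matter (the component-owners comment in this series says they do), the `createComment` call will be rejected and, since it runs under `if: always()`, fail the lint job. Independently, the call in the script is not awaited, so `await github.rest.issues.createComment({` would make failures surface deterministically rather than as an unhandled rejection; the action also assumes `./results/id`, `./results/problem-count` and `./results/summary` exist, which is not guaranteed when the earlier step fails before writing them.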
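Review bot: The new job-level `permissions: pull-requests: write` in check-files.yml replaces the workflow-level `contents: read` for this job, so the lint job now runs `actions/checkout` and `git switch master` with `contents: none`; the same pattern is repeated in the check_toc_txt.yml and rstcheck.yml hunks below. Add `contents: read` alongside the write scope at job level so the job keeps its read access explicitly rather than depending on anonymous access to a public repository.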
@@ -40,6 +43,7 @@ jobs: git switch master - name: Run check_files.py + id: check env: EVENT_NUMBER: ${{ github.event.number }} run: | @@ -69,10 +73,8 @@ jobs: # Exit with error if there are new warnings [ "$WARNING_COUNT" -eq "0" ] - - name: Save results - uses: actions/upload-artifact@v4 + - name: Comment + uses: ./.github/actions/comment if: always() with: - name: results - path: results/ - retention-days: 1 + token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/check_toc_txt.yml b/.github/workflows/check_toc_txt.yml index 7a6f17442..2923130ed 100644 --- a/.github/workflows/check_toc_txt.yml +++ b/.github/workflows/check_toc_txt.yml @@ -27,6 +27,9 @@ jobs: image: ghcr.io/texasinstruments/processor-sdk-doc:latest options: --entrypoint /bin/bash + permissions: + pull-requests: write # Required to comment on pull requests + steps: - name: Checkout repository uses: actions/checkout@v4 @@ -70,10 +73,8 @@ jobs: # Exit with error if there are new warnings [ "$WARNING_COUNT" -eq "0" ] - - name: Save results - uses: actions/upload-artifact@v4 + - name: Comment + uses: ./.github/actions/comment if: always() with: - name: results - path: results/ - retention-days: 1 + token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/comment.yml b/.github/workflows/comment.yml deleted file mode 100644 index 88bf508c4..000000000 --- a/.github/workflows/comment.yml +++ /dev/null 
@@ -1,50 +0,0 @@ ---- -name: "comment" - -on: # yamllint disable-line rule:truthy - workflow_run: - workflows: - - rstcheck - - check_toc_txt - - check-files - types: - - completed - -permissions: - pull-requests: write # Required to leave a comment on a review - -jobs: - comment: - name: Comment - runs-on: ubuntu-latest - if: ${{ github.event.workflow_run.event == 'pull_request' }} - - steps: - - name: Download artifact - uses: actions/download-artifact@v4 - with: - name: results - run-id: ${{ github.event.workflow_run.id }} - github-token: ${{ secrets.GITHUB_TOKEN }} - path: results - - - name: Update pr with info from other runners - uses: actions/github-script@v7 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - script: | - var fs = require('fs'); - var issue_number = Number(fs.readFileSync('./results/id')); - var problem_count = Number(fs.readFileSync( - './results/problem-count' - )); - var summary = String(fs.readFileSync('./results/summary')); - - if (problem_count > 0) { - github.rest.issues.createComment({ - owner: context.repo.owner, - issue_number: issue_number, - repo: context.repo.repo, - body: summary - }); - } diff --git a/.github/workflows/rstcheck.yml b/.github/workflows/rstcheck.yml index bbb834dd3..e6794c92e 100644 --- a/.github/workflows/rstcheck.yml +++ b/.github/workflows/rstcheck.yml @@ -26,6 +26,9 @@ jobs: image: ghcr.io/texasinstruments/processor-sdk-doc:latest options: --entrypoint /bin/bash + permissions: + pull-requests: write # Required to comment on pull requests + steps: - name: Checkout repository uses: actions/checkout@v4 @@ -69,10 +72,8 @@ jobs: # Exit with error if there are new warnings [ "$WARNING_COUNT" -eq "0" ] - - name: Save results - uses: actions/upload-artifact@v4 + - name: Comment + uses: ./.github/actions/comment if: always() with: - name: results - path: results/ - retention-days: 1 + token: ${{ secrets.GITHUB_TOKEN }}