TexasInstruments · StaticRocket · Apr 28, 2026 · Apr 28, 2026 · Apr 28, 2026 · Apr 28, 2026
@@ -0,0 +1,31 @@
+---
+name: "comment"
+description: "Comment on a given pull request or issue"
+inputs:
+  token:
+    description: "A token with pull request or issue write permission"
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Update pr with info from other runners
+      uses: actions/github-script@v7
+      with:
+        github-token: ${{ inputs.token }}
+        script: |
+          var fs = require('fs');
+          var issue_number = Number(fs.readFileSync('./results/id'));
+          var problem_count = Number(fs.readFileSync(
+            './results/problem-count'
+          ));
+          var summary = String(fs.readFileSync('./results/summary'));
+
+          if (problem_count > 0) {
+            github.rest.issues.createComment({
+              owner: context.repo.owner,
+              issue_number: issue_number,
+              repo: context.repo.repo,
+              body: summary
+            });
+          }
@@ -13,19 +13,23 @@ defaults:
   run:
     shell: bash
 
+permissions:
+  contents: read
+
 jobs:
   collect:
+    name: Collect DEVFAMILY and OS combinations
     runs-on: ubuntu-latest
     container:
       image: ghcr.io/texasinstruments/processor-sdk-doc:latest
       options: --entrypoint /bin/bash
-    permissions:
-      contents: read
     outputs:
       build-matrix: "${{ steps.matrix.outputs.matrix }}"
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Create build matrix
         id: matrix
@@ -38,8 +42,6 @@ jobs:
     container:
       image: ghcr.io/texasinstruments/processor-sdk-doc:latest
       options: --entrypoint /bin/bash
-    permissions:
-      contents: read
     needs: collect
     strategy:
       matrix:
@@ -48,15 +50,19 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Add directory to safe dir overrides
         run: |
           git config --global --add safe.directory "$PWD"
 
       - name: Build ${{ matrix.device }}
+        env:
+          DEVFAMILY: ${{ matrix.device }}
+          OS: ${{ matrix.os }}
         run: |
-          make DEVFAMILY=${{ matrix.device }} OS=${{ matrix.os }} \
-          VERSION=${{ github.ref_name }}
+          make VERSION=${GITHUB_REF_NAME}
 
       - name: Upload artifact
         uses: actions/upload-artifact@v4

@@ -7,23 +7,33 @@ on:  # yamllint disable-line rule:truthy
     paths:
       - 'source/**'
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.number }}
+  cancel-in-progress: true
+
 defaults:
   run:
     shell: bash
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     name: Lint
     runs-on: ubuntu-latest
     container:
       image: ghcr.io/texasinstruments/processor-sdk-doc:latest
       options: --entrypoint /bin/bash
+
     permissions:
-      contents: read
+      pull-requests: write  # Required to comment on pull requests
 
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Update refs and settings
         run: |
@@ -33,6 +43,9 @@ jobs:
           git switch master
 
       - name: Run check_files.py
+        id: check
+        env:
+          EVENT_NUMBER: ${{ github.event.number }}
         run: |
           # Disable color output
           export NO_COLOR=true
@@ -53,17 +66,15 @@ jobs:
 
           # Prepare the artifacts
           mkdir -p ./results
-          echo "${{ github.event.number }}" > ./results/id
+          echo "$EVENT_NUMBER" > ./results/id
           cp "$GITHUB_STEP_SUMMARY" ./results/summary
           echo "$(wc -l < _new-warn.log)" > ./results/problem-count
 
           # Exit with error if there are new warnings
           [ "$WARNING_COUNT" -eq "0" ]
 
-      - name: Save results
-        uses: actions/upload-artifact@v4
+      - name: Comment
+        uses: ./.github/actions/comment
         if: always()
         with:
-          name: results
-          path: results/
-          retention-days: 1
+          token: ${{ secrets.GITHUB_TOKEN }}
@@ -8,23 +8,33 @@ on:  # yamllint disable-line rule:truthy
       - 'source/**'
       - 'configs/*/*_toc.txt'
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.number }}
+  cancel-in-progress: true
+
 defaults:
   run:
     shell: bash
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     name: Lint
     runs-on: ubuntu-latest
     container:
       image: ghcr.io/texasinstruments/processor-sdk-doc:latest
       options: --entrypoint /bin/bash
+
     permissions:
-      contents: read
+      pull-requests: write  # Required to comment on pull requests
 
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Update refs and settings
         run: |
@@ -34,6 +44,8 @@ jobs:
           git switch master
 
       - name: Run rstcheck
+        env:
+          EVENT_NUMBER: ${{ github.event.number }}
         run: |
           # Disable color output
           export NO_COLOR=true
@@ -54,17 +66,15 @@ jobs:
 
           # Prepare the artifacts
           mkdir -p ./results
-          echo "${{ github.event.number }}" > ./results/id
+          echo "$EVENT_NUMBER" > ./results/id
           cp "$GITHUB_STEP_SUMMARY" ./results/summary
           echo "$(wc -l < _new-warn.log)" > ./results/problem-count
 
           # Exit with error if there are new warnings
           [ "$WARNING_COUNT" -eq "0" ]
 
-      - name: Save results
-        uses: actions/upload-artifact@v4
+      - name: Comment
+        uses: ./.github/actions/comment
         if: always()
         with:
-          name: results
-          path: results/
-          retention-days: 1
+          token: ${{ secrets.GITHUB_TOKEN }}
@@ -1,23 +1,25 @@
 ---
 name: Commit Check
-on:  # yamllint disable-line rule:truthy
-  pull_request:
-    branches: ['master']
+on: [pull_request]  # yamllint disable-line rule:truthy
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.number }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
 
 jobs:
   commit-check:
     name: Commit Check
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      issues: write
-      pull-requests: write
 
     steps:
       - name: Checkout
         uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha }}
+          persist-credentials: false
 
       - name: Check commit
         uses: commit-check/commit-check-action@v2

@@ -1,26 +1,27 @@
 ---
 name: "component-owners"
 
-on:  # yamllint disable-line rule:truthy
-  # It's insecure to use pull_request_target if you intend to check out code
-  # from that PR. This just reads the config file in the pull request base, and
-  # is not an issue currently. We will need to use this to comment on PRs coming
-  # from forked repositories.
-  pull_request_target:
-    branches: [master]
+# It's insecure to use pull_request_target if you intend to check out code
+# from that PR. This just reads the config file in the pull request base, and
+# is not an issue currently. We will need to use this to comment on PRs coming
+# from forked repositories.
+on: [pull_request_target]  # yamllint disable-line rule:truthy
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.number }}
+  cancel-in-progress: true
 
 permissions:
-  # Clamp permissions since pull_request_target workflows granted full
-  # read/write repository permission by default
   contents: read
-  issues: write
-  pull-requests: write
 
 jobs:
   component-owners:
     name: Assign component owners
     runs-on: ubuntu-latest
 
+    permissions:
+      pull-requests: write  # Required to set reviewers
+
     steps:
       - name: Assign component owners
         uses: dyladan/component-owners@main

@@ -8,6 +8,13 @@ on:  # yamllint disable-line rule:truthy
     types:
       - completed
 
+concurrency:
+  group: pages
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
 jobs:
   agregate:
     name: Agregate build artifacts
@@ -16,12 +23,12 @@ jobs:
     container:
       image: ghcr.io/texasinstruments/processor-sdk-doc:latest
       options: --entrypoint /bin/bash
-    permissions:
-      contents: read
 
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Add directory to safe dir overrides
         run: |
@@ -51,8 +58,8 @@ jobs:
     runs-on: ubuntu-latest
     needs: agregate
     permissions:
-      pages: write
-      id-token: write
+      pages: write  # Required for deployment to GitHub Pages
+      id-token: write  # Required for deployment to GitHub Pages
 
     steps:
       - name: Update github page deployment