Merge branch 'master' into private/bengangy/sync-master-to-ssh

Author: BengangY

.codechecker.json

@@ -0,0 +1,6 @@
+{
+  "analyze": [
+    "--disable=misc-header-include-cycle",
+    "--disable=clang-diagnostic-unused-parameter"
+  ]
+}

.github/workflows/1.249-lcm.yml

@@ -1,5 +1,7 @@
 name: Build and test (1.249-lcm, scheduled)
 
+permissions: {}
+
 on:
   schedule:
     # run every Monday, this refreshes the cache
@@ -9,6 +11,8 @@ jobs:
   python-test:
     name: Python tests
     runs-on: ubuntu-20.04
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:

.github/workflows/codechecker.yml

@@ -0,0 +1,79 @@
+name: Run CodeChecker static analyzer on XAPI's C stubs
+permissions: {}
+
+on:
+  push:
+  pull_request:
+    branches:
+      - master
+      - 'feature/**'
+      - '*-lcm'
+
+concurrency: # On new push, cancel old workflows from the same PR, branch or tag:
+  group: ${{ github.workflow }}-${{github.event_name}}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  staticanalyzer:
+    name: Static analyzer for OCaml C stubs
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    env:
+      XAPI_VERSION: "v0.0.0-${{ github.sha }}"
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup XenAPI environment
+        uses: ./.github/workflows/setup-xapi-environment
+        with:
+          xapi_version: ${{ env.XAPI_VERSION }}
+
+      - name: Install dune-compiledb to generate compile_commands.json
+        run: |
+          opam pin add -y ezjsonm https://github.com/mirage/ezjsonm/releases/download/v1.3.0/ezjsonm-1.3.0.tbz
+          opam pin add -y dune-compiledb https://github.com/edwintorok/dune-compiledb/releases/download/0.6.0/dune-compiledb-0.6.0.tbz
+
+      - name: Trim dune cache
+        run: opam exec -- dune cache trim --size=2GiB         
+
+      - name: Generate compile_commands.json
+        run: opam exec -- make compile_commands.json
+
+      - name: Upload compile commands json
+        uses: actions/upload-artifact@v4
+        with:
+          path: ${{ github.workspace }}/compile_commands.json
+
+      - uses: whisperity/codechecker-analysis-action@v1
+        id: codechecker
+        with:
+          ctu: true
+          logfile: ${{ github.workspace }}/compile_commands.json
+          analyze-output: "codechecker_results"
+
+      - name: Upload CodeChecker report
+        uses: actions/upload-artifact@v4
+        with:
+          name: codechecker_results
+          path: "${{ steps.codechecker.outputs.result-html-dir }}"
+
+      # cppcheck even for other analyzers apparently, this is
+      # codechecker's output
+      - name: convert to SARIF
+        shell: bash
+        run: report-converter "codechecker_results" --type cppcheck --output codechecker.sarif --export sarif
+
+      - name: Upload CodeChecker SARIF report
+        uses: actions/upload-artifact@v4
+        with:
+          name: codechecker_sarif
+          path: codechecker.sarif
+
+      - name: Upload SARIF report
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+         sarif_file: codechecker.sarif

.github/workflows/docs.yml

@@ -1,5 +1,7 @@
 name: Generate and upload docs
 
+permissions: {}
+
 on:
   push:
     branches: master
@@ -8,6 +10,8 @@ jobs:
   ocaml:
     name: Docs
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
     env:
       XAPI_VERSION: "v0.0.0-${{ github.sha }}"
       STORAGE_DOCDIR: .gh-pages-xapi-storage

.github/workflows/format.yml

@@ -1,5 +1,7 @@
 name: Check format
 
+permissions: {}
+
 on:
   pull_request:
     branches:
@@ -12,6 +14,8 @@ jobs:
   ocaml-format:
     name: Ocaml files
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout code

.github/workflows/generate-and-build-sdks.yml

@@ -1,5 +1,7 @@
 name: Generate and Build SDKs
 
+permissions: {}
+
 on:
   workflow_call:
     inputs:
@@ -11,6 +13,9 @@ jobs:
   generate-sdk-sources:
     name: Generate SDK sources
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
@@ -25,7 +30,7 @@ jobs:
         run: opam exec -- make sdk
 
       # sdk-ci runs some Go unit tests.
-      # This setting ensures that SDK date time 
+      # This setting ensures that SDK date time
       # tests are run on a machine that
       # isn't using UTC
       - name: Set Timezone to Tokyo for datetime tests
@@ -77,6 +82,9 @@ jobs:
     name: Build C SDK
     runs-on: ubuntu-latest
     needs: generate-sdk-sources
+    permissions:
+      contents: read
+
     steps:
       - name: Install dependencies
         run: sudo apt-get install libxml2-dev
@@ -103,6 +111,9 @@ jobs:
     name: Build Java SDK
     runs-on: ubuntu-latest
     needs: generate-sdk-sources
+    permissions:
+      contents: read
+
     steps:
       - name: Install dependencies
         run: sudo apt-get install maven
@@ -120,9 +131,9 @@ jobs:
           distribution: 'temurin'
 
       # Java Tests are run at compile time.
-      # This setting ensures that SDK date time 
+      # This setting ensures that SDK date time
       # tests are run on a machine that
-      # isn't using UTC 
+      # isn't using UTC
       - name: Set Timezone to Tokyo for datetime tests
         run: |
           sudo timedatectl set-timezone Asia/Tokyo
@@ -144,6 +155,9 @@ jobs:
     name: Build C# SDK
     runs-on: windows-2022
     needs: generate-sdk-sources
+    permissions:
+      contents: read
+
     steps:
       - name: Strip 'v' prefix from xapi version
         shell: pwsh
@@ -158,7 +172,7 @@ jobs:
         # All tests builds and pipelines should
         # work on other timezones. This setting ensures that
         # SDK date time tests are run on a machine that
-        # isn't using UTC 
+        # isn't using UTC
       - name: Set Timezone to Tokyo for datetime tests
         shell: pwsh
         run: Set-TimeZone -Id "Tokyo Standard Time"
@@ -192,6 +206,9 @@ jobs:
     # PowerShell SDK for PowerShell 5.x needs to run on windows-2019 because
     # windows-2022 doesn't contain .NET Framework 4.x dev tools
     runs-on: windows-2019
+    permissions:
+      contents: read
+
     steps:
       - name: Strip 'v' prefix from xapi version
         shell: pwsh
@@ -265,6 +282,8 @@ jobs:
         dotnet: ["6", "8"]
     needs: build-csharp-sdk
     runs-on: windows-2022
+    permissions:
+      contents: read
 
     steps:
       - name: Strip 'v' prefix from xapi version

.github/workflows/hugo.yml

@@ -1,5 +1,7 @@
 name: Generate and upload Hugo docs
 
+permissions: {}
+
 on:
   push:
     branches: master
@@ -8,6 +10,9 @@ jobs:
   ocaml:
     name: Docs
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+
 
     steps:
       - name: Checkout code

.github/workflows/main.yml

@@ -1,5 +1,7 @@
 name: Build and test
 
+permissions: {}
+
 on:
   # When only Hugo docs change, this workflow is not required:
   push:
@@ -20,6 +22,8 @@ jobs:
   ocaml-tests:
     name: Run OCaml tests
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
     env:
       # Ensure you also update test-sdk-builds
       # when changing this value, to keep builds

.github/workflows/other.yml

@@ -1,5 +1,7 @@
 name: Build and test (other)
 
+permissions: {}
+
 on:
   # When only Hugo docs change, this workflow is not required:
   push:
@@ -20,6 +22,10 @@ jobs:
   python-test:
     name: Python tests
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      pull-requests: write # allow commenting on the PR
+
     strategy:
       fail-fast: false
       matrix:
@@ -29,7 +35,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0 # To check which files changed: origin/master..HEAD
-      - uses: LizardByte/setup-python-action@master
+      - uses: actions/setup-python@v5
         with:
           python-version: ${{matrix.python-version}}
 
@@ -56,6 +62,7 @@ jobs:
           files: .git/coverage${{matrix.python-version}}.xml
           flag-name: python${{matrix.python-version}}
           parallel: true
+          fail-on-error: false
 
       - uses: dciborow/[email protected]
         with:
@@ -89,12 +96,14 @@ jobs:
       - name: Finish the parallel coverage upload to Coveralls
         uses: coverallsapp/github-action@v2
         with:
+          fail-on-error: false
           parallel-finished: true
-        continue-on-error: true  # Do not fail CI if this step fails
 
   deprecation-test:
     name: Deprecation tests
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout code
@@ -109,6 +118,8 @@ jobs:
   test-sdk-builds:
     name: Test SDK builds
     uses: ./.github/workflows/generate-and-build-sdks.yml
+    permissions:
+      contents: read
     with:
       # Ensure you also update ocaml-tests
       # when changing this value, to keep builds

.github/workflows/release.yml

@@ -1,5 +1,7 @@
 name: Create release from tag
 
+permissions: {}
+
 on:
   push:
     tags:
@@ -9,6 +11,8 @@ jobs:
   build-python:
     name: Build and upload Python artifacts
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout code
@@ -36,10 +40,15 @@ jobs:
   build-sdks:
     name: Build and upload SDK artifacts
     uses: ./.github/workflows/generate-and-build-sdks.yml
+    permissions:
+      contents: read
     with:
       xapi_version: ${{ github.ref_name }}
 
   release:
+    permissions:
+      contents: write # allow creating a release
+
     name: "Create and package release"
     runs-on: ubuntu-latest
     needs: [build-python, build-sdks]
@@ -124,6 +133,7 @@ jobs:
     needs: release
     environment: pypi
     permissions:
+      contents: read
       id-token: write
     steps:
       - name: Retrieve python distribution artifacts