feat: GHA updates

jerzyjamroz · web-flow · commit 9098e1919877 · 2025-08-26T10:16:24.000+02:00
* Merge pull request epics-modules#23 from jerzyjamroz/gha * added permissions to .yml files * codeql for the module and kmod * check-editorconfig.yml
diff --git a/.editorconfig b/.editorconfig
@@ -0,0 +1,25 @@
+# Documentation for this file: https://EditorConfig.org
+
+root = true
+
+# Unix-style newlines ending every file,
+# as some compilers complain about files not ending in newline
+[*]
+insert_final_newline = true
+trim_trailing_whitespace = true
+charset = utf-8
+end_of_line = lf
+
+# Ignore for OPI-s
+[*.{opi,bob,def}]
+insert_final_newline = unset
+end_of_line = unset
+
+[*Makefile*]
+trim_trailing_whitespace = false
+tab_width = 4
+indent_style = tab
+
+[{*.{md,lyx},Doxyfile,LICENSE,copyright}]
+charset = unset
+trim_trailing_whitespace = false
diff --git a/.github/codeql/config.yml b/.github/codeql/config.yml
@@ -0,0 +1,22 @@
+name: "CodeQL Config"
+
+# Queries and the suites they belong to are documented at
+#    https://codeql.github.com/codeql-query-help/cpp/
+
+queries:
+  - uses: security-and-quality
+  # Choose the above from 3 query suites:
+  #   default
+  #      The default set of queries
+  #   security-extended
+  #      `default` suite plus lower severity and precision queries
+  #   security-and-quality
+  #      `security-extended`, plus maintainability and reliability queries
+
+query-filters:
+-
+  exclude:
+    id: cpp/use-of-goto
+-
+  exclude:
+    problem.severity: recommendation
diff --git a/.github/workflows/check-editorconfig.yml b/.github/workflows/check-editorconfig.yml
@@ -0,0 +1,16 @@
+name: Check EditorConfig
+
+on:
+  push: {}
+  pull_request: {}
+
+permissions:
+  contents: read
+
+jobs:
+  editorconfig:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: EditorConfig compliance check
+        uses: editorconfig-checker/action-editorconfig-checker@v2
diff --git a/.github/workflows/kmod-codeql.yml b/.github/workflows/kmod-codeql.yml
@@ -0,0 +1,54 @@
+name: CodeQL Linux kernel module
+
+on:
+  push:
+    paths:
+      - ".github/workflows/kmod-codeql.yml"
+      - "linux/**"
+  pull_request:
+    paths:
+      - ".github/workflows/kmod-codeql.yml"
+      - "linux/**"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  actions: read
+  security-events: write
+
+jobs:
+  analyze:
+    name: CodeQL (C/C++)
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Info
+        run: |
+          uname -a
+          gcc --version
+
+      - name: Deps
+        run: |
+          sudo apt-get update
+          sudo apt-get -y install linux-headers-$(uname -r) kmod libelf-dev make
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: cpp
+          # Optional stronger rules:
+          # queries: security-and-quality
+          # Optional smaller SARIF:
+          # add-snippets: false
+
+      - name: Build (extraction only)
+        run: |
+          make -C linux
+
+      - name: Analyze
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:cpp"
diff --git a/.github/workflows/module-build.yml b/.github/workflows/module-build.yml
@@ -5,20 +5,38 @@
 
 # Set the 'name:' properties to values that work for you (pvxs)
 
-name: devlib2
+name: Module Build and Test
 
 # Trigger on pushes and PRs to any branch
 on:
   push:
-    paths-ignore:
-      - "documentation/**"
-      - "**/*.md"
+    paths:
+      - ".github/workflows/module-build.yml"
+      - "configure/**"
+      - "common/**"
+      - "exploreApp/**"
+      - "pciApp/**"
+      - "vmeApp/**"
+      - "testApp/**"
+      - "Makefile"
   pull_request:
-    paths-ignore:
-      - "documentation/**"
-      - "**/*.md"
+    paths:
+      - ".github/workflows/module-build.yml"
+      - "configure/**"
+      - "common/**"
+      - "exploreApp/**"
+      - "pciApp/**"
+      - "vmeApp/**"
+      - "testApp/**"
+      - "Makefile"
   workflow_dispatch:
 
+permissions:
+  contents: read
+  pull-requests: write
+  issues: write
+  statuses: write
+
 env:
   SETUP_PATH: .ci-local:.ci
   EPICS_TEST_IMPRECISE_TIMING: YES
diff --git a/.github/workflows/module-codeql.yml b/.github/workflows/module-codeql.yml
@@ -0,0 +1,65 @@
+name: CodeQL Module
+
+on:
+  push:
+    branches: [master, gha]
+    paths:
+      - ".github/workflows/module-codeql.yml"
+      - "common/**"
+      - "exploreApp/**"
+      - "pciApp/**"
+      - "vmeApp/**"
+  pull_request:
+    branches: [master]
+    paths:
+      - ".github/workflows/module-codeql.yml"
+      - "common/**"
+      - "exploreApp/**"
+      - "pciApp/**"
+      - "vmeApp/**"
+
+permissions:
+  contents: read
+  security-events: write
+
+env:
+  SETUP_PATH: .ci-local:.ci
+  BASE: "7.0"
+  CMP: gcc
+  BCFG: default
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          submodules: true
+          fetch-depth: 0
+
+      - name: Deps
+        run: |
+          sudo apt-get update
+          sudo apt-get -y install qemu-system-x86 gdb
+
+      - name: Prepare deps (ci-scripts)
+        run: python3 .ci/cue.py prepare
+
+      - name: Initialize CodeQL (manual build)
+        uses: github/codeql-action/init@v3
+        with:
+          languages: cpp
+          build-mode: manual
+          config-file: ./.github/codeql/config.yml
+
+      - name: Build (ci-scripts)
+        run: |
+          python3 .ci/cue.py build
+
+      - name: Analyze
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:cpp"
diff --git a/linux/pci_generic_msi.c b/linux/pci_generic_msi.c
@@ -67,7 +67,14 @@ int mmap_generic_msi(struct uio_info *info, struct vm_area_struct *vma)
         return -EINVAL;
     }
 
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 3, 0)
+    vm_flags_set(vma, VM_IO | VM_RESERVED);
+#elif defined(RHEL_RELEASE_CODE) && (RHEL_RELEASE_CODE >= 0x905)
+    vm_flags_set(vma, VM_IO | VM_RESERVED);
+#else
     vma->vm_flags |= VM_IO | VM_RESERVED;
+#endif
+
     vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot);
 
     return remap_pfn_range(vma,
@@ -163,9 +170,15 @@ static int probe_generic_msi(struct pci_dev *pdev,
     }
 
     {
+#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 0, 0)
         struct msi_desc *desc = irq_get_msi_desc(pdev->irq);
         priv->maskable = desc ? desc->msi_attrib.maskbit : 0;
         dev_info(&pdev->dev, "MSI is %smaskable\n", priv->maskable ? "" : "not ");
+#else
+        // Newer kernels: msi_desc not active
+        priv->maskable = 0;
+        dev_info(&pdev->dev, "MSI enabled (mask-bit introspection not available).\n");
+#endif
     }
 
     err = uio_register_device(&pdev->dev, &priv->uio);
