Merge pull request #4 from samyarsadat/stage-1-workflow-experiments

Stage 1 Workflow Experiments

.github/workflows/README.md

@@ -0,0 +1,17 @@
+## CodeQL Analysis for MicroROS & Pico Source Code
+
+At the moment, CodeQL needs to be run in the same environment as the build steps. This means that it cannot analyze code that
+is built inside of a Docker container, unless CodeQL itself also runs inside of that container. This becomes a problem when you
+try to use the Pico Build Action and the MicroROS Build Action with CodeQL, as both Pico and MicroROS Build are Docker container
+actions. Until the developers of the CodeQL action add a way to analyze build that run in a Docker container or until I (maybe)
+somehow implement CodeQL into the Pico Build and MicroROS Build actions, I've come up with a temporary workaround.<br>
+<br>
+I've put modified versions of the build scripts from the build actions into the `codeql-pico-scripts` directory. I've also added
+two new re-usable actions (the reason I've decided to use resusable actions isn't because I use them in more than one place, but
+because I want them to be separated from everything else) for building and analyzing micro-ROS and the Pico source code using the
+aforementioned scripts. You may have also noticed that these re-usable actions use the same Docker images as the actual Pico Build
+Action and MicroROS Build Action.<br>
+<br>
+I have still left the original `pico-build.yml` workflow, as I want it to serve as a usage example for Pico Build Action and MicroROS
+Build Action, and also because `pico-codeql.yml` doesn't produce binaries for the Pico (well, it does internally, but they're not 
+uploaded as artifacts, so they can't be accessed).

.github/workflows/analyze-pico.yml

@@ -15,20 +15,8 @@
 #  You should have received a copy of the GNU General Public License
 #  along with this program.  If not, see <https: www.gnu.org/licenses/>.
 
-name: "Pico CodeQL Analysis"
-on: 
-    workflow_call:
-        inputs:
-            microros_artifact_name:
-                description: "The name of the artifact containing the micro-ROS library."
-                required: false
-                default: uros_library_artifacts
-                type: string
-            pico_ws_path:
-                description: "The path to the Pico workspace directory."
-                required: false
-                default: "Source Code/pico_ws"
-                type: string
+name: Pico CodeQL Analysis
+on: workflow_call
 
 jobs:
     analyze_pico:
@@ -49,26 +37,27 @@ jobs:
             - name: Download MicroROS Library Artifacts
               uses: actions/download-artifact@v4
               with:
-                  name: ${{inputs.microros_artifact_name}}
-                  path: "${{inputs.pico_ws_path}}/libmicroros/firmware/build"
+                  name: uros_library_artifacts
+                  path: "Source Code/pico_ws/libmicroros/firmware/build"
 
             - name: Copy FreeRTOS Kernel Import File
               shell: bash
               run: |
-                  cp "${{inputs.pico_ws_path}}/libfreertos/FreeRTOS-Kernel/portable/ThirdParty/GCC/RP2040/FreeRTOS_Kernel_import.cmake" \
-                  "${{inputs.pico_ws_path}}/FreeRTOS_Kernel_import.cmake"
+                  cp "Source Code/pico_ws/libfreertos/FreeRTOS-Kernel/portable/ThirdParty/GCC/RP2040/FreeRTOS_Kernel_import.cmake" \
+                  "Source Code/pico_ws/FreeRTOS_Kernel_import.cmake"
 
             - name: Initialize CodeQL
               uses: github/codeql-action/init@v3
               with:
                   languages: c-cpp
                   build-mode: manual
+                  queries: security-and-quality
 
             - name: Build Pico Source Code
               id: build
               shell: bash
               run: |
-                  bash ".github/workflows/codeql-pico/pico-build.sh" "${{inputs.pico_ws_path}}"
+                  bash ".github/workflows/codeql-pico-scripts/pico-build.sh" "Source Code/pico_ws"
 
             - name: Perform CodeQL Analysis
               uses: github/codeql-action/analyze@v3

.github/workflows/analyze-uros.yml

@@ -0,0 +1,79 @@
+#  The ROS robot project - MicroROS CodeQL analysis workflow.
+#  Copyright 2024 Samyar Sadat Akhavi
+#  Written by Samyar Sadat Akhavi, 2024.
+#
+#  This program is free software: you can redistribute it and/or modify
+#  it under the terms of the GNU General Public License as published by
+#  the Free Software Foundation, either version 3 of the License, or
+#  (at your option) any later version.
+#
+#  This program is distributed in the hope that it will be useful,
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#  GNU General Public License for more details.
+#
+#  You should have received a copy of the GNU General Public License
+#  along with this program.  If not, see <https: www.gnu.org/licenses/>.
+
+name: MicroROS CodeQL Analysis
+on: workflow_call
+
+jobs:
+    analyze_uros:
+        name: Analyze MicroROS library
+        runs-on: ubuntu-latest
+        container: samyarsadat/service_images:microros-build-action-latest
+
+        permissions:
+            security-events: write
+            contents: read
+
+        steps:
+            - name: Checkout repository
+              uses: actions/checkout@v4
+              with:
+                  submodules: recursive
+
+            - name: Copy FreeRTOS Kernel Import File
+              shell: bash
+              run: |
+                  cp "Source Code/pico_ws/libfreertos/FreeRTOS-Kernel/portable/ThirdParty/GCC/RP2040/FreeRTOS_Kernel_import.cmake" \
+                  "Source Code/pico_ws/FreeRTOS_Kernel_import.cmake"
+
+            - name: Generate Pico SDK Headers
+              uses: samyarsadat/Pico-Build-Action@v1
+              with:
+                  source_dir: "Source Code/pico_ws"
+                  output_dir: "build"
+                  cmake_config_only: "true"
+
+            # This step is required because of a bug in micro_ros_setup's firmware workspace creation script.
+            # This bug causes the script to fail if the path to the script's working directory contains spaces.
+            - name: Rename Source Code Directory
+              run: |
+                  mv "Source Code/" "source_code/"
+
+            - name: Initialize CodeQL
+              uses: github/codeql-action/init@v3
+              with:
+                  languages: c-cpp
+                  build-mode: manual
+                  queries: security-and-quality
+
+            - name: Build MicroROS Library
+              id: build
+              shell: bash
+              run: |
+                  bash ".github/workflows/codeql-pico-scripts/uros-build.sh" "source_code/pico_ws/libmicroros"
+
+            - name: Perform CodeQL Analysis
+              uses: github/codeql-action/analyze@v3
+              with:
+                  category: "/language:c-cpp"
+
+            - name: Upload MicroROS Library Artifacts
+              uses: actions/upload-artifact@v4
+              with:
+                  name: uros_library_artifacts
+                  path: ${{steps.build.outputs.library_build_dir}}
+                  if-no-files-found: error

.github/workflows/codeql-pico-scripts/pico-build.sh

@@ -0,0 +1,75 @@
+#!/bin/bash
+#  The ROS Robot Project - Raspberry Pi Pico build script for CodeQL analysis.
+#  This is a modified version of the script from the Pico Build Action.
+#  This workaround is necessary because CodeQL needs run in the same environment as the build script.
+#
+#  Copyright 2024 Samyar Sadat Akhavi
+#  Written by Samyar Sadat Akhavi, 2024.
+#
+#  This program is free software: you can redistribute it and/or modify
+#  it under the terms of the GNU General Public License as published by
+#  the Free Software Foundation, either version 3 of the License, or
+#  (at your option) any later version.
+#
+#  This program is distributed in the hope that it will be useful,
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#  GNU General Public License for more details.
+#
+#  You should have received a copy of the GNU General Public License
+#  along with this program.  If not, see <https: www.gnu.org/licenses/>.
+
+set -e
+
+# Get arguments
+SOURCE_DIR=$1
+OUTPUT_DIR="build"
+BOARD_NAME="pico"
+CMAKE_ARGS=""
+MAKEFILES_GENERATOR="Unix Makefiles"
+
+# Validate arguments
+if [ -z "$SOURCE_DIR" ]; then
+    echo "ERROR: Source directory not provided."
+    exit 1
+fi
+
+if [ -z "$OUTPUT_DIR" ]; then
+    echo "ERROR: Output directory not provided."
+    exit 1
+fi
+
+if [ -z "$BOARD_NAME" ]; then
+    BOARD_NAME="pico"
+fi
+
+if [ -z "$MAKEFILES_GENERATOR" ]; then
+    MAKEFILES_GENERATOR="Ninja"
+fi
+
+# Check if the source directory exists
+if [ ! -d "$SOURCE_DIR" ]; then
+    echo "ERROR: Source directory does not exist."
+    exit 1
+fi
+
+# Make paths absolute
+OUTPUT_DIR_RELATIVE="$SOURCE_DIR/$OUTPUT_DIR"
+SOURCE_DIR="$GITHUB_WORKSPACE/$SOURCE_DIR"
+OUTPUT_DIR="$SOURCE_DIR/$OUTPUT_DIR"
+
+# Echo arguments
+echo "Configuration:"
+echo "SOURCE_DIR=$SOURCE_DIR"
+echo "OUTPUT_DIR=$OUTPUT_DIR"
+echo "BOARD_NAME=$BOARD_NAME"
+echo "CMAKE_ARGS=$CMAKE_ARGS"
+echo "MAKEFILES_GENERATOR=$MAKEFILES_GENERATOR"
+
+# Build the project
+echo "Generating build files..."
+mkdir "$OUTPUT_DIR" && cd "$OUTPUT_DIR"
+cmake -DPICO_BOARD="$BOARD_NAME" -S "$SOURCE_DIR" -B "$OUTPUT_DIR" -G "$MAKEFILES_GENERATOR" $CMAKE_ARGS
+
+echo "Building project..."
+cd "$OUTPUT_DIR" && make -j$(nproc)