
clippy: integrated clippy using rules_lint#74

Merged
PandaeDo merged 2 commits into main from dcalavrezo_clippy_lint
Feb 5, 2026
Conversation

@dcalavrezo-qorix
Contributor

added new workflow, integrated clippy using rules_lint

Notes for Reviewer

Pre-Review Checklist for the PR Author

  • PR title is short, expressive and meaningful
  • Commits are properly organized
  • Relevant issues are linked in the References section
  • Tests are conducted
  • Unit tests are added

Checklist for the PR Reviewer

  • Commits are properly organized and messages are according to the guideline
  • Unit tests have been written for new behavior
  • Public API is documented
  • PR title describes the changes

Post-review Checklist for the PR Author

  • All open points are addressed and tracked via issues

References

Closes #

added new workflow, integrated clippy using rules_lint

Signed-off-by: Dan Calavrezo <195309321+dcalavrezo-qorix@users.noreply.github.com>
Comment on lines +25 to +28
uses: eclipse-score/cicd-workflows/.github/workflows/static-analysis.yml@main
with:
  bazel-targets: "//src/..."
  bazel-config: "lint"

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 13 days ago

To fix the problem, the workflow must declare an explicit permissions block, either at the workflow root (recommended here) or on the bazel-clippy job. Since this workflow only triggers static analysis through a reusable workflow and does not appear to need any write operations, we can set the GITHUB_TOKEN to read-only for repository contents. A minimal safe baseline is permissions: contents: read, which aligns with GitHub’s recommended least-privilege configuration for read-only workflows.

The best fix without changing functionality is to add a top-level permissions block right after the on: section (or directly after name:), applying to all jobs that do not override it. This will limit GITHUB_TOKEN to read-only on repository contents while still allowing the reusable workflow to run its analysis. No additional imports or methods are needed; only the YAML in .github/workflows/clippy.yml is changed.

Concretely: in .github/workflows/clippy.yml, insert a new top-level block:

permissions:
  contents: read

between the on: section (lines 15–22) and the jobs: section (line 24). This is sufficient to address the CodeQL finding.

Suggested changeset 1
.github/workflows/clippy.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/clippy.yml b/.github/workflows/clippy.yml
--- a/.github/workflows/clippy.yml
+++ b/.github/workflows/clippy.yml
@@ -21,6 +21,9 @@
   merge_group:
     types: [checks_requested]
 
+permissions:
+  contents: read
+
 jobs:
   bazel-clippy:
     uses: eclipse-score/cicd-workflows/.github/workflows/static-analysis.yml@main
EOF
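Review bot: the context line `uses: eclipse-score/cicd-workflows/.github/workflows/static-analysis.yml@main` pulls the reusable workflow from the mutable `main` branch, so every run executes whatever that branch holds at that moment; pin the callee to a full commit SHA and bump it deliberately instead of tracking the branch. On the added `permissions:` block itself: it is also the ceiling for the called workflow, since a reusable workflow can only narrow the caller's GITHUB_TOKEN permissions and never widen them, so confirm that static-analysis.yml needs nothing beyond `contents: read` (for example no `checks: write` or `pull-requests: write` to post its results) before merging, otherwise those calls start failing once this block lands.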
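The autofix above covers one of the two things a reviewer checks on a caller workflow like this one: that GITHUB_TOKEN is scoped down, and that the reusable workflow it calls is pinned to an immutable commit rather than a branch. The checker below is an added example written for this page, not code from the PR, from eclipse-score or from CodeQL. It scans workflow YAML line by line with no PyYAML dependency and reports a missing top-level permissions block, a write-all grant, and any uses: reference whose @ref is not a 40-hex commit SHA. The two embedded workflows are constructed to mirror the snippet in this PR; the workflow name and the 40-hex pin in the hardened copy are placeholders, not values from the repository.

```python
"""Added example (not from the PR or eclipse-score): a dependency-free audit of
GitHub Actions workflow files for the two findings a reviewer checks on a
caller workflow, missing GITHUB_TOKEN scoping and mutable `uses:` refs."""
import re
from typing import List

# A full 40-hex commit SHA is the only immutable way to reference an action or
# reusable workflow; tags and branches can be moved after review.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# `uses:` as a job key (reusable workflow call) or as a step entry (`- uses:`).
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
# Column-0 `permissions:` is the workflow-level block the CodeQL finding asks for.
TOP_PERMS_RE = re.compile(r"^permissions:\s*(.*)$")


def audit_workflow(text: str) -> List[str]:
    """Return human-readable findings for one workflow file; [] means clean.

    Policy (this checker's own, stricter than CodeQL, which also accepts
    job-level blocks): every workflow must carry a top-level `permissions:`
    that is not `write-all`, and every external `uses:` must be SHA-pinned.
    """
    findings: List[str] = []
    has_top_perms = False
    for n, line in enumerate(text.splitlines(), 1):
        m = TOP_PERMS_RE.match(line)
        if m:
            has_top_perms = True
            if m.group(1).strip() == "write-all":
                findings.append(f"line {n}: top-level permissions is write-all")
            continue
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        # Local actions and docker images are out of scope for SHA pinning.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        target, at, version = ref.rpartition("@")
        if not at:
            findings.append(f"line {n}: uses without a ref: {ref}")
        elif not SHA_RE.match(version):
            findings.append(
                f"line {n}: {target} pinned to mutable ref '{version}', "
                "not a commit SHA"
            )
    if not has_top_perms:
        findings.append(
            "no top-level permissions block; GITHUB_TOKEN gets the repository default"
        )
    return findings


# Constructed input mirroring the caller workflow in this PR before the autofix
# (the workflow name is a placeholder; the real file's name: value is not shown).
UNPINNED_WORKFLOW = """\
name: clippy
on:
  pull_request:
  merge_group:
    types: [checks_requested]

jobs:
  bazel-clippy:
    uses: eclipse-score/cicd-workflows/.github/workflows/static-analysis.yml@main
    with:
      bazel-targets: "//src/..."
      bazel-config: "lint"
"""

# The same workflow with the autofix applied and the reusable workflow pinned to
# a placeholder SHA (not a real eclipse-score commit).
HARDENED_WORKFLOW = """\
name: clippy
on:
  pull_request:
  merge_group:
    types: [checks_requested]

permissions:
  contents: read

jobs:
  bazel-clippy:
    uses: eclipse-score/cicd-workflows/.github/workflows/static-analysis.yml@0123456789abcdef0123456789abcdef01234567
    with:
      bazel-targets: "//src/..."
      bazel-config: "lint"
"""

if __name__ == "__main__":
    for name, wf in (("unpinned", UNPINNED_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, audit_workflow(wf) or ["clean"])
```

Run it over `.github/workflows/*.yml` in a pre-commit hook or a CI job and fail on a non-empty result; the SHA policy is deliberately stricter than what CodeQL flags, because a tag like `v4` or a branch like `main` can be retargeted after the review that approved it.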
@github-actions

github-actions bot commented Feb 4, 2026

License Check Results

🚀 The license check job ran with the Bazel command:

bazel run //:license-check

Status: ⚠️ Needs Review

[License Check Output]
Extracting Bazel installation...
Starting local Bazel server (8.3.0) and connecting to it...
INFO: Invocation ID: c07132e5-7c8c-463e-9c84-5fdaff073f2f
DEBUG: Rule 'rust_qnx8_toolchain+' indicated that a canonical reproducible form can be obtained by modifying arguments integrity = "sha256-eQOopREOYCL5vtTb6c1cwZrql4GVrJ1FqgxarQRe1xs="
DEBUG: Repository rust_qnx8_toolchain+ instantiated at:
  <builtin>: in <toplevel>
Repository rule http_archive defined at:
  /home/runner/.bazel/external/bazel_tools/tools/build_defs/repo/http.bzl:394:31: in <toplevel>
WARNING: For repository 'bazel_skylib', the root module requires module version bazel_skylib@1.7.1, but got bazel_skylib@1.8.2 in the resolved dependency graph. Please update the version in your MODULE.bazel or set --check_direct_dependencies=off
WARNING: For repository 'rules_rust', the root module requires module version rules_rust@0.61.0, but got rules_rust@0.67.0 in the resolved dependency graph. Please update the version in your MODULE.bazel or set --check_direct_dependencies=off
WARNING: For repository 'rules_cc', the root module requires module version rules_cc@0.1.1, but got rules_cc@0.2.14 in the resolved dependency graph. Please update the version in your MODULE.bazel or set --check_direct_dependencies=off
WARNING: For repository 'buildifier_prebuilt', the root module requires module version buildifier_prebuilt@7.3.1, but got buildifier_prebuilt@8.2.0.2 in the resolved dependency graph. Please update the version in your MODULE.bazel or set --check_direct_dependencies=off
WARNING: For repository 'googletest', the root module requires module version googletest@1.14.0, but got googletest@1.14.0.bcr.1 in the resolved dependency graph. Please update the version in your MODULE.bazel or set --check_direct_dependencies=off
WARNING: For repository 'score_crates', the root module requires module version score_crates@0.0.5, but got score_crates@0.0.6 in the resolved dependency graph. Please update the version in your MODULE.bazel or set --check_direct_dependencies=off
Loading: 0 packages loaded
Analyzing: target //:license-check (191 packages loaded, 13823 targets configured)
[10 / 14] JavaToolchainCompileClasses external/rules_java+/toolchains/platformclasspath_classes; 1s disk-cache, processwrapper-sandbox ... (2 actions running)
INFO: From Generating Dash formatted dependency file ...:
INFO: Successfully converted 141 packages from Cargo.lock to bazel-out/k8-fastbuild/bin/formatted.txt
[12 / 14] JavaToolchainCompileBootClasspath external/rules_java+/toolchains/platformclasspath.jar; 0s disk-cache, processwrapper-sandbox
[13 / 14] Building license.check.license_check.jar (); 0s disk-cache, multiplex-worker
[14 / 14] no actions running
INFO: Analyzed target //:license-check (194 packages loaded, 13928 targets configured).
INFO: Found 1 target...
Target //:license.check.license_check up-to-date:
  bazel-bin/license.check.license_check
  bazel-bin/license.check.license_check.jar
INFO: Elapsed time: 54.995s, Critical Path: 4.51s
INFO: 14 processes: 9 internal, 4 processwrapper-sandbox, 1 worker.
INFO: Build completed successfully, 14 total actions
INFO: Running command line: bazel-bin/license.check.license_check ./formatted.txt <args omitted>
usage: org.eclipse.dash.licenses.cli.Main [-batch <int>] [-cd <url>]
       [-confidence <int>] [-ef <url>] [-excludeSources <sources>] [-help] [-lic
       <url>] [-project <shortname>] [-repo <url>] [-review] [-summary <file>]
       [-timeout <seconds>] [-token <token>]

@github-actions

github-actions bot commented Feb 4, 2026

The created documentation from the pull request is available at: docu-html

fixed cr issue

Signed-off-by: Dan Calavrezo <195309321+dcalavrezo-qorix@users.noreply.github.com>
Contributor

@PandaeDo PandaeDo left a comment


LGTM

@PandaeDo PandaeDo merged commit 5eab4e5 into main Feb 5, 2026
18 checks passed
@PandaeDo PandaeDo deleted the dcalavrezo_clippy_lint branch February 5, 2026 07:57