Yocto layer compliance: SECURITY, compliance doc, CI yocto-check-layer#270
Yocto layer compliance: SECURITY, compliance doc, CI yocto-check-layer#270
Conversation
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
| pull_request: | ||
| branches: | ||
| - master | ||
| - feature/yocto-layer-compliance |
There was a problem hiding this comment.
PR branch filter breaks CI for release branches
High Severity
Adding a branches filter to the pull_request trigger restricts CI to only PRs targeting master and feature/yocto-layer-compliance. Previously, with no branches filter, PRs targeting any branch would trigger CI. The README documents active branches (walnascar, styhead, scarthgap, kirkstone) that will no longer receive CI on pull requests. The branches key was likely meant only for push, not pull_request.
| if: github.ref == 'refs/heads/feature/yocto-layer-compliance' || github.head_ref == 'feature/yocto-layer-compliance' | ||
| run: | | ||
| . ./${BRANCH}/poky/oe-init-build-env ${BRANCH}/build | ||
| yocto-check-layer --dependency $GITHUB_WORKSPACE/${BRANCH}/poky/meta --dependency $GITHUB_WORKSPACE/${BRANCH}/meta-openembedded/meta-oe -- $GITHUB_WORKSPACE/${BRANCH}/meta-mono |
There was a problem hiding this comment.
Compliance check failure blocks all subsequent CI steps
Medium Severity
The yocto-check-layer step lacks continue-on-error: true, so when it fails — which is expected given the compliance doc's many unchecked items — all subsequent steps (build, CVE check, testing, artifact upload) are skipped due to GitHub Actions' default if: success() behavior. This defeats the iterative workflow described in the PR, where CI is meant to report failures while still building and testing.
| echo "BB_NUMBER_THREADS ?= \"\${@oe.utils.cpu_count()}\"" >> conf/local.conf | ||
| echo "PARALLEL_MAKE ?= \"-j \${@oe.utils.cpu_count()} -l \${@oe.utils.cpu_count()*2}\"" >> conf/local.conf | ||
| - name: Yocto layer compliance check | ||
| if: github.ref == 'refs/heads/feature/yocto-layer-compliance' || github.head_ref == 'feature/yocto-layer-compliance' |
There was a problem hiding this comment.
Compliance check skipped for PRs targeting feature branch
Low Severity
The pull_request.branches filter explicitly includes feature/yocto-layer-compliance to trigger CI for PRs targeting that branch. However, the if condition on the compliance check step only tests github.ref (push events) and github.head_ref (PR source branch). For a PR from another branch to the feature branch, github.head_ref is the contributor's branch — not the feature branch — so the condition is false and the yocto-check-layer step is silently skipped. Adding a check for github.base_ref == 'feature/yocto-layer-compliance' would close this gap.
Additional Locations (1)
| break | ||
| fi | ||
| done | ||
| fi |
There was a problem hiding this comment.
Missing libhostfxr.so symlink silently succeeds at build time
Medium Severity
The fallback logic for the libhostfxr.so symlink silently succeeds if no fxr directory contains the library. Previously, the unconditional ln -rs command would fail the do_install task immediately when the source file was missing (BitBake shell tasks use set -e). Now, if DOTNET_RUNTIME_VERSION doesn't match AND the for loop finds no libhostfxr.so in any fxr directory, the if/for/done block exits with status 0 and the task completes without creating the symlink — resulting in a broken package that only fails at runtime.
.github/workflows/CI_github.yml
Outdated
| - name: Clean stale dotnet sstate | ||
| run: | | ||
| . ./${BRANCH}/poky/oe-init-build-env ${BRANCH}/build | ||
| bitbake -c cleansstate dotnet dotnet-native |
There was a problem hiding this comment.
Unconditional cleansstate forces full dotnet rebuild every CI run
Medium Severity
The Clean stale dotnet sstate step runs on every CI build with no if: condition, unlike the yocto-check-layer step which is gated to the feature branch. Once merged to master, every CI run across all matrix combinations will unconditionally wipe and fully rebuild dotnet and dotnet-native from scratch, adding potentially hours of build time per run on the self-hosted runner. The TODO to remove it has no automated guard.
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.
.github/workflows/CI_github.yml
Outdated
| - name: Clean stale sstate | ||
| run: | | ||
| . ./${BRANCH}/poky/oe-init-build-env ${BRANCH}/build | ||
| bitbake -c cleansstate dotnet dotnet-native python3-clr-loader python3-clr-loader-native dotnet-helloworld |
There was a problem hiding this comment.
Stale-sstate cleanup step runs unconditionally on all builds
Medium Severity
The "Clean stale sstate" step runs bitbake -c cleansstate on five recipes for every CI build across all branches and matrix combinations, with no if: guard. Unlike the yocto-check-layer step (which correctly uses an if: conditional), this temporary workaround will cause every future build—including on master after merge—to discard cached state and rebuild these recipes from scratch, wasting significant CI time on a runner with a 960-minute timeout.
- SECURITY.md: security vulnerability reporting policy (YP Compatible registration item 4) - docs/YOCTO_LAYER_COMPLIANCE.md: working checklist tracking all YP Compatible registration requirements, yocto-check-layer test status, and full INSANE_SKIP/QA inventory - .markdownlint.yaml + .pre-commit-config.yaml: optional local linting via pre-commit (not enforced in CI) - README.md: clarify that only OE-Core (meta) is a mandated dependency, meta-oe is optional; note branch matching; add pre-commit install hint Co-authored-by: Cursor <cursoragent@cursor.com>
Three related fixes for dotnet recipe builds in CI environments: 1. dotnet.inc: install ALL host/fxr versions from the SDK tarball instead of only DOTNET_RUNTIME_VERSION. Microsoft ships updated muxer binaries in serviced SDK releases (e.g. SDK 6.0.428 bundles a 10.0.0 muxer) so only copying one version breaks the muxer's fxr lookup. The libhostfxr.so symlink now falls back to any available version if DOTNET_RUNTIME_VERSION is not present. 2. dotnet.inc: for native builds, replace the dotnet symlink with a wrapper script that ensures HOME is always writable. .NET SDK 6 NuGet MigrationRunner.Run() unconditionally writes to $HOME/.local/share/NuGet/Migrations before checking DOTNET_SKIP_FIRST_TIME_EXPERIENCE. The wrapper redirects HOME to a temp directory, fixing all consumer recipes automatically. 3. python3-clr-loader.bb, dotnet-helloworld_1.0.bb: add per-recipe HOME/DOTNET_CLI_HOME/NuGet exports as defence-in-depth alongside the wrapper. Co-authored-by: Cursor <cursoragent@cursor.com>
- Exclude styhead + arm matrix entry (ARM32 GCC build broken, see README and discussions/234) - Add yocto-check-layer compliance check step (runs on feature/yocto-layer-compliance branch) - Add temporary cleansstate step to flush stale dotnet sstate and recipe-sysroot-native from prior broken builds; remove once all matrix jobs have rebuilt successfully - Add feature/yocto-layer-compliance to push/PR branch triggers Co-authored-by: Cursor <cursoragent@cursor.com>
ajlennon
force-pushed
the
feature/yocto-layer-compliance
branch
from
6c382c5 to
f49a4ec
Compare
1 participant
Summary
Work towards Yocto Project Compatible layer status.
Changes
yocto-check-layertests.yocto-check-layerwhen building onfeature/yocto-layer-compliance(push and PRs). CI is triggered for this branch and for PRs targeting it.Next steps (from compliance doc)
Upstream-Status:where missing/wrong case.yocto-check-layerfailures reported by CI.Made with Cursor
Note
Medium Risk
Touches CI and core
.NETpackaging/bootstrapping behavior (hostfxrinstall + nativedotnetwrapper), which can break downstream recipes if paths or environment assumptions change, though changes are narrowly scoped to build reliability/compliance.Overview
Improves Yocto Project compatibility/compliance by adding
SECURITY.md, a detaileddocs/YOCTO_LAYER_COMPLIANCE.mdchecklist, and tightening README dependency guidance (OE-Core required; meta-oe optional) plus optional localpre-commitMarkdown/YAML linting config.Updates GitHub Actions CI to run on the
feature/yocto-layer-compliancebranch, skipstyhead/ARM32, add a conditionalyocto-check-layerrun, and temporarily cleans stalesstatefordotnetand its consumers.Hardens
.NETbuilds in Yocto by installing allhost/fxrversions from the SDK tarball (with a fallbacklibhostfxr.sosymlink strategy) and by forcing a writableHOME/NuGet cache fordotnet-invoking recipes (via exports indotnet-helloworldandpython3-clr-loader, plus adotnetnative wrapper indotnet.inc).Written by Cursor Bugbot for commit f49a4ec. This will update automatically on new commits. Configure here.