Merge develop into master (B2CA-2351) #20
Fix Pin Validation on Sign Nonce
Add mandatory GitHub actions from Ledger app boilerplate. Add clang-format from Ledger app boilerplate and apply its rules. Improve README. Ignore IDE and build artifacts from source tracking. Remove unsupported BAGL properties from Nano S implementation. Update variable names for clarity. Fix GitHub links.
Update crypto function calls. Update memory syscalls. Fix pointer references. Remove variables conflicting with SDK.
Use returned values where required. Remove unused parameters where possible. Flag unused parameters if required by function signature. Use macro to check crypto return values. Define function signature for block caching in header instead of implementation. Remove useless increments. Set sentinel boolean to indicate when hash value is set in indeterminate macro context. Remove deprecated API level check. Indicate intentional switch case fallthrough to compiler. Use helper void function to properly quit app in Nano S device. Fix discarded const qualifier in type struct.
Bump app version. Implement mandatory boilerplate values. Add flag to continue Nano S interface support now that Ledger dropped device support. Refactor app flags to avoid reusing the same variables for completely different use cases. Remove conflicting buffer size override which should be resolved by past SDK fixes. Remove values already set by standard app Makefile.
Move icons into their own directory. Rename icons to specify sizes instead of target devices. Align icon config in makefile with boilerplate. Update glyphs to use currency symbol instead of Nano Foundation logo.
Strip shared library functionality and permissions per request from Ledger devs. Remove implementation of deprecated U2F transport protocol. Fix typo in APDU variable naming and remove unused input buffer size definition. Remove exported values from makefile already present in standard app. Compiler config is now handled by Makefile.defines which is included by Makefile.standard_app. Now that the nano app is aligning with standard app boilerplate, the custom compiler config is no longer necessary. Fix coin macro to work by type using switch cases instead of make variables.
Use built-in APDU buffer size instead of custom value. Replace ifndef preprocessor directives with pragma as in boilerplate. Refactor coin config and remove variables covered by standard app. Reorganize includes.
…s (B2CA-2351) Fix confirmation UI never displaying
| name: Build application using the reusable workflow | ||
| uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_build.yml@v1 | ||
| with: | ||
| upload_app_binaries_artifact: "app_boilerplate_binaries" |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 5 months ago
To fix the issue, add an explicit permissions block to the workflow. The most robust practice is to set permissions at the workflow root so they apply to all jobs unless a specific job needs an override. The required permissions are typically minimal—contents: read is safe for builds that simply need access to the repository source, and if artifact uploads or pull requests are handled, additional permissions might be needed (e.g., pull-requests: write). For this workflow, which builds applications and uploads binaries but does not appear to create PRs directly, contents: read should suffice for a starting point. Add the following block after the workflow name (above on:):
permissions:
  contents: read
If later steps require additional permissions, these can be added.
Change to make:
In .github/workflows/build_and_functional_tests.yml, insert the above block after line 1 (following the workflow name and before the on: block).
| @@ -1,4 +1,6 @@ | ||
| name: Build and run functional tests using ragger through reusable workflow | ||
| permissions: | ||
| contents: read | ||
|
|
||
| # This workflow will build the app and then run functional tests using the Ragger framework upon Speculos emulation. | ||
| # It calls a reusable workflow developed by Ledger's internal developer team to build the application and upload the |
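Review bot: The root-level `permissions:` / `contents: read` block added directly under `name:` caps the GITHUB_TOKEN for every job in this file, including the jobs that call Ledger's reusable workflows, and a called workflow cannot be granted more than its caller allows. Please confirm that the reusable build and Ragger test workflows run correctly with read-only access to contents; if one of them needs a further scope, declare it on that specific job rather than widening the root block. The two empty rows left after `contents: read` could also be reduced to a single blank line before the comment.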
| name: Check linting using the reusable workflow | ||
| uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_lint.yml@v1 | ||
| with: | ||
| source: "./src" | ||
| extensions: "h,c" | ||
| version: 18 |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 5 months ago
To address this issue, add a permissions block to limit the privileges granted to the GITHUB_TOKEN within the workflow. The code should set the permissions block at the job level (check_linting:), as the only job present is invoking a reusable workflow and may not require any special permissions; using permissions: {} is the minimal restrictive configuration. If the workflow requires specific permissions, these can be set as required, but the secure default is to assign no permissions. Insert the block above the uses: key as per GitHub Actions syntax.
| @@ -18,6 +18,7 @@ | ||
| jobs: | ||
| check_linting: | ||
| name: Check linting using the reusable workflow | ||
| permissions: {} | ||
| uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_lint.yml@v1 | ||
| with: | ||
| source: "./src" |
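Review bot: `permissions: {}` on `check_linting` removes every token scope, including `contents: read`, yet the called `reusable_lint.yml@v1` is pointed at `source: "./src"` and so has to obtain the repository contents somehow. Please check that the lint job still passes with an empty permission set, and if the reusable workflow itself requests `contents: read`, grant exactly that here instead of `{}`. It would also help to settle on one convention across the workflows in this PR: the build-and-test workflow sets `contents: read` at the workflow root, while this one sets an empty block at job level.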
No description provided.