
Conversation

@bunnam988
Contributor

Reason for change: Enable Coverity scan using native build.
Test Procedure: All the checks should pass in GitHub
Risks: Low
Priority: P1
Signed-off-by: Balajichowday_unnam@comcast.com

@bunnam988 bunnam988 requested review from a team as code owners February 9, 2026 11:12
Copilot AI review requested due to automatic review settings February 9, 2026 11:12
Comment on lines +11 to +33
    name: Build hotspot component in github rdkcentral
    runs-on: ubuntu-latest
    container:
      image: ghcr.io/rdkcentral/docker-rdk-ci:latest

    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: native build
        run: |
          # Trust the workspace
          git config --global --add safe.directory '*'
          # Pull the latest changes for the native build system
          git submodule update --init --recursive --remote
          # Build and install dependencies
          chmod +x build_tools_workflows/cov_docker_script/setup_dependencies.sh
          ./build_tools_workflows/cov_docker_script/setup_dependencies.sh ./cov_docker_script/component_config.json
          # Build component
          chmod +x build_tools_workflows/cov_docker_script/build_native.sh
          ./build_tools_workflows/cov_docker_script/build_native.sh ./cov_docker_script/component_config.json "$(pwd)"
        env:
          GITHUB_TOKEN: ${{ secrets.RDKCM_RDKE }}

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 2 days ago

In general, the fix is to explicitly declare minimal permissions for the workflow/job so that the auto-generated GITHUB_TOKEN is restricted, rather than inheriting possibly broad default permissions from the repository or organization. For a build job that only checks out code and runs local scripts, contents: read is typically sufficient.

For this specific workflow, we should add a permissions block to the build-hotspot-on-pr job (or at the root). Since we only see this single job and it just checks out the repository and runs shell scripts, we can safely restrict the token to read-only repository contents. We will therefore insert:

permissions:
  contents: read

under the build-hotspot-on-pr job (aligned with other job keys like name and runs-on). No other functionality needs to change, and no additional imports or steps are required. The custom secret secrets.RDKCM_RDKE is unaffected by this setting.

Suggested changeset 1
.github/workflows/native-build.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/native-build.yml b/.github/workflows/native-build.yml
--- a/.github/workflows/native-build.yml
+++ b/.github/workflows/native-build.yml
@@ -10,6 +10,8 @@
   build-hotspot-on-pr:
     name: Build hotspot component in github rdkcentral
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     container:
       image: ghcr.io/rdkcentral/docker-rdk-ci:latest
 
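Review bot: the job-level `permissions: contents: read` added in this hunk limits only the workflow's auto-generated GITHUB_TOKEN, but the build step in this same job sets `GITHUB_TOKEN: ${{ secrets.RDKCM_RDKE }}` in its env, so the scripts actually run with that stored credential, whose scope was fixed when the secret was created and is not narrowed by this block. Keep the block, and also document next to the step (or in cov_docker_script/README.md) what scope RDKCM_RDKE carries and why the build needs more than read access, so the least-privilege intent is enforced rather than only declared.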
EOF

Copilot AI left a comment


Pull request overview

Enable Coverity scan support for the hotspot component by introducing a native-build configuration, dependency metadata, and a GitHub Actions workflow that builds inside the RDK CI container.

Changes:

  • Added native-build dependency configuration (component_config.json) and autotools flags (configure_options.conf) for hotspot.
  • Added documentation for the native build/Coverity setup under cov_docker_script/README.md.
  • Introduced build_tools_workflows as a git submodule and added a GitHub Actions workflow to run the native build.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 7 comments.

| File | Description |
| --- | --- |
| cov_docker_script/configure_options.conf | Defines CPPFLAGS/CFLAGS/LDFLAGS used by the native autotools build for Coverity. |
| cov_docker_script/component_config.json | Declares external dependency repos and the native build steps for hotspot. |
| cov_docker_script/README.md | Documents how to use the native build/Coverity configuration. |
| build_tools_workflows | Adds the build tools repo as a pinned submodule commit. |
| .gitmodules | Registers build_tools_workflows as a submodule tracking develop. |
| .github/workflows/native-build.yml | Adds CI job to set up dependencies and build hotspot natively in a container. |


      - name: native build
        run: |
          # Trust the workspace
          git config --global --add safe.directory '*'

Copilot AI Feb 9, 2026


Setting safe.directory to * disables Git's ownership safety checks for all paths inside the container. Restrict this to the workspace path only (e.g., $GITHUB_WORKSPACE or the repository directory) to avoid trusting unintended directories.

Suggested change
git config --global --add safe.directory '*'
git config --global --add safe.directory "$GITHUB_WORKSPACE"

          # Trust the workspace
          git config --global --add safe.directory '*'
          # Pull the latest changes for the native build system
          git submodule update --init --recursive --remote

Copilot AI Feb 9, 2026


Using --remote makes CI pull the latest submodule branch tip instead of the commit pinned in the PR, which can break reproducibility and cause unrelated CI failures. Drop --remote so the workflow uses the submodule SHA committed in this repo (or pin to an explicit ref via checkout settings).

Suggested change
git submodule update --init --recursive --remote
git submodule update --init --recursive

    name: Build hotspot component in github rdkcentral
    runs-on: ubuntu-latest
    container:
      image: ghcr.io/rdkcentral/docker-rdk-ci:latest

Copilot AI Feb 9, 2026


Using the latest container tag reduces build reproducibility because the environment can change without warning. Prefer pinning to a specific version tag or digest so Coverity/native builds remain consistent over time.

Suggested change
image: ghcr.io/rdkcentral/docker-rdk-ci:latest
image: ghcr.io/rdkcentral/docker-rdk-ci:1.0.0

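The review points above (restricting the auto-generated token, trusting only the workspace, checking out the submodule at the committed SHA instead of the branch tip, and pinning the container image) combined into one hardened job, as an added example and not the PR's own workflow. The top-level `name`/`on` trigger, the `1.0.0` tag and the `<digest>` value are assumed placeholders.

```yaml
name: native-build
on: [pull_request]   # assumed trigger, not taken from the PR

# Root-level block applies to every job in this file; for a single-job
# workflow it is equivalent to the job-level block in the autofix patch.
permissions:
  contents: read

jobs:
  build-hotspot-on-pr:
    name: Build hotspot component in github rdkcentral
    runs-on: ubuntu-latest
    container:
      # Pin to a tag plus digest instead of :latest so the build environment
      # cannot change underneath the Coverity capture (placeholder values)
      image: ghcr.io/rdkcentral/docker-rdk-ci:1.0.0@sha256:<digest>

    steps:
      - name: Checkout code
        uses: actions/checkout@v3
        with:
          # Checks out build_tools_workflows at the SHA committed in this
          # repo, replacing "git submodule update ... --remote"
          submodules: recursive

      - name: native build
        run: |
          # Trust only the checked-out workspace, not every path in the container
          git config --global --add safe.directory "$GITHUB_WORKSPACE"
          # Build and install dependencies
          chmod +x build_tools_workflows/cov_docker_script/setup_dependencies.sh
          ./build_tools_workflows/cov_docker_script/setup_dependencies.sh ./cov_docker_script/component_config.json
          # Build component
          chmod +x build_tools_workflows/cov_docker_script/build_native.sh
          ./build_tools_workflows/cov_docker_script/build_native.sh ./cov_docker_script/component_config.json "$(pwd)"
        env:
          # Stored credential: its scope is set where the secret was created,
          # so the permissions block above does not narrow what this token can do
          GITHUB_TOKEN: ${{ secrets.RDKCM_RDKE }}
```

Replace the `1.0.0@sha256:<digest>` placeholder with the tag and digest reported by the registry for the image you validated the Coverity build against.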
Comment on lines +25 to +30
Add the following to your component's `.gitignore` to exclude temporary build artifacts:

```gitignore
# Build tools (downloaded by wrapper scripts)
build_tools_workflows/


Copilot AI Feb 9, 2026


The README instructs users to add build_tools_workflows/ to .gitignore, but this PR adds build_tools_workflows as a tracked git submodule. Ignoring it will break submodule checkouts and CI parity; update this section to reflect that build_tools_workflows is a submodule (and should not be ignored).

Suggested change
Add the following to your component's `.gitignore` to exclude temporary build artifacts:
```gitignore
# Build tools (downloaded by wrapper scripts)
build_tools_workflows/
The `build_tools_workflows` directory is provided as a tracked git submodule and **must not** be added to `.gitignore`. Only temporary build artifacts should be ignored.
Add the following to your component's `.gitignore` to exclude temporary build artifacts:
```gitignore

Comment on lines +19 to +21
-DPATH_MAX=1024
-D__686__


Copilot AI Feb 9, 2026


Defining PATH_MAX manually can conflict with system headers and lead to inconsistent behavior across environments. Also, __686__ uses a reserved identifier form (double underscore) and is not a standard architecture macro; if this is intended to signal i686, consider using a non-reserved project macro name (or rely on compiler-provided arch macros) rather than defining a reserved token.

Suggested change
-DPATH_MAX=1024
-D__686__
-DI686_ARCH

Comment on lines 146 to 147
-Wl,--allow-shlib-undefined
-Wl,--unresolved-symbols=ignore-all

Copilot AI Feb 9, 2026


These linker flags explicitly tolerate unresolved symbols, which can hide real link errors and produce binaries that fail at runtime. If the goal is only to get a Coverity capture/build to complete, consider scoping these flags to Coverity-only builds (or documenting why they're required) rather than applying them unconditionally.

Suggested change
-Wl,--allow-shlib-undefined
-Wl,--unresolved-symbols=ignore-all
# NOTE: The following linker flags tolerate unresolved symbols and can hide
# real link errors. They should NOT be used for normal builds. If absolutely
# required for a Coverity-only capture/build, uncomment them locally and
# ensure this configuration is not used for production binaries.
# -Wl,--allow-shlib-undefined
# -Wl,--unresolved-symbols=ignore-all

"_version": "2.0",
"_description": "Defines dependencies and build settings for the native component",

"dependencies": {

Copilot AI Feb 9, 2026


JSON formatting/indentation is inconsistent at the top level ("dependencies" is not aligned with the surrounding keys). Consider reformatting the file (e.g., consistent 2-space indentation) to improve readability and reduce diff noise in future changes.

Suggested change
"dependencies": {
"dependencies": {
