From 0a187183fbc4f1dd08aa9b4f290fb324cd13ad55 Mon Sep 17 00:00:00 2001 From: Stephen DeRosa Date: Thu, 9 Apr 2026 12:47:53 -0600 Subject: [PATCH 1/7] GHA: license check and action pinning --- .github/workflows/builds.yml | 16 +++++++++--- .github/workflows/license_check.yml | 38 +++++++++++++++++++++++++++++ .github/workflows/pin_check.yml | 32 ++++++++++++++++++++++++ 3 files changed, 83 insertions(+), 3 deletions(-) create mode 100644 .github/workflows/license_check.yml create mode 100644 .github/workflows/pin_check.yml diff --git a/.github/workflows/builds.yml b/.github/workflows/builds.yml index 905f18a..3524f93 100644 --- a/.github/workflows/builds.yml +++ b/.github/workflows/builds.yml @@ -11,6 +11,14 @@ env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} jobs: + license-check: + name: License Check + uses: ./.github/workflows/license_check.yml + + pin-check: + name: Pin Check + uses: ./.github/workflows/pin_check.yml + build: strategy: fail-fast: false @@ -25,10 +33,12 @@ jobs: name: Build (${{ matrix.name }}) runs-on: ${{ matrix.os }} + permissions: + contents: read steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 # ---------- deps ---------- - name: Install deps (Ubuntu) @@ -68,7 +78,7 @@ jobs: - name: Setup MSVC (Windows) if: runner.os == 'Windows' - uses: ilammy/msvc-dev-cmd@v1 + uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0 with: arch: x64 @@ -159,7 +169,7 @@ jobs: # ---------- upload build output ---------- - name: Upload binary - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: basic_room-${{ matrix.name }} path: | diff --git a/.github/workflows/license_check.yml b/.github/workflows/license_check.yml new file mode 100644 index 0000000..714472f --- /dev/null +++ b/.github/workflows/license_check.yml 
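Review bot: The SHA pin on `actions/checkout` (and the other pins in this file) freezes the code but nothing in the series keeps it current, so the pins will drift from upstream fixes unless an updater is configured; if the repository has no `.github/dependabot.yml`, add one with a `github-actions` ecosystem entry so bumps arrive as reviewable PRs that preserve the `# v4.3.1` style comment. The `permissions: contents: read` added to the build job scopes the default token but does not change its exposure: the workflow-level `env` seen in the earlier hunk still exports `GITHUB_TOKEN` to every step. The build job's steps continue outside the hunk.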
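Review bot: Pinning `ilammy/msvc-dev-cmd` to a commit closes the tag-retargeting hole but does not vouch for the pinned code itself; unlike `actions/*`, this is an individually maintained action, and because the workflow-level `env` exports `GITHUB_TOKEN` its process sees that token, so the pinned commit should be reviewed once and future bumps treated as code review rather than rubber-stamped. The `with: arch: x64` block and the rest of the Windows setup continue outside the hunk.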
@@ -0,0 +1,38 @@ +# Copyright 2026 LiveKit, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +name: License Check +on: + workflow_call: {} + workflow_dispatch: {} + +jobs: + license-check: + name: License Check + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - name: Checkout + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - name: Check License Headers + shell: bash + run: | + shopt -s globstar + # ghcr.io/google/addlicense v1.2.0 + docker run --rm -v ${PWD}:/src -w /src ghcr.io/google/addlicense@sha256:5a48f41ccc8cf3fdd04499649f02a9ee5877ab6f39fd1ac18fd1db5eb1062c5a \ + -check \ + -l apache \ + -c "LiveKit, Inc." \ + **/*.{cpp,h,hpp} diff --git a/.github/workflows/pin_check.yml b/.github/workflows/pin_check.yml new file mode 100644 index 0000000..77e28bd --- /dev/null +++ b/.github/workflows/pin_check.yml 
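Review bot: `**/*.{cpp,h,hpp}` under `globstar` descends into every non-hidden directory of the checkout, so any committed third-party or generated C++ (vendored SDK headers, build output left in tree) would fail the check with a foreign or missing header; if such paths exist, exclude them with addlicense's `-ignore` patterns or enumerate the example directories explicitly. Hidden directories such as `.github` are skipped by `**`, which matches the intent of a source-only check. The image is digest-pinned, which is the right form for a container reference; keep the `# ghcr.io/google/addlicense v1.2.0` comment in step with the digest when bumping, since nothing verifies the two agree.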
@@ -0,0 +1,32 @@ +# Copyright 2026 LiveKit, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +name: Pin Check +on: + workflow_call: {} + workflow_dispatch: + +jobs: + pin-check: + name: Pin Check + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - name: Checkout + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - name: Pin Check + uses: suzuki-shunsuke/pinact-action@cf51507d80d4d6522a07348e3d58790290eaf0b6 # v2.0.0 + with: + skip_push: true From fd0baada65de2c1e670275fdb017a66badd286c0 Mon Sep 17 00:00:00 2001 From: stavied <40528896+stephen-derosa@users.noreply.github.com> Date: Thu, 9 Apr 2026 12:55:43 -0600 Subject: [PATCH 2/7] Update .github/workflows/license_check.yml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .github/workflows/license_check.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/license_check.yml b/.github/workflows/license_check.yml index 714472f..f037793 100644 --- a/.github/workflows/license_check.yml +++ b/.github/workflows/license_check.yml @@ -34,5 +34,4 @@ jobs: docker run --rm -v ${PWD}:/src -w /src ghcr.io/google/addlicense@sha256:5a48f41ccc8cf3fdd04499649f02a9ee5877ab6f39fd1ac18fd1db5eb1062c5a \ -check \ -l apache \ - -c "LiveKit, Inc." \ **/*.{cpp,h,hpp} From 264d58a5d14864379fa2bbdc37a89de79bf3669f Mon Sep 17 00:00:00 2001 
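Review bot: pinact's check confirms every `uses:` is a full commit SHA but, unless a verify mode is enabled, it does not confirm that the trailing `# vX.Y.Z` comment names the tag the SHA actually resolves to, so a stale or deliberately misleading comment would still pass; if the pinact release this action wraps exposes verification, enable it, otherwise treat those comments as unverified hints during review. `skip_push: true` is consistent with the job's `contents: read` — without it the action would need write access to commit fixes. Minor style point: `workflow_dispatch:` is left bare here while `license_check.yml` writes `workflow_dispatch: {}`; use one form in both files.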
From: stavied <40528896+stephen-derosa@users.noreply.github.com> Date: Thu, 9 Apr 2026 12:55:50 -0600 Subject: [PATCH 3/7] Potential fix for pull request finding 'CodeQL / Workflow does not contain permissions' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- .github/workflows/builds.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/builds.yml b/.github/workflows/builds.yml index 3524f93..ba96a55 100644 --- a/.github/workflows/builds.yml +++ b/.github/workflows/builds.yml @@ -7,6 +7,9 @@ on: branches: ["main"] workflow_dispatch: +permissions: + contents: read + env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 14bf7f621fb940a2bd4d0bfe376ab437c6a13d14 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 9 Apr 2026 18:57:09 +0000 Subject: [PATCH 4/7] GHA: add explicit permissions to license-check and pin-check jobs Agent-Logs-Url: https://github.com/livekit-examples/cpp-example-collection/sessions/bf6c5bcf-16e7-41e2-8c68-51a4ddddf58b Co-authored-by: stephen-derosa <40528896+stephen-derosa@users.noreply.github.com> --- .github/workflows/builds.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/builds.yml b/.github/workflows/builds.yml index ba96a55..1967ef5 100644 --- a/.github/workflows/builds.yml +++ b/.github/workflows/builds.yml @@ -17,10 +17,14 @@ jobs: license-check: name: License Check uses: ./.github/workflows/license_check.yml + permissions: + contents: read pin-check: name: Pin Check uses: ./.github/workflows/pin_check.yml + permissions: + contents: read build: strategy: From b8057a2298356f54b8c7dd236fd6fc72f658f2b0 Mon Sep 17 00:00:00 2001 
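Review bot: The workflow-level `permissions: contents: read` correctly makes the default token read-only, but the `env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` directly below it still exports that token into every step of every job, including third-party actions that have no need for it; least privilege would move the `env:` entry under the specific step(s) that call the GitHub API (presumably a download step outside this hunk — confirm) and drop it from the workflow scope. With this workflow-level default in place, the job-level `contents: read` entries added elsewhere in the series are redundant but harmless.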
From: Stephen DeRosa Date: Thu, 9 Apr 2026 13:18:07 -0600 Subject: [PATCH 5/7] license dep and copyright --- .github/workflows/license_check.yml | 2 +- simple_data_stream/main.cpp | 16 ++++++++++++++++ 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/.github/workflows/license_check.yml b/.github/workflows/license_check.yml index f037793..0353b6d 100644 --- a/.github/workflows/license_check.yml +++ b/.github/workflows/license_check.yml @@ -29,7 +29,7 @@ jobs: - name: Check License Headers shell: bash run: | - shopt -s globstar + shopt -s globstar nullglob # ghcr.io/google/addlicense v1.2.0 docker run --rm -v ${PWD}:/src -w /src ghcr.io/google/addlicense@sha256:5a48f41ccc8cf3fdd04499649f02a9ee5877ab6f39fd1ac18fd1db5eb1062c5a \ -check \ diff --git a/simple_data_stream/main.cpp b/simple_data_stream/main.cpp index f8144b7..917f0ac 100644 --- a/simple_data_stream/main.cpp +++ b/simple_data_stream/main.cpp @@ -1,3 +1,19 @@ +/* + * Copyright 2026 LiveKit, Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + #include #include #include From 9d8f1f14504441d47ef0be58e46b27e15ce76571 Mon Sep 17 00:00:00 2001 From: stavied <40528896+stephen-derosa@users.noreply.github.com> Date: Thu, 9 Apr 2026 13:36:39 -0600 Subject: [PATCH 6/7] Update .github/workflows/builds.yml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .github/workflows/builds.yml | 3 +++ 1 file changed, 3 insertions(+) 
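Review bot: `nullglob` fixes the literal-pattern problem but introduces the opposite edge: if no `.cpp`/`.h`/`.hpp` file matches, addlicense is invoked with no paths, which (if it follows its usual zero-argument behavior) fails with a usage message rather than a clear "nothing to check", and if it instead exits 0 the step would pass without checking anything. Collect the matches into an array and fail loudly when it is empty, then pass the array to the container; the rewritten `run:` block is below.

```yaml
      run: |
        shopt -s globstar nullglob
        files=(**/*.{cpp,h,hpp})
        if (( ${#files[@]} == 0 )); then
          echo "license check: no C/C++ sources matched" >&2
          exit 1
        fi
        # ghcr.io/google/addlicense v1.2.0
        docker run --rm -v "${PWD}:/src" -w /src ghcr.io/google/addlicense@sha256:5a48f41ccc8cf3fdd04499649f02a9ee5877ab6f39fd1ac18fd1db5eb1062c5a \
          -check \
          -l apache \
          "${files[@]}"
```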
diff --git a/.github/workflows/builds.yml b/.github/workflows/builds.yml index 1967ef5..300b774 100644 --- a/.github/workflows/builds.yml +++ b/.github/workflows/builds.yml @@ -27,6 +27,9 @@ jobs: contents: read build: + needs: + - license-check + - pin-check strategy: fail-fast: false matrix: From 77b67f23a6460cc129123dcfedeaa2bc8b00d00e Mon Sep 17 00:00:00 2001 From: stavied <40528896+stephen-derosa@users.noreply.github.com> Date: Thu, 9 Apr 2026 13:37:00 -0600 Subject: [PATCH 7/7] Update .github/workflows/license_check.yml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .github/workflows/license_check.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/license_check.yml b/.github/workflows/license_check.yml index 0353b6d..65f53ba 100644 --- a/.github/workflows/license_check.yml +++ b/.github/workflows/license_check.yml @@ -31,7 +31,7 @@ jobs: run: | shopt -s globstar nullglob # ghcr.io/google/addlicense v1.2.0 - docker run --rm -v ${PWD}:/src -w /src ghcr.io/google/addlicense@sha256:5a48f41ccc8cf3fdd04499649f02a9ee5877ab6f39fd1ac18fd1db5eb1062c5a \ + docker run --rm -v "${PWD}:/src" -w /src ghcr.io/google/addlicense@sha256:5a48f41ccc8cf3fdd04499649f02a9ee5877ab6f39fd1ac18fd1db5eb1062c5a \ -check \ -l apache \ **/*.{cpp,h,hpp}
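Review bot: Quoting `${PWD}` is correct, but the bind mount is still read-write and the container keeps network access even though `-check` only reads files; mount the workspace read-only and drop networking so a compromised or misbehaving image cannot alter the checkout or exfiltrate it, e.g. `docker run --rm --network none -v "${PWD}:/src:ro" -w /src ghcr.io/google/addlicense@sha256:5a48f41ccc8cf3fdd04499649f02a9ee5877ab6f39fd1ac18fd1db5eb1062c5a \`. If addlicense turns out to need the network for anything in check mode (it should not — confirm on first run), keep `:ro` and drop only `--network none`.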