Merged
6 changes: 5 additions & 1 deletion .github/workflows/ci.yml
Expand Up @@ -16,4 +16,8 @@
uses: ./.github/workflows/build_examples.yml
license-check:
name: License Check
uses: ./.github/workflows/license_check.yml
uses: ./.github/workflows/license_check.yml
registry-check:
name: Registry Check
uses: ./.github/workflows/esp_registry.yml
with: { dry_run: true }
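Review bot: The new registry-check job (lines +21 to +23) passes only `with: { dry_run: true }` to esp_registry.yml and no `secrets:` entry, yet that reusable workflow reads `${{ secrets.ESP_REGISTRY_TOKEN }}`; a called workflow only receives the secrets its caller lists under `secrets:` or forwards with `secrets: inherit`, so this dry run executes with an empty token. Add `secrets: inherit` to this job (and have esp_registry.yml declare the secret under `workflow_call`, so a caller that omits it fails at validation rather than at upload). The CodeQL alert on this hunk is a separate point: ci.yml declares no `permissions:` block, so every job here, including the three called workflows, runs with the repository's default GITHUB_TOKEN permissions.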
Comment on lines +21 to +23

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 25 days ago

To make the workflow more secure and comply with best practices, add a permissions block to the workflow. Since the ci.yml file mainly calls reusable workflows (via uses:), it's best to set minimal permissions at the workflow level unless specific jobs require more. For CI tasks that do not push or modify repository content, permissions: contents: read is typically sufficient. Place the block near the top of the workflow file (commonly below the name: declaration), and before the on: key. This fix does not change existing functionality and only enhances security posture.


Suggested changeset 1
.github/workflows/ci.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,4 +1,6 @@
 name: CI
+permissions:
+  contents: read
 on:
   schedule:
     - cron: 0 0 * * 1
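Review bot: A top-level `permissions: contents: read` in ci.yml is also the ceiling for the called workflows, since a reusable workflow can only narrow the GITHUB_TOKEN permissions it receives from its caller, never widen them; the claim above that this "does not change existing functionality" therefore holds only if build_examples.yml, license_check.yml and esp_registry.yml need nothing beyond `contents: read`. The esp_registry job shown elsewhere in this PR qualifies (it authenticates to the registry with `api_token`, not GITHUB_TOKEN), but the other two workflows are not visible here, so check their job-level `permissions:` before applying this patch.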
EOF
Copilot is powered by AI and may make mistakes. Always verify output.
16 changes: 9 additions & 7 deletions .github/workflows/docs.yml
@@ -1,11 +1,11 @@
name: Build Documentation
on:
workflow_dispatch:
push:
branches: [main]
concurrency:
group: "docs"
cancel-in-progress: true
workflow_call:
inputs:
deploy:
type: boolean
description: Deploy to GitHub Pages
default: false
jobs:
build-docs:
name: Build Documentation
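Review bot: This hunk removes the `concurrency: group: "docs"` / `cancel-in-progress: true` stanza together with the `push` trigger, and the new caller in release.yml (`push: branches: [main]`) defines no concurrency group of its own, so two merges to main in quick succession can now run two documentation deployments against the same Pages site at once. Put a `concurrency` group on the `deploy-docs` caller job in release.yml (or at the top level of that file) so deployments are serialized again.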
Expand All @@ -21,11 +21,13 @@ jobs:
- name: Configure Pages
uses: actions/configure-pages@v5
- name: Upload Generated Docs
if: ${{ inputs.deploy }}
uses: actions/upload-pages-artifact@v3
with: { path: docs/output/html }
deploy:
deploy-docs:
name: Deploy Documentation
needs: build-docs
if: ${{ inputs.deploy }}
permissions:
pages: write
id-token: write
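Review bot: Both `if: ${{ inputs.deploy }}` conditions (the upload step and the renamed deploy-docs job) read the `workflow_call` input; this workflow still accepts `workflow_dispatch`, and on such a run `inputs.deploy` is unset and evaluates to false, so a manual run builds the docs but never uploads or deploys them. If manual deploys are wanted, declare the same `deploy` boolean under `workflow_dispatch.inputs`; if not, the trigger can go. Separately, `actions/configure-pages@v5` and `actions/upload-pages-artifact@v3` are referenced by mutable major tags on the path that feeds a job holding `pages: write` and `id-token: write`; pinning them to full commit SHAs is the safer supply-chain choice.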
35 changes: 35 additions & 0 deletions .github/workflows/esp_registry.yml
@@ -0,0 +1,35 @@
name: ESP Registry
on:
workflow_call:
inputs:
dry_run:
type: boolean
description: Do not actually upload the components
default: true
jobs:
esp_registry:
name: Upload Components
runs-on: ubuntu-latest
env:
COMPONENTS: |
nanopb:./components/third_party/nanopb
khash:./components/third_party/khash
steps:
- uses: actions/checkout@v4
with: { submodules: recursive }
- name: Upload Components (Dry Run)
uses: espressif/upload-components-ci-action@v2
if: ${{ inputs.dry_run }}
with:
components: ${{ env.COMPONENTS }}
namespace: livekit
api_token: ${{ secrets.ESP_REGISTRY_TOKEN }}
dry_run: true
- name: Upload Components
uses: espressif/upload-components-ci-action@v2
if: ${{ !inputs.dry_run }}
with:
components: ${{ env.COMPONENTS }}
namespace: livekit
api_token: ${{ secrets.ESP_REGISTRY_TOKEN }}
dry_run: false
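Review bot: The `workflow_call` trigger declares an input but no `secrets:` section, while both steps use `${{ secrets.ESP_REGISTRY_TOKEN }}`; a reusable workflow only sees the secrets its caller passes explicitly or via `secrets: inherit`, and neither caller in this PR does either, so `api_token` will be empty at runtime. Declare it under `workflow_call`, for example
secrets:
  ESP_REGISTRY_TOKEN:
    required: true
so that a caller which forgets to pass it fails at workflow validation rather than at upload time. The two steps also differ only in their `if:` and the literal `dry_run` value; a single step with `dry_run: ${{ inputs.dry_run }}` removes the duplicated `with:` block and the risk of the two copies drifting apart. Finally, `espressif/upload-components-ci-action@v2` is the step that receives the registry token and is pinned only by a floating major tag; pin it to a commit SHA.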
Comment on lines +11 to +35

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 25 days ago

To fix this issue, you should explicitly specify a permissions block within the affected job (or at the workflow root if desired). In this workflow, the esp_registry job appears to only need read access to contents for actions/checkout@v4 and uses a third-party action with a provided token for uploading components. Unless the upload action requires additional write permissions (which is uncommon, as it uses a secret), the minimal permissions should be contents: read. This should be added under the job's definition, for esp_registry. The fix is to insert:

permissions:
  contents: read

directly below line 11, so the job block starts with its name, then permissions, then runs-on, etc. No other code needs to change.

Suggested changeset 1
.github/workflows/esp_registry.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/esp_registry.yml b/.github/workflows/esp_registry.yml
--- a/.github/workflows/esp_registry.yml
+++ b/.github/workflows/esp_registry.yml
@@ -9,6 +9,8 @@
 jobs:
   esp_registry:
     name: Upload Components
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     env:
       COMPONENTS: |
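Review bot: Job-level `contents: read` is the right scope here: the job's only use of GITHUB_TOKEN is `actions/checkout@v4`, and the upload authenticates with `api_token` from a repository secret rather than with the workflow token. Note that a job-level block inside a called workflow can only narrow what the caller grants, so this patch does not remove the need for a `permissions:` block in the calling workflows that the other alerts flag.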
EOF
14 changes: 14 additions & 0 deletions .github/workflows/release.yml
@@ -0,0 +1,14 @@
name: Release
on:
workflow_dispatch:
push:
branches: [main]
jobs:
registry-upload:
name: Registry Upload
uses: ./.github/workflows/esp_registry.yml
with: { dry_run: false }
deploy-docs:
Comment on lines +8 to +11

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 25 days ago

To address the issue, add an explicit permissions: block at the workflow (top) level to ensure the GITHUB_TOKEN only receives the least privilege necessary. Since the jobs are uses-calls to reusable workflows (which may themselves require certain permissions), the most broadly safe minimal permission is contents: read. However, if documentation deployment or registry upload requires writing to the repository (for releases or PRs), you might need to extend permissions (e.g., contents: write). As a starting point—and as per best practices and recommendation—add:

permissions:
  contents: read

above the jobs: block, ideally after the on: block (line 6). This declares globally that all jobs—unless individually overridden—will have only read permission for repository contents. Reusable workflows can request higher permissions if they need them.

Suggested changeset 1
.github/workflows/release.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3,6 +3,8 @@
   workflow_dispatch:
   push:
     branches: [main]
+permissions:
+  contents: read
 jobs:
   registry-upload:
     name: Registry Upload
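Review bot: Applying this patch as written will break the documentation deployment: a top-level `permissions: contents: read` in the caller becomes the ceiling for every called workflow, and docs.yml's `deploy-docs` job requests `pages: write` and `id-token: write`, which a called workflow cannot obtain unless the caller grants them (the statement above that reusable workflows "can request higher permissions if they need them" is the reverse of how GITHUB_TOKEN inheritance works). Keep `contents: read` at the top level, but override it on the `deploy-docs` caller job in release.yml with
permissions:
  pages: write
  id-token: write
so that only that job carries the Pages scopes.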
EOF
name: Deploy Documentation
uses: ./.github/workflows/docs.yml
with: { deploy: true }
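Review bot: `registry-upload` calls esp_registry.yml with `dry_run: false` but, like the CI caller, passes no `secrets:`, so the live upload would run with an empty `ESP_REGISTRY_TOKEN`; add `secrets: inherit` to this job. The trigger set also deserves a second look: `push: branches: [main]` combined with `dry_run: false` means every merge to main attempts a real publish of both components to the `livekit` registry namespace, with no check that `version:` in the component manifests changed and no concurrency group to serialize overlapping runs. Gating the upload on a tag or release event, or on a manifest version bump, keeps routine merges from touching the registry. The missing `permissions:` block is covered by the two CodeQL alerts on this file.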
Comment on lines +12 to +14

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 25 days ago

The best way to fix the problem is by adding an explicit permissions block, specifying only the least privileges required for the jobs within the workflow (.github/workflows/release.yml). This is typically done at the root of the workflow to cover all jobs, unless a particular job needs broader permissions, in which case job-specific blocks can be used.
For a minimal starting point, permissions: contents: read is usually safe unless jobs need to write data back to the repo or perform other actions (e.g., pull-requests: write). Since the deploy-docs and registry-upload jobs both call reusable workflows, and we don't know their exact needs from the given snippet, we can start with the minimal contents: read and those workflows can further elevate permissions if required.

You should add the following block near the top of the workflow file (directly after the name: and on: keys):

permissions:
  contents: read

No other changes are needed in the visible regions.


Suggested changeset 1
.github/workflows/release.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3,6 +3,8 @@
   workflow_dispatch:
   push:
     branches: [main]
+permissions:
+  contents: read
 jobs:
   registry-upload:
     name: Registry Upload
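Review bot: This changeset is identical to the one suggested in the alert on lines +8 to +11; applying both makes the second `git apply` fail, so take only one. The same caveat applies: a top-level `contents: read` here is the ceiling for the called docs.yml, whose `deploy-docs` job needs `pages: write` and `id-token: write`, so override `permissions:` on the `deploy-docs` job in this file rather than relying on the called workflow to elevate.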
EOF
6 changes: 2 additions & 4 deletions components/livekit/idf_component.yml
Expand Up @@ -15,9 +15,7 @@ dependencies:
espressif/esp_peer: ~1.2.3
media_lib_sal:
path: ../third_party/esp-webrtc-solution/components/media_lib_sal
nanopb:
path: ../third_party/nanopb
khash:
path: ../third_party/khash
livekit/nanopb: ~0.4.9
livekit/khash: ~0.1.0
files:
use_gitignore: true
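Review bot: Replacing the `path:` entries with `livekit/nanopb: ~0.4.9` and `livekit/khash: ~0.1.0` moves these two libraries from sources vendored under `components/third_party` to packages fetched from the ESP Component Registry, published by this repository's own CI under the `livekit` namespace and therefore exactly as trustworthy as `ESP_REGISTRY_TOKEN` and the release workflow that uses it. The `~` constraints are floating ranges, so a consumer build can resolve a newer patch release than the one tested with this commit; pin exact versions (or commit the component manager's lock file) so builds are reproducible and a mistaken or malicious upload does not propagate to consumers automatically.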
7 changes: 7 additions & 0 deletions components/third_party/khash/README.md
@@ -0,0 +1,7 @@
# Khash

A generic hash table with open addressing from [Klib](https://github.com/attractivechaos/klib).

---

**Important**: This component is uploaded to the ESP Component Registry unofficially and is not affiliated with the Klib project. It is used as a dependency of the [LiveKit ESP32 SDK](https://github.com/livekit/client-sdk-esp32) and may not be regularly updated with the upstream project.
4 changes: 3 additions & 1 deletion components/third_party/khash/idf_component.yml
@@ -1,3 +1,5 @@
description: Khash (from klib)
version: 0.1.0
description: A generic hash table with open addressing.
url: https://attractivechaos.github.io/klib/
repository: https://github.com/attractivechaos/klib
license: MIT
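Review bot: `version: 0.1.0` is a number chosen for this mirror and says nothing about which klib revision was packaged, and neither this manifest nor the new README above records that revision; since the README itself warns the mirror "may not be regularly updated with the upstream project", record the upstream commit or tag (in the description or the README) so consumers can audit what they are building against and compare it with the klib repository linked here.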
7 changes: 7 additions & 0 deletions components/third_party/nanopb/README.md
@@ -0,0 +1,7 @@
# Nanopb

Protocol buffer library for embedded systems.

---

**Important**: This component is uploaded to the ESP Component Registry unofficially and is not affiliated with the Nanopb project. It is used as a dependency of the [LiveKit ESP32 SDK](https://github.com/livekit/client-sdk-esp32) and may not be regularly updated with the upstream project.
4 changes: 2 additions & 2 deletions components/third_party/nanopb/idf_component.yml
@@ -1,6 +1,6 @@
description: Nanopb
version: 0.4.9
description: Protocol buffer library for embedded systems.
url: https://jpa.kapsi.fi/nanopb/
repository: https://github.com/nanopb/nanopb/
documentation: https://jpa.kapsi.fi/nanopb/docs/
version: 0.4.9
license: Zlib