ci: add CodeQL security scanning workflow #263
Closed
Adds a CI workflow that builds DEB/RPM/TGZ packages of TransferBench against the TheRock nightly ROCm SDK, modeled on the ROCmValidationSuite packaging workflow. Packages install to /opt/rocm/extras-<MAJOR> with $ORIGIN-relative RPATH so they are relocatable.
- build_packages_local.sh: single source of truth for both local and CI builds. Detects Ubuntu vs AlmaLinux/manylinux, installs deps, fetches TheRock SDK tarball, configures CMake with relocatable RPATH and the new BUILD_RELOCATABLE_PACKAGE option, builds, and invokes CPack for DEB/RPM/TGZ.
- .github/workflows/build-relocatable-packages.yml: parallel Ubuntu 22.04 + manylinux_2_28 jobs triggered on push, PR, daily cron, and workflow_dispatch. OIDC-based S3 upload gated on AWS_S3_BUCKET being set; apt/yum repo metadata generated for non-PR builds. Build report artifact summarizes S3 paths.
- .github/workflows/README_BUILD_PACKAGES.md: workflow docs covering triggers, local usage, S3 layout, IAM trust policy, and apt/yum install snippets.
- CMakeLists.txt: new BUILD_RELOCATABLE_PACKAGE option that bypasses rocm_install/rocm_create_package, names the package amdrocm<MAJOR>-transferbench, and honors caller-set install prefix and CPACK_*_PACKAGE_RELEASE env vars. Default cmake .. behavior is unchanged.
Co-Authored-By: Claude Opus 4 <noreply@anthropic.com>
The tarballs are published as: therock-dist-linux-<family>-<version>.tar.gz not <family>-<version>.tar.gz as I had it. Also TheRock does not publish a per-family LATEST.txt, so the auto-fetch path now lists the bucket via S3 ListObjectsV2 and picks the highest version key with `sort -V`. Updates the pinned fallback to a version that actually exists on the bucket today (7.13.0a20260423). Co-Authored-By: Claude Opus 4 <noreply@anthropic.com>
The bucket includes non-release ad-hoc builds (e.g. therock-dist-linux-gfx94X-dcgpu-ADHOCBUILD-7.0.0rc20250625.tar.gz) which `sort -V | tail -1` was selecting because 'A' lexically sorts after digits. The downstream `printf '%02d'` then crashed trying to parse `ADHOCBUILD-7` as the ROCm major. Restrict the auto-fetch grep to keys matching <prefix><MAJOR>.<MINOR>.<patch+suffix>.tar.gz so only properly versioned releases are considered. Co-Authored-By: Claude Opus 4 <noreply@anthropic.com>
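The selection bug described in that commit, and the restricted-pattern fix, reproduced as an added example (not the project's own build_packages_local.sh): the bucket listing, key names and the `pick_*`/`rocm_major` function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: choose the newest properly versioned TheRock SDK tarball from
# a bucket listing, ignoring ad-hoc builds that break later version parsing.

# Constructed stand-in for the S3 ListObjectsV2 output (one key per line).
SAMPLE_KEYS='therock-dist-linux-gfx94X-dcgpu-7.12.0a20260301.tar.gz
therock-dist-linux-gfx94X-dcgpu-7.13.0a20260423.tar.gz
therock-dist-linux-gfx94X-dcgpu-ADHOCBUILD-7.0.0rc20250625.tar.gz
therock-dist-linux-gfx94X-dcgpu-7.9.1.tar.gz'

# Naive selection: sort -V alone lets the ADHOCBUILD key win, because at the
# point where the names diverge a letter sorts after a digit run.
pick_naive() {
  printf '%s\n' "$SAMPLE_KEYS" | sort -V | tail -n 1
}

# Fixed selection: only keys shaped <prefix><MAJOR>.<MINOR>.<patch+suffix>.tar.gz
# reach sort -V, so ad-hoc builds are never candidates.
pick_versioned() {
  prefix="$1"
  printf '%s\n' "$SAMPLE_KEYS" \
    | grep -E "^${prefix}[0-9]+\.[0-9]+\.[0-9]+[0-9A-Za-z]*\.tar\.gz$" \
    | sort -V | tail -n 1
}

# The downstream step that crashed on "ADHOCBUILD-7": strip the prefix, take
# the text before the first dot as the ROCm major, zero-pad it to two digits.
rocm_major() {
  key="$1"
  prefix="$2"
  ver="${key#"$prefix"}"
  printf '%02d' "${ver%%.*}"
}

if [ "${1:-}" = "--demo" ]; then
  p='therock-dist-linux-gfx94X-dcgpu-'
  echo "naive:     $(pick_naive)"
  echo "versioned: $(pick_versioned "$p")"
  echo "major:     $(rocm_major "$(pick_versioned "$p")" "$p")"
fi
```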
- Gate S3 upload + repo metadata steps on github.repository == 'ROCm/TransferBench' so forks that set AWS_S3_BUCKET don't try unauthenticated uploads.
- Add EUID root check to build_packages_local.sh up front (clearer error than failing later in apt/dnf).
- Rename TAROBALL_BASE -> TARBALL_BASE (typo).
- Sanitize PKG_RELEASE: collapse non-alphanumerics into dots so feature-branch names stay valid in DEB/RPM release fields.
- Drop ${ROCM_PATH}/lib from RPATH_LIST so the ephemeral SDK download path is not embedded into the packaged binary.
- Make CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION track the actual CPACK_PACKAGING_INSTALL_PREFIX instead of hard-coded /opt/rocm/extras-N paths.
Co-Authored-By: Claude Opus 4 <noreply@anthropic.com>
Packages declare runtime deps on hsa-rocr/numactl and only ship the TransferBench binary; the install tree is movable via $ORIGIN RPATH but target systems still need the ROCm/HSA runtime. Update README so the claim matches the actual packaging behavior.
Built binaries dynamically link libibverbs.so.1 / libmpi*.so.* but neither library is bundled by the TheRock SDK or declared as a package dependency, so the binary fails to load on hosts that don't already have rdma-core / OpenMPI installed. Flip both CMake flags off in build_packages_local.sh and drop the unused build-time installs of libibverbs-dev/rdma-core/openmpi-dev so the package runs out of the box with only numactl/libnuma1.
Add CodeQL static analysis workflow following ROCm project standards (amdsmi/aqlprofile pattern). Scans C/C++ code for security vulnerabilities.
- Runs on develop/mainline branch pushes and PRs
- Weekly scheduled scan on Fridays
- Uses security-extended query suite
- Builds with minimal dependencies (no NIC/MPI) for faster analysis
Part of TheRock component onboarding requirements.
Summary
Add CodeQL static analysis workflow following ROCm project standards (amdsmi/aqlprofile pattern) to scan C/C++ code for security vulnerabilities.
Details
- `develop` and `mainline` branch pushes and PRs
- `security-extended` query suite for comprehensive coverage
Motivation
Part of TheRock component onboarding requirements - Security & Compliance check.
Testing
Workflow will run automatically on this PR. Expected to complete successfully with the minimal build configuration.