Backport of #26781 with the follow-up fix from #27000 folded in.
On release branches, the ROS integration test now clones a matching
branch from Auterion/px4-ros2-interface-lib instead of always using
main, preventing build failures from uORB message divergence between
main and release branches.
Branch resolution uses GITHUB_BASE_REF on pull requests (the branch
the code is merging into) and falls back to GITHUB_REF_NAME for
direct pushes, so backport PRs resolve to their target release
branch instead of the PR author's branch.
Fixes https://github.com/Auterion/px4-ros2-interface-lib/issues/184
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
The current workflow_dispatch path builds whatever HEAD of the dispatch ref
is, labels the resulting image with px4_version, and publishes. That's
fine for rebuilding current state but it cannot rebuild the exact commit
a release tag points to, because the dispatch loads the workflow file
from one ref and implicitly checks out the same ref for the build.
This matters for release recovery. When the v1.17.0-rc2 tag push failed
to publish containers back on 2026-03-13 (the v1 GHA cache protocol
removal in RunsOn v2.12.0), the tag was not re-pushed, so the only way
to publish rc2 containers now is via workflow_dispatch. Without this
change, a dispatch against release/1.17 builds release/1.17 HEAD and
labels it v1.17.0-rc2, which produces a container whose contents do not
match the rc2 tag's actual code. That is not a faithful recovery.
Add a build_ref input that controls only the checkout ref, defaulting
to empty which falls back to github.ref (preserving current behavior
for both push events and dispatches that omit the input). With this,
a release recovery looks like:
gh workflow run dev_container.yml --repo PX4/PX4-Autopilot \
--ref release/1.17 \
-f px4_version=v1.17.0-rc2 \
-f build_ref=v1.17.0-rc2 \
-f deploy_to_registry=true
The workflow loads from release/1.17 HEAD (which has the cache fix
from 39b0568 and the hardening from d74db56a), but the build uses
Tools/setup/Dockerfile from the rc2 tag. The published image has
rc2 contents under the rc2 label, as if the original tag push had
worked.
All three actions/checkout steps (setup, build, deploy) take the same
ref expression so every job sees a consistent workspace. Non-dispatch
events (push, PR) evaluate github.event.inputs.build_ref to empty and
fall back to github.ref exactly as before.
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
(cherry picked from commit e4d46f20f4)
Three related fixes to prevent a repeat of the v1.17.0-rc2 incident, where a
post-push GHA cache-export 404 failed the arm64 build after both registry
pushes had already succeeded, fail-fast cancelled amd64, and the deploy job
was skipped, leaving the registries with only a partial arm64 publish and no
multi-arch manifest.
- Mark cache export as non-fatal via ignore-error=true on cache-to. A
successful registry push should never be undone by a cache-layer flake.
This alone would have let rc2 publish correctly.
- Decouple the deploy job from the build job's exit code. Change its if:
gate to !cancelled() + setup success only, and promote the existing
"Verify Images Exist Before Creating Manifest" step from a warning into
a hard precondition. Deploy now runs whenever both per-arch tags actually
exist in the registries, which is its real precondition, and fails loudly
if a tag is missing.
- Bump every action to the current major (runs-on/action v2,
actions/checkout v5, docker/login-action v4, docker/setup-buildx-action v4,
docker/build-push-action v7, docker/metadata-action v6). This gets the
workflow off Node 20 before GitHub's June 2 2026 forced runtime switch
and keeps runs-on/action on the same major as the runs-on platform.
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
(cherry picked from commit d74db56a06)
When EKF2_HGT_REF=2 (range sensor) with no GPS, optical flow could
never start. The starting condition required isTerrainEstimateValid()
or isHorizontalAidingActive(), but terrain is never "estimated" when
range is the height reference (ground is the datum, terrain state is
fixed at 0), and there's no horizontal aiding without GPS.
HAGL is directly known from the range measurement in this case, so
optical flow has everything it needs to fuse. Add the range height
reference check to the optical flow starting conditions.
Fixes: https://github.com/PX4/PX4-Autopilot/issues/25248
Backport of #26742 to release/1.17.
RunsOn v2.12.0 (March 6, 2026) removed v1 cache toolkit support,
causing the buildx GHA cache proxy to return 404 for v1 endpoints.
This broke the v1.17.0-rc2 container build.
Removing the explicit version=1 parameter lets buildkit auto-detect
the v2 protocol.
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
The mavlink_tests module was deleted in 1009268d31 but several
references were left behind, breaking builds on all targets.
Removed:
- CMakeLists.txt: add_subdirectory(mavlink_tests)
- mavlink_ftp.cpp: #include of deleted mavlink_ftp_test.h
- mavlink_ftp.h: MavlinkFtpTest forward decl and friend class
- posix-configs/SITL/init/test/test_mavlink: dead init script
- sitl_tests.cmake: sitl-mavlink CTest target
- install-voxl.sh: px4-mavlink_tests symlink
Ref: https://github.com/PX4/PX4-Autopilot/issues/26738
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
Reject Zenoh payloads that exceed the expected uORB topic size plus
CDR header (4 bytes), or that are too small to contain a valid CDR
header. This prevents a stack overflow from crafted network input
where z_bytes_len(payload) controls a VLA allocation.
Fixes GHSA-69g4-hcqf-j45p
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
Use logical OR (||) instead of AND (&&) in _workWrite() and _workBurst()
session validation, matching the correct logic already used in _workRead()
and _workTerminate(). The AND operator allowed operations to proceed with
an invalid session ID as long as a valid file descriptor existed.
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
Remove the old MAVLINK_FTP_UNIT_TEST infrastructure that has been dead
code for years (not enabled in any board config). This includes:
- src/modules/mavlink/mavlink_tests/ directory (test suite, CMakeLists)
- All #ifdef MAVLINK_FTP_UNIT_TEST blocks in mavlink_ftp.cpp
- set_unittest_worker() callback mechanism in mavlink_ftp.h
- Conditional uAvionix include in mavlink_bridge_header.h
The test suite will be ported to GTest as a follow-up.
Ref: https://github.com/PX4/PX4-Autopilot/issues/26738
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
Add bounds checking in the CAN frame assembly loop to prevent a buffer
overflow when copying payloads into the Tattu12SBatteryMessage struct.
A crafted CAN frame with a corrupt payload_size could write past the
48-byte struct boundary. Also guard against payload_size of 0 which
would cause an unsigned integer underflow on the size_t subtraction.
Fixes GHSA-wxwm-xmx9-hr32
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
Reject replies with length >= sizeof(BSTPacket) to prevent OOB read
in CRC calculation. Clamp dev_name_len to buffer size to prevent OOB
write during null termination.
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
Remove the step that uploaded every version tag to the stable/ S3
directory, which caused QGC users selecting "stable" to receive
pre-release firmware (#26340). The stable/ and beta/ directories
are now controlled exclusively by their respective branch pushes,
while version tags only upload to their versioned archive directory
(e.g., v1.16.1/). Pre-release tags are also correctly marked on
GitHub Releases.
Co-authored-by: Julian Oes <julian@oes.ch>
Fixes#26340
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
Add PWM_*_CENTERx for each servo.
Use a bilinear transform to map actuator_servos to PWM signals.
This solution only works for PWM based servos. Other types of servos are not affected.
* PWM: Add servo trim option
* PWM: Improve documentation of PWM trim feature
* PWM: cleaner clamping and docs typo
* update documentation & safety
* add migration formula
* rename param from trim to center
* docs with center instead of trim
* move clamping and reorder values
* improve documentation
* adress failing range check
* improve documentation
* CA: add event for setting CENTER with TRIM
Signed-off-by: Silvan <silvan@auterion.com>
---------
Signed-off-by: Silvan <silvan@auterion.com>
Co-authored-by: Silvan <silvan@auterion.com>
* astyle: remove max line length (#25717)
* failsafe unit test: add cases for 1 allow taking over from degraded failsafes 2 not cause immediate takeover when failsafe happens because of mode switch
The first test makes sure the user can take over when an RTL failsafe was triggered but degraded to a Land.
The second test rules out the easiest fix of removing the condition `_selected_action == selected_action` which causes the problem for test one but is there for a reason.
* commander/failsafe: fix user takeover not possible in fallback Land action when configured RTL is not possible
---------
Co-authored-by: Jacob Dahl <37091262+dakejahl@users.noreply.github.com>
* failure_injection: improve previously vague motor faulure
Reading it again I decided adding the sentance in 4d2170c13e is not clear enough.
* docs/safety: add a motor failure detection paragraph
The functionality is in my eyes pretty basic but so far completely undocumented so I went through the code and added a paragraph based on questions I received.
* Subedit
* Apply suggestion from @hamishwillee
---------
Co-authored-by: Hamish Willee <hamishwillee@gmail.com>
* rc_update: remove 1% deadzone for all channels
this should be handled higher level.
* Remove all references to the RC{n}_DZ parameters
Regular expression: RC.{0,2}_DZ
---------
Co-authored-by: Jacob Dahl <37091262+dakejahl@users.noreply.github.com>
* ROMFS: do not exit airframe loading if SYS_AUTOSTART is 0
Do not treat 0 as a magic value that skips the aiframe loading.
Instead leave it tot he rc.autostart to load an airframe that if finds
appropriate (can be defined in external aiframe).
Signed-off-by: Silvan <silvan@auterion.com>
* ROMFS: adjust airframe load spacing and message/comment wording
---------
Signed-off-by: Silvan <silvan@auterion.com>
Co-authored-by: Silvan <silvan@auterion.com>
During a mission the last waypoint is often a LAND. If the previous waypoint is not directly above the land waypoint the offtrack calculation is incorrect. This regression was introduced when the offtrack calculation switched from 2D to 3D.
* Fix formatting and capitalization in dev_env_mac.md
Updated formatting and capitalization for consistency in the macOS development environment documentation.
* Correct 'Mac OS' to 'macOS' in documentation
* Fix capitalization of 'macOS' in documentation
Move ramvectors from DTCM to ITCM, this seems to better in general.
Also ITCM is marked as RO so is safer anyhow, now that DTCM is fully
unused we add DTCM region of 256kB to memory allocator. Increases usable
memory from 1536kB to 1792kB and decrease system load a bit since DTCM
is faster
Ramon Roche