Extend COM_ARM_ODID into a unified arming + in-flight failsafe parameter (0 = Disabled, 1 = Warning, 2 = Return, 3 = Land, 4 = Terminate)
Values >= 2 block arming and trigger the configured action if Remote ID
is lost while airborne.
- Replace all MINDPX/MINDPXv2/PX4FMU board references with SaamPixV1_1
- Update Airmind Development Team to Saam Drones Development Team in copyright headers
- Update PX4 copyright year range to 2020-2026 on all C/C++ files
- Rename bootloader binary to match board version (v1_1)
- Remove untracked backup files
Adds a stand-alone workflow that posts or updates sticky PR comments on
behalf of any analysis workflow, including those triggered by fork PRs.
The poster runs on `workflow_run` in the base repo context, which is the
standard GitHub-sanctioned way to get a write token on events that
originate from untrusted forks without ever checking out fork code.
All validation, GitHub API interaction, and upsert logic lives in
Tools/ci/pr-comment-poster.py (Python 3 stdlib only, two subcommands:
`validate` and `post`). The workflow file itself is a thin orchestrator:
sparse-checkout the script, download the pr-comment artifact via
github-script, unzip, then invoke the script twice. No inline jq, no
inline bash validation, no shell-interpolated marker strings. The
sparse-checkout ensures only Tools/ci/pr-comment-poster.py lands in the
workspace, never the rest of the repo.
Artifact contract: a producer uploads an artifact named exactly
`pr-comment` containing `manifest.json` (with `pr_number`, `marker`, and
optional `mode`) and `body.md`. The script validates the manifest
(positive integer pr_number, printable-ASCII marker bounded 1..200
chars, UTF-8 body under 60000 bytes, mode in an allowlist), finds any
existing comment containing the marker via the comments REST API, and
either edits it in place or creates a new one.
The workflow file header documents six security invariants that any
future change MUST preserve, most importantly: NEVER check out PR code,
NEVER execute anything from the artifact, and treat all artifact
contents as opaque data.
Why a generic poster and not `pull_request_target`: `pull_request_target`
is the tool people reach for first and the one that most often turns
into a supply-chain vulnerability, because it hands a write token to a
workflow that is then tempted to check out the PR head. `workflow_run`
gives the same write token without any check-out temptation, because
the only input is a pre-produced artifact treated as opaque data.
Producer migrations
===================
flash_analysis.yml:
- Drop the fork gate on the `post_pr_comment` job.
- Drop the obsolete TODO pointing at issue #24408 (the fork-comment
workflow does not error anymore; it just no-ops).
- Keep the existing "comment only if threshold crossed or previous
comment exists" behaviour verbatim. peter-evans/find-comment@v3
stays as a read-only probe (forks can read issue comments just fine);
its body-includes is updated to search for the new marker
`<!-- pr-comment-poster:flash-analysis -->` instead of the old
"FLASH Analysis" heading substring.
- Replace the peter-evans/create-or-update-comment@v4 step with two
new steps that write pr-comment/manifest.json and pr-comment/body.md
and then upload them as artifact pr-comment. The body markdown is
byte-for-byte identical to the previous heredoc, with the marker
prepended as the first line so subsequent runs can find it.
- The threshold-or-existing-comment gate is preserved on both new
steps. When the gate does not fire no artifact is uploaded and the
poster no-ops.
docs-orchestrator.yml (link-check job):
- Drop the fork gate on the sticky-comment step.
- Replace marocchino/sticky-pull-request-comment@v2 with two new steps
that copy logs/filtered-link-check-results.md into pr-comment/body.md,
write a pr-comment/manifest.json with the marker
`<!-- pr-comment-poster:docs-link-check -->`, and upload the directory
as artifact pr-comment.
- The prepare step checks `test -s` on the results file and emits a
prepared step output; the upload step is gated on that output. In
practice the existing link-check step always writes a placeholder
("No broken links found in changed files.") into the file when empty,
so the guard is defensive but not load-bearing today.
- Tighten the link-check job's permissions from `pull-requests: write`
down to `contents: read`; writing PR comments now happens in the
poster workflow.
The poster's workflows allowlist is seeded with the two active
producers: "FLASH usage analysis" and "Docs - Orchestrator".
clang-tidy (workflow name "Static Analysis") is not in the list because
platisd/clang-tidy-pr-comments posts line-level review comments, a
different REST API from issue comments that the poster script does not
handle. Extending the poster to cover review comments is a follow-up.
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
POSIX/SITL builds on macOS produce two classes of benign warnings that
clutter output and obscure real issues:
ranlib: warning: 'lib*.a(foo.o)' has no symbols
ld: warning: ignoring duplicate libraries: ...
The ranlib warnings come from sources wrapped in #if defined(CONFIG_*)
guards (i2c.cpp, spi.cpp, board_common.c, pab_manifest.c,
px4_log_history.cpp) and dummy.cpp placeholders, which legitimately
compile to empty object files on POSIX. GNU ranlib ignores this;
Apple's warns. The warning is emitted by 'ar qc' (which implicitly
builds a symbol table), not by ranlib itself, so overriding only
ARCHIVE_FINISH is insufficient. Use 'ar qcS' to skip the implicit
symbol table, then let ranlib -no_warning_for_no_symbols build it
quietly via ARCHIVE_FINISH.
The duplicate-library warnings come from CMake intentionally
re-emitting static libraries on the link line to resolve circular
dependencies between px4_layer, px4_work_queue, px4_daemon and
lockstep_scheduler. GNU ld silently dedupes; Apple's ld-prime
(Xcode 15+) warns. Pass -no_warn_duplicate_libraries to the linker.
Both fixes are Darwin-only and have no effect on Linux CI or NuttX
builds.
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
Switch the Static Analysis workflow to two modes:
- Push to main: run the full "make clang-tidy" target as before.
- Pull request: build the clang compile database with
"make px4_sitl_default-clang", then call Tools/ci/run-clang-tidy-pr.py
(already in-tree) to compute the translation units actually affected
by the PR diff and run clang-tidy only on that subset. PRs that touch
no C++ files exit silently; the large majority of PRs will skip the
slow full analysis entirely.
Replace the inline ccache restore/config/save steps with the composite
actions from .github/actions/setup-ccache and .github/actions/save-ccache,
which use content-hash cache keys (prefix-ref-sha with ref and base_ref
fallbacks), compression, and compiler_check=content. Same 120M cap.
Add a second job, post_clang_tidy_comments, that runs on a GitHub-hosted
runner when the analysis job reports has_findings=true. It downloads the
compile_commands.json artifact produced by the analysis job, rewrites
the AWS RunsOn workspace prefix (/__w/PX4-Autopilot/PX4-Autopilot) to the
GitHub-hosted runner workspace so clang-tidy can chdir into the build
directory, runs clang-tidy-diff-18 to export fixes, and posts inline
review annotations via platisd/clang-tidy-pr-comments@v1.
Annotations are set to request changes (request_changes: true), so a PR
with new clang-tidy findings will be blocked until they are addressed or
waived. suggestions_per_comment is capped at 10. Annotations are gated
to same-repo PRs only; forks skip the annotation job because GITHUB_TOKEN
has no write access there.
The post_clang_tidy_comments job uses if: always() && ... so it runs
whether the analysis job succeeded or failed (findings still need to be
surfaced when the analysis exits non-zero).
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
Standardize on the GitHub Container Registry copy of px4-dev:v1.17.0-rc2
across workflows still pulling the old dockerhub v1.16.0-rc1 image, and
move the workflows that were already on v1.17.0-beta1 from docker.io to
ghcr.io so the whole repo pulls from one registry at the same version.
Also modernize the "git ownership workaround" in the touched workflows
that still used `git config --global --add safe.directory "$GITHUB_WORKSPACE"`
to the `--system --add safe.directory '*'` form already in use by
clang-tidy, flash_analysis, failsafe_sim, itcm_check, and docs-orchestrator.
Updated workflows:
- checks.yml
- clang-tidy.yml (was on v1.17.0-beta1, now on rc2)
- docs-orchestrator.yml (was on v1.17.0-beta1, two jobs)
- ekf_functional_change_indicator.yml
- ekf_update_change_indicator.yml
- failsafe_sim.yml
- flash_analysis.yml
- itcm_check.yml
- nuttx_env_config.yml
Deliberately out of scope for this PR and deferred to focused follow-ups:
- fetch-depth: 0 to 1 (firmware builds and flash_analysis base-ref
checkout need git history)
- PX4_SBOM_DISABLE removal in checks.yml (behavioral change)
- fail-fast: false to true (behavioral change)
- codecov-action upgrade
No other workflows touched. compile_ubuntu.yml, ros_integration_tests.yml,
sitl_tests.yml, mavros_*_tests.yml, fuzzing.yml, build_deb_package.yml,
dev_container.yml all use different image families or serve different
purposes and are not part of this sweep.
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
Add four reusable building blocks that upcoming CI optimization PRs will
consume. No existing workflow is modified; these files are dormant until
referenced.
- .github/actions/setup-ccache: restore ~/.ccache with content-hash keys,
write ccache.conf with compression and content-based compiler check
- .github/actions/save-ccache: print stats and save the cache under the
primary key produced by setup-ccache
- .github/actions/build-gazebo-sitl: build px4_sitl_default plus the
Gazebo Classic plugins with ccache stats between stages
- Tools/ci/run-clang-tidy-pr.py: compute the translation units affected
by a PR diff and invoke Tools/run-clang-tidy.py on that subset only,
exiting silently when no C++ files changed
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
Split the maintainer role into two types to make it easier to grow the
bench without asking new contributors to commit to a specific component
up front. Code Owners keep their existing scoped responsibility for a
category, while Reviewers help across the project without ownership of
any specific area. Both are full maintainers, share the @PX4/dev-team
GitHub team, and have the same write access and voting rights.
Rename the Active Maintainers table to Code Owners with no change to
the current roster. Add an empty Reviewers table so future nominations
land in their own PRs. Update the contributor docs to describe the two
types, cover both in the recruitment and onboarding flow, and note the
promotion path from Reviewer to Code Owner.
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
* offboard: report specific failures
Figuring out offboard failures is quite difficult because the user currently
gets a single, very generic error message that does not identify the actual
missing requirement.
This change aims to improve the user experience by:
- moving offboard failure reporting into OffboardChecks, where the exact cause is known
- reporting specific arming failures for missing local position, local velocity and attitude estimates
- keeping the generic offboard signal error only as a fallback for true signal-loss cases
- removing the duplicate offboard check from ModeChecks (as already invoked by HealthAndArmingChecks)
Signed-off-by: Onur Özkan <work@onurozkan.dev>
* offboard: handle attitude mode in offboard check
Signed-off-by: Onur Özkan <work@onurozkan.dev>
---------
Signed-off-by: Onur Özkan <work@onurozkan.dev>
The previous logic used GITHUB_HEAD_REF, which on a pull request is
the source (PR author's) branch name. For backport PRs (e.g.
mrpollo/backport-26781-1.17), no matching branch exists in
px4-ros2-interface-lib, so the script fell back to main and the
build broke from uORB message divergence.
Switch to GITHUB_BASE_REF, which on a PR is the branch the code is
being merged into (main or release/X.Y), and fall back to
GITHUB_REF_NAME for direct pushes. This always resolves to a real
branch in px4-ros2-interface-lib.
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
Adds an explicit Citation section before Governance so researchers can
copy a canonical BibTeX entry without clicking through to Zenodo. Uses
the same author list and concept DOI as CITATION.cff so the citation
always resolves to the latest release. Follows the pattern used by
borglab/gtsam and huggingface/transformers.
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
Split badges into two rows: release/DOI/Discord on top, and LF-ecosystem
health signals (OpenSSF Best Practices, LFX Health Score, Contributors,
Active Contributors) below. Removed the noisy "Build all targets" badge
and switched the Discord badge from the pixelated widget PNG to the
shields.io SVG endpoint so it renders crisply on HiDPI displays.
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
Upgrades the project Code of Conduct from Contributor Covenant v1.4
(2016) to v2.1 (2021). v2.1 adds the Enforcement Guidelines section
(Correction / Warning / Temporary Ban / Permanent Ban) and modernizes
the language around inclusion and community leadership.
Replaces the personal reporting address (lorenz@px4.io) with an
institutional one (coc@dronecode.org) so Code of Conduct reports flow
to the Dronecode Foundation rather than a single maintainer's inbox.
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
Add 'if: startsWith(runner.name, "runs-on--")' to the mirror swap step
in both workflows so fork users can see at a glance that the step only
fires on runs-on runners and is a no-op on standard GitHub-hosted
runners. The script keeps its internal RUNS_ON_AWS_REGION check as
defense in depth for callers outside these workflows.
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
The mirror swap was duplicated across two workflows. Move it into
Tools/ci/use_aws_apt_mirror.sh and call the script from each workflow
after checkout but before any heavy apt work like Tools/setup/ubuntu.sh.
The script no-ops outside runs-on (RUNS_ON_AWS_REGION unset), so it is
safe to call from forks, self-hosted runners, or local container runs
without changing behavior there. The region is read from the runs-on
environment instead of being hardcoded, so future region changes only
need updating where the runner is provisioned.
The bootstrap 'apt install git' step keeps the default mirror because
git is one package and is unlikely to hit the dep11 desync issue that
broke ubuntu.sh.
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
The compile_ubuntu workflow's apt operations talk directly to
archive.ubuntu.com, which round-robins across community mirrors that
occasionally serve out-of-sync index files mid-sync and break apt update
for everyone until the upstream catches up.
Apply the same mirror swap as build_deb_package.yml: rewrite the
container's apt sources to point at us-west-2.ec2.archive.ubuntu.com
before any apt operation runs, so both the inline 'apt update' and the
later Tools/setup/ubuntu.sh call benefit from the regional mirror.
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
The SIH image is the canonical PX4 SITL container, so drop the redundant
-sih suffix and publish it as px4io/px4-sitl. Gazebo continues to publish
as px4io/px4-sitl-gazebo.
Decouples the published image name from the matrix.image identifier by
introducing a matrix.repo field, so renames like this don't require
touching the matrix logic.
This is a breaking change for anyone pulling px4io/px4-sitl-sih directly;
the old tags remain available but no new ones will be published under
that name.
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
The default archive.ubuntu.com round-robin can serve out-of-sync index
files mid-sync, which makes apt-get update fail with 'File has unexpected
size' errors and breaks the deb build job for everyone until the upstream
mirror catches up.
Rewrite the container's apt sources to point at us-west-2.ec2.archive.
ubuntu.com instead. The EC2 archive mirrors are Canonical-operated,
region-local to the runs-on instances, and sync aggressively, eliminating
the round-robin lottery as a CI failure mode.
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
