Three related fixes to prevent a repeat of the v1.17.0-rc2 incident, where a
post-push GHA cache-export 404 failed the arm64 build after both registry
pushes had already succeeded, fail-fast cancelled amd64, and the deploy job
was skipped, leaving the registries with only a partial arm64 publish and no
multi-arch manifest.
- Mark cache export as non-fatal via ignore-error=true on cache-to. A
successful registry push should never be undone by a cache-layer flake.
This alone would have let rc2 publish correctly.
- Decouple the deploy job from the build job's exit code. Change its if:
gate to !cancelled() + setup success only, and promote the existing
"Verify Images Exist Before Creating Manifest" step from a warning into
a hard precondition. Deploy now runs whenever both per-arch tags actually
exist in the registries, which is its real precondition, and fails loudly
if a tag is missing.
- Bump every action to the current major (runs-on/action v2,
actions/checkout v5, docker/login-action v4, docker/setup-buildx-action v4,
docker/build-push-action v7, docker/metadata-action v6). This gets the
workflow off Node 20 before GitHub's June 2 2026 forced runtime switch
and keeps runs-on/action on the same major as the runs-on platform.
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
(cherry picked from commit d74db56a060ee333535e29c765074572f73f0139)
When EKF2_HGT_REF=2 (range sensor) with no GPS, optical flow could
never start. The starting condition required isTerrainEstimateValid()
or isHorizontalAidingActive(), but terrain is never "estimated" when
range is the height reference (ground is the datum, terrain state is
fixed at 0), and there's no horizontal aiding without GPS.
HAGL is directly known from the range measurement in this case, so
optical flow has everything it needs to fuse. Add the range height
reference check to the optical flow starting conditions.
Fixes: https://github.com/PX4/PX4-Autopilot/issues/25248
Backport of #26742 to release/1.17.
RunsOn v2.12.0 (March 6, 2026) removed v1 cache toolkit support,
causing the buildx GHA cache proxy to return 404 for v1 endpoints.
This broke the v1.17.0-rc2 container build.
Removing the explicit version=1 parameter lets buildkit auto-detect
the v2 protocol.
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
The mavlink_tests module was deleted in 1009268d311 but several
references were left behind, breaking builds on all targets.
Removed:
- CMakeLists.txt: add_subdirectory(mavlink_tests)
- mavlink_ftp.cpp: #include of deleted mavlink_ftp_test.h
- mavlink_ftp.h: MavlinkFtpTest forward decl and friend class
- posix-configs/SITL/init/test/test_mavlink: dead init script
- sitl_tests.cmake: sitl-mavlink CTest target
- install-voxl.sh: px4-mavlink_tests symlink
Ref: https://github.com/PX4/PX4-Autopilot/issues/26738
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
Reject Zenoh payloads that exceed the expected uORB topic size plus
CDR header (4 bytes), or that are too small to contain a valid CDR
header. This prevents a stack overflow from crafted network input
where z_bytes_len(payload) controls a VLA allocation.
Fixes GHSA-69g4-hcqf-j45p
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
Use logical OR (||) instead of AND (&&) in _workWrite() and _workBurst()
session validation, matching the correct logic already used in _workRead()
and _workTerminate(). The AND operator allowed operations to proceed with
an invalid session ID as long as a valid file descriptor existed.
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
Remove the old MAVLINK_FTP_UNIT_TEST infrastructure that has been dead
code for years (not enabled in any board config). This includes:
- src/modules/mavlink/mavlink_tests/ directory (test suite, CMakeLists)
- All #ifdef MAVLINK_FTP_UNIT_TEST blocks in mavlink_ftp.cpp
- set_unittest_worker() callback mechanism in mavlink_ftp.h
- Conditional uAvionix include in mavlink_bridge_header.h
The test suite will be ported to GTest as a follow-up.
Ref: https://github.com/PX4/PX4-Autopilot/issues/26738
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
Add bounds checking in the CAN frame assembly loop to prevent a buffer
overflow when copying payloads into the Tattu12SBatteryMessage struct.
A crafted CAN frame with a corrupt payload_size could write past the
48-byte struct boundary. Also guard against payload_size of 0 which
would cause an unsigned integer underflow on the size_t subtraction.
Fixes GHSA-wxwm-xmx9-hr32
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
Reject replies with length >= sizeof(BSTPacket) to prevent OOB read
in CRC calculation. Clamp dev_name_len to buffer size to prevent OOB
write during null termination.
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
Remove the step that uploaded every version tag to the stable/ S3
directory, which caused QGC users selecting "stable" to receive
pre-release firmware (#26340). The stable/ and beta/ directories
are now controlled exclusively by their respective branch pushes,
while version tags only upload to their versioned archive directory
(e.g., v1.16.1/). Pre-release tags are also correctly marked on
GitHub Releases.
Co-authored-by: Julian Oes <julian@oes.ch>
Fixes#26340
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
Add PWM_*_CENTERx for each servo.
Use a bilinear transform to map actuator_servos to PWM signals.
This solution only works for PWM based servos. Other types of servos are not affected.
* PWM: Add servo trim option
* PWM: Improve documentation of PWM trim feature
* PWM: cleaner clamping and docs typo
* update documentation & safety
* add migration formula
* rename param from trim to center
* docs with center instead of trim
* move clamping and reorder values
* improve documentation
* adress failing range check
* improve documentation
* CA: add event for setting CENTER with TRIM
Signed-off-by: Silvan <silvan@auterion.com>
---------
Signed-off-by: Silvan <silvan@auterion.com>
Co-authored-by: Silvan <silvan@auterion.com>
* astyle: remove max line length (#25717)
* failsafe unit test: add cases for 1 allow taking over from degraded failsafes 2 not cause immediate takeover when failsafe happens because of mode switch
The first test makes sure the user can take over when an RTL failsafe was triggered but degraded to a Land.
The second test rules out the easiest fix of removing the condition `_selected_action == selected_action` which causes the problem for test one but is there for a reason.
* commander/failsafe: fix user takeover not possible in fallback Land action when configured RTL is not possible
---------
Co-authored-by: Jacob Dahl <37091262+dakejahl@users.noreply.github.com>
* failure_injection: improve previously vague motor faulure
Reading it again I decided adding the sentance in 4d2170c13ea4d42c5b0b464dbbcbb68fb098cbcc is not clear enough.
* docs/safety: add a motor failure detection paragraph
The functionality is in my eyes pretty basic but so far completely undocumented so I went through the code and added a paragraph based on questions I received.
* Subedit
* Apply suggestion from @hamishwillee
---------
Co-authored-by: Hamish Willee <hamishwillee@gmail.com>
* rc_update: remove 1% deadzone for all channels
this should be handled higher level.
* Remove all references to the RC{n}_DZ parameters
Regular expression: RC.{0,2}_DZ
---------
Co-authored-by: Jacob Dahl <37091262+dakejahl@users.noreply.github.com>
* Remove support for MAVLink 1
* Add back support for MAVLink 1 but don't default to it
* Update src/modules/mavlink/mavlink_params.c
Co-authored-by: Hamish Willee <hamishwillee@gmail.com>
---------
Co-authored-by: Jacob Dahl <37091262+dakejahl@users.noreply.github.com>
Co-authored-by: Hamish Willee <hamishwillee@gmail.com>
* ROMFS: do not exit airframe loading if SYS_AUTOSTART is 0
Do not treat 0 as a magic value that skips the aiframe loading.
Instead leave it tot he rc.autostart to load an airframe that if finds
appropriate (can be defined in external aiframe).
Signed-off-by: Silvan <silvan@auterion.com>
* ROMFS: adjust airframe load spacing and message/comment wording
---------
Signed-off-by: Silvan <silvan@auterion.com>
Co-authored-by: Silvan <silvan@auterion.com>
During a mission the last waypoint is often a LAND. If the previous waypoint is not directly above the land waypoint the offtrack calculation is incorrect. This regression was introduced when the offtrack calculation switched from 2D to 3D.
* Fix formatting and capitalization in dev_env_mac.md
Updated formatting and capitalization for consistency in the macOS development environment documentation.
* Correct 'Mac OS' to 'macOS' in documentation
* Fix capitalization of 'macOS' in documentation
Move ramvectors from DTCM to ITCM, this seems to better in general.
Also ITCM is marked as RO so is safer anyhow, now that DTCM is fully
unused we add DTCM region of 256kB to memory allocator. Increases usable
memory from 1536kB to 1792kB and decrease system load a bit since DTCM
is faster
