fix for the apply of the HWLOC security patch

Author: bratpiorka

.github/workflows/reusable_codeql.yml

@@ -0,0 +1,117 @@
+# CodeQL static analysis
+name: CodeQL
+
+on: workflow_call
+
+permissions:
+  contents: read
+
+env:
+  BUILD_DIR : "${{github.workspace}}/build"
+  INSTL_DIR : "${{github.workspace}}/../install-dir"
+
+jobs:
+  analyze:
+    name: Analyze
+    permissions:
+      security-events: write
+    env:
+      VCPKG_PATH: "${{github.workspace}}/build/vcpkg/packages/hwloc_x64-windows;${{github.workspace}}/build/vcpkg/packages/tbb_x64-windows;${{github.workspace}}/build/vcpkg/packages/jemalloc_x64-windows"
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [windows-latest]
+    
+    # TODO revert
+    runs-on: ["codeql-test", "Windows"]
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      with:
+        fetch-depth: 0
+
+    - name: aaa
+      if: matrix.os == 'windows-latest'
+      run: echo $env:path
+      shell: pwsh
+
+    - name: Check for Python >= 3.10
+      id: check_python
+      run: |
+        $pythonCommand = Get-Command python -ErrorAction SilentlyContinue
+        if ($pythonCommand) {
+          $pythonVersion = python --version 2>&1
+          $versionPattern = 'Python (\d+)\.(\d+)\.(\d+)'
+          echo $pythonVersion
+          if ($pythonVersion -match $versionPattern) {
+            $major = [int]$matches[1]
+            $minor = [int]$matches[2]
+            if ($major -gt 3 -or ($major -eq 3 -and $minor -ge 10)) {
+              echo "##[set-output name=python_exists;]true"
+            } 
+          }
+        } 
+      shell: pwsh
+      
+    - name: Setup Python 3.10
+      if: steps.check_python.outputs.python_exists != 'true'
+      uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
+      with:
+        python-version: "3.10"
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@b7bf0a3ed3ecfa44160715d7c442788f65f0f923 # v3.23.2
+      with:
+        languages: cpp
+
+    - name: "[Win] Initialize vcpkg"
+      if: matrix.os == 'windows-latest'
+      uses: lukka/run-vcpkg@5e0cab206a5ea620130caf672fce3e4a6b5666a1 # v11.5
+      with:
+        vcpkgGitCommitId: 3dd44b931481d7a8e9ba412621fa810232b66289
+        vcpkgDirectory: ${{env.BUILD_DIR}}/vcpkg
+        vcpkgJsonGlob: '**/vcpkg.json'
+
+    - name: "[Win] Install dependencies"
+      if: matrix.os == 'windows-latest'
+      run: |
+        vcpkg install
+        echo $env:path
+        python3 -m pip install -r third_party/requirements.txt
+      shell: pwsh
+
+    - name: "[Lin] Install apt packages"
+      if: matrix.os == 'ubuntu-latest'
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y cmake clang libhwloc-dev libnuma-dev libjemalloc-dev libtbb-dev
+
+    # Latest distros do not allow global pip installation
+    - name: "[Lin] Install Python requirements in venv"
+      if: matrix.os == 'ubuntu-latest'
+      run: |
+        python3 -m venv .venv
+        . .venv/bin/activate
+        echo "$PATH" >> $GITHUB_PATH
+        python3 -m pip install -r third_party/requirements.txt
+
+    - name: Configure CMake
+      run: >
+        cmake
+        -B ${{env.BUILD_DIR}}
+        ${{matrix.extra_build_option}}
+        -DCMAKE_INSTALL_PREFIX="${{env.INSTL_DIR}}"
+        -DCMAKE_PREFIX_PATH="${{env.VCPKG_PATH}}"
+        -DUMF_FORMAT_CODE_STYLE=OFF
+        -DUMF_DEVELOPER_MODE=ON
+        -DUMF_BUILD_LIBUMF_POOL_JEMALLOC=ON
+        -DUMF_BUILD_LEVEL_ZERO_PROVIDER=ON
+        -DUMF_BUILD_CUDA_PROVIDER=ON
+        -DUMF_TESTS_FAIL_ON_SKIP=ON
+
+    - name: Build
+      run: cmake --build ${{env.BUILD_DIR}} --config Release -j
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@b7bf0a3ed3ecfa44160715d7c442788f65f0f923 # v3.23.2

CMakeLists.txt

@@ -131,21 +131,14 @@ elseif(WINDOWS AND NOT UMF_DISABLE_HWLOC)
     set(HWLOC_ENABLE_TESTING OFF)
     set(HWLOC_SKIP_LSTOPO ON)
     set(HWLOC_SKIP_TOOLS ON)
-    set(HWLOC_PATCH
-        git
-        apply
-        ${PROJECT_SOURCE_DIR}/cmake/fix_coverity_issues.patch
-        ||
-        (exit 0))
 
     message(STATUS "Will fetch hwloc from ${UMF_HWLOC_REPO}")
 
     FetchContent_Declare(
         hwloc_targ
         GIT_REPOSITORY ${UMF_HWLOC_REPO}
         GIT_TAG ${UMF_HWLOC_TAG}
-        PATCH_COMMAND ${HWLOC_PATCH} SOURCE_SUBDIR contrib/windows-cmake/
-                      FIND_PACKAGE_ARGS)
+        SOURCE_SUBDIR contrib/windows-cmake/ FIND_PACKAGE_ARGS)
 
     FetchContent_GetProperties(hwloc_targ)
     if(NOT hwloc_targ_POPULATED)
@@ -162,20 +155,13 @@ elseif(WINDOWS AND NOT UMF_DISABLE_HWLOC)
     message(STATUS "    LIBHWLOC_LIBRARY_DIRS = ${LIBHWLOC_LIBRARY_DIRS}")
 elseif(NOT UMF_DISABLE_HWLOC)
     include(FetchContent)
-    set(HWLOC_PATCH
-        git
-        apply
-        ${PROJECT_SOURCE_DIR}/cmake/fix_coverity_issues.patch
-        ||
-        (exit 0))
 
     message(STATUS "Will fetch hwloc from ${UMF_HWLOC_REPO}")
 
     FetchContent_Declare(
         hwloc_targ
         GIT_REPOSITORY ${UMF_HWLOC_REPO}
-        GIT_TAG ${UMF_HWLOC_TAG}
-        PATCH_COMMAND ${HWLOC_PATCH})
+        GIT_TAG ${UMF_HWLOC_TAG})
 
     FetchContent_GetProperties(hwloc_targ)
     if(NOT hwloc_targ_POPULATED)
@@ -222,6 +208,22 @@ elseif(NOT UMF_DISABLE_HWLOC)
     message(STATUS "    LIBHWLOC_LIBRARY_DIRS = ${LIBHWLOC_LIBRARY_DIRS}")
 endif()
 
+if(hwloc_targ_SOURCE_DIR)
+    # apply security patch for HWLOC
+    execute_process(
+        COMMAND git apply ${PROJECT_SOURCE_DIR}/cmake/fix_coverity_issues.patch
+        WORKING_DIRECTORY ${hwloc_targ_SOURCE_DIR}
+        OUTPUT_VARIABLE UMF_HWLOC_PATCH_OUTPUT
+        ERROR_VARIABLE UMF_HWLOC_PATCH_ERROR)
+
+    if(UMF_HWLOC_PATCH_OUTPUT)
+        message(STATUS "HWLOC patch command output:\n${UMF_HWLOC_PATCH_OUTPUT}")
+    endif()
+    if(UMF_HWLOC_PATCH_ERROR)
+        message(WARNING "HWLOC patch command output:\n${UMF_HWLOC_PATCH_ERROR}")
+    endif()
+endif()
+
 # This build type check is not possible on Windows when CMAKE_BUILD_TYPE is not
 # set, because in this case the build type is determined after a CMake
 # configuration is done (at the build time)