Regain control over the SDK libraries [new variant using rebuilt newlib from Debian sources)

[iartemov-ledger]

Description

Replacement for #1036
Corresponds to https://ledgerhq.atlassian.net/browse/B2CA-1995.

DONE

• libclang_rt.builtins replaces libgcc for Nano X, Stax and Flex targets, built using build_clangrt_builtins.sh script
• libc and libm have been updated from the ones built using build_newlib.sh script (newlib 3.3.0 from Debian 12 currently used for app-builder)
• the both are built using .github/workflows/build_clangrt_builtins.yml workflow (https://github.com/LedgerHQ/ledger-secure-sdk/actions/runs/17647456726 job and pushed through [SDK_LIBS_UPDATE] Updating static SDK libraries #1186 - it matches to the libs built from feat/regain_control_over_libs_2)
• Rust part is not be impacted - tested locally with app-boilerplate-rust and app-starknet apps. This is expected as Rust build does not seem to use libgcc.a and libm.a - only libc.a. So some improvements to be done later in the Rust SDK as follow Regain control over the SDK libraries for Rust ledger-device-rust-sdk#269
• remove libgcc from the SDK (still "used" by NanoS)? - let's do it in an independent PR cleaning up all occurrences!

Tests

• using API_LEVEL_24 derived branch and https://github.com/LedgerHQ/ledger-app-tester/actions/runs/17665725023 tests - see per app size comparison: https://docs.google.com/spreadsheets/d/10lRJbRVR3c8e0jBQqgb4xu2yBWZQiNXEoVCkfQiI1kw/edit?pli=1&gid=1027262762#gid=1027262762
• functions used in app-ethereum - see [[NEW] lib.c.newlib.rebuilt.armv-v8m] column in https://docs.google.com/spreadsheets/d/1qI_2yP-VMc6ze2DHbfCj5uHf3eDwh5NnysEewkuJuBw/edit?gid=1206824572#gid=1206824572
• performance impact - not visible with manual local tets. Tested also by comparing test execution time: https://docs.google.com/spreadsheets/d/10lRJbRVR3c8e0jBQqgb4xu2yBWZQiNXEoVCkfQiI1kw/edit?pli=1&gid=557969334#gid=557969334
• to test on physical device (NanoSP, Flex, app-bitcoin-new, app-boilerplate-rust, app-starknet)

Few other remarks

• the libs in question are not used for he Ledge rOS build
• once we switch to Debian 13 in app-builder we'll need to rebuild the libs and benefit among other from the newest newlib version 4.5.0

Changes include

• Bugfix (non-breaking change that solves an issue)
• New feature (non-breaking change that adds functionality)
• Breaking change (change that is not backwards-compatible and/or changes current functionality)
• Tests
• Documentation
• Other (for changes that might not fit in any category)

Breaking changes

Please complete this section if any breaking changes have been made, otherwise delete it.

Additional comments

[x] TARGET_API_LEVEL: API_LEVEL_24
[x] TARGET_API_LEVEL: API_LEVEL_25

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 62.58%. Comparing base (fddf1d7) to head (3954b8f).

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #1076   +/-   ##
=======================================
  Coverage   62.58%   62.58%           
=======================================
  Files          14       14           
  Lines        1860     1860           
=======================================
  Hits         1164     1164           
  Misses        696      696           

Flag	Coverage Δ
unittests	62.58% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[0pendev]

I'll leave @bboilot-ledger to look at the workflow 🙏

[bboilot-ledger]

Workflows look good to me! We could however enforce the GITHUB_TOKEN permissions. The fixes proposed by copilot should work well.

Note that it's recommended to use intermediate env variables in shell scripts as variable exponentiation (${{*}}) happens before the script execution which could result in code execution (https://docs.github.com/en/actions/reference/security/secure-use#use-an-intermediate-environment-variable). Also those variable should be escaped using double quotes to bind them to only one argument in case the variable contains spaces.
-> Since this workflow can only be triggered by a person with wirte access to the repository there's not much risk.