ci: notify_maintainers: simplify scripts and use actions/github-script

Attempting once more to fix a 403 error in the notify_maintainers job.
Simplify the notify_maintainers.py script which now assu

ci: notify_maintainers: simplify scripts and use actions/github-script

Attempting once more to fix a 403 error in the notify_maintainers job.
Simplify the notify_maintainers.py script which now assumes the GitHub
environment with parameters passed as environment variables only and
make it output the message to stdout. It is then the responsibility of
the notify_maintainers job to post it, via the actions/github-script
action. In the tests I performed, the comment was successfully posted
by "github-actions (bot)".

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ci: notify_maintainers: fix source code comparison (really)

Fix yet another permission issue with the notify workflow [1]. The
GitHub Copilot gives the following diagnostic:

"pull_request_target do

ci: notify_maintainers: fix source code comparison (really)

Fix yet another permission issue with the notify workflow [1]. The
GitHub Copilot gives the following diagnostic:

"pull_request_target does grant a write-capable GITHUB_TOKEN, but you
must run the trusted code (from the target/base branch) when using that
token. Your workflow checks that the notify script wasn't modified, but
then checks out the PR head and runs the script from the untrusted PR;
that makes the token unavailable/limited for writes."

Let's check out the PR head in the run: step of the job instead of
giving it to actions/checkout.

Link: https://github.com/OP-TEE/optee_os/actions/runs/19567616329/job/56033348650?pr=7584 [1]
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ci: notify_maintainers: fix source code comparison (really)

The PR branch head is not available in the default pull_request_target
checkout since it operates on the target branch (optee_os official

ci: notify_maintainers: fix source code comparison (really)

The PR branch head is not available in the default pull_request_target
checkout since it operates on the target branch (optee_os official
repository). A 'git fetch' is needed in order to make the PR code usable
in the subsequent tj-actions/changed-files.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ci: notify_maintainers: fix source code comparison

On a pull_request_target event, the code checked out by actions/checkout
is the base branch. Therefore, to compare the PR branch against the base
b

ci: notify_maintainers: fix source code comparison

On a pull_request_target event, the code checked out by actions/checkout
is the base branch. Therefore, to compare the PR branch against the base
branch tj-actions/changed-files needs to be given a reference to the PR
head. In other words, base_sha: should actually be the PR head, not the
base. Change it accordingly. Fixes the following error:

Similar commit hashes detected: previous sha: <xxx> is equivalent to
the current sha: <xxx>

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ci: update tj-actions/changed-files to version v46

Address the GitHub Dependabot security notification about compromised
tj-actions/changed-files.

Link: https://github.com/OP-TEE/optee_os/security/

ci: update tj-actions/changed-files to version v46

Address the GitHub Dependabot security notification about compromised
tj-actions/changed-files.

Link: https://github.com/OP-TEE/optee_os/security/dependabot/1 [1]
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Co-developed-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ci: move notify_maintainers to a separate workflow

The default ${{ secrets.GITHUB_TOKEN }} does not allow write access to
pull requests created from a fork, even when the permissions: block is
suppo

ci: move notify_maintainers to a separate workflow

The default ${{ secrets.GITHUB_TOKEN }} does not allow write access to
pull requests created from a fork, even when the permissions: block is
supposed to allow it (it does for PRs created from the same repository
but not from forks). As a result, the create_issue_comment() returns a
"403: Forbidden" error. See [1] for example.

Fix the issue by moving the notify_maintainers job to a separate
workflow which is triggered on the pull_request_target event. The
mechanism is explained in .github/workflows/notify.yml.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Link: https://github.com/OP-TEE/optee_os/actions/runs/19434849286/job/55602878593?pr=7426 [1]
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ci: add 'issues: write' permission for notify_maintainers.py

Add the write permission to issues to the CI workflow so that the
maintainer notification script is allowed to post comments. This should

ci: add 'issues: write' permission for notify_maintainers.py

Add the write permission to issues to the CI workflow so that the
maintainer notification script is allowed to post comments. This should
fix a 403 error [1]. In principle, 'pull-requests: write' should not
be needed.

Link: https://github.com/OP-TEE/optee_os/actions/runs/19324768252/job/55273243282?pr=7603 [1]
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ci: mention reviewers/maintainers from MAINTAINERS

Introduce a new Python script: notify_maintainers.py and run it in CI
as part of a new job. When invoked in the context of a pull request
against t

ci: mention reviewers/maintainers from MAINTAINERS

Introduce a new Python script: notify_maintainers.py and run it in CI
as part of a new job. When invoked in the context of a pull request
against the OP-TEE OS official project, it invokes get_maintainer.py
to find out the GitHub handles of the people to whom the change in the
PR is relevant. It then posts a comment so that these people may be
notified via email. People are mentioned only once per PR (they
normally receive subsequent messages automatically). The PR author,
assignees and requested reviewers (if any) are skipped since they are
already notified, as well as the default maintainers ("THE REST") who
are assumed to receive all PRs. The format of the comment is:

github-actions (bot) commented ...

FYI <handle1> <handle2>...

Note: Subsystem/platform maintainers who have their GitHub handle in
MAINTAINERS and who already "watch" the project will receive two emails
upon creation of a PR that touches their area of expertise: one when
the PR is created, and one shortly after when the script runs and the
GitHub bot tags them in a comment. Hopefully it is only a minor
inconvenience.

Note 2: The script was written with the help of generative AI. It was
reviewed, tested and modified by me.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
Reviewed-by: Rouven Czerwinski <rouven.czerwinski@linaro.org>

show more ...

ci: add builds for dynamic protected memory

Add two builds for dynamic protected memory, one with and one without
FF-A.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Fo

ci: add builds for dynamic protected memory

Add two builds for dynamic protected memory, one with and one without
FF-A.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

plat: rpi5: add basic Raspberry Pi 5 support

RPi5 is based on new BCM2712 SoC which is based on quad Cortex-A76.

BCM2712 still does not provide secure memory so we are free to locate
OP-TEE anythin

plat: rpi5: add basic Raspberry Pi 5 support

RPi5 is based on new BCM2712 SoC which is based on quad Cortex-A76.

BCM2712 still does not provide secure memory so we are free to locate
OP-TEE anything we want. It would be most beneficial to locate OP-TEE
right after TF-A, at address 0x80000, but RPi5 loader places kernel
there and it's location can't be changed.

According to PCB silkscreen, RPi5 boards can have 1GB, 2GB, 4GB or 8GB
of memory. To be compatible with any variant, OP-TEE is placed close
to the end of the first gigabyte.

BCM2712 uses PL011 as debug UART so we enable its driver.

According to specification, BCM2712 includes cryptography extensions,
but this basic port does not enable them.

As there is no way to load OP-TEE image into memory during boot
process, TF-A with OPTEE_ALLOW_SMC_LOAD=1 option should be used. In
this case OP-TEE can be loaded via Linux kernel or U-Boot.

Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
Co-developed-by: Hugo Trippaers <htrippaers@schubergphilis.com>
Signed-off-by: Hugo Trippaers <htrippaers@schubergphilis.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

ci: build temporary Docker images

Instead of running the base CI image (jforissier/optee_os_ci:qemu_check)
and pulling the whole OP-TEE source tree (manifest.git) and toolchains
in each check job, d

ci: build temporary Docker images

Instead of running the base CI image (jforissier/optee_os_ci:qemu_check)
and pulling the whole OP-TEE source tree (manifest.git) and toolchains
in each check job, do it once per target platform (QEMUv7, QEMuv8, and
QEMUv8 on arm64) and save the image as a "job artifact". Each check
job then loads the image it needs and proceeds with the check command.
In addition to saving bandwidth on the external network, this has the
advantage of making the jobs easier to reproduce and investigate in case
of failure since it is easy to download the artifact from the CI page,
load it into Docker, and run the same make check command. There is a
small penalty on execution time for saving and restoring the image, but
it's only a few minutes at most.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ci: QEMUv8: run one command per job

Split the QEMUv8 jobs so that each jobs runs a single "make check"
command. This allows to make the job names more descriptive, and
potentially benefit more from

ci: QEMUv8: run one command per job

Split the QEMUv8 jobs so that each jobs runs a single "make check"
command. This allows to make the job names more descriptive, and
potentially benefit more from multiple parallel jobs.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat: Add support for Qualcomm Kodiak platform

Introduce initial Qualcomm platform support for the Kodiak which is the
SoC codename also known by product names SC7280/QCM6490 in upstream.

Acked-by:

plat: Add support for Qualcomm Kodiak platform

Introduce initial Qualcomm platform support for the Kodiak which is the
SoC codename also known by product names SC7280/QCM6490 in upstream.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Co-developed-by: Casey Connolly <casey.connolly@linaro.org>
Signed-off-by: Casey Connolly <casey.connolly@linaro.org>
Signed-off-by: Sumit Garg <sumit.garg@oss.qualcomm.com>

show more ...

ci: rework (host cleanup, matrix builds, Rust enabled, cancel on push)

This is a big cleanup of the CI file:

- Enable Rust again, effectively reverting commit 6c9dd3eb9fec ("ci:
disable Rust glob

ci: rework (host cleanup, matrix builds, Rust enabled, cancel on push)

This is a big cleanup of the CI file:

- Enable Rust again, effectively reverting commit 6c9dd3eb9fec ("ci:
disable Rust globally"). In order to do so, a "host cleanup" script
is introduced (scripts/ci-host-cleanup.sh). It is run by the QEMU
jobs before launching the CI Docker image. The script removes a bunch
of files that are not needed (~ 24 GB), thus leaving more space for
the Docker image to grow as the build proceeds. The script is mostly
copied from the teaclave-trustzone-sdk CI [1].
- Make the platform builds faster and easier to monitor by using the
matrix keyword to launch parallel jobs. Each platform build job now
has the target architecture and platforms clearly specified so it's
easy to see if a platform is broken from the GitHub actions page
without looking at the logs. This also reduces code duplication.
- The ci-cancel.yml workflow is replaced with the cancel-in-progress
setting in the concurrency block of the CI the workflow. This is
simpler and avoids the "Cancel obsolete CI" entries in the project's
actions log.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Link: https://github.com/apache/teaclave-trustzone-sdk/blob/f67a5ddcde3e/.github/workflows/reuse_test_in_optee_repo.yml#L40-L67 [1]
Acked-by: Yuan Zhuang <yuanz@apache.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ci: disable Rust globally

There has been several job failures due to insufficient disk space on
the CI runners recently. Commit a4b310d68bf8 ("ci: xen: disable Rust to
workaround "no space left on d

ci: disable Rust globally

There has been several job failures due to insufficient disk space on
the CI runners recently. Commit a4b310d68bf8 ("ci: xen: disable Rust to
workaround "no space left on device"") and commit 3d0429ac12cd ("ci:
hafnium: disable Rust to workaround "no space left on device"") fixed
individual jobs. Now other QEMUv8 jobs are failing too, probably because
of the upgrade of the optee_rust project [1]. Therefore, disable Rust
globally until a better solution is found.

Link: https://github.com/OP-TEE/manifest/commit/2987d8edf188 [1]
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ci: hafnium: disable Rust to workaround "no space left on device"

The GitHub Actions CI recently started to fail with a disk space error:

System.IO.IOException: No space left on device : '/home/run

ci: hafnium: disable Rust to workaround "no space left on device"

The GitHub Actions CI recently started to fail with a disk space error:

System.IO.IOException: No space left on device : '/home/runner/actions-runner/cached/_diag/Worker_20251015-153857-utc.log'

Apply the same workaround as in commit a4b310d68bf8 ("ci: xen: disable
Rust to workaround "no space left on device"").

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ci: xen: disable Rust to workaround "no space left on device"

The GitHub Actions CI recently started to fail with a disk space error:

[...]
2025-09-25T09:24:51.2006517Z >>> Finalizing host direct

ci: xen: disable Rust to workaround "no space left on device"

The GitHub Actions CI recently started to fail with a disk space error:

[...]
2025-09-25T09:24:51.2006517Z >>> Finalizing host directory
2025-09-25T09:24:51.2007142Z mkdir -p /__w/optee_os/optee_repo_qemu_v8/out-br/host
2025-09-25T09:24:51.2028001Z printf "%s/host/\n" bash busybox dtc host-acl host-attr host-autoconf host-automake host-blake3 host-ccache host-e2fsprogs host-fakeroot host-hiredis host-libtool host-m4 host-makedevs host-mkpasswd host-patchelf host-pkgconf host-skeleton host-util-linux host-xxhash host-zstd ifupdown-scripts initscripts keyutils libaio libcurl libffi libglib2 libopenssl libzlib mmc-utils ncurses opensc openssl optee_client_ext optee_examples_ext optee_os_ext optee_rust_examples_ext optee_test_ext pcre2 pcsc-lite pixman qemu readline skeleton skeleton-init-common skeleton-init-sysv slirp strace toolchain toolchain-external toolchain-external-custom tpm2-tools tpm2-tss urandom-scripts util-linux util-linux-libs xen_ext yajl zlib | tac | rsync -a --hard-links --files-from=- --no-R -r /__w/optee_os/optee_repo_qemu_v8/out-br/per-package /__w/optee_os/optee_repo_qemu_v8/out-br/host
2025-09-25T09:24:56.6942688Z rsync: [receiver] write failed on "/__w/optee_os/optee_repo_qemu_v8/out-br/host/lib/libLLVM.so.19.1-rust-1.86.0-stable": No space left on device (28)
2025-09-25T09:24:56.6943698Z rsync error: error in file IO (code 11) at receiver.c(381) [receiver=3.2.7]
2025-09-25T09:24:56.7952984Z rsync: [sender] write error: Broken pipe (32)
2025-09-25T09:24:56.7962889Z make[2]: *** [Makefile:717: host-finalize] Error 11
2025-09-25T09:24:56.7997049Z make[1]: *** [Makefile:23: _all] Error 2
2025-09-25T09:24:56.7998137Z make[1]: Leaving directory '/__w/optee_os/optee_repo_qemu_v8/out-br'
2025-09-25T09:24:56.7999290Z make: *** [common.mk:354: buildroot] Error 2

I could not identify which change exactly caused the limit to be reached,
and I didn't manage to identify any obvious waste of disk space in the
build. I noticed however that building with RUST_ENABLE=y (the default)
uses approximately 6 GB more than with RUST_ENABLE=n (27 GB vs 21 GB,
that's the size of the whole OP-TEE tree in the end).
The two "nightly" Rust toolchains that are downloaded when optee_rust is
built account for 1.6 GB on their own.

Therefore, and until we find a better solution or GitHub increases the
disk space allocated to CI jobs, disable Rust in the Xen and Xen FF-A
jobs. This allows the Xen jobs to pass again.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ci: add STM32MP23 platforms build

Adds STM32MP235f-dk board build to the CI.

Signed-off-by: Thomas Bourgoin <thomas.bourgoin@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

github: update stale workflow to v10.0.0

Update actions/stale@v4.1.0 to the latest version (v10.0.0). One
difference is that issues and PRs are closed by the bot as
"not_planned" rather than "comple

github: update stale workflow to v10.0.0

Update actions/stale@v4.1.0 to the latest version (v10.0.0). One
difference is that issues and PRs are closed by the bot as
"not_planned" rather than "completed", which is the main reason for
updating.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ci: add build stm32mp215f-dk with SCP firmware

Add CI rules to build the board STM32MP215F-DK with the SCMI server.

Signed-off-by: Thomas Bourgoin <thomas.bourgoin@foss.st.com>
Acked-by: Jerome For

ci: add build stm32mp215f-dk with SCP firmware

Add CI rules to build the board STM32MP215F-DK with the SCMI server.

Signed-off-by: Thomas Bourgoin <thomas.bourgoin@foss.st.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Acked-by: Gatien Chevallier <gatien.chevallier@foss.st.com>

show more ...

ci: remove build stm32mp2 without SCP firmware

STM32MP2x families can only be built with the SCMI server provided by
SCP firmware.
Remove builds of STM32MP2 families executed without the SCP firmwar

ci: remove build stm32mp2 without SCP firmware

STM32MP2x families can only be built with the SCMI server provided by
SCP firmware.
Remove builds of STM32MP2 families executed without the SCP firmware.

Signed-off-by: Thomas Bourgoin <thomas.bourgoin@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Acked-by: Gatien Chevallier <gatien.chevallier@foss.st.com>

show more ...

ci: add build for PLATFORM=vexpress-qemu_sbsa

Add a compile test for PLATFORM=vexpress-qemu_sbsa.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carri

ci: add build for PLATFORM=vexpress-qemu_sbsa

Add a compile test for PLATFORM=vexpress-qemu_sbsa.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

ci: add test run with ASan stack instrumentation

Setting CFG_DYN_CONFIG=n enables additional ASan stack
instrumentation, which helps detect stack memory errors.

Signed-off-by: Aleksandr Iashchenko

ci: add test run with ASan stack instrumentation

Setting CFG_DYN_CONFIG=n enables additional ASan stack
instrumentation, which helps detect stack memory errors.

Signed-off-by: Aleksandr Iashchenko <aleksandr.iashchenko@linutronix.de>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat-marvell: Add support for CN20K SoCs

Add support for Octeon20(CN20K) SoCs from Marvell.

Only tested 64-bit mode with default configurations:

1. Build command
make PLATFORM=marvell-cn20ka
mak

plat-marvell: Add support for CN20K SoCs

Add support for Octeon20(CN20K) SoCs from Marvell.

Only tested 64-bit mode with default configurations:

1. Build command
make PLATFORM=marvell-cn20ka
make PLATFORM=marvell-cnf20ka
2. Passed xtest

Signed-off-by: Anil Kumar Reddy <areddy3@marvell.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Revert "ci: disable QEMUv8 Xen FF-A job"

This reverts commit 5297f233bb222febf97a33c4aebff2ecb48a43a4. The Linux
repository that is used in the OP-TEE OS CI has temporary fixes [1]
and the proper fi

Revert "ci: disable QEMUv8 Xen FF-A job"

This reverts commit 5297f233bb222febf97a33c4aebff2ecb48a43a4. The Linux
repository that is used in the OP-TEE OS CI has temporary fixes [1]
and the proper fixes are on their way upstream [2] [3].

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Link: https://github.com/linaro-swg/linux/pull/122 [1]
Link: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/drivers/tee?h=next-20250617&id=312d02adb959ea199372f375ada06e0186f651e4 [2]
Link: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/drivers?h=next-20250617&id=9ca7a421229bbdfbe2e1e628cff5cfa782720a10 [3]
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...