History log of /optee_os/.github/workflows/notify.yml (Results 1 – 6 of 6)
Revision Date Author Comments
# 023b04ce 26-Nov-2025 Jerome Forissier <jerome.forissier@linaro.org>

ci: notify_maintainers: simplify scripts and use actions/github-script

Attempting once more to fix a 403 error in the notify_maintainers job.
Simplify the notify_maintainers.py script which now assumes the GitHub
environment with parameters passed as environment variables only and
make it output the message to stdout. It is then the responsibility of
the notify_maintainers job to post it, via the actions/github-script
action. In the tests I performed, the comment was successfully posted
by "github-actions (bot)".

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>



# e97a138a 20-Nov-2025 Jerome Forissier <jerome.forissier@linaro.org>

ci: notify_maintainers: fix source code comparison (really)

Fix yet another permission issue with the notify workflow [1]. The
GitHub Copilot gives the following diagnostic:

"pull_request_target does grant a write-capable GITHUB_TOKEN, but you
must run the trusted code (from the target/base branch) when using that
token. Your workflow checks that the notify script wasn't modified, but
then checks out the PR head and runs the script from the untrusted PR;
that makes the token unavailable/limited for writes."

Let's check out the PR head in the run: step of the job instead of
giving it to actions/checkout.

Link: https://github.com/OP-TEE/optee_os/actions/runs/19567616329/job/56033348650?pr=7584 [1]
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>



# 3469b183 20-Nov-2025 Jerome Forissier <jerome.forissier@linaro.org>

ci: notify_maintainers: fix source code comparison (really)

The PR branch head is not available in the default pull_request_target
checkout since it operates on the target branch (optee_os official
repository). A 'git fetch' is needed in order to make the PR code usable
in the subsequent tj-actions/changed-files.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>



# 35c308f5 20-Nov-2025 Jerome Forissier <jerome.forissier@linaro.org>

ci: notify_maintainers: fix source code comparison

On a pull_request_target event, the code checked out by actions/checkout
is the base branch. Therefore, to compare the PR branch against the base
branch tj-actions/changed-files needs to be given a reference to the PR
head. In other words, base_sha: should actually be the PR head, not the
base. Change it accordingly. Fixes the following error:

Similar commit hashes detected: previous sha: <xxx> is equivalent to
the current sha: <xxx>

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>



# b9ff5765 19-Nov-2025 Jerome Forissier <jerome.forissier@linaro.org>

ci: update tj-actions/changed-files to version v46

Address the GitHub Dependabot security notification about compromised
tj-actions/changed-files.

Link: https://github.com/OP-TEE/optee_os/security/dependabot/1 [1]
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Co-developed-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>



# 72d6673e 18-Nov-2025 Jerome Forissier <jerome.forissier@linaro.org>

ci: move notify_maintainers to a separate workflow

The default ${{ secrets.GITHUB_TOKEN }} does not allow write access to
pull requests created from a fork, even when the permissions: block is
supposed to allow it (it does for PRs created from the same repository
but not from forks). As a result, the create_issue_comment() returns a
"403: Forbidden" error. See [1] for example.

Fix the issue by moving the notify_maintainers job to a separate
workflow which is triggered on the pull_request_target event. The
mechanism is explained in .github/workflows/notify.yml.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Link: https://github.com/OP-TEE/optee_os/actions/runs/19434849286/job/55602878593?pr=7426 [1]
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
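
The six commits above describe one design converging on the safe way to use pull_request_target: the write-capable GITHUB_TOKEN is only ever used by code from the base branch, the PR head is fetched as a ref but never checked out, the job refuses to run if the PR touches the notify tooling itself, and the comment is posted by actions/github-script. The workflow below is an added illustration of that pattern written for this page; it is not OP-TEE's notify.yml. It assumes the script lives at scripts/notify_maintainers.py, reads the list of changed files from a CHANGED_FILES environment variable and prints the comment body to stdout; it also computes the changed-file list with plain git instead of tj-actions/changed-files, so the only third-party actions are actions/checkout and actions/github-script.

```yaml
# Added example, not the project's workflow. Assumed: the script path,
# the CHANGED_FILES env var, and that the script prints the comment to stdout.
name: notify-maintainers (example)

on:
  pull_request_target:
    types: [opened, synchronize, reopened]

# pull_request_target hands out a write-capable token even for fork PRs;
# scope it to the one thing this job needs.
permissions:
  contents: read
  pull-requests: write

jobs:
  notify_maintainers:
    runs-on: ubuntu-latest
    steps:
      # On pull_request_target the default checkout is the base branch,
      # i.e. trusted code. Full history so the PR's base SHA is present.
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      # Bring the untrusted PR head into the repo as a ref only.
      # Nothing from it is checked out or executed.
      - name: Fetch PR head
        run: git fetch --no-tags origin "pull/${PR_NUMBER}/head:refs/remotes/pr/head"
        env:
          PR_NUMBER: ${{ github.event.pull_request.number }}

      # Refuse to continue if the PR modifies the workflow or the script
      # that is about to run with the write token.
      - name: Verify notify tooling is unchanged in the PR
        run: |
          if ! git diff --quiet "${BASE_SHA}" refs/remotes/pr/head -- \
                .github/workflows/notify.yml scripts/notify_maintainers.py; then
            echo "PR modifies the notify tooling; not running it with a write token" >&2
            exit 1
          fi
        env:
          BASE_SHA: ${{ github.event.pull_request.base.sha }}

      # Compare PR head against the PR's base and feed the file list to the
      # trusted copy of the script (from the base-branch checkout).
      - name: Build the notification message
        run: |
          CHANGED_FILES=$(git diff --name-only "${BASE_SHA}" refs/remotes/pr/head)
          export CHANGED_FILES
          python3 scripts/notify_maintainers.py > "${RUNNER_TEMP}/comment.md"
        env:
          BASE_SHA: ${{ github.event.pull_request.base.sha }}

      # Post the comment with the token via actions/github-script.
      - name: Post comment
        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            const body = fs.readFileSync(`${process.env.RUNNER_TEMP}/comment.md`, 'utf8');
            if (!body.trim()) return;
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.payload.pull_request.number,
              body,
            });
```

Two caveats a reviewer would raise on this pattern. First, the guard only protects the paths it lists: anything the script imports or reads at run time must either be on the list or come from the base-branch checkout, which it does here only because the PR head is never checked out. Second, the changed-file list itself is attacker-controlled input to the script (file names chosen by the PR author), so the script must treat it as data, never as shell or code.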
