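---
# The purpose of this workflow is to run the scripts/notify_maintainers.py
# for pull requests against the OP-TEE OS main repository in a secure way.
# It runs on the pull_request_target event, which grants write permission
# (issues: write) using the default short-lived GITHUB_TOKEN. Due to this
# write access to PRs and issues, to prevent security issues the
# pull_request_target event also checks out the code in the target branch,
# not the code from the PR. This code can therefore be trusted.
#
# 1. Job 'check_sensitive_files' determines if the PR modified any critical
#    files (.github/workflows/notify.yml or scripts/notify_maintainers.py).
# 2. Job 'notify_maintainers' runs conditionally:
#    - Automatically runs if no critical files were changed. It checks out
#      the PR head commit and executes the notify_maintainers.py script.
#    - Requires manual approval (via "Re-run jobs") if critical files were
#      changed, enforcing a human security gate. In this case the job status
#      is 'skipped' so the workflow overall status is 'success' and no error
#      is shown. It is up to the project's admins to trigger a re-run or not.
#
# The untrusted PR code is always fetched by the commit SHA recorded in the
# event payload (github.event.pull_request.head.sha), never by the mutable
# pull/N/head ref. This keeps the commit that the sensitive-file check (and a
# maintainer, on re-run) looked at identical to the commit that gets executed.

name: Maintainer notification

# Run on pull requests with trusted code checked out from the target branch
on:  # yamllint disable-line rule:truthy
  pull_request_target:
    types: [opened, synchronize]

permissions:
  contents: read

# NOTE(review): the third-party actions below (actions/checkout@v4,
# tj-actions/changed-files@v46) are referenced by mutable tags. Pinning each
# to a full commit SHA prevents a retargeted tag from changing the code that
# runs with this workflow's token.
jobs:
  # Runs on the official repository, uses trusted code to check PR changes
  check_sensitive_files:
    name: Check sensitive files
    runs-on: ubuntu-latest
    if: github.repository == 'OP-TEE/optee_os'
    outputs:
      script_modified: ${{ steps.files.outputs.any_changed }}
    steps:
      - uses: actions/checkout@v4
        with:
          # Checkout the trusted base branch code
          fetch-depth: 0
      - name: Fetch PR head commit
        env:
          # Commit SHA from the event payload: fixed for this run, not
          # affected by later pushes to the PR branch.
          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          # Also fetch the PR head commit so the comparison below can see it
          git fetch origin "${PR_HEAD_SHA}"
      - name: Get changed files between base and PR head
        id: files
        uses: tj-actions/changed-files@v46
        with:
          # Compare the checked out version (PR target branch, trusted) against
          # the PR head SHA (untrusted)
          base_sha: ${{ github.event.pull_request.head.sha }}
          files: |
            .github/workflows/notify.yml
            scripts/notify_maintainers.py
      - name: Show result
        env:
          # Passed through the environment rather than interpolated into the
          # script text, so the shell never parses an expression result.
          SENSITIVE_CHANGED: ${{ steps.files.outputs.any_changed }}
        run: |
          echo "Sensitive files changed: ${SENSITIVE_CHANGED}"

  notify_maintainers:
    name: Notify maintainers
    runs-on: ubuntu-latest
    needs: check_sensitive_files
    env:
      PR_NUMBER: ${{ github.event.pull_request.number }}
      # Commit SHA from the event payload; see the header comment.
      PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
      REPO: ${{ github.repository }}
    permissions:
      issues: write
    # Runs automatically only when the trusted check saw no sensitive change.
    # Any re-run (run_attempt > 1) satisfies the second condition regardless
    # of its reason: that is the manual approval gate described above.
    if: |
      github.repository == 'OP-TEE/optee_os' &&
      (needs.check_sensitive_files.outputs.script_modified == 'false' ||
       github.run_attempt > 1)
    steps:
      # On pull_request_target this checks out the trusted target branch;
      # the untrusted PR commit is fetched explicitly in the last step.
      - name: Checkout PR code
        uses: actions/checkout@v4
      - name: Install python3-github
        run: |
          sudo apt-get update
          # -y: never wait for a confirmation prompt on a non-interactive runner
          sudo apt-get install -y python3-github
      - name: Run scripts/notify_maintainers.py
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # Checkout the untrusted code from the PR, pinned to the commit SHA
          # in the event payload rather than the mutable pull/N/head ref, so a
          # re-run executes exactly the commit that was reviewed.
          git fetch origin "${PR_HEAD_SHA}" && git checkout "${PR_HEAD_SHA}"
          scripts/notify_maintainers.py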