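---
# The purpose of this workflow is to run the scripts/notify_maintainers.py
# for pull requests against the OP-TEE OS main repository in a secure way.
# It runs on the pull_request_target event, which grants write permission
# (pull-requests: write, declared below) using the default short-lived
# GITHUB_TOKEN. Due to this write access to PRs and issues, to prevent
# security issues the pull_request_target event also checks out the code in
# the target branch, not the code from the PR. This code can therefore be
# trusted.
#
# What must NOT be trusted is data derived from the PR itself (title, body,
# branch name, author, changed paths). Anything that may carry such data is
# passed to later steps through environment variables, never expanded with
# ${{ }} inside a shell or JavaScript source line, because an expression
# expansion is spliced into the source verbatim before it is interpreted.

name: Maintainer notification

on:
  pull_request_target:
    types: [opened, synchronize]

# Least privilege for the token: read the tree, comment on the PR, nothing else.
permissions:
  contents: read
  pull-requests: write

jobs:
  notify-maintainers:
    runs-on: ubuntu-latest
    steps:
      # On pull_request_target, checkout without an explicit `ref` fetches the
      # base branch, which is what keeps the script below trustworthy. Never add
      # `ref: ${{ github.event.pull_request.head.sha }}` here.
      # NOTE(review): pinning third-party actions to a full commit SHA instead of
      # a tag would also protect against a moved or compromised tag.
      - name: Checkout base branch
        uses: actions/checkout@v4

      - name: Install python3-github
        run: |
          sudo apt-get update
          # -y: the runner has no interactive stdin to answer the prompt.
          sudo apt-get install -y python3-github

      # Runs the (trusted, base-branch) script and forwards only the
      # `message=` lines it prints as a step output. The default bash shell for
      # `run` has pipefail enabled, so a failing script still fails the step.
      - name: Compute maintainers
        id: compute
        env:
          REPO: ${{ github.repository }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          python3 scripts/notify_maintainers.py | tee output.txt
          grep message= output.txt >> "$GITHUB_OUTPUT"

      - name: Comment on PR
        if: steps.compute.outputs.message != ''
        uses: actions/github-script@v8
        env:
          # The message is handed over via the environment. Expanding
          # ${{ steps.compute.outputs.message }} directly inside the script
          # would make any quote, backslash or newline in the message part of
          # the JavaScript source (script injection) if the script ever echoes
          # PR-supplied text; process.env keeps it a plain string value.
          MESSAGE: ${{ steps.compute.outputs.message }}
        with:
          script: |
            const message = process.env.MESSAGE;
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: message
            });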