xref: /optee_os/.github/workflows/notify.yml (revision 023b04ce9a01a2b211891d5d17e463069e519369)
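# The purpose of this workflow is to run the scripts/notify_maintainers.py
# for pull requests against the OP-TEE OS main repository in a secure way.
# It runs on the pull_request_target event, which grants write permission
# (pull-requests: write, see the permissions block below) using the default
# short-lived GITHUB_TOKEN. Due to this write access to PRs and issues, to
# prevent security issues the pull_request_target event also checks out the
# code in the target branch, not the code from the PR. The checked-out code
# can therefore be trusted. Data *about* the PR (title, branch name, changed
# file names, ...) still comes from the PR author and is treated as untrusted
# input: it is only ever passed to steps through environment variables,
# never expanded with ${{ }} inside a script body.

name: Maintainer notification
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: read
  pull-requests: write
jobs:
  notify-maintainers:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout base branch
        uses: actions/checkout@v4
        with:
          # No later step pushes or fetches with git, so do not leave the
          # token in .git/config for the rest of the job.
          persist-credentials: false
      - name: Install python3-github
        run: |
          sudo apt-get update
          # -y: the runner has no interactive terminal to answer the prompt.
          sudo apt-get install -y python3-github
      - name: Compute maintainers
        id: compute
        env:
          REPO: ${{ github.repository }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # The script's 'message=...' line becomes the step output
          # 'message'; the 'Comment on PR' step is skipped when it is empty.
          # The anchored grep keeps any other output line from being written
          # to GITHUB_OUTPUT as an additional step output. If no such line is
          # printed, grep exits non-zero and the job fails.
          python3 scripts/notify_maintainers.py | tee output.txt
          grep '^message=' output.txt >> "$GITHUB_OUTPUT"
      - name: Comment on PR
        if: steps.compute.outputs.message != ''
        uses: actions/github-script@v8
        env:
          # Hand the message to the script through the environment instead of
          # expanding ${{ }} inside the script source: the output may carry
          # PR-derived text, and a '"' or line break in it would otherwise
          # terminate the string literal and be evaluated as JavaScript.
          MESSAGE: ${{ steps.compute.outputs.message }}
        with:
          script: |
            const message = process.env.MESSAGE;
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: message
            });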