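# The purpose of this workflow is to run the scripts/notify_maintainers.py
# for pull requests against the OP-TEE OS main repository in a secure way.
# It runs on the pull_request_target event, which grants write permission
# (issues: write) using the default short-lived GITHUB_TOKEN. Because of
# this write access to PRs and issues, the pull_request_target event checks
# out the target branch by default rather than the PR head, so the code in
# that default checkout can be trusted.
#
# 1. Job 'check_sensitive_files' determines if the PR modified any critical
#    files (.github/workflows/notify.yml or anything under scripts/). The
#    whole scripts/ directory is covered, not only notify_maintainers.py,
#    because the script is later executed from the untrusted PR checkout and
#    Python resolves imports from the script's own directory before the
#    system packages: a new or modified sibling file there is as sensitive
#    as the script itself.
# 2. Job 'notify_maintainers' runs conditionally:
#    - Automatically runs if no critical files were changed. It checks out
#      the PR branch and executes the notify_maintainers.py script.
#    - Requires manual approval (via "Re-run jobs") if critical files were
#      changed, enforcing a human security gate. In this case the job status
#      is 'skipped' so the workflow overall status is 'success' and no error
#      is shown. It is up to the project's admins to trigger a re-run or not.
#
# Both jobs work on the same commit: github.event.pull_request.head.sha is
# fixed for the lifetime of a workflow run, so the SHA that is checked for
# sensitive changes is the SHA whose script is executed.

name: Maintainer notification
on:  # yamllint disable-line rule:truthy
  # Run on pull requests with trusted code checked out from the target branch
  pull_request_target:
    types: [opened, synchronize]
# Default for every job: read-only. The notify job widens this explicitly.
permissions:
  contents: read
jobs:
  # Runs on the official repository, uses trusted code to check PR changes
  check_sensitive_files:
    name: Check sensitive files
    runs-on: ubuntu-latest
    if: github.repository == 'OP-TEE/optee_os'
    outputs:
      # 'true' / 'false' as a string; anything else (step failed, output
      # missing) makes the consumer's == 'false' test fail closed.
      script_modified: ${{ steps.files.outputs.any_changed }}
    steps:
      # NOTE(review): third-party actions are referenced by mutable tag here
      # and below; pinning each to a full commit SHA
      # (uses: owner/repo@<40-hex-commit-sha>  # vN) prevents a re-pointed
      # tag from changing what runs with this workflow's token.
      - uses: actions/checkout@v4
        with:
          # Checkout the trusted base branch code with full history so the
          # base..head diff below can be computed
          fetch-depth: 0
      - name: Get changed files between base and PR head
        id: files
        uses: tj-actions/changed-files@v46
        with:
          # Compare the base SHA (trusted) against the PR head SHA (untrusted).
          # Both come from the event payload, so the diff covers exactly the
          # commit that the notify job checks out, independent of the
          # action's own defaults.
          base_sha: ${{ github.event.pull_request.base.sha }}
          sha: ${{ github.event.pull_request.head.sha }}
          files: |
            .github/workflows/notify.yml
            scripts/**
      - name: Show result
        run: |
          echo "Sensitive files changed: ${{ steps.files.outputs.any_changed }}"
  notify_maintainers:
    name: Notify maintainers
    runs-on: ubuntu-latest
    needs: check_sensitive_files
    env:
      PR_NUMBER: ${{ github.event.pull_request.number }}
      REPO: ${{ github.repository }}
    # Job-level permissions replace the workflow defaults, so contents: read
    # is restated; issues: write is the only extra scope the script gets.
    permissions:
      contents: read
      issues: write
    if: |
      github.repository == 'OP-TEE/optee_os' &&
      (needs.check_sensitive_files.outputs.script_modified == 'false' ||
       github.run_attempt > 1)
    steps:
      # Checkout the untrusted code from the PR Branch
      - name: Checkout PR code
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Install python3-github
        # Dependencies come from the distribution, never from the PR tree;
        # -y keeps apt-get from prompting on the non-interactive runner
        run: |
          sudo apt-get update
          sudo apt-get install -y python3-github
      - name: Run scripts/notify_maintainers.py
        env:
          # Short-lived token scoped by the job permissions above; it is the
          # only secret exposed to the untrusted script
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: scripts/notify_maintainers.py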