# The purpose of this workflow is to run the scripts/notify_maintainers.py
# for pull requests against the OP-TEE OS main repository in a secure way.
# It runs on the pull_request_target event, which grants write permission
# (issues: write) using the default short-lived GITHUB_TOKEN. Due to this
# write access to PRs and issues, to prevent security issues the
# pull_request_target event also checks out the code in the target branch,
# not the code from the PR. This code can therefore be trusted.
#
# 1. Job 'check_sensitive_files' determines if the PR modified any critical
#    files (.github/workflows/notify.yml or scripts/notify_maintainers.py).
# 2. Job 'notify_maintainers' runs conditionally:
#    - Automatically runs if no critical files were changed. It checks out
#      the PR branch and executes the notify_maintainers.py script.
#    - Requires manual approval (via "Re-run jobs") if critical files were
#      changed, enforcing a human security gate. In this case the job status
#      is 'skipped' so the workflow overall status is 'success' and no error
#      is shown. It is up to the project's admins to trigger a re-run or not.

name: Maintainer notification
on:
  # Run on pull requests with trusted code checked out from the target branch
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: read
jobs:
  # Runs on the official repository, uses trusted code to check PR changes
  check_sensitive_files:
    name: Check sensitive files
    runs-on: ubuntu-latest
    if: github.repository == 'OP-TEE/optee_os'
    outputs:
      script_modified: ${{ steps.files.outputs.any_changed }}
    steps:
      - uses: actions/checkout@v4
        with:
          # Checkout the trusted base branch code
          fetch-depth: 0
      - name: Fetch PR head ref
        run: |
          # Also fetch the head of the PR branch
          git fetch origin pull/${{ github.event.pull_request.number }}/head
      - name: Get changed files between base and PR head
        id: files
        uses: tj-actions/changed-files@v46
        with:
          # Compare the checked out version (PR target branch, trusted) against
          # the PR head SHA (untrusted)
          base_sha: ${{ github.event.pull_request.head.sha }}
          files: |
            .github/workflows/notify.yml
            scripts/notify_maintainers.py
      - name: Show result
        run: |
          echo "Sensitive files changed: ${{ steps.files.outputs.any_changed }}"
  notify_maintainers:
    name: Notify maintainers
    runs-on: ubuntu-latest
    needs: check_sensitive_files
    env:
      PR_NUMBER: ${{ github.event.pull_request.number }}
      REPO: ${{ github.repository }}
    permissions:
      issues: write
    if: |
      github.repository == 'OP-TEE/optee_os' &&
      (needs.check_sensitive_files.outputs.script_modified == 'false' ||
       github.run_attempt > 1)
    steps:
      - name: Checkout PR code
        uses: actions/checkout@v4
      - name: Install python3-github
        run: |
          sudo apt-get update
          sudo apt-get install python3-github
      - name: Run scripts/notify_maintainers.py
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # Checkout the untrusted code from the PR Branch
          git fetch origin pull/${PR_NUMBER}/head && git checkout FETCH_HEAD
          scripts/notify_maintainers.py
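The sensitive-file check that job 'check_sensitive_files' delegates to tj-actions/changed-files, reproduced offline with plain git as an added example (not part of the OP-TEE workflow). The repository it builds is constructed sample data and the function names are assumptions; it shows why the docs-only PR may run unattended while the PR editing the script must wait for the human gate.

```shell
#!/bin/sh
# Added example, not part of the OP-TEE workflow. It reproduces offline the
# question job 'check_sensitive_files' hands to tj-actions/changed-files:
# between the trusted base and the (untrusted) PR head, did any protected
# path change? Only path names are read; nothing from the PR head is run.
# Function names (sensitive_changed, commit_file, run_demo) are assumptions.

SENSITIVE_FILES=".github/workflows/notify.yml scripts/notify_maintainers.py"

# sensitive_changed REPO_DIR BASE_REF HEAD_REF -> prints "true" or "false",
# mirroring the any_changed output the workflow exports as script_modified.
sensitive_changed() {
  # Word-splitting of SENSITIVE_FILES into separate pathspecs is intended.
  changed=$(git -C "$1" diff --name-only "$2" "$3" -- $SENSITIVE_FILES)
  if [ -n "$changed" ]; then echo true; else echo false; fi
}

# commit_file REPO_DIR PATH CONTENT MESSAGE -> prints the new commit id
commit_file() {
  mkdir -p "$1/$(dirname "$2")"
  printf '%s\n' "$3" > "$1/$2"
  git -C "$1" add -A
  git -C "$1" commit -q -m "$4"
  git -C "$1" rev-parse HEAD
}

# Build a throwaway repository (constructed data) holding one trusted base
# commit and two candidate PR heads, then print both verdicts: "false" for
# the docs-only PR, "true" for the PR that edits the privileged script.
run_demo() {
  export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
  export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
  repo=$(mktemp -d)
  git -C "$repo" init -q
  commit_file "$repo" scripts/notify_maintainers.py "print('notify')" "add script" >/dev/null
  base=$(commit_file "$repo" .github/workflows/notify.yml "name: Maintainer notification" "add workflow")
  # PR 1 touches documentation only: safe to run automatically.
  pr_docs=$(commit_file "$repo" README.md "docs change" "docs PR")
  # PR 2 (on top of PR 1) edits the script the issues:write job would execute.
  pr_script=$(commit_file "$repo" scripts/notify_maintainers.py "print('changed')" "script PR")
  verdict_docs=$(sensitive_changed "$repo" "$base" "$pr_docs")
  verdict_script=$(sensitive_changed "$repo" "$base" "$pr_script")
  rm -rf "$repo"
  echo "$verdict_docs $verdict_script"
}

run_demo   # prints: false true
```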