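# The purpose of this workflow is to run the scripts/notify_maintainers.py
# for pull requests against the OP-TEE OS main repository in a secure way.
# It runs on the pull_request_target event, which grants write permission
# (issues: write) using the default short-lived GITHUB_TOKEN. Due to this
# write access to PRs and issues, to prevent security issues the
# pull_request_target event also checks out the code in the target branch,
# not the code from the PR. This code can therefore be trusted.
#
# 1. Job 'check_sensitive_files' determines if the PR modified any critical
#    files (.github/workflows/notify.yml or scripts/notify_maintainers.py).
# 2. Job 'notify_maintainers' runs conditionally:
#    - Automatically runs if no critical files were changed. It checks out
#      the PR branch and executes the notify_maintainers.py script.
#    - Requires manual approval (via "Re-run jobs") if critical files were
#      changed, enforcing a human security gate. In this case the job status
#      is 'skipped' so the workflow overall status is 'success' and no error
#      is shown. It is up to the project's admins to trigger a re-run or not.
#
# Both jobs pin the PR code to github.event.pull_request.head.sha, the commit
# this run was triggered for, instead of the moving pull/N/head ref. That way
# the commit inspected by 'check_sensitive_files' is the commit that
# 'notify_maintainers' executes, even if the PR branch is pushed to while the
# run is in progress.

---
name: Maintainer notification
on:  # yamllint disable-line rule:truthy
  # Run on pull requests with trusted code checked out from the target branch
  pull_request_target:
    types: [opened, synchronize]

# Workflow default: read-only. A job-level 'permissions' block replaces this
# default entirely for that job, so jobs that need it restate 'contents: read'.
permissions:
  contents: read

jobs:
  # Runs on the official repository, uses trusted code to check PR changes
  check_sensitive_files:
    name: Check sensitive files
    runs-on: ubuntu-latest
    if: github.repository == 'OP-TEE/optee_os'
    outputs:
      # 'true' or 'false' as a string. If the step did not produce a value the
      # output is empty, which keeps the gate in 'notify_maintainers' closed.
      script_modified: ${{ steps.files.outputs.any_changed }}
    env:
      # Head commit of the PR as recorded in the event payload
      PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
    steps:
      - uses: actions/checkout@v4
        with:
          # Checkout the trusted base branch code with full history so the
          # diff against the PR head commit can be computed
          fetch-depth: 0
      - name: Fetch PR head commit
        run: |
          # Fetch exactly the commit the event refers to, not pull/N/head,
          # which may already point at a newer push
          git fetch origin "${PR_HEAD_SHA}"
      - name: Get changed files between base and PR head
        id: files
        uses: tj-actions/changed-files@v46
        with:
          # Compare the checked out version (PR target branch, trusted) against
          # the PR head SHA (untrusted)
          base_sha: ${{ github.event.pull_request.head.sha }}
          # NOTE(review): Python resolves imports from the script's own
          # directory first; if notify_maintainers.py imports sibling modules
          # from scripts/, those files belong on this list as well — confirm
          # against the script.
          files: |
            .github/workflows/notify.yml
            scripts/notify_maintainers.py
      - name: Show result
        env:
          ANY_CHANGED: ${{ steps.files.outputs.any_changed }}
        run: |
          echo "Sensitive files changed: ${ANY_CHANGED}"

  notify_maintainers:
    name: Notify maintainers
    runs-on: ubuntu-latest
    needs: check_sensitive_files
    env:
      PR_NUMBER: ${{ github.event.pull_request.number }}
      # Same commit that 'check_sensitive_files' inspected
      PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
      REPO: ${{ github.repository }}
    # Job-level permissions replace the workflow-level block, so 'contents:
    # read' is restated here; every other scope stays 'none'.
    permissions:
      contents: read
      issues: write
    # Gate: run automatically only when the sensitive files are untouched.
    # A re-run (run_attempt > 1) requires write access to the repository and
    # is the manual approval step described in the header comment.
    if: |
      github.repository == 'OP-TEE/optee_os' &&
      (needs.check_sensitive_files.outputs.script_modified == 'false' ||
       github.run_attempt > 1)
    steps:
      - name: Checkout base branch (trusted)
        uses: actions/checkout@v4
        with:
          # The untrusted PR script runs inside this checkout; do not leave
          # the GITHUB_TOKEN in .git/config. The script receives the token
          # explicitly via its own env below, and the fetch of the public
          # repository does not need credentials.
          persist-credentials: false
      - name: Install python3-github
        run: |
          sudo apt-get update
          # -y: there is no terminal to answer the dependency prompt
          sudo apt-get install -y python3-github
      - name: Run scripts/notify_maintainers.py
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # Checkout the untrusted code from the PR branch, pinned to the
          # commit that 'check_sensitive_files' inspected
          git fetch origin "${PR_HEAD_SHA}" && git checkout FETCH_HEAD
          scripts/notify_maintainers.py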