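---
# The purpose of this workflow is to run the scripts/notify_maintainers.py
# for pull requests against the OP-TEE OS main repository in a secure way.
# It runs on the pull_request_target event, which grants write permission
# (issues: write) using the default short-lived GITHUB_TOKEN. Due to this
# write access to PRs and issues, to prevent security issues the
# pull_request_target event also checks out the code in the target branch,
# not the code from the PR. This code can therefore be trusted.
#
# 1. Job 'check_sensitive_files' determines if the PR modified any critical
#    files (.github/workflows/notify.yml or scripts/notify_maintainers.py).
# 2. Job 'notify_maintainers' runs conditionally:
#    - Automatically runs if no critical files were changed. It checks out
#      the PR branch and executes the notify_maintainers.py script.
#    - Requires manual approval (via "Re-run jobs") if critical files were
#      changed, enforcing a human security gate. In this case the job status
#      is 'skipped' so the workflow overall status is 'success' and no error
#      is shown. It is up to the project's admins to trigger a re-run or not.
#
# Trust boundary summary:
# - Job 1 runs only trusted (base branch) code plus the third-party
#   changed-files action; it never executes PR code.
# - Job 2 executes PR code (untrusted) with a token scoped to issues: write.
#   The only thing between an unreviewed script change and that token is the
#   file allowlist in job 1 and the re-run gate, so keep the allowlist in
#   sync with everything the script executes or imports.
# - Third-party actions below are referenced by mutable tags. GitHub's
#   hardening guidance is to pin them to a full commit SHA (for example
#   `tj-actions/changed-files@<full-commit-sha> # v46`) so that a retargeted
#   tag cannot change what runs with the token. TODO(review).

name: Maintainer notification
on:  # yamllint disable-line rule:truthy
  # Run on pull requests with trusted code checked out from the target branch
  pull_request_target:
    types: [opened, synchronize]
# Workflow-wide default: no write access unless a job asks for it explicitly
permissions:
  contents: read
jobs:
  # Runs on the official repository, uses trusted code to check PR changes
  check_sensitive_files:
    name: Check sensitive files
    runs-on: ubuntu-latest
    if: github.repository == 'OP-TEE/optee_os'
    outputs:
      # 'true' / 'false' string as emitted by the changed-files action
      script_modified: ${{ steps.files.outputs.any_changed }}
    steps:
      # Checkout the trusted base branch code
      - uses: actions/checkout@v4
        with:
          # Full history so the changed-files step below can diff the
          # trusted base against the PR head
          fetch-depth: 0
      - name: Get changed files between base and PR head
        id: files
        uses: tj-actions/changed-files@v46
        with:
          # Compare the checked out version (PR target branch, trusted) against
          # the PR head SHA (untrusted). Only file names are inspected here;
          # no PR code is executed in this job.
          base_sha: ${{ github.event.pull_request.head.sha }}
          # Allowlist of files whose modification must not run unreviewed.
          # NOTE(review): the script's own directory is on its Python import
          # path, so a sibling module under scripts/ would also be executed by
          # job 2 if the script imports one -- confirm the script has no local
          # imports, or widen this pattern to scripts/**
          files: |
            .github/workflows/notify.yml
            scripts/notify_maintainers.py
      - name: Show result
        env:
          # Pass the value through the environment instead of expanding the
          # expression inside the shell script
          ANY_CHANGED: ${{ steps.files.outputs.any_changed }}
        run: |
          echo "Sensitive files changed: ${ANY_CHANGED}"
  notify_maintainers:
    name: Notify maintainers
    runs-on: ubuntu-latest
    needs: check_sensitive_files
    env:
      PR_NUMBER: ${{ github.event.pull_request.number }}
      REPO: ${{ github.repository }}
    # Job-level permissions replace the workflow-level ones entirely, so
    # contents: read is repeated here; without it the checkout below would
    # rely on the repository being public.
    permissions:
      contents: read
      issues: write
    # Run automatically only when the sensitive files are untouched.
    # NOTE(review): the run_attempt > 1 clause is the manual gate described
    # above. It is satisfied by any re-run (including "Re-run failed jobs"
    # after a transient failure), not only by a deliberate approval, and any
    # collaborator permitted to re-run workflows can trigger it.
    if: |
      github.repository == 'OP-TEE/optee_os' &&
      (needs.check_sensitive_files.outputs.script_modified == 'false' ||
       github.run_attempt > 1)
    steps:
      # Checkout the untrusted code from the PR Branch. The immutable head SHA
      # from the event payload is used (not the branch ref), so this is the
      # same revision job 1 inspected.
      - name: Checkout PR code
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          # The untrusted checkout needs no git credentials; the script
          # receives the token explicitly via GITHUB_TOKEN below.
          persist-credentials: false
      - name: Install python3-github
        run: |
          sudo apt-get update
          # -y: do not wait for confirmation on a non-interactive runner
          sudo apt-get install -y python3-github
      - name: Run scripts/notify_maintainers.py
        env:
          # Short-lived token scoped by the job permissions above (issues: write)
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: scripts/notify_maintainers.py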
79