xref: /optee_os/.github/workflows/notify.yml (revision b9ff57657e12261ee2eca59c2f565803ba3e947d)
1# The purpose of this workflow is to run the scripts/notify_maintainers.py
2# for pull requests against the OP-TEE OS main repository in a secure way.
# It runs on the pull_request_target event which, unlike pull_request for a
# fork, has access to secrets and can be granted write permission
# (issues: write) on the default short-lived GITHUB_TOKEN. Because of that
# write access, pull_request_target evaluates this workflow file from the
# target branch and actions/checkout defaults to the target branch, not to
# the PR head, so that code can be trusted. Anything explicitly checked out
# from the PR head (as the second job does) is untrusted.
8#
9# 1. Job 'check_sensitive_files' determines if the PR modified any critical
10#    files (.github/workflows/notify.yml or scripts/notify_maintainers.py).
11# 2. Job 'notify_maintainers' runs conditionally:
12#    - Automatically runs if no critical files were changed. It checks out
13#      the PR branch and executes the notify_maintainers.py script.
#    - Requires manual approval (via "Re-run jobs") if critical files were
#      changed, enforcing a human security gate. In this case the job status
#      is 'skipped' so the workflow overall status is 'success' and no error
#      is shown. It is up to the project's admins to trigger a re-run or not;
#      a re-run executes the PR's version of the script with issues: write,
#      so the modified files must be reviewed before re-running.
18
name: Maintainer notification

on:
  # pull_request_target runs in the context of the base branch: the workflow
  # definition and the default checkout come from the trusted side, which is
  # what makes handing a write-capable token to a job below acceptable at all.
  pull_request_target:
    types:
      - opened
      - synchronize

# Least privilege by default for every job; the single job that needs more
# (issues: write) opts in with its own permissions block.
permissions:
  contents: read
26jobs:
27  # Runs on the official repository, uses trusted code to check PR changes
28  check_sensitive_files:
29    name: Check sensitive files
30    runs-on: ubuntu-latest
31    if: github.repository == 'OP-TEE/optee_os'
32    outputs:
33      script_modified: ${{ steps.files.outputs.any_changed }}
34    steps:
35      - uses: actions/checkout@v4
36        with:
37          # Checkout the trusted base branch code
38          fetch-depth: 0
39      - name: Get changed files between base and PR head
40        id: files
41        uses: tj-actions/changed-files@v46
42        with:
43          # Compare the base SHA (trusted) against the PR head SHA (untrusted)
44          base_sha: ${{ github.event.pull_request.base.sha }}
45          files: |
46            .github/workflows/notify.yml
47            scripts/notify_maintainers.py
48      - name: Show result
49        run: |
50          echo "Sensitive files changed: ${{ steps.files.outputs.any_changed }}"
51  notify_maintainers:
52    name: Notify maintainers
53    runs-on: ubuntu-latest
54    needs: check_sensitive_files
55    env:
56      PR_NUMBER: ${{ github.event.pull_request.number }}
57      REPO: ${{ github.repository }}
58    permissions:
59      issues: write
60    if: |
61      github.repository == 'OP-TEE/optee_os' &&
62      (needs.check_sensitive_files.outputs.script_modified == 'false' ||
63       github.run_attempt > 1)
64    steps:
65      # Checkout the untrusted code from the PR Branch
66      - name: Checkout PR code
67        uses: actions/checkout@v4
68        with:
69          ref: ${{ github.event.pull_request.head.sha }}
70      - name: Install python3-github
71        run: |
72          sudo apt-get update
73          sudo apt-get install python3-github
74      - name: Run scripts/notify_maintainers.py
75        env:
76          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
77        run: scripts/notify_maintainers.py
78