From 1bdbc07b1b31d82b8879483533a126f854cf02bf Mon Sep 17 00:00:00 2001 From: Sultan Alsawaf Date: Thu, 4 Dec 2025 19:10:26 -0800 Subject: [PATCH 1/3] github actions: Quote all script expressions that can have special chars Branch names and repository names can contain special characters. Quote all such expressions used in shell scripts. --- .github/workflows/validate-kernel-commits.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/validate-kernel-commits.yml b/.github/workflows/validate-kernel-commits.yml index 0efc012e9a844..901c245df832b 100644 --- a/.github/workflows/validate-kernel-commits.yml +++ b/.github/workflows/validate-kernel-commits.yml @@ -22,7 +22,7 @@ jobs: - name: Checkout base branch run: | - git fetch origin ${{ github.base_ref }}:${{ github.base_ref }} + git fetch origin "${{ github.base_ref }}":"${{ github.base_ref }}" - name: Checkout kernel-src-tree-tools uses: actions/checkout@v4 @@ -82,7 +82,7 @@ jobs: run: | if ! gh pr comment ${{ github.event.pull_request.number }} \ --body-file ckc_result.txt \ - --repo ${{ github.repository }}; then + --repo "${{ github.repository }}"; then echo "❌ Failed to post check-kernel-commits comment to PR" exit 1 fi @@ -146,7 +146,7 @@ jobs: run: | if ! gh pr comment ${{ github.event.pull_request.number }} \ --body-file interdiff_result.txt \ - --repo ${{ github.repository }}; then + --repo "${{ github.repository }}"; then echo "❌ Failed to post interdiff comment to PR" exit 1 fi @@ -176,8 +176,8 @@ jobs: set +e # Don't exit on error, we want to capture the output OUTPUT=$(python3 jira_pr_check.py \ --kernel-src-tree .. \ - --merge-target ${{ github.base_ref }} \ - --pr-branch ${{ github.head_ref }} 2>&1) + --merge-target "${{ github.base_ref }}" \ + --pr-branch "${{ github.head_ref }}" 2>&1) EXIT_CODE=$? # Filter out any potential credential leaks from output 
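Review bot: Quoting does not make `${{ github.head_ref }}` safe on the `--pr-branch` line of the @@ -176 hunk, because `${{ }}` substitution happens before bash parses the script, so a ref name containing `"`, `$(` or `;` (all legal in git refnames) is spliced in as shell syntax regardless of the surrounding quotes, and on pull requests from forks the head ref name is chosen by the PR author. The robust form is to pass the value through the step environment and reference the variable: add `HEAD_REF: ${{ github.head_ref }}` under the step's `env:` (the step already has one, outside this hunk) and change the line to `--pr-branch "$HEAD_REF" 2>&1)`. The same pattern applies to `github.base_ref` in the @@ -22 and @@ -176 hunks and to `github.repository` in the @@ -82, @@ -146, @@ -218 and @@ -231 hunks, although those values come from the base repository's own branch and repository names and are far less exposed. The quotes added here are still a correct hygiene step and should stay.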
@@ -218,7 +218,7 @@ jobs: run: | if ! gh pr comment ${{ github.event.pull_request.number }} \ --body "${{ steps.jira_check.outputs.output }}" \ - --repo ${{ github.repository }}; then + --repo "${{ github.repository }}"; then echo "❌ Failed to post JIRA check comment to PR" exit 1 fi @@ -231,7 +231,7 @@ jobs: gh pr review ${{ github.event.pull_request.number }} \ --request-changes \ --body "⚠️ This PR contains VULN tickets that do not match the target LTS product. Please review the JIRA ticket assignments and ensure they match the merge target branch." \ - --repo ${{ github.repository }} + --repo "${{ github.repository }}" - name: Fail workflow if JIRA errors found if: steps.jira_check.outcome == 'failure' From f55b7131d66960d106e83670b1b2acb4b92108f2 Mon Sep 17 00:00:00 2001 From: Jonathan Maple Date: Tue, 2 Dec 2025 13:06:47 -0500 Subject: [PATCH 2/3] github actions: Allow fork checkout for commit validation Since we have external contributors we need process each of the commits for faster reviews, validation that header information is correct and to check the state of our tickets so that is actually tracked correctly internally, on behalf of some external contributors. In addition the order of steps was reordered so the clone and checkout of the base repo and base branch was done first then the PR's were fetched and checked out next. This to ensure that our repo is the base of everything rather than the PR's repo which could be an external contributor. --- .github/workflows/validate-kernel-commits.yml | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/.github/workflows/validate-kernel-commits.yml b/.github/workflows/validate-kernel-commits.yml index 901c245df832b..3225ff8036e5b 100644 --- a/.github/workflows/validate-kernel-commits.yml +++ b/.github/workflows/validate-kernel-commits.yml 
@@ -14,15 +14,16 @@ jobs: timeout-minutes: 120 steps: - - name: Checkout PR branch + - name: Checkout base branch uses: actions/checkout@v4 with: fetch-depth: 0 - ref: ${{ github.head_ref }} + ref: ${{ github.base_ref }} - - name: Checkout base branch + - name: Fetch PR branch run: | - git fetch origin "${{ github.base_ref }}":"${{ github.base_ref }}" + git fetch "${{ github.event.pull_request.head.repo.clone_url }}" "${{ github.head_ref }}" + echo "HEAD_SHA=$(git rev-parse FETCH_HEAD)" >> "$GITHUB_ENV" - name: Checkout kernel-src-tree-tools uses: actions/checkout@v4 @@ -44,7 +45,7 @@ jobs: set -o pipefail # Capture exit code from python script, not tee python3 check_kernel_commits.py \ --repo .. \ - --pr_branch "${{ github.head_ref }}" \ + --pr_branch "$HEAD_SHA" \ --base_branch "${{ github.base_ref }}" \ --markdown \ --check-cves | tee ../ckc_result.txt @@ -108,7 +109,7 @@ jobs: set -o pipefail # Capture exit code from python script, not tee python3 run_interdiff.py \ --repo .. \ - --pr_branch "${{ github.head_ref }}" \ + --pr_branch "$HEAD_SHA" \ --base_branch "${{ github.base_ref }}" \ --markdown \ --interdiff ../patchutils/src/interdiff | tee ../interdiff_result.txt @@ -177,7 +178,7 @@ jobs: OUTPUT=$(python3 jira_pr_check.py \ --kernel-src-tree .. \ --merge-target "${{ github.base_ref }}" \ - --pr-branch "${{ github.head_ref }}" 2>&1) + --pr-branch "$HEAD_SHA" 2>&1) EXIT_CODE=$? # Filter out any potential credential leaks from output From 7dc7867e73719bfdea3dbea085b8e076726fd986 Mon Sep 17 00:00:00 2001 From: Jonathan Maple Date: Fri, 5 Dec 2025 11:04:21 -0500 Subject: [PATCH 3/3] github actions: Skip JIRA checks for forks There are many workflows that are useful without the JIRA checks from Forks. We're still evaluating how to best deal with this without a lot of engineer overhead to check external contributors. --- .github/workflows/validate-kernel-commits.yml | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) 
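Review bot: The new `git fetch` line in the @@ -14 hunk interpolates `github.event.pull_request.head.repo.clone_url` and `github.head_ref` directly into the shell; on a fork PR both are chosen by the PR author, and because `${{ }}` substitution happens before bash parses the script, the quotes do not neutralise a `"` or `$(` inside the ref name. The later hunks of this same patch already use the safer pattern (`"$HEAD_SHA"` read from the environment), so the fetch step should do the same through a step-level `env:` block. Separately, `git rev-parse FETCH_HEAD` records whatever the branch points to at fetch time rather than the commit the event was raised for, so a push between the event and the fetch changes what gets validated; `github.event.pull_request.head.sha` is pinned to the event and, as far as I know, is fetchable by SHA (it should also be reachable from origin via `refs/pull/<number>/head`) — worth confirming on this runner. Note also that `head.repo` is null once a fork has been deleted, which turns the first argument into an empty string.
```yaml
      - name: Fetch PR branch
        env:
          PR_CLONE_URL: ${{ github.event.pull_request.head.repo.clone_url }}
          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          git fetch "$PR_CLONE_URL" "$PR_HEAD_SHA"
          echo "HEAD_SHA=$PR_HEAD_SHA" >> "$GITHUB_ENV"
```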
diff --git a/.github/workflows/validate-kernel-commits.yml b/.github/workflows/validate-kernel-commits.yml index 3225ff8036e5b..550fe96592c88 100644 --- a/.github/workflows/validate-kernel-commits.yml +++ b/.github/workflows/validate-kernel-commits.yml @@ -152,18 +152,30 @@ jobs: exit 1 fi + - name: Determine if JIRA PR check should run + id: should_check_jira + run: | + if [ "${{ github.event.pull_request.head.repo.full_name }}" = "${{ github.repository }}" ]; then + echo "result=true" >> $GITHUB_OUTPUT + else + echo "result=false" >> $GITHUB_OUTPUT + fi + - name: Install JIRA PR Check dependencies + if: steps.should_check_jira.outputs.result == 'true' run: | python -m pip install --upgrade pip pip install jira - name: Mask JIRA credentials + if: steps.should_check_jira.outputs.result == 'true' run: | echo "::add-mask::${{ secrets.JIRA_API_TOKEN }}" echo "::add-mask::${{ secrets.JIRA_API_USER }}" echo "::add-mask::${{ secrets.JIRA_URL }}" - name: Run JIRA PR Check + if: steps.should_check_jira.outputs.result == 'true' id: jira_check continue-on-error: true # Allow PR comments to be posted before failing workflow env: @@ -213,7 +225,7 @@ jobs: exit $EXIT_CODE - name: Comment PR with JIRA issues - if: steps.jira_check.outputs.has_issues == 'true' + if: steps.should_check_jira.outputs.result == 'true' && steps.jira_check.outputs.has_issues == 'true' env: GH_TOKEN: ${{ github.token }} run: | @@ -225,7 +237,7 @@ jobs: fi - name: Request changes if LTS mismatch - if: steps.jira_check.outputs.has_lts_mismatch == 'true' + if: steps.should_check_jira.outputs.result == 'true' && steps.jira_check.outputs.has_lts_mismatch == 'true' env: GH_TOKEN: ${{ github.token }} run: | 
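Review bot: The `should_check_jira` step in the @@ -152 hunk does in a shell what the workflow expression language can do directly: `if: github.event.pull_request.head.repo.full_name == github.repository` on each of the four JIRA steps removes the `run:` block, the `$GITHUB_OUTPUT` writes and one more `${{ }}`-in-script interpolation (harmless here, since repository names cannot contain shell metacharacters, but at odds with the quoting theme of this series). If the step is kept, `>> $GITHUB_OUTPUT` should become `>> "$GITHUB_OUTPUT"` to match `"$GITHUB_ENV"` from the previous commit. The `steps.should_check_jira.outputs.result == 'true' &&` prefix added to the `if:` lines in the @@ -213, @@ -225 and @@ -235 hunks is redundant: when `jira_check` is skipped its outputs are empty and its `outcome` is `skipped`, so neither `has_issues == 'true'` nor `outcome == 'failure'` can hold — drop it, or add a comment such as `# defensive: jira_check is skipped on fork PRs` if the double guard is intentional. The gating itself is a sensible reduction of where the JIRA credentials are used, and a deleted-fork PR leaves `head.repo` null so the comparison correctly falls to the `false` branch.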
@@ -235,7 +247,7 @@ jobs: --repo "${{ github.repository }}" - name: Fail workflow if JIRA errors found - if: steps.jira_check.outcome == 'failure' + if: steps.should_check_jira.outputs.result == 'true' && steps.jira_check.outcome == 'failure' run: | echo "❌ JIRA PR check failed - errors were found in one or more commits" exit 1