43 changes: 28 additions & 15 deletions .github/workflows/validate-kernel-commits.yml
Expand Up @@ -14,15 +14,16 @@ jobs:
timeout-minutes: 120

steps:
- name: Checkout PR branch
- name: Checkout base branch
uses: actions/checkout@v4
with:
fetch-depth: 0
ref: ${{ github.head_ref }}
ref: ${{ github.base_ref }}

- name: Checkout base branch
- name: Fetch PR branch
run: |
git fetch origin ${{ github.base_ref }}:${{ github.base_ref }}
git fetch "${{ github.event.pull_request.head.repo.clone_url }}" "${{ github.head_ref }}"
echo "HEAD_SHA=$(git rev-parse FETCH_HEAD)" >> "$GITHUB_ENV"

- name: Checkout kernel-src-tree-tools
uses: actions/checkout@v4
Expand All @@ -44,7 +45,7 @@ jobs:
set -o pipefail # Capture exit code from python script, not tee
python3 check_kernel_commits.py \
--repo .. \
--pr_branch "${{ github.head_ref }}" \
--pr_branch "$HEAD_SHA" \
--base_branch "${{ github.base_ref }}" \
--markdown \
--check-cves | tee ../ckc_result.txt
Expand Down Expand Up @@ -82,7 +83,7 @@ jobs:
run: |
if ! gh pr comment ${{ github.event.pull_request.number }} \
--body-file ckc_result.txt \
--repo ${{ github.repository }}; then
--repo "${{ github.repository }}"; then
echo "❌ Failed to post check-kernel-commits comment to PR"
exit 1
fi
Expand All @@ -108,7 +109,7 @@ jobs:
set -o pipefail # Capture exit code from python script, not tee
python3 run_interdiff.py \
--repo .. \
--pr_branch "${{ github.head_ref }}" \
--pr_branch "$HEAD_SHA" \
--base_branch "${{ github.base_ref }}" \
--markdown \
--interdiff ../patchutils/src/interdiff | tee ../interdiff_result.txt
Expand Down Expand Up @@ -146,23 +147,35 @@ jobs:
run: |
if ! gh pr comment ${{ github.event.pull_request.number }} \
--body-file interdiff_result.txt \
--repo ${{ github.repository }}; then
--repo "${{ github.repository }}"; then
echo "❌ Failed to post interdiff comment to PR"
exit 1
fi

- name: Determine if JIRA PR check should run
id: should_check_jira
run: |
if [ "${{ github.event.pull_request.head.repo.full_name }}" = "${{ github.repository }}" ]; then
echo "result=true" >> $GITHUB_OUTPUT
else
echo "result=false" >> $GITHUB_OUTPUT
fi

- name: Install JIRA PR Check dependencies
if: steps.should_check_jira.outputs.result == 'true'
run: |
python -m pip install --upgrade pip
pip install jira

- name: Mask JIRA credentials
if: steps.should_check_jira.outputs.result == 'true'
run: |
echo "::add-mask::${{ secrets.JIRA_API_TOKEN }}"
echo "::add-mask::${{ secrets.JIRA_API_USER }}"
echo "::add-mask::${{ secrets.JIRA_URL }}"

- name: Run JIRA PR Check
if: steps.should_check_jira.outputs.result == 'true'
id: jira_check
continue-on-error: true # Allow PR comments to be posted before failing workflow
env:
Expand All @@ -176,8 +189,8 @@ jobs:
set +e # Don't exit on error, we want to capture the output
OUTPUT=$(python3 jira_pr_check.py \
--kernel-src-tree .. \
--merge-target ${{ github.base_ref }} \
--pr-branch ${{ github.head_ref }} 2>&1)
--merge-target "${{ github.base_ref }}" \
--pr-branch "$HEAD_SHA" 2>&1)
EXIT_CODE=$?

# Filter out any potential credential leaks from output
Expand Down Expand Up @@ -212,29 +225,29 @@ jobs:
exit $EXIT_CODE

- name: Comment PR with JIRA issues
if: steps.jira_check.outputs.has_issues == 'true'
if: steps.should_check_jira.outputs.result == 'true' && steps.jira_check.outputs.has_issues == 'true'
env:
GH_TOKEN: ${{ github.token }}
run: |
if ! gh pr comment ${{ github.event.pull_request.number }} \
--body "${{ steps.jira_check.outputs.output }}" \
--repo ${{ github.repository }}; then
--repo "${{ github.repository }}"; then
echo "❌ Failed to post JIRA check comment to PR"
exit 1
fi

- name: Request changes if LTS mismatch
if: steps.jira_check.outputs.has_lts_mismatch == 'true'
if: steps.should_check_jira.outputs.result == 'true' && steps.jira_check.outputs.has_lts_mismatch == 'true'
env:
GH_TOKEN: ${{ github.token }}
run: |
gh pr review ${{ github.event.pull_request.number }} \
--request-changes \
--body "⚠️ This PR contains VULN tickets that do not match the target LTS product. Please review the JIRA ticket assignments and ensure they match the merge target branch." \
--repo ${{ github.repository }}
--repo "${{ github.repository }}"

- name: Fail workflow if JIRA errors found
if: steps.jira_check.outcome == 'failure'
if: steps.should_check_jira.outputs.result == 'true' && steps.jira_check.outcome == 'failure'
run: |
echo "❌ JIRA PR check failed - errors were found in one or more commits"
exit 1
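Review bot: The new "Fetch PR branch" step (first hunk, the `git fetch` line) still interpolates `${{ github.head_ref }}` directly into a `run:` script, so a PR branch name is expanded before the shell parses the line and the surrounding double quotes do not protect against a crafted name; the same hunk's later switch to `"$HEAD_SHA"` for the `--pr_branch` and `--pr-branch` arguments avoids exactly this, so the fetch line is now the only place the raw branch name reaches a shell. Pass it through the step's environment instead: add `env:` to that step with `HEAD_REF: ${{ github.head_ref }}` and change the fetch to `git fetch "${{ github.event.pull_request.head.repo.clone_url }}" "$HEAD_REF"` (clone_url is a GitHub-formed URL, but it can be moved to `env:` the same way for consistency). The step is fully inside the hunk; the enclosing `steps:` sequence starts before it. As a minor point in the "Determine if JIRA PR check should run" step, `$GITHUB_OUTPUT` is unquoted while `$GITHUB_ENV` is quoted in the fetch step — `>> "$GITHUB_OUTPUT"` would match.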