TEST TEST TEST PR Checker #2
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: PR Commit Processing | |
| on: | |
| pull_request: | |
| types: [opened, synchronize, reopened] | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| jobs: | |
| commit-validation: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout kernel-src-tree | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| ref: ${{ github.head_ref }} | |
| - name: Fetch base branch | |
| run: | | |
| git fetch origin ${{ github.base_ref }}:${{ github.base_ref }} | |
| - name: Checkout kernel-src-tree-tools | |
| uses: actions/checkout@v4 | |
| with: | |
| repository: ctrliq/kernel-src-tree-tools | |
| ref: '{jmaple}_pr_jira_test' | |
| path: kernel-src-tree-tools | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.x' | |
| - name: Install dependencies | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install jira | |
| # ============================================================ | |
| # Step 1: Upstream Commit Check | |
| # ============================================================ | |
| - name: Download check_kernel_commits.py | |
| run: | | |
| curl -sL \ | |
| https://raw.githubusercontent.com/ctrliq/kernel-src-tree-tools/mainline/check_kernel_commits.py \ | |
| -o check_kernel_commits.py | |
| chmod +x check_kernel_commits.py | |
| - name: Run upstream fixes check | |
| id: checkkernel | |
| run: | | |
| python3 check_kernel_commits.py --repo . --pr_branch "${{ github.head_ref }}" --base_branch "${{ github.base_ref }}" --markdown | tee result.txt | |
| # Save non-empty results for PR comment | |
| if grep -q -v "All referenced commits exist upstream and have no Fixes: tags." result.txt; then | |
| echo "has_findings=true" >> $GITHUB_OUTPUT | |
| fi | |
| - name: Comment on PR if upstream issues found | |
| if: steps.checkkernel.outputs.has_findings == 'true' | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| run: | | |
| gh pr comment ${{ github.event.pull_request.number }} \ | |
| --body "$(cat result.txt)" \ | |
| --repo ${{ github.repository }} | |
| # ============================================================ | |
| # Step 2: JIRA PR Check | |
| # ============================================================ | |
| - name: Mask JIRA credentials | |
| run: | | |
| echo "::add-mask::${{ secrets.JIRA_API_USER }}" | |
| echo "::add-mask::${{ secrets.JIRA_API_TOKEN }}" | |
| - name: Run JIRA PR Check | |
| id: jira_check | |
| continue-on-error: true | |
| env: | |
| JIRA_URL: ${{ secrets.JIRA_URL }} | |
| JIRA_API_USER: ${{ secrets.JIRA_API_USER }} | |
| JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }} | |
| run: | | |
| cd kernel-src-tree-tools | |
| # Run script and capture output, ensuring credentials are never echoed | |
| set +x # Disable command echo to prevent credential exposure | |
| set +e # Don't exit on error, we want to capture the output | |
| OUTPUT=$(python3 jira_pr_check.py \ | |
| --jira-url "${JIRA_URL}" \ | |
| --jira-user "${JIRA_API_USER}" \ | |
| --jira-key "${JIRA_API_TOKEN}" \ | |
| --kernel-src-tree .. \ | |
| --merge-target ${{ github.base_ref }} \ | |
| --pr-branch ${{ github.head_ref }} 2>&1) | |
| EXIT_CODE=$? | |
| # Filter out any potential credential leaks from output | |
| FILTERED_OUTPUT=$(echo "$OUTPUT" | grep -v "jira-user\|jira-key\|basic_auth\|Authorization" || true) | |
| echo "$FILTERED_OUTPUT" | |
| echo "output<<EOF" >> $GITHUB_OUTPUT | |
| echo "$FILTERED_OUTPUT" >> $GITHUB_OUTPUT | |
| echo "EOF" >> $GITHUB_OUTPUT | |
| # Check if there are any issues based on output patterns | |
| if echo "$FILTERED_OUTPUT" | grep -q "❌ Errors:"; then | |
| echo "has_issues=true" >> $GITHUB_OUTPUT | |
| # Check specifically for LTS mismatch errors | |
| if echo "$FILTERED_OUTPUT" | grep -q "expects branch"; then | |
| echo "has_lts_mismatch=true" >> $GITHUB_OUTPUT | |
| else | |
| echo "has_lts_mismatch=false" >> $GITHUB_OUTPUT | |
| fi | |
| elif echo "$FILTERED_OUTPUT" | grep -q "⚠️ Warnings:"; then | |
| echo "has_issues=true" >> $GITHUB_OUTPUT | |
| echo "has_lts_mismatch=false" >> $GITHUB_OUTPUT | |
| else | |
| echo "has_issues=false" >> $GITHUB_OUTPUT | |
| echo "has_lts_mismatch=false" >> $GITHUB_OUTPUT | |
| fi | |
| # Exit with the script's exit code | |
| exit $EXIT_CODE | |
| - name: Comment PR with JIRA issues | |
| if: steps.jira_check.outputs.has_issues == 'true' | |
| uses: actions/github-script@v7 | |
| with: | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| script: | | |
| const output = process.env.CHECK_OUTPUT; | |
| github.rest.issues.createComment({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| body: output | |
| }); | |
| env: | |
| CHECK_OUTPUT: ${{ steps.jira_check.outputs.output }} | |
| - name: Request changes if LTS mismatch | |
| if: steps.jira_check.outputs.has_lts_mismatch == 'true' | |
| uses: actions/github-script@v7 | |
| with: | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| script: | | |
| github.rest.pulls.createReview({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| pull_number: context.issue.number, | |
| event: 'REQUEST_CHANGES', | |
| body: '⚠️ This PR contains VULN tickets that do not match the target LTS product. Please review the JIRA ticket assignments and ensure they match the merge target branch.' | |
| }); | |
| - name: Fail workflow if JIRA errors found | |
| if: steps.jira_check.outcome == 'failure' | |
| run: | | |
| echo "❌ JIRA PR check failed - errors were found in one or more commits" | |
| exit 1 |