github actions: Add JIRA PR Check

bmastbergen · bmastbergen · commit 45d663006000 · 2025-10-22T16:22:14.000-04:00
We will be reaching into our JIRA to check the state of each commits
jira.  In this we want to ensure that the target branch matches the
defined branch for that product and validate that the CVE ID is also
correct for the ticket.  It will also check to confirm that the tickets
are in progress and have time logged, if either are untrue then it will
produce a warning.

In the event there are Product or CVE mis matches it will block the PR
and request changes.
diff --git a/.github/workflows/validate-kernel-commits.yml b/.github/workflows/validate-kernel-commits.yml
@@ -85,3 +85,100 @@ jobs:
           gh pr comment ${{ github.event.pull_request.number }} \
             --body "$(cat interdiff_result.txt)" \
             --repo ${{ github.repository }}
+
+      - name: Install JIRA PR Check dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install jira
+
+      - name: Mask JIRA credentials
+        run: |
+          echo "::add-mask::${{ secrets.JIRA_API_USER }}"
+          echo "::add-mask::${{ secrets.JIRA_API_TOKEN }}"
+
+      - name: Run JIRA PR Check
+        id: jira_check
+        continue-on-error: true
+        env:
+          JIRA_URL: ${{ secrets.JIRA_URL }}
+          JIRA_API_USER: ${{ secrets.JIRA_API_USER }}
+          JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }}
+        working-directory: kernel-src-tree-tools
+        run: |
+          # Run script and capture output, ensuring credentials are never echoed
+          set +x  # Disable command echo to prevent credential exposure
+          set +e  # Don't exit on error, we want to capture the output
+          OUTPUT=$(python3 jira_pr_check.py \
+            --jira-url "${JIRA_URL}" \
+            --jira-user "${JIRA_API_USER}" \
+            --jira-key "${JIRA_API_TOKEN}" \
+            --kernel-src-tree .. \
+            --merge-target ${{ github.base_ref }} \
+            --pr-branch ${{ github.head_ref }} 2>&1)
+          EXIT_CODE=$?
+
+          # Filter out any potential credential leaks from output
+          FILTERED_OUTPUT=$(echo "$OUTPUT" | grep -v "jira-user\|jira-key\|basic_auth\|Authorization" || true)
+
+          echo "$FILTERED_OUTPUT"
+          echo "output<<EOF" >> $GITHUB_OUTPUT
+          echo "$FILTERED_OUTPUT" >> $GITHUB_OUTPUT
+          echo "EOF" >> $GITHUB_OUTPUT
+
+          # Check if there are any issues based on output patterns
+          if echo "$FILTERED_OUTPUT" | grep -q "❌ Errors:"; then
+            echo "has_issues=true" >> $GITHUB_OUTPUT
+
+            # Check specifically for LTS mismatch errors
+            if echo "$FILTERED_OUTPUT" | grep -q "expects branch"; then
+              echo "has_lts_mismatch=true" >> $GITHUB_OUTPUT
+            else
+              echo "has_lts_mismatch=false" >> $GITHUB_OUTPUT
+            fi
+          elif echo "$FILTERED_OUTPUT" | grep -q "⚠️ Warnings:"; then
+            echo "has_issues=true" >> $GITHUB_OUTPUT
+            echo "has_lts_mismatch=false" >> $GITHUB_OUTPUT
+          else
+            echo "has_issues=false" >> $GITHUB_OUTPUT
+            echo "has_lts_mismatch=false" >> $GITHUB_OUTPUT
+          fi
+
+          # Exit with the script's exit code
+          exit $EXIT_CODE
+
+      - name: Comment PR with JIRA issues
+        if: steps.jira_check.outputs.has_issues == 'true'
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const output = process.env.CHECK_OUTPUT;
+
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: output
+            });
+        env:
+          CHECK_OUTPUT: ${{ steps.jira_check.outputs.output }}
+
+      - name: Request changes if LTS mismatch
+        if: steps.jira_check.outputs.has_lts_mismatch == 'true'
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            github.rest.pulls.createReview({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: context.issue.number,
+              event: 'REQUEST_CHANGES',
+              body: '⚠️ This PR contains VULN tickets that do not match the target LTS product. Please review the JIRA ticket assignments and ensure they match the merge target branch.'
+            });
+
+      - name: Fail workflow if JIRA errors found
+        if: steps.jira_check.outcome == 'failure'
+        run: |
+          echo "❌ JIRA PR check failed - errors were found in one or more commits"
+          exit 1
