1- name : Check Kernel Commits for Upstream Fixes
1+ name : PR Commit Processing
22
33on :
44 pull_request :
@@ -9,21 +9,40 @@ permissions:
99 pull-requests : write
1010
1111jobs :
12- check-upstream-fixes :
12+ commit-validation :
1313 runs-on : ubuntu-latest
1414
1515 steps :
16- - name : Checkout PR branch
16+ - name : Checkout kernel-src-tree
1717 uses : actions/checkout@v4
1818 with :
19- repository : ${{ github.event.pull_request.head.repo.full_name }}
2019 fetch-depth : 0
2120 ref : ${{ github.head_ref }}
2221
23- - name : Checkout base branch
22+ - name : Fetch base branch
2423 run : |
25- git remote add base_repo https://github.com/${{ github.repository }}.git
26- git fetch base_repo ${{ github.base_ref }}:${{ github.base_ref }}
24+ git fetch origin ${{ github.base_ref }}:${{ github.base_ref }}
25+
26+ name : Checkout kernel-src-tree-tools
27+ uses : actions/checkout@v4
28+ with :
29+ repository : ctrliq/kernel-src-tree-tools
30+ ref : ' {jmaple}_pr_jira_test'
31+ path : kernel-src-tree-tools
32+
33+ - name : Set up Python
34+ uses : actions/setup-python@v5
35+ with :
36+ python-version : ' 3.x'
37+
38+ - name : Install dependencies
39+ run : |
40+ python -m pip install --upgrade pip
41+ pip install jira
42+
43+ # ============================================================
44+ # Step 1: Upstream Commit Check
45+ # ============================================================
2746
2847 - name : Download check_kernel_commits.py
2948 run : |
3251 -o check_kernel_commits.py
3352 chmod +x check_kernel_commits.py
3453
35- name : Set up Python
36- uses : actions/setup-python@v5
37- with :
38- python-version : ' 3.x'
39-
4054name : Run upstream fixes check
4155 id : checkkernel
4256 run : |
@@ -46,11 +60,108 @@ jobs:
4660 echo "has_findings=true" >> $GITHUB_OUTPUT
4761 fi
4862
49- name : Comment on PR if issues found
63+ name : Comment on PR if upstream issues found
5064 if : steps.checkkernel.outputs.has_findings == 'true'
5165 env :
5266 GH_TOKEN : ${{ github.token }}
5367 run : |
5468 gh pr comment ${{ github.event.pull_request.number }} \
5569 --body "$(cat result.txt)" \
5670 --repo ${{ github.repository }}
71+
72+ # ============================================================
73+ # Step 2: JIRA PR Check
74+ # ============================================================
75+
76+ - name : Mask JIRA credentials
77+ run : |
78+ echo "::add-mask::${{ secrets.JIRA_API_USER }}"
79+ echo "::add-mask::${{ secrets.JIRA_API_TOKEN }}"
80+
81+ name : Run JIRA PR Check
82+ id : jira_check
83+ continue-on-error : true
84+ env :
85+ JIRA_URL : ${{ secrets.JIRA_URL }}
86+ JIRA_API_USER : ${{ secrets.JIRA_API_USER }}
87+ JIRA_API_TOKEN : ${{ secrets.JIRA_API_TOKEN }}
88+ run : |
89+ cd kernel-src-tree-tools
90+
91+ # Run script and capture output, ensuring credentials are never echoed
92+ set +x # Disable command echo to prevent credential exposure
93+ set +e # Don't exit on error, we want to capture the output
94+ OUTPUT=$(python3 jira_pr_check.py \
95+ --jira-url "${JIRA_URL}" \
96+ --jira-user "${JIRA_API_USER}" \
97+ --jira-key "${JIRA_API_TOKEN}" \
98+ --kernel-src-tree .. \
99+ --merge-target ${{ github.base_ref }} \
100+ --pr-branch ${{ github.head_ref }} 2>&1)
101+ EXIT_CODE=$?
102+
103+ # Filter out any potential credential leaks from output
104+ FILTERED_OUTPUT=$(echo "$OUTPUT" | grep -v "jira-user\|jira-key\|basic_auth\|Authorization" || true)
105+
106+ echo "$FILTERED_OUTPUT"
107+ echo "output<<EOF" >> $GITHUB_OUTPUT
108+ echo "$FILTERED_OUTPUT" >> $GITHUB_OUTPUT
109+ echo "EOF" >> $GITHUB_OUTPUT
110+
111+ # Check if there are any issues based on output patterns
112+ if echo "$FILTERED_OUTPUT" | grep -q "❌ Errors:"; then
113+ echo "has_issues=true" >> $GITHUB_OUTPUT
114+
115+ # Check specifically for LTS mismatch errors
116+ if echo "$FILTERED_OUTPUT" | grep -q "expects branch"; then
117+ echo "has_lts_mismatch=true" >> $GITHUB_OUTPUT
118+ else
119+ echo "has_lts_mismatch=false" >> $GITHUB_OUTPUT
120+ fi
121+ elif echo "$FILTERED_OUTPUT" | grep -q "⚠️ Warnings:"; then
122+ echo "has_issues=true" >> $GITHUB_OUTPUT
123+ echo "has_lts_mismatch=false" >> $GITHUB_OUTPUT
124+ else
125+ echo "has_issues=false" >> $GITHUB_OUTPUT
126+ echo "has_lts_mismatch=false" >> $GITHUB_OUTPUT
127+ fi
128+
129+ # Exit with the script's exit code
130+ exit $EXIT_CODE
131+
132+ name : Comment PR with JIRA issues
133+ if : steps.jira_check.outputs.has_issues == 'true'
134+ uses : actions/github-script@v7
135+ with :
136+ github-token : ${{ secrets.GITHUB_TOKEN }}
137+ script : |
138+ const output = process.env.CHECK_OUTPUT;
139+
140+ github.rest.issues.createComment({
141+ issue_number: context.issue.number,
142+ owner: context.repo.owner,
143+ repo: context.repo.repo,
144+ body: output
145+ });
146+ env :
147+ CHECK_OUTPUT : ${{ steps.jira_check.outputs.output }}
148+
149+ - name : Request changes if LTS mismatch
150+ if : steps.jira_check.outputs.has_lts_mismatch == 'true'
151+ uses : actions/github-script@v7
152+ with :
153+ github-token : ${{ secrets.GITHUB_TOKEN }}
154+ script : |
155+ github.rest.pulls.createReview({
156+ owner: context.repo.owner,
157+ repo: context.repo.repo,
158+ pull_number: context.issue.number,
159+ event: 'REQUEST_CHANGES',
160+ body: '⚠️ This PR contains VULN tickets that do not match the target LTS product. Please review the JIRA ticket assignments and ensure they match the merge target branch.'
161+ });
162+
163+ name : Fail workflow if JIRA errors found
164+ if : steps.jira_check.outcome == 'failure'
165+ run : |
166+ echo "❌ JIRA PR check failed - errors were found in one or more commits"
167+ exit 1
0 commit comments