Skip to content

Commit 556794c

Browse files
committed
github actions: Add FIPS protected directory check for PRs
Adds a workflow that runs on PRs targeting ciq-*-next branches and checks whether new upstream commits touch FIPS protected directories. Posts a PR comment alerting reviewers if changes are found. Uses check_fips_changes.py from kernel-src-tree-tools to perform the check.
1 parent 0ad59df commit 556794c

1 file changed

Lines changed: 157 additions & 0 deletions

File tree

Lines changed: 157 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,157 @@
1+
# FIPS Protected Directory Check
2+
#
3+
# This workflow runs on PRs targeting ciq-*-next branches and checks
4+
# whether the new upstream commits (the stable release delta) touch
5+
# any FIPS protected directories. If so, it posts a comment on the
6+
# PR alerting reviewers to involve the FIPS / Security team.
7+
#
8+
# How it works:
9+
# PR base branch: ciq-X.Y.y-next (created from stable_X.Y.y)
10+
# Old branch: ciq-X.Y.y (previous CIQ branch, derived by stripping "-next")
11+
# merge-base(old, next) = last common upstream commit
12+
# merge-base..ciq-X.Y.y-next = new upstream commits to check
13+
#
14+
# TODO: remove ref: clk-fips-check once kernel-src-tree-tools merges that branch
15+
16+
name: FIPS Protected Directory Check
17+
18+
on:
19+
pull_request:
20+
types: [opened, synchronize, reopened]
21+
branches:
22+
- 'ciq-*-next'
23+
24+
permissions:
25+
contents: read
26+
pull-requests: write
27+
28+
jobs:
29+
fips-check:
30+
name: FIPS Directory Check
31+
runs-on: ubuntu-latest
32+
33+
steps:
34+
- name: Generate GitHub App token
35+
id: generate_token
36+
uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
37+
with:
38+
client-id: ${{ secrets.APP_ID }}
39+
private-key: ${{ secrets.APP_PRIVATE_KEY }}
40+
repositories: |
41+
kernel-src-tree
42+
kernel-src-tree-tools
43+
44+
- name: Checkout kernel source
45+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
46+
with:
47+
fetch-depth: 1
48+
token: ${{ steps.generate_token.outputs.token }}
49+
50+
- name: Checkout kernel-src-tree-tools
51+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
52+
with:
53+
repository: ctrliq/kernel-src-tree-tools
54+
path: kernel-src-tree-tools
55+
token: ${{ steps.generate_token.outputs.token }}
56+
57+
- name: Install Python dependencies
58+
run: pip install gitpython
59+
60+
- name: Fetch branches and run FIPS check
61+
id: fips_check
62+
env:
63+
PYTHONPATH: ${{ github.workspace }}/kernel-src-tree-tools
64+
BASE_REF: ${{ github.event.pull_request.base.ref }}
65+
run: |
66+
OLD_BRANCH="${BASE_REF%-next}"
67+
echo "Derived old branch: $OLD_BRANCH from PR base: $BASE_REF"
68+
69+
# Fetch both branches (full history needed for merge-base)
70+
git fetch origin "$BASE_REF:refs/remotes/origin/$BASE_REF"
71+
git fetch origin "$OLD_BRANCH:refs/remotes/origin/$OLD_BRANCH" 2>/dev/null || {
72+
echo "::warning::Could not fetch branch $OLD_BRANCH — skipping FIPS check"
73+
echo "result=skip" >> "$GITHUB_OUTPUT"
74+
exit 0
75+
}
76+
77+
MERGE_BASE=$(git merge-base "origin/$OLD_BRANCH" "origin/$BASE_REF" 2>/dev/null) || {
78+
echo "::warning::Could not compute merge-base between $OLD_BRANCH and $BASE_REF"
79+
echo "result=skip" >> "$GITHUB_OUTPUT"
80+
exit 0
81+
}
82+
83+
echo "Merge base: $MERGE_BASE"
84+
echo "Checking upstream commits: $MERGE_BASE..origin/$BASE_REF"
85+
86+
python3 kernel-src-tree-tools/check_fips_changes.py \
87+
--repo . \
88+
--base-ref "$MERGE_BASE" \
89+
--target-ref "origin/$BASE_REF" \
90+
--fips-override 2>&1 | tee fips_report.txt
91+
92+
if grep -q "FIPS protected changes detected" fips_report.txt; then
93+
echo "result=found" >> "$GITHUB_OUTPUT"
94+
else
95+
echo "result=clean" >> "$GITHUB_OUTPUT"
96+
fi
97+
98+
- name: Post or update PR comment
99+
if: always()
100+
env:
101+
GH_TOKEN: ${{ steps.generate_token.outputs.token }}
102+
PR_NUMBER: ${{ github.event.pull_request.number }}
103+
RESULT: ${{ steps.fips_check.outputs.result }}
104+
run: |
105+
MARKER="<!-- fips-protected-directory-check -->"
106+
REPO="${{ github.repository }}"
107+
108+
# Find any existing FIPS check comment
109+
EXISTING_ID=$(gh api "repos/$REPO/issues/$PR_NUMBER/comments" \
110+
--jq ".[] | select(.body | contains(\"$MARKER\")) | .id" | head -1)
111+
112+
if [ "$RESULT" = "found" ]; then
113+
REPORT=$(cat fips_report.txt)
114+
BODY=$(cat <<EOF
115+
$MARKER
116+
## :warning: FIPS Protected Directory Changes Detected
117+
118+
New upstream commits in this rebase touch FIPS protected directories.
119+
Please consult the CIQ FIPS / Security team before merging.
120+
121+
<details>
122+
<summary>Details</summary>
123+
124+
\`\`\`
125+
$REPORT
126+
\`\`\`
127+
128+
</details>
129+
EOF
130+
)
131+
elif [ "$RESULT" = "clean" ]; then
132+
BODY=$(cat <<EOF
133+
$MARKER
134+
## :white_check_mark: FIPS Check: No Protected Directory Changes
135+
136+
No FIPS protected directories were modified in the new upstream commits.
137+
EOF
138+
)
139+
else
140+
BODY=$(cat <<EOF
141+
$MARKER
142+
## :x: FIPS Check: Unable to Run
143+
144+
Could not determine the upstream delta for this PR. The FIPS protected
145+
directory check was skipped. Please verify manually.
146+
EOF
147+
)
148+
fi
149+
150+
if [ -n "$EXISTING_ID" ]; then
151+
gh api "repos/$REPO/issues/comments/$EXISTING_ID" \
152+
-X PATCH -f body="$BODY"
153+
echo "Updated existing comment $EXISTING_ID"
154+
else
155+
gh pr comment "$PR_NUMBER" --repo "$REPO" --body "$BODY"
156+
echo "Created new comment"
157+
fi

0 commit comments

Comments
 (0)