|
| 1 | +# FIPS Protected Directory Check |
| 2 | +# |
| 3 | +# This workflow runs on PRs targeting ciq-*-next branches and checks |
| 4 | +# whether the new upstream commits (the stable release delta) touch |
| 5 | +# any FIPS protected directories. If so, it posts a comment on the |
| 6 | +# PR alerting reviewers to involve the FIPS / Security team. |
| 7 | +# |
| 8 | +# How it works: |
| 9 | +# PR base branch: ciq-X.Y.y-next (created from stable_X.Y.y) |
| 10 | +# Old branch: ciq-X.Y.y (previous CIQ branch, derived by stripping "-next") |
| 11 | +# merge-base(old, next) = last common upstream commit |
| 12 | +# merge-base..ciq-X.Y.y-next = new upstream commits to check |
| 13 | +# |
| 14 | +# TODO: remove ref: clk-fips-check once kernel-src-tree-tools merges that branch |
| 15 | + |
| 16 | +name: FIPS Protected Directory Check |
| 17 | + |
| 18 | +on: |
| 19 | + pull_request: |
| 20 | + types: [opened, synchronize, reopened] |
| 21 | + branches: |
| 22 | + - 'ciq-*-next' |
| 23 | + |
| 24 | +permissions: |
| 25 | + contents: read |
| 26 | + pull-requests: write |
| 27 | + |
| 28 | +jobs: |
| 29 | + fips-check: |
| 30 | + name: FIPS Directory Check |
| 31 | + runs-on: ubuntu-latest |
| 32 | + |
| 33 | + steps: |
| 34 | + - name: Generate GitHub App token |
| 35 | + id: generate_token |
| 36 | + uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 |
| 37 | + with: |
| 38 | + client-id: ${{ secrets.APP_ID }} |
| 39 | + private-key: ${{ secrets.APP_PRIVATE_KEY }} |
| 40 | + repositories: | |
| 41 | + kernel-src-tree |
| 42 | + kernel-src-tree-tools |
| 43 | +
|
| 44 | + - name: Checkout kernel source |
| 45 | + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
| 46 | + with: |
| 47 | + fetch-depth: 1 |
| 48 | + token: ${{ steps.generate_token.outputs.token }} |
| 49 | + |
| 50 | + - name: Checkout kernel-src-tree-tools |
| 51 | + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
| 52 | + with: |
| 53 | + repository: ctrliq/kernel-src-tree-tools |
| 54 | + path: kernel-src-tree-tools |
| 55 | + token: ${{ steps.generate_token.outputs.token }} |
| 56 | + |
| 57 | + - name: Install Python dependencies |
| 58 | + run: pip install gitpython |
| 59 | + |
| 60 | + - name: Fetch branches and run FIPS check |
| 61 | + id: fips_check |
| 62 | + env: |
| 63 | + PYTHONPATH: ${{ github.workspace }}/kernel-src-tree-tools |
| 64 | + BASE_REF: ${{ github.event.pull_request.base.ref }} |
| 65 | + run: | |
| 66 | + OLD_BRANCH="${BASE_REF%-next}" |
| 67 | + echo "Derived old branch: $OLD_BRANCH from PR base: $BASE_REF" |
| 68 | +
|
| 69 | + # Fetch both branches (full history needed for merge-base) |
| 70 | + git fetch origin "$BASE_REF:refs/remotes/origin/$BASE_REF" |
| 71 | + git fetch origin "$OLD_BRANCH:refs/remotes/origin/$OLD_BRANCH" 2>/dev/null || { |
| 72 | + echo "::warning::Could not fetch branch $OLD_BRANCH — skipping FIPS check" |
| 73 | + echo "result=skip" >> "$GITHUB_OUTPUT" |
| 74 | + exit 0 |
| 75 | + } |
| 76 | +
|
| 77 | + MERGE_BASE=$(git merge-base "origin/$OLD_BRANCH" "origin/$BASE_REF" 2>/dev/null) || { |
| 78 | + echo "::warning::Could not compute merge-base between $OLD_BRANCH and $BASE_REF" |
| 79 | + echo "result=skip" >> "$GITHUB_OUTPUT" |
| 80 | + exit 0 |
| 81 | + } |
| 82 | +
|
| 83 | + echo "Merge base: $MERGE_BASE" |
| 84 | + echo "Checking upstream commits: $MERGE_BASE..origin/$BASE_REF" |
| 85 | +
|
| 86 | + python3 kernel-src-tree-tools/check_fips_changes.py \ |
| 87 | + --repo . \ |
| 88 | + --base-ref "$MERGE_BASE" \ |
| 89 | + --target-ref "origin/$BASE_REF" \ |
| 90 | + --fips-override 2>&1 | tee fips_report.txt |
| 91 | +
|
| 92 | + if grep -q "FIPS protected changes detected" fips_report.txt; then |
| 93 | + echo "result=found" >> "$GITHUB_OUTPUT" |
| 94 | + else |
| 95 | + echo "result=clean" >> "$GITHUB_OUTPUT" |
| 96 | + fi |
| 97 | +
|
| 98 | + - name: Post or update PR comment |
| 99 | + if: always() |
| 100 | + env: |
| 101 | + GH_TOKEN: ${{ steps.generate_token.outputs.token }} |
| 102 | + PR_NUMBER: ${{ github.event.pull_request.number }} |
| 103 | + RESULT: ${{ steps.fips_check.outputs.result }} |
| 104 | + run: | |
| 105 | + MARKER="<!-- fips-protected-directory-check -->" |
| 106 | + REPO="${{ github.repository }}" |
| 107 | +
|
| 108 | + # Find any existing FIPS check comment |
| 109 | + EXISTING_ID=$(gh api "repos/$REPO/issues/$PR_NUMBER/comments" \ |
| 110 | + --jq ".[] | select(.body | contains(\"$MARKER\")) | .id" | head -1) |
| 111 | +
|
| 112 | + if [ "$RESULT" = "found" ]; then |
| 113 | + REPORT=$(cat fips_report.txt) |
| 114 | + BODY=$(cat <<EOF |
| 115 | + $MARKER |
| 116 | + ## :warning: FIPS Protected Directory Changes Detected |
| 117 | +
|
| 118 | + New upstream commits in this rebase touch FIPS protected directories. |
| 119 | + Please consult the CIQ FIPS / Security team before merging. |
| 120 | +
|
| 121 | + <details> |
| 122 | + <summary>Details</summary> |
| 123 | +
|
| 124 | + \`\`\` |
| 125 | + $REPORT |
| 126 | + \`\`\` |
| 127 | +
|
| 128 | + </details> |
| 129 | + EOF |
| 130 | + ) |
| 131 | + elif [ "$RESULT" = "clean" ]; then |
| 132 | + BODY=$(cat <<EOF |
| 133 | + $MARKER |
| 134 | + ## :white_check_mark: FIPS Check: No Protected Directory Changes |
| 135 | +
|
| 136 | + No FIPS protected directories were modified in the new upstream commits. |
| 137 | + EOF |
| 138 | + ) |
| 139 | + else |
| 140 | + BODY=$(cat <<EOF |
| 141 | + $MARKER |
| 142 | + ## :x: FIPS Check: Unable to Run |
| 143 | +
|
| 144 | + Could not determine the upstream delta for this PR. The FIPS protected |
| 145 | + directory check was skipped. Please verify manually. |
| 146 | + EOF |
| 147 | + ) |
| 148 | + fi |
| 149 | +
|
| 150 | + if [ -n "$EXISTING_ID" ]; then |
| 151 | + gh api "repos/$REPO/issues/comments/$EXISTING_ID" \ |
| 152 | + -X PATCH -f body="$BODY" |
| 153 | + echo "Updated existing comment $EXISTING_ID" |
| 154 | + else |
| 155 | + gh pr comment "$PR_NUMBER" --repo "$REPO" --body "$BODY" |
| 156 | + echo "Created new comment" |
| 157 | + fi |
0 commit comments