From 51f6b285cc85ff020e1b7eb9cbb7aee503bb7b15 Mon Sep 17 00:00:00 2001 From: Erik Hu Date: Wed, 29 Oct 2025 11:03:43 +0000 Subject: [PATCH 1/5] add CI workflow for checking SME reviews --- .github/workflows/SME_review_checker.yml | 95 ++++++++++++++++++++++++ .github/workflows/parent-workflow.yml | 14 +++- 2 files changed, 105 insertions(+), 4 deletions(-) create mode 100644 .github/workflows/SME_review_checker.yml diff --git a/.github/workflows/SME_review_checker.yml b/.github/workflows/SME_review_checker.yml new file mode 100644 index 0000000000..b30116c53b --- /dev/null +++ b/.github/workflows/SME_review_checker.yml 
@@ -0,0 +1,95 @@ +name: SME Review Checker + +on: + workflow_call: + inputs: + artifact_id: + description: 'Unique identifier for artifacts' + required: true + type: string + +permissions: + contents: read + pull-requests: read + +jobs: + check-SME-review: + runs-on: ubuntu-latest + + steps: + - name: Harden Runner + uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1 + with: + egress-policy: audit + + - name: Checkout repository + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + fetch-depth: 0 + + - name: Get changed files + id: changed-files + run: | + # Get the base branch + BASE_BRANCH="${{ github.event.pull_request.base.ref || 'main' }}" + + # Get all changed files in the PR + CHANGED_FILES=$(git diff --name-only origin/$BASE_BRANCH...HEAD) + + # Save changed files to output + echo "files<> $GITHUB_OUTPUT + echo "$CHANGED_FILES" >> $GITHUB_OUTPUT + echo "EOF" >> $GITHUB_OUTPUT + + - name: Check if supported statements are scored + run: | + # Read the changed files + CHANGED_FILES="${{ steps.changed-files.outputs.files }}" + + # Process each changed file + while IFS= read -r file; do + # Skip empty lines + if [[ -z "$file" ]]; then + continue + fi + + echo "Checking file: $file" + + # Check if file is in TSF/trustable folder and ends with .md + if [[ "$file" == TSF/trustable/* && "$file" == *.md ]]; then + # Extract filename without path and extension + filename=$(basename "$file" .md) + + # Skip README files + if [[ "$filename" == "README" ]]; then + continue + fi + + echo "Checking TSF trustable file: $file (filename: $filename)" + + # Check if filename pattern exists in .dotstop.dot + if grep -q "\"$filename\" -> " .dotstop.dot; then + echo " Found reference in .dotstop.dot for: $filename" + + # Check if the file contains "score:" substring + if [[ -f "$file" ]] && grep -q "score:" "$file"; then + echo "ERROR: $file - Error: supported statements shall not be scored" + exit 1 + fi + else + 
echo "No reference found in .dotstop.dot for: $filename" + fi + done <<< "$CHANGED_FILES" + + echo "All changed TSF items passed validation" + + - name: Generate artifact + run: | + mkdir -p SME_review_checker + echo "SME review checker processed for ${{ inputs.artifact_id }}" > SME_review_checker/SME_review_checker.txt + + - name: Upload SME review checker artifact + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + with: + name: ${{ inputs.artifact_id }} + path: SME_review_checker/ \ No newline at end of file diff --git a/.github/workflows/parent-workflow.yml b/.github/workflows/parent-workflow.yml index b9b89387e7..da651fcb44 100644 --- a/.github/workflows/parent-workflow.yml +++ b/.github/workflows/parent-workflow.yml @@ -22,6 +22,12 @@ jobs: with: artifact_id: "labeler-${{ github.sha }}" + check_SME_review: + name: Run SME_review_checker Workflow + uses: ./.github/workflows/SME_review_checker.yml + with: + artifact_id: "SME_review_checker-${{ github.sha }}" + check_amalgamation: name: Run Amalgamation Workflow if: ${{ github.event_name == 'pull_request' }} # only run check_amalgamation for PRs @@ -63,11 +69,11 @@ jobs: collect_artifacts_pr: name: "Collect Results & Deploy (PR)" if: github.event_name == 'pull_request' - needs: [labeler, check_amalgamation, test_trudag_extensions, dependency_review, codeql, ubuntu] + needs: [labeler, check_SME_review, check_amalgamation, test_trudag_extensions, dependency_review, codeql, ubuntu] runs-on: ubuntu-latest strategy: matrix: - target: [labeler, check_amalgamation, test_trudag_extensions, dependency_review, codeql, ubuntu] + target: [labeler, check_SME_review, check_amalgamation, test_trudag_extensions, dependency_review, codeql, ubuntu] steps: - name: Checkout code 
@@ -96,11 +102,11 @@ jobs: collect_artifacts_non_pr: name: "Collect Results & Deploy (Non-PR)" if: github.event_name != 'pull_request' - needs: [labeler, test_trudag_extensions, codeql, ubuntu] # no check_amalgamation or dependency_review if non PR + needs: [labeler, check_SME_review, test_trudag_extensions, codeql, ubuntu] # no check_amalgamation or dependency_review if non PR runs-on: ubuntu-latest strategy: matrix: - target: [labeler, test_trudag_extensions, codeql, ubuntu] + target: [labeler, check_SME_review, test_trudag_extensions, codeql, ubuntu] steps: - name: Checkout code From 0e2c01114e7874008d7406883951618c4f4963ff Mon Sep 17 00:00:00 2001 From: Erik Hu Date: Wed, 29 Oct 2025 11:56:31 +0000 Subject: [PATCH 2/5] give pull request read permission --- .github/workflows/parent-workflow.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/parent-workflow.yml b/.github/workflows/parent-workflow.yml index da651fcb44..42ba7c49ee 100644 --- a/.github/workflows/parent-workflow.yml +++ b/.github/workflows/parent-workflow.yml @@ -23,6 +23,9 @@ jobs: artifact_id: "labeler-${{ github.sha }}" check_SME_review: + permissions: + contents: read + pull-requests: read name: Run SME_review_checker Workflow uses: ./.github/workflows/SME_review_checker.yml with: From 51c6cf823fea2960c459c728f93e063913b20b0c Mon Sep 17 00:00:00 2001 From: Erik Hu Date: Wed, 29 Oct 2025 11:57:10 +0000 Subject: [PATCH 3/5] fix indentation --- .github/workflows/parent-workflow.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/parent-workflow.yml b/.github/workflows/parent-workflow.yml index 42ba7c49ee..e093c18ed9 100644 --- a/.github/workflows/parent-workflow.yml +++ b/.github/workflows/parent-workflow.yml 
@@ -23,9 +23,9 @@ jobs: artifact_id: "labeler-${{ github.sha }}" check_SME_review: - permissions: - contents: read - pull-requests: read + permissions: + contents: read + pull-requests: read name: Run SME_review_checker Workflow uses: ./.github/workflows/SME_review_checker.yml with: From 6e2de57a89c600bda71deca846c345994bd49fcf Mon Sep 17 00:00:00 2001 From: Erik Hu Date: Wed, 29 Oct 2025 13:17:29 +0000 Subject: [PATCH 4/5] fix typo --- .github/workflows/SME_review_checker.yml | 1 + .github/workflows/parent-workflow.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/.github/workflows/SME_review_checker.yml b/.github/workflows/SME_review_checker.yml index b30116c53b..fdc4271479 100644 --- a/.github/workflows/SME_review_checker.yml +++ b/.github/workflows/SME_review_checker.yml @@ -79,6 +79,7 @@ jobs: else echo "No reference found in .dotstop.dot for: $filename" fi + fi done <<< "$CHANGED_FILES" echo "All changed TSF items passed validation" diff --git a/.github/workflows/parent-workflow.yml b/.github/workflows/parent-workflow.yml index e093c18ed9..67dcc2cd26 100644 --- a/.github/workflows/parent-workflow.yml +++ b/.github/workflows/parent-workflow.yml @@ -27,6 +27,7 @@ jobs: contents: read pull-requests: read name: Run SME_review_checker Workflow + if: ${{ github.event_name == 'pull_request' }} # only run check_SME_review for PRs uses: ./.github/workflows/SME_review_checker.yml with: artifact_id: "SME_review_checker-${{ github.sha }}" From 8dbf29f67c6ddaad316b7c99a72df06bf00d8530 Mon Sep 17 00:00:00 2001 From: Erik Hu Date: Wed, 29 Oct 2025 14:41:11 +0000 Subject: [PATCH 5/5] fix typo --- .github/workflows/parent-workflow.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/parent-workflow.yml b/.github/workflows/parent-workflow.yml index 67dcc2cd26..9a51bbad60 100644 --- a/.github/workflows/parent-workflow.yml +++ b/.github/workflows/parent-workflow.yml 
@@ -22,12 +22,12 @@ jobs: with: artifact_id: "labeler-${{ github.sha }}" - check_SME_review: + SME_review_checker: permissions: contents: read pull-requests: read name: Run SME_review_checker Workflow - if: ${{ github.event_name == 'pull_request' }} # only run check_SME_review for PRs + if: ${{ github.event_name == 'pull_request' }} # only run SME_review_checker for PRs uses: ./.github/workflows/SME_review_checker.yml with: artifact_id: "SME_review_checker-${{ github.sha }}" @@ -73,11 +73,11 @@ jobs: collect_artifacts_pr: name: "Collect Results & Deploy (PR)" if: github.event_name == 'pull_request' - needs: [labeler, check_SME_review, check_amalgamation, test_trudag_extensions, dependency_review, codeql, ubuntu] + needs: [labeler, SME_review_checker, check_amalgamation, test_trudag_extensions, dependency_review, codeql, ubuntu] runs-on: ubuntu-latest strategy: matrix: - target: [labeler, check_SME_review, check_amalgamation, test_trudag_extensions, dependency_review, codeql, ubuntu] + target: [labeler, SME_review_checker, check_amalgamation, test_trudag_extensions, dependency_review, codeql, ubuntu] steps: - name: Checkout code @@ -106,11 +106,11 @@ jobs: collect_artifacts_non_pr: name: "Collect Results & Deploy (Non-PR)" if: github.event_name != 'pull_request' - needs: [labeler, check_SME_review, test_trudag_extensions, codeql, ubuntu] # no check_amalgamation or dependency_review if non PR + needs: [labeler, SME_review_checker, test_trudag_extensions, codeql, ubuntu] # no check_amalgamation or dependency_review if non PR runs-on: ubuntu-latest strategy: matrix: - target: [labeler, check_SME_review, test_trudag_extensions, codeql, ubuntu] + target: [labeler, SME_review_checker, test_trudag_extensions, codeql, ubuntu] steps: - name: Checkout code
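Review bot: `collect_artifacts_non_pr` still lists `SME_review_checker` in `needs` and in the `target` matrix, but since the previous commit that job is guarded by `if: ${{ github.event_name == 'pull_request' }}`, so on every non-PR event it is skipped. A job whose `needs` dependency was skipped is itself skipped unless its own `if` uses `always()` or `!cancelled()`, and the condition visible here is plain `github.event_name != 'pull_request'`, so the non-PR collect/deploy job would presumably never run; even if it did, the matrix would try to download an `SME_review_checker-<sha>` artifact that was never uploaded. Drop it from both lists on this job, matching how `check_amalgamation` and `dependency_review` are already excluded per the inline comment: `needs: [labeler, test_trudag_extensions, codeql, ubuntu]` and `target: [labeler, test_trudag_extensions, codeql, ubuntu]`. The rest of the `collect_artifacts_non_pr` job continues outside the hunk.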