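# Jenkins Job Builder definition: gate the Gerrit "Unsafe-Review" label.
# The job fetches the patchset, scans its diff for the literal Rust keyword
# `unsafe`, and votes Unsafe-Review+1 only when nothing matches.  Any match
# (or any other failure) leaves the label untouched for a human reviewer.
- job:
    name: tf-a-unsafe-tfa-next
    node: docker-amd64-tf-a-jammy
    project-type: freestyle
    concurrent: true
    disabled: false
    defaults: global
    description: Check for Unsafe changes in Trusted Firmware Next
    properties:
      - build-discarder:
          days-to-keep: 14
    triggers:
      - gerrit:
          server-name: 'review.trustedfirmware.org'
          projects:
            - branches:
                - branch-compare-type: PLAIN
                  branch-pattern: 'main'
              project-compare-type: PLAIN
              project-pattern: 'RF-A/rusted-firmware-a'
          trigger-on:
            - patchset-created-event:
                exclude-drafts: true
                exclude-trivial-rebase: false
                exclude-no-code-change: true
                exclude-private: true
                exclude-wip: true
            # A review comment consisting solely of this token re-runs the check.
            - comment-added-contains-event:
                comment-contains-value: '^RUN_UNSAFE_CI$'
          override-votes: true
          # without explicitly setting these values to 0, the plugin will by
          # default leave Code Review votes - this job must only ever touch the
          # Unsafe-Review label, which it does itself over ssh in the builder.
          gerrit-build-started-codereview-value: 0
          gerrit-build-successful-codereview-value: 0
          gerrit-build-failed-codereview-value: 0
          gerrit-build-unstable-codereview-value: 0
          gerrit-build-notbuilt-codereview-value: 0
          silent: false
          silent-start: false
    parameters:
      # GERRIT_{PROJECT,BRANCH,REFSPEC} are set when triggered by a Gerrit
      # patchset - defaults below are for manual triggers
      - string:
          name: GERRIT_PROJECT
          default: 'RF-A/rusted-firmware-a'
      - string:
          name: GERRIT_BRANCH
          default: 'refs/heads/main'
      - string:
          name: GERRIT_REFSPEC
          default: '+refs/heads/main:refs/remotes/origin/main'
          description: |
            'e.g. refs/changes/13/31138/1'
      - string:
          name: RF_GERRIT_REFSPEC
          default: '${GERRIT_REFSPEC}'
          description: |
            'do-not-amend: used by scripts/clone.sh to fetch the correct Gerrit patchset - use GERRIT_REFSPEC instead'
      - string:
          name: CI_REFSPEC
          default: '+refs/heads/tfa-next:refs/remotes/origin/tfa-next'
          description: |
            'Refs to fetch for the tf-a-ci-scripts repo e.g. refs/changes/13/31138/1'
      - string:
          name: JOBS_REFSPEC
          default: 'refs/heads/master'
          description: |
            tf-a-job-configs refspec to use. The master branch is used by default.
      - string:
          name: SHARE_FOLDER
          default: '/srv/shared/${JOB_NAME}/${BUILD_NUMBER}'
          description: 'Folder containing shared repositories for downstream pipeline jobs'
      - string:
          name: CLONE_REPOS
          default: "rusted-firmware-a"
          description: |
            Optional arg to clone only specific projects from default list (tf-a-ci-scripts,rusted-firmware-a,tf-a-tests,spm,tf-m-tests,tf-m-extras)
      - string:
          # Quoted so the parameter is rendered as the string "1", never an int.
          name: FETCH_SSH
          default: '1'
          description: |
            Fetch branches with authenticated SSH instead of anonymous HTTPS
    wrappers:
      # The bot key is only ever referenced by path (CI_BOT_KEY); the binding
      # masks the secret in the console log, `set -x` below prints the path only.
      - credentials-binding:
          - ssh-user-private-key:
              credential-id: TFA_CI_BOT_USER_SSH_KEY
              key-file-variable: CI_BOT_KEY
              username-variable: CI_BOT_USERNAME
              passphrase-variable: ''
      - timestamps
      - timeout:
          timeout: 240
          fail: true
    builders:
      - shell:
          !include-raw: scripts/clone.sh
      - shell: |
          #!/bin/bash
          set -ex
          cat << EOF > tf-a-env.param
          RF_GERRIT_PROJECT=${GERRIT_PROJECT}
          RF_GERRIT_REFSPEC=${GERRIT_REFSPEC}
          SHARE_FOLDER=${SHARE_FOLDER}
          EOF
          cd "${WORKSPACE}/rusted-firmware-a"
          # Vote Unsafe-Review+1 on patches not touching any unsafe code.
          #
          # 1. Check if the patch touches unsafe code.
          #    This is a literal keyword scan of HEAD's diff (presumably the
          #    patchset checked out by scripts/clone.sh - verify there).  -U10
          #    gives 10 lines of context and -W widens every hunk to the whole
          #    enclosing function/item, so an edit deep inside an existing
          #    `unsafe { }` block or `unsafe fn` still shows the keyword; with
          #    -U10 alone such an edit would be voted safe.  The scan errs
          #    towards NOT voting: any match, even in a comment or file name,
          #    fails the job and leaves the label to a human.
          #    Known gap: `unsafe` that only appears after macro expansion from
          #    unchanged code is invisible to a text scan - the label remains a
          #    heuristic, not a proof.
          #    `grep -q` inside `if` keeps `set -e` from aborting on "no match",
          #    and the diff is piped rather than `echo $(...)`-ed so its text is
          #    never word-split or glob-expanded against the workspace.
          if git show -W -U10 --format= | grep -q -- "unsafe"; then
              echo "Patch touches unsafe code; not voting Unsafe-Review"
              exit 1
          fi
          # 2. Cast the Unsafe-Review +1 vote if the patch does NOT touch unsafe code.
          #    GERRIT_CHANGE_NUMBER / GERRIT_PATCHSET_NUMBER are only present when
          #    the Gerrit trigger started the build; a manual run has nothing to
          #    vote on, so report and stop instead of sending a malformed
          #    "<empty>,<empty>" change id to Gerrit.
          if [ -z "${GERRIT_CHANGE_NUMBER:-}" ] || [ -z "${GERRIT_PATCHSET_NUMBER:-}" ]; then
              echo "No Gerrit change/patchset in environment (manual trigger?); skipping vote"
              exit 0
          fi
          # NOTE(review): host key verification is disabled here
          # (UserKnownHostsFile=/dev/null + StrictHostKeyChecking=no), so the bot
          # will authenticate to whatever answers on port 29418.  Pin the Gerrit
          # host key in a known_hosts file shipped with the job and drop these two
          # options.  PubkeyAcceptedKeyTypes=+ssh-rsa re-enables SHA-1 RSA
          # signatures for the bot key; remove it once key and server do rsa-sha2.
          SSH_PARAMS="-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o PubkeyAcceptedKeyTypes=+ssh-rsa -p 29418 -i ${CI_BOT_KEY}"
          GERRIT_URL="review.trustedfirmware.org"
          SET_SAFE_CMD="${SSH_PARAMS} ${CI_BOT_USERNAME}@${GERRIT_URL} gerrit review --label Unsafe-Review=1 -m Safe"
          # SET_SAFE_CMD is deliberately unquoted: it is a list of ssh arguments.
          ssh ${SET_SAFE_CMD} ${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}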