| Tomás González | 45c0500 | 2025-06-19 13:16:52 +0100 | [diff] [blame^] | 1 | - job: |
| 2 | name: tf-a-unsafe-tfa-next |
| 3 | node: docker-amd64-tf-a-jammy |
| 4 | project-type: freestyle |
| 5 | concurrent: true |
| 6 | disabled: false |
| 7 | defaults: global |
| 8 | description: Check for Unsafe changes in Trusted Firmware Next |
| 9 | properties: |
| 10 | - build-discarder: |
| 11 | days-to-keep: 14 |
| 12 | triggers: |
| 13 | - gerrit: |
| 14 | server-name: 'review.trustedfirmware.org' |
| 15 | projects: |
| 16 | - branches: |
| 17 | - branch-compare-type: PLAIN |
| 18 | branch-pattern: 'main' |
| 19 | project-compare-type: PLAIN |
| 20 | project-pattern: 'RF-A/rusted-firmware-a' |
| 21 | trigger-on: |
| 22 | - patchset-created-event: |
| 23 | exclude-drafts: true |
| 24 | exclude-trivial-rebase: false |
| 25 | exclude-no-code-change: true |
| 26 | exclude-private: true |
| 27 | exclude-wip: true |
| 28 | - comment-added-contains-event: |
| 29 | comment-contains-value: '^RUN_UNSAFE_CI$' |
| 30 | override-votes: true |
| 31 | # without explicitly setting these values to 0, the plugin will by |
| 32 | # default leave Code Review votes |
| 33 | gerrit-build-started-codereview-value: 0 |
| 34 | gerrit-build-successful-codereview-value: 0 |
| 35 | gerrit-build-failed-codereview-value: 0 |
| 36 | gerrit-build-unstable-codereview-value: 0 |
| 37 | gerrit-build-notbuilt-codereview-value: 0 |
| 38 | silent: false |
| 39 | silent-start: false |
| 40 | parameters: |
| 41 | # GERRIT_{PROJECT,BRANCH,REFSPEC} are set when triggered by a Gerrit |
| 42 | # patchset - defaults below are for manual triggers |
| 43 | - string: |
| 44 | name: GERRIT_PROJECT |
| 45 | default: 'RF-A/rusted-firmware-a' |
| 46 | - string: |
| 47 | name: GERRIT_BRANCH |
| 48 | default: 'refs/heads/main' |
| 49 | - string: |
| 50 | name: GERRIT_REFSPEC |
| 51 | default: '+refs/heads/main:refs/remotes/origin/main' |
| 52 | description: | |
| 53 | 'e.g. refs/changes/13/31138/1' |
| 54 | - string: |
| 55 | name: RF_GERRIT_REFSPEC |
| 56 | default: ${GERRIT_REFSPEC} |
| 57 | description: | |
| 58 | 'do-not-amend: used by scripts/clone.sh to fetch the correct Gerrit patchset - use GERRIT_REFSPEC instead' |
| 59 | - string: |
| 60 | name: CI_REFSPEC |
| 61 | default: '+refs/heads/tfa-next:refs/remotes/origin/tfa-next' |
| 62 | description: | |
| 63 | 'Refs to fetch for the tf-a-ci-scripts repo e.g. refs/changes/13/31138/1' |
| 64 | - string: |
| 65 | name: JOBS_REFSPEC |
| 66 | default: 'refs/heads/master' |
| 67 | description: | |
| 68 | tf-a-job-configs refspec to use. The master branch is used by default. |
| 69 | - string: |
| 70 | name: SHARE_FOLDER |
| 71 | default: '/srv/shared/${JOB_NAME}/${BUILD_NUMBER}' |
| 72 | description: 'Folder containing shared repositories for downstream pipeline jobs' |
| 73 | - string: |
| 74 | name: CLONE_REPOS |
| 75 | default: "rusted-firmware-a" |
| 76 | description: | |
| 77 | Optional arg to clone only specific projects from default list (tf-a-ci-scripts,rusted-firmware-a,tf-a-tests,spm,tf-m-tests,tf-m-extras) |
| 78 | - string: |
| 79 | name: FETCH_SSH |
| 80 | default: 1 |
| 81 | description: | |
| 82 | Fetch branches with authenticated SSH instead of anonymous HTTPS |
| 83 | wrappers: |
| 84 | - credentials-binding: |
| 85 | - ssh-user-private-key: |
| 86 | credential-id: TFA_CI_BOT_USER_SSH_KEY |
| 87 | key-file-variable: CI_BOT_KEY |
| 88 | username-variable: CI_BOT_USERNAME |
| 89 | passphrase-variable: '' |
| 90 | - timestamps |
| 91 | - timeout: |
| 92 | timeout: 240 |
| 93 | fail: true |
| 94 | builders: |
| 95 | - shell: |
| 96 | !include-raw: scripts/clone.sh |
| 97 | - shell: | |
| 98 | #!/bin/bash |
| 99 | set -ex |
| 100 | cat << EOF > tf-a-env.param |
| 101 | RF_GERRIT_PROJECT=${GERRIT_PROJECT} |
| 102 | RF_GERRIT_REFSPEC=${GERRIT_REFSPEC} |
| 103 | SHARE_FOLDER=${SHARE_FOLDER} |
| 104 | EOF |
| 105 | |
| 106 | cd ${WORKSPACE}/rusted-firmware-a |
| 107 | |
| 108 | # Vote Unsafe-Review+1 on patches not touching any unsafe code |
| 109 | |
| 110 | # 1. Check if the patch touches unsafe code: |
| 111 | |
| 112 | # if the grep command finds nothing, it will exit 1 and because we have set -e the program |
| 113 | # will fail. Doing || true makes it so that the final exit command is always 0 so the flow is not |
| 114 | # interrupted and we can check `diff` to know if the program was successful or not. |
| 115 | diff=$(echo $(git show -U10 --format=) | grep "unsafe" || true) |
| 116 | if [ "$diff" != "" ]; then |
| 117 | exit 1 |
| 118 | fi |
| 119 | |
| 120 | # 2. Cast the Unsafe-Review +1 vote if the patch does NOT touch unsafe code: |
| 121 | |
| 122 | SSH_PARAMS="-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o PubkeyAcceptedKeyTypes=+ssh-rsa -p 29418 -i ${CI_BOT_KEY}" |
| 123 | GERRIT_URL="review.trustedfirmware.org" |
| 124 | SET_SAFE_CMD="${SSH_PARAMS} ${CI_BOT_USERNAME}@${GERRIT_URL} gerrit review --label Unsafe-Review=1 -m Safe" |
| 125 | ssh ${SET_SAFE_CMD} ${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER} |