tf-a-unsafe-tfa-next.yaml

- job:
    name: tf-a-unsafe-tfa-next
    node: docker-amd64-tf-a-jammy
    project-type: freestyle
    concurrent: true
    disabled: false
    defaults: global
    description: Check for Unsafe changes in Trusted Firmware Next
    properties:
      - build-discarder:
          days-to-keep: 14
    triggers:
      - gerrit:
          server-name: review.trustedfirmware.org
          projects:
            - branches:
                - branch-compare-type: PLAIN
                  branch-pattern: main
              project-compare-type: PLAIN
              project-pattern: RF-A/rusted-firmware-a
          trigger-on:
            - patchset-created-event:
                exclude-drafts: true
                exclude-trivial-rebase: false
                exclude-no-code-change: true
                exclude-private: true
                exclude-wip: true
            - comment-added-contains-event:
                comment-contains-value: ^RUN_UNSAFE_CI$
          override-votes: true
          # without explicitly setting these values to 0, the plugin will by
          # default leave Code Review votes
          gerrit-build-started-codereview-value: 0
          gerrit-build-successful-codereview-value: 0
          gerrit-build-failed-codereview-value: 0
          gerrit-build-unstable-codereview-value: 0
          gerrit-build-notbuilt-codereview-value: 0
          silent: false
          silent-start: false
    parameters:
      # GERRIT_{PROJECT,BRANCH,REFSPEC} are set when triggered by a Gerrit
      # patchset - defaults below are for manual triggers
      - string:
          name: GERRIT_PROJECT
          default: RF-A/rusted-firmware-a
      - string:
          name: GERRIT_BRANCH
          default: refs/heads/main
      - string:
          name: GERRIT_REFSPEC
          default: +refs/heads/main:refs/remotes/origin/main
          description: |
            'e.g. refs/changes/13/31138/1'
      - string:
          name: RF_GERRIT_REFSPEC
          default: ${GERRIT_REFSPEC}
          description: |
            'do-not-amend: used by scripts/clone.sh to fetch the correct Gerrit patchset - use GERRIT_REFSPEC instead'
      - string:
          name: CI_REFSPEC
          default: +refs/heads/tfa-next:refs/remotes/origin/tfa-next
          description: |
            'Refs to fetch for the tf-a-ci-scripts repo e.g. refs/changes/13/31138/1'
      - string:
          name: JOBS_REFSPEC
          default: refs/heads/master
          description: |
            tf-a-job-configs refspec to use. The master branch is used by default.
      - string:
          name: SHARE_FOLDER
          default: /srv/shared/${JOB_NAME}/${BUILD_NUMBER}
          description: Folder containing shared repositories for downstream pipeline jobs
      - string:
          name: CLONE_REPOS
          default: rusted-firmware-a
          description: |
            Optional arg to clone only specific projects from default list (tf-a-ci-scripts,rusted-firmware-a,tf-a-tests,spm,tf-m-tests,tf-m-extras)
      - string:
          name: FETCH_SSH
          default: 1
          description: |
            Fetch branches with authenticated SSH instead of anonymous HTTPS
    wrappers:
      - credentials-binding:
          - ssh-user-private-key:
              credential-id: TFA_CI_BOT_USER_SSH_KEY
              key-file-variable: CI_BOT_KEY
              username-variable: CI_BOT_USERNAME
              passphrase-variable: ""
      - timestamps
      - timeout:
          timeout: 240
          fail: true
    builders:
      - shell: !include-raw: scripts/clone.sh
      - shell: |
          #!/bin/bash
          set -ex
          cat << EOF > tf-a-env.param
          RF_GERRIT_PROJECT=${GERRIT_PROJECT}
          RF_GERRIT_REFSPEC=${GERRIT_REFSPEC}
          SHARE_FOLDER=${SHARE_FOLDER}
          EOF

          cd ${WORKSPACE}/rusted-firmware-a

          # Vote Unsafe-Review+1 on patches not touching any unsafe code

          # 1. Check if the patch touches unsafe code:

          # if the grep command finds nothing, it will exit 1 and because we have set -e the program
          # will fail. Doing || true makes it so that the final exit command is always 0 so the flow is not
          # interrupted and we can check `diff` to know if the program was successful or not.
          diff=$(echo $(git show -U10 --format=) | grep "unsafe" || true)
          if [ "$diff" != "" ]; then
              exit 1
          fi

          # 2. Cast the Unsafe-Review +1 vote if the patch does NOT touch unsafe code:

          SSH_PARAMS="-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o PubkeyAcceptedKeyTypes=+ssh-rsa -p 29418 -i ${CI_BOT_KEY}"
          GERRIT_URL="review.trustedfirmware.org"
          SET_SAFE_CMD="${SSH_PARAMS} ${CI_BOT_USERNAME}@${GERRIT_URL} gerrit review --label Unsafe-Review=1 -m Safe"
          ssh ${SET_SAFE_CMD} ${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}