ci: fix static checks merge base resolution
This change fetches the full history of the base branch and the change
under test, to avoid problems with unreachable commits.
Signed-off-by: Chris Kay <chris.kay@arm.com>
Change-Id: I7ed38a65678552fff5b0f5efabf6bafc06ea86ee
Signed-off-by: Tomás González <tomasagustin.gonzalezorlando@arm.com>
diff --git a/script/next-checks/next-checks-cargo-doc.sh b/script/next-checks/next-checks-cargo-doc.sh
index 2ce29cf..64044a8 100755
--- a/script/next-checks/next-checks-cargo-doc.sh
+++ b/script/next-checks/next-checks-cargo-doc.sh
@@ -5,9 +5,6 @@
# SPDX-License-Identifier: BSD-3-Clause
#
-this_dir="$(readlink -f "$(dirname "$0")")"
-. $this_dir/../static-checks/common.sh
-
TF_ROOT="$1"
TEST_CASE="Rust cargo doc checks"
LOG_FILE=`mktemp -t common.XXXX`
diff --git a/script/next-checks/next-checks-cargo-fmt.sh b/script/next-checks/next-checks-cargo-fmt.sh
index 6adb58b..3ce3c03 100755
--- a/script/next-checks/next-checks-cargo-fmt.sh
+++ b/script/next-checks/next-checks-cargo-fmt.sh
@@ -6,9 +6,6 @@
# SPDX-License-Identifier: BSD-3-Clause
#
-this_dir="$(readlink -f "$(dirname "$0")")"
-. $this_dir/../static-checks/common.sh
-
TF_ROOT="$1"
TEST_CASE="Rust cargo fmt checks"
diff --git a/script/next-checks/next-checks-clippy.sh b/script/next-checks/next-checks-clippy.sh
index e851abb..418c648 100755
--- a/script/next-checks/next-checks-clippy.sh
+++ b/script/next-checks/next-checks-clippy.sh
@@ -5,9 +5,6 @@
# SPDX-License-Identifier: BSD-3-Clause
#
-this_dir="$(readlink -f "$(dirname "$0")")"
-. $this_dir/../static-checks/common.sh
-
TF_ROOT="$1"
TEST_CASE="Rust clippy checks"
LOG_FILE=`mktemp -t common.XXXX`
diff --git a/script/next-checks/next-checks-generic-tests.sh b/script/next-checks/next-checks-generic-tests.sh
index faf5802..599ff29 100755
--- a/script/next-checks/next-checks-generic-tests.sh
+++ b/script/next-checks/next-checks-generic-tests.sh
@@ -21,8 +21,7 @@
# next tests, usually this will be tfa-next
export GERRIT_BRANCH=${GERRIT_BRANCH:="tfa-next"}
-# git operations e.g. ${get_merge_base} rely on access to tfa-next branch,
-# we need to access via SSH for that to work currently
+# git operations rely on access to tfa-next branch, we need to access via SSH for that to work currently
SSH_PARAMS="-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o PubkeyAcceptedKeyTypes=+ssh-rsa -p 29418 -i ${CI_BOT_KEY}"
REPO_SSH_URL="ssh://${CI_BOT_USERNAME}@review.trustedfirmware.org:29418/${REPO_SPACE}/${REPO_NAME}"
export GIT_SSH_COMMAND="ssh ${SSH_PARAMS}"
diff --git a/script/next-checks/next-checks.sh b/script/next-checks/next-checks.sh
index 39c9d28..4cb0d43 100755
--- a/script/next-checks/next-checks.sh
+++ b/script/next-checks/next-checks.sh
@@ -17,14 +17,19 @@
# next tests, usually this will be main
export GERRIT_BRANCH=${GERRIT_BRANCH:="main"}
+
if [ "$IS_CONTINUOUS_INTEGRATION" == 1 ]; then
- # git operations e.g. ${get_merge_base} rely on access to main branch,
- # we need to access via SSH for that to work currently
+ # git operations rely on access to main branch, we need to access via SSH for that to work currently
SSH_PARAMS="-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o PubkeyAcceptedKeyTypes=+ssh-rsa -p 29418 -i ${CI_BOT_KEY}"
REPO_SSH_URL="ssh://${CI_BOT_USERNAME}@review.trustedfirmware.org:29418/RF-A/rusted-firmware-a"
export GIT_SSH_COMMAND="ssh ${SSH_PARAMS}"
git remote set-url origin ${REPO_SSH_URL}
- git fetch origin
+ git fetch --unshallow --update-shallow origin
+ git fetch --unshallow --update-shallow origin ${GERRIT_BRANCH} ${GERRIT_REFSPEC}
+
+ export merge_base=$(git merge-base \
+ $(head -n1 .git/FETCH_HEAD | cut -f1) \
+ $(tail -n1 .git/FETCH_HEAD | cut -f1))
fi
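Review bot: `export merge_base=$(git merge-base …)` discards the exit status of `git merge-base`, and neither fetch before it is checked, so a failed fetch or an empty result is exported as the base without any error. The same lines are added in static-checks.sh, where this commit also removes the previous `exit 1` on an empty merge base. Assign and verify before exporting: `merge_base=$(git merge-base "$base_tip" "$change_tip") || exit 1`, then `[ -n "$merge_base" ] || exit 1`, then `export merge_base`. Git refuses `--unshallow` on a repository that is already complete, so if the first fetch leaves the clone complete the second one may fail and the `head`/`tail` reads of `.git/FETCH_HEAD` would then see the wrong fetch; worth confirming on a full clone. The fetches also run over the `SSH_PARAMS` context line, which sets `StrictHostKeyChecking=no` and `UserKnownHostsFile=/dev/null`, so the refs the base is derived from are not tied to a verified server; a pinned known_hosts file would close that gap.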
# Find the absolute path of the scripts' top directory
@@ -32,17 +37,16 @@
export CI_ROOT=$(pwd)
cd -
-. $CI_ROOT/script/static-checks/common.sh
-
echo
echo "###### Rust checks ######" > "$LOG_TEST_FILENAME"
echo >> "$LOG_TEST_FILENAME"
echo "Patch series being checked:" >> "$LOG_TEST_FILENAME"
-git log --oneline $(get_merge_base)..HEAD >> "$LOG_TEST_FILENAME"
+git log --oneline ${merge_base}..HEAD >> "$LOG_TEST_FILENAME"
echo >> "$LOG_TEST_FILENAME"
echo "Base branch reference commit:" >> "$LOG_TEST_FILENAME"
-git log --oneline -1 $(get_merge_base) >> "$LOG_TEST_FILENAME"
+git log --oneline -1 ${merge_base} >> "$LOG_TEST_FILENAME"
+
echo >> "$LOG_TEST_FILENAME"
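Review bot: `${merge_base}` in the two `git log` lines is only assigned inside the `IS_CONTINUOUS_INTEGRATION` branch of the earlier hunk, so a run outside CI expands it to nothing unless the caller already exported it. The removed `get_merge_base` call worked in both modes. With an empty value `git log --oneline ..HEAD` is an empty range and `git log --oneline -1` prints HEAD, so the log would report no patches and name HEAD as the base branch reference commit without any error. A guard before the first use, `: "${merge_base:?merge base was not resolved}"`, and quoting the expansions as `"${merge_base}..HEAD"` and `"${merge_base}"` would make that case fail visibly.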
diff --git a/script/static-checks/common.sh b/script/static-checks/common.sh
deleted file mode 100644
index d7a56b7..0000000
--- a/script/static-checks/common.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#
-# Copyright (c) 2024 Arm Limited. All rights reserved.
-#
-# SPDX-License-Identifier: BSD-3-Clause
-#
-
-function get_merge_base() {
- git fetch origin ${GERRIT_BRANCH#refs/heads/}
- git merge-base HEAD FETCH_HEAD | head -1
-}
diff --git a/script/static-checks/static-checks-banned-apis.sh b/script/static-checks/static-checks-banned-apis.sh
index 424bbcb..ba10537 100755
--- a/script/static-checks/static-checks-banned-apis.sh
+++ b/script/static-checks/static-checks-banned-apis.sh
@@ -7,10 +7,6 @@
# static-checks-banned-apis.sh <path-to-root-folder> [patch]
-this_dir="$(readlink -f "$(dirname "$0")")"
-. $this_dir/common.sh
-
-
LOG_FILE=$(mktemp -t banned-api-check.XXXX)
if [[ "$2" == "patch" ]]; then
@@ -43,5 +39,3 @@
rm -f "$LOG_FILE"
exit "$EXIT_VALUE"
-
-
diff --git a/script/static-checks/static-checks-check-copyright.sh b/script/static-checks/static-checks-check-copyright.sh
index 56d2e9d..3903c8a 100755
--- a/script/static-checks/static-checks-check-copyright.sh
+++ b/script/static-checks/static-checks-check-copyright.sh
@@ -7,10 +7,6 @@
# test-package-check-copyright.sh DIRECTORY COPYRIGHT_FLAGS
-this_dir="$(readlink -f "$(dirname "$0")")"
-. $this_dir/common.sh
-
-
DIRECTORY="$1"
COPYRIGHT_FLAGS="$2"
diff --git a/script/static-checks/static-checks-coding-style-line-endings.sh b/script/static-checks/static-checks-coding-style-line-endings.sh
index 5aed85a..dabe42c 100755
--- a/script/static-checks/static-checks-coding-style-line-endings.sh
+++ b/script/static-checks/static-checks-coding-style-line-endings.sh
@@ -5,10 +5,6 @@
# SPDX-License-Identifier: BSD-3-Clause
#
-this_dir="$(readlink -f "$(dirname "$0")")"
-. $this_dir/common.sh
-
-
TEST_CASE="Line endings are valid"
EXIT_VALUE=0
diff --git a/script/static-checks/static-checks-coding-style.sh b/script/static-checks/static-checks-coding-style.sh
index 9ff51cf..018b926 100755
--- a/script/static-checks/static-checks-coding-style.sh
+++ b/script/static-checks/static-checks-coding-style.sh
@@ -9,10 +9,6 @@
# against the Linux coding style using the checkpatch.pl script from
# the Linux kernel source tree.
-this_dir="$(readlink -f "$(dirname "$0")")"
-. $this_dir/common.sh
-
-
TEST_CASE="Coding style on current patch"
echo "# Check coding style on the last patch"
diff --git a/script/static-checks/static-checks-cpu-erratum-order.sh b/script/static-checks/static-checks-cpu-erratum-order.sh
new file mode 100755
index 0000000..e6e32c5
--- /dev/null
+++ b/script/static-checks/static-checks-cpu-erratum-order.sh
@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) 2025 Arm Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+
+LOG_FILE=$(mktemp -t cpu_workaround_order_check_log.XXXX)
+
+if [[ "$2" == "patch" ]]; then
+ TEST_CASE="Checking ascending order of CPU ERRATUM and CVE in the patch series"
+ echo "# $TEST_CASE"
+ "$CI_ROOT/script/static-checks/static-checks-cpu-erratum-order.py" --tree "$1" \
+ --patch --from-ref ${merge_base} &> "$LOG_FILE"
+else
+ TEST_CASE="Checking ascending order of CPU ERRATUM and CVE in the entire source tree"
+ echo "# $TEST_CASE"
+ "$CI_ROOT/script/static-checks/static-checks-cpu-erratum-order.py" --tree "$1" &> "$LOG_FILE"
+fi
+
+EXIT_VALUE=$?
+
+echo >> "$LOG_TEST_FILENAME"
+echo "****** $TEST_CASE ******" >> "$LOG_TEST_FILENAME"
+echo >> "$LOG_TEST_FILENAME"
+cat "$LOG_FILE" >> "$LOG_TEST_FILENAME"
+echo >> "$LOG_TEST_FILENAME"
+if [[ "$EXIT_VALUE" == 0 ]]; then
+ echo "Result : SUCCESS" >> "$LOG_TEST_FILENAME"
+else
+ echo "Result : FAILURE" >> "$LOG_TEST_FILENAME"
+fi
+
+rm -f "$LOG_FILE"
+
+exit "$EXIT_VALUE"
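Review bot: The new script has no usage line and does not validate what it takes from its caller: it reads `$1`, `$2`, `CI_ROOT`, `merge_base` and `LOG_TEST_FILENAME`, and `--from-ref ${merge_base}` is unquoted. I would add the header comment the sibling scripts carry, `# static-checks-cpu-erratum-order.sh <path-to-root-folder> [patch]`, together with a line naming the required environment variables. In patch mode the argument should be `--from-ref "${merge_base:?merge_base is not set}"`, so an unresolved base stops the check with a clear message rather than depending on how the Python script handles a missing value, which is not visible here. A `trap 'rm -f "$LOG_FILE"' EXIT` after the `mktemp` line would also remove the temporary log when the script is interrupted before the final `rm -f`.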
diff --git a/script/static-checks/static-checks-detect-newly-added-files.sh b/script/static-checks/static-checks-detect-newly-added-files.sh
index 008a147..154e308 100755
--- a/script/static-checks/static-checks-detect-newly-added-files.sh
+++ b/script/static-checks/static-checks-detect-newly-added-files.sh
@@ -11,10 +11,6 @@
# It runs on every TF-A patch and detects the new files and updates
# the patch contibutor to include them for Coverity Scan analysis.
-this_dir="$(readlink -f "$(dirname "$0")")"
-. $this_dir/common.sh
-
-
LOG_FILE=$(mktemp -t files-detection-check.XXXX)
TFA_PATCH_NEWFILES_LIST=$(mktemp -t tfa-patch-newfiles-list.XXXX)
EXIT_VALUE=0
diff --git a/script/static-checks/static-checks-include-order.sh b/script/static-checks/static-checks-include-order.sh
index 21fcb72..67c8e4e 100755
--- a/script/static-checks/static-checks-include-order.sh
+++ b/script/static-checks/static-checks-include-order.sh
@@ -7,10 +7,6 @@
# unittest-include-order.sh <path-to-root-folder> [patch]
-this_dir="$(readlink -f "$(dirname "$0")")"
-. $this_dir/common.sh
-
-
LOG_FILE=$(mktemp -t include-order-check.XXXX)
if [[ "$2" == "patch" ]]; then
diff --git a/script/static-checks/static-checks.sh b/script/static-checks/static-checks.sh
index 1424349..7e7f1fa 100755
--- a/script/static-checks/static-checks.sh
+++ b/script/static-checks/static-checks.sh
@@ -15,33 +15,12 @@
export CI_ROOT=$(pwd)
cd -
-. $CI_ROOT/script/static-checks/common.sh
+git fetch --unshallow --update-shallow origin
+git fetch --unshallow --update-shallow origin ${GERRIT_BRANCH} ${GERRIT_REFSPEC}
-merge_base=$(get_merge_base)
-if [[ -z "$merge_base" ]]; then
- echo "Failed to find merge base, fetching entire change history"
-
- # Set GERRIT_REFSPEC if not already defined
- if [[ -z "$GERRIT_REFSPEC" ]]; then
- if [[ "$TF_GERRIT_PROJECT" == *tf-a-tests ]]; then
- GERRIT_REFSPEC="$TFTF_GERRIT_REFSPEC"
- else
- GERRIT_REFSPEC="$TF_GERRIT_REFSPEC"
- fi
- fi
-
- git fetch --depth=100 origin "$GERRIT_REFSPEC"
- git checkout FETCH_HEAD
-
- merge_base=$(get_merge_base)
-
- if [[ -z "$merge_base" ]]; then
- echo "Failed to determine merge base after fetching. Exiting." >&2
- exit 1
- fi
-fi
-
-export merge_base
+export merge_base=$(git merge-base \
+ $(head -n1 .git/FETCH_HEAD | cut -f1) \
+ $(tail -n1 .git/FETCH_HEAD | cut -f1))
export LOG_TEST_FILENAME=$(pwd)/static-checks.log