137 changes: 137 additions & 0 deletions .github/workflows/kernel-build-and-test-multiarch-trigger.yml
@@ -0,0 +1,137 @@
name: Trigger Automated kernel build and test (multi-arch)

on:
workflow_call:
inputs:
architectures:
description: 'Comma-separated architectures to build (x86_64, aarch64)'
required: false
type: string
default: 'x86_64,aarch64'
skip_kabi:
description: 'Skip kABI compatibility check'
required: false
type: boolean
default: false

permissions:
contents: read
actions: read
packages: read
# No pull-requests: write needed - we don't comment here

jobs:
trigger-kernelCI:
runs-on: ubuntu-latest

Collaborator

@PlaidCat PlaidCat Mar 20, 2026

There is a time out of 120m in https://github.com/ctrliq/kernel-src-tree/blob/main/.github/workflows/validate-kernel-commits.yml#L14, we could make it that or maybe 60m since we're not doing compute here. Just so it's not a 360m default time out

steps:
- name: Validate and sanitize inputs
id: validate_inputs
env:
BASE_REF: ${{ github.base_ref }}
HEAD_REF: ${{ github.head_ref }}
PR_NUMBER: ${{ github.event.pull_request.number }}
PR_COMMITS: ${{ github.event.pull_request.commits }}
run: |
# Validate base branch name (alphanumeric, dots, slashes, dashes, underscores, curly braces)
# Note: hyphen must be at end of character class or escaped to be literal
if ! [[ "$BASE_REF" =~ ^[a-zA-Z0-9/_.{}-]+$ ]]; then
echo "❌ Invalid base branch name: $BASE_REF"
exit 1
fi

# Validate head branch name
if ! [[ "$HEAD_REF" =~ ^[a-zA-Z0-9/_.{}-]+$ ]]; then
echo "❌ Invalid head branch name: $HEAD_REF"
exit 1
fi

# Validate length (prevent resource exhaustion)
if [ ${#BASE_REF} -gt 255 ]; then
echo "❌ Base branch name too long"
exit 1
fi

if [ ${#HEAD_REF} -gt 255 ]; then
echo "❌ Head branch name too long"
exit 1
fi

# Validate PR number is numeric
if ! [[ "$PR_NUMBER" =~ ^[0-9]+$ ]]; then
echo "❌ Invalid PR number: $PR_NUMBER"
exit 1
fi

# Validate commits count is numeric
if ! [[ "$PR_COMMITS" =~ ^[0-9]+$ ]]; then
echo "❌ Invalid commits count: $PR_COMMITS"
exit 1
fi

# Pass validated values to environment
echo "BASE_REF=$BASE_REF" >> "$GITHUB_ENV"
echo "HEAD_REF=$HEAD_REF" >> "$GITHUB_ENV"
echo "PR_NUMBER=$PR_NUMBER" >> "$GITHUB_ENV"
echo "PR_COMMITS=$PR_COMMITS" >> "$GITHUB_ENV"
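Review bot: the branch-name pattern `^[a-zA-Z0-9/_.{}-]+$` used for BASE_REF and HEAD_REF accepts a value that begins with `-`, and HEAD_REF is later handed to `git fetch` as a positional argument, where a leading dash is parsed as an option rather than a ref. GitHub rejects such branch names, but this check should not rely on that: require an alphanumeric first character (`^[a-zA-Z0-9][a-zA-Z0-9/_.{}-]*$`) or fetch `refs/heads/$HEAD_REF` so the value can only be read as a ref. The length checks also run after the regex matches; doing them first gives the regex a bounded input, which is what the "prevent resource exhaustion" comment intends.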

Comment on lines +24 to +77

Copilot AI Mar 20, 2026

The sanitization/clone pattern introduced here is duplicated in .github/workflows/validate-kernel-commits.yml. Because this is security-sensitive logic, consider extracting it into a shared composite action or reusable workflow so fixes (e.g., regex tweaks, fetch strategy changes) don’t have to be maintained in multiple places.

Suggested change
trigger-kernelCI:
runs-on: ubuntu-latest
steps:
- name: Validate and sanitize inputs
id: validate_inputs
env:
BASE_REF: ${{ github.base_ref }}
HEAD_REF: ${{ github.head_ref }}
PR_NUMBER: ${{ github.event.pull_request.number }}
PR_COMMITS: ${{ github.event.pull_request.commits }}
run: |
# Validate base branch name (alphanumeric, dots, slashes, dashes, underscores, curly braces)
# Note: hyphen must be at end of character class or escaped to be literal
if ! [[ "$BASE_REF" =~ ^[a-zA-Z0-9/_.{}-]+$ ]]; then
echo "❌ Invalid base branch name: $BASE_REF"
exit 1
fi
# Validate head branch name
if ! [[ "$HEAD_REF" =~ ^[a-zA-Z0-9/_.{}-]+$ ]]; then
echo "❌ Invalid head branch name: $HEAD_REF"
exit 1
fi
# Validate length (prevent resource exhaustion)
if [ ${#BASE_REF} -gt 255 ]; then
echo "❌ Base branch name too long"
exit 1
fi
if [ ${#HEAD_REF} -gt 255 ]; then
echo "❌ Head branch name too long"
exit 1
fi
# Validate PR number is numeric
if ! [[ "$PR_NUMBER" =~ ^[0-9]+$ ]]; then
echo "❌ Invalid PR number: $PR_NUMBER"
exit 1
fi
# Validate commits count is numeric
if ! [[ "$PR_COMMITS" =~ ^[0-9]+$ ]]; then
echo "❌ Invalid commits count: $PR_COMMITS"
exit 1
fi
# Pass validated values to environment
echo "BASE_REF=$BASE_REF" >> "$GITHUB_ENV"
echo "HEAD_REF=$HEAD_REF" >> "$GITHUB_ENV"
echo "PR_NUMBER=$PR_NUMBER" >> "$GITHUB_ENV"
echo "PR_COMMITS=$PR_COMMITS" >> "$GITHUB_ENV"
validate-kernel-commits:
uses: ./.github/workflows/validate-kernel-commits.yml
permissions: inherit
trigger-kernelCI:
needs: validate-kernel-commits
runs-on: ubuntu-latest
steps:
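Review bot: `permissions: inherit` on the proposed `validate-kernel-commits` job is not an accepted value for `permissions`; the `inherit` keyword exists only for `secrets:` on a reusable-workflow call, while `permissions` takes `read-all`, `write-all` or an explicit scope map, so this suggestion would fail workflow validation as written.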

Collaborator

Fair point but if we do this I'd like to see us maintaining our own common actions

- name: Clone base branch
env:
BASE_CLONE_URL: ${{ github.event.pull_request.base.repo.clone_url }}
run: |
# Use environment variables to prevent injection
git clone --depth=1 --no-checkout "$BASE_CLONE_URL" -b "$BASE_REF" .

- name: Fetch PR branch
env:
HEAD_CLONE_URL: ${{ github.event.pull_request.head.repo.clone_url }}
run: |
# Use environment variables to prevent command injection
git fetch --depth=$((PR_COMMITS + 1)) "$HEAD_CLONE_URL" "$HEAD_REF"
HEAD_SHA=$(git rev-parse FETCH_HEAD)

# Validate SHA format (40 hex characters)
if ! [[ "$HEAD_SHA" =~ ^[0-9a-f]{40}$ ]]; then
echo "❌ Invalid SHA format: $HEAD_SHA"
exit 1
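Review bot: `git fetch --depth=$((PR_COMMITS + 1))` is what lets the later `git merge-base --is-ancestor "$BASE_REF" "$HEAD_SHA"` check find the base tip in the fetched history; switching to `--depth=1` would make that check fail for any PR carrying commits, so the depth and the ancestor check have to be decided together. The numeric regex on PR_COMMITS also admits a leading zero, which bash arithmetic reads as octal (`$((08 + 1))` is an error), so either reject leading zeros (`^(0|[1-9][0-9]*)$`) or force base 10 with `$((10#$PR_COMMITS + 1))`, and cap the value at a fixed maximum so the fetch depth cannot be driven arbitrarily high.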
Comment on lines +89 to +96

Copilot AI Mar 20, 2026

git fetch --depth=$((PR_COMMITS + 1)) uses the PR commit count directly, which can be very large and lead to excessive network usage/time (resource exhaustion). Consider enforcing an upper bound for PR_COMMITS (or for the computed depth) and/or fetching the exact head SHA via the GitHub API/ref instead of scaling depth with commit count.

Collaborator

I think this is pulled from PR commit processing. I don't think we need a dynamic range so depth=1 should be sufficient for build and test code right?
Unless you're doing something with the state in the next workflow (but I think you still need to check it out again there?)

fi

echo "HEAD_SHA=$HEAD_SHA" >> "$GITHUB_ENV"

- name: Verify PR branch isn't on stale base
run: |
if ! git merge-base --is-ancestor "$BASE_REF" "$HEAD_SHA"; then
echo "❌ PR branch must be rebased onto latest base branch commit"
exit 1
fi
Comment on lines +101 to +106
Collaborator

This is an annoying feature from the Comments Processing ... I would prefer if we drop this so it can run regardless of whether the PR isn't immediately pointed at head.


- name: Save PR metadata for workflow
env:
HEAD_REPO_FULL_NAME: ${{ github.event.pull_request.head.repo.full_name }}
REPOSITORY: ${{ github.repository }}
ARCHITECTURES: ${{ inputs.architectures }}
SKIP_KABI: ${{ inputs.skip_kabi }}
run: |
mkdir -p pr_metadata

# Save validated metadata
echo "$PR_NUMBER" > pr_metadata/pr_number.txt
echo "$REPOSITORY" > pr_metadata/repository.txt
echo "$BASE_REF" > pr_metadata/base_ref.txt
echo "$HEAD_REF" > pr_metadata/head_ref.txt
echo "$HEAD_SHA" > pr_metadata/head_sha.txt
echo "$HEAD_REPO_FULL_NAME" > pr_metadata/head_repo.txt
echo "$ARCHITECTURES" > pr_metadata/architectures.txt
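Review bot: `ARCHITECTURES` and `HEAD_REPO_FULL_NAME` are written to the metadata files without any check, unlike the refs and counts validated earlier in the job. The input description fixes the allowed set to `x86_64` and `aarch64`, so split the value on commas and reject anything outside that set before writing it, and match `HEAD_REPO_FULL_NAME` against an `owner/repo` shape (e.g. `^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+$`) here rather than relying on the consumer workflow alone.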
Collaborator

HEAD_REPO_FULL_NAME and ARCHITECTURES don't receive any kind of validation. Whether or not that is bad depends on how they eventually get used in the next workflow, but some basic checks here couldn't hurt. HEAD_REPO_FULL_NAME may not be much of an issue since I'm guessing there are already limits on how you can name your repo.

"These get validated in the next workflow" is an acceptable answer. :)

Contributor Author

Good point, I have them validated on the other side.
But needed here too

echo "$SKIP_KABI" > pr_metadata/skip_kabi.txt

# Create a checksum of metadata for integrity verification
(cd pr_metadata && sha256sum *.txt > checksums.txt)

- name: Upload check results
uses: actions/upload-artifact@v4
if: always() # Upload even if checks fail
with:
name: check-results
path: |
pr_metadata/
retention-days: 3 # Increased from 1 (then 3) to prevent premature deletion and support manual follow-ups
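Review bot: `sha256sum *.txt > checksums.txt` stores the digests inside the same artifact as the files they cover, so a consumer that recomputes them detects only accidental corruption, not a modified artifact, because whoever can change the `.txt` files can rewrite `checksums.txt` alongside them; either state that limitation in the comment instead of calling it integrity verification, or carry the digest out-of-band (for example as a step output the downstream workflow compares against). The `retention-days: 3` comment ("Increased from 1 (then 3)") contradicts itself and should give the single current value and the reason for it.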