diff --git a/.github/test-pr-trigger-fossid.txt b/.github/test-pr-trigger-fossid.txt new file mode 100644 index 0000000..7837c4e --- /dev/null +++ b/.github/test-pr-trigger-fossid.txt @@ -0,0 +1,2 @@ +FOSSID workflow test PR marker +Created: 2026-06-25T13:12:51Z diff --git a/.github/workflows/fossid_integration_stateless_diffscan.yml b/.github/workflows/fossid_integration_stateless_diffscan.yml index d79c61b..8c1f2b1 100644 --- a/.github/workflows/fossid_integration_stateless_diffscan.yml +++ b/.github/workflows/fossid_integration_stateless_diffscan.yml @@ -2,6 +2,22 @@ name: Fossid Pre-merge Stateless Diff Scan on: workflow_call: + inputs: + base_ref: # NEW: optional explicit base ref + description: 'Base ref for diff (e.g. develop). Empty = auto-detect.' + required: false + type: string + default: '' + compare_ref: # NEW: optional explicit compare ref + description: 'Compare ref/SHA for diff. Empty = auto-detect.' + required: false + type: string + default: '' + pr_number: # NEW: PR number (for fetching fork commits) + description: 'PR number (used to fetch fork head ref). Empty = not needed.' + required: false + type: string + default: '' secrets: FOSSID_CONTAINER_USERNAME: required: true @@ -24,6 +40,19 @@ jobs: steps: - name: Checkout Code uses: actions/checkout@v5 + with: + fetch-depth: 0 # Full clone to ensure base ref is available + + # NEW STEP: container runs as different user than checkout — mark safe + - name: Mark workspace safe + run: git config --global --add safe.directory "$GITHUB_WORKSPACE" + + # NEW STEP: fetch the fork PR's head commits (not in origin by default) + - name: Fetch PR head ref + if: inputs.pr_number != '' + env: + PR_NUMBER: ${{ inputs.pr_number }} + run: git fetch origin pull/$PR_NUMBER/head - name: Checkout ignore projects file uses: actions/checkout@v5 
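Review bot: The `base_ref` description ('Base ref for diff (e.g. develop). Empty = auto-detect.') omits that the run step prefixes the value with `origin/` when it builds `--base-ref`, so a caller that passes `origin/develop`, `refs/heads/develop` or a SHA ends up with a ref that does not resolve. Suggest `description: 'Base branch name for diff, without remote prefix (e.g. develop); resolved as origin/<base_ref>. Empty = auto-detect.'`. It would also help both `base_ref` and `compare_ref` descriptions to state that the two must be supplied together, since the run step later ignores a single one and falls back to auto-detection.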
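Review bot: `run: git fetch origin pull/$PR_NUMBER/head` in the new "Fetch PR head ref" step expands a caller-supplied string unvalidated and unquoted; the input is typed `string` and this reusable workflow is callable from other repositories, so a value with whitespace or a leading dash is word-split into extra arguments for `git fetch` instead of failing cleanly. Passing the value through `env` rather than inlining the expression is the right choice; complete it with a numeric check and a quoted refspec: `run: |`, `case "$PR_NUMBER" in ''|*[!0-9]*) echo "pr_number must be numeric" >&2; exit 1;; esac`, `git fetch origin "pull/$PR_NUMBER/head"`. The `case` form is POSIX, so it works whether the container's default shell is bash or sh. The enclosing job and its `container:` settings start outside the hunk.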
@@ -33,16 +62,24 @@ jobs: ignore_projects_fossid ref: develop path: tools - + - name: Run fossid-toolbox env: FOSSID_HOST_USERNAME: ${{ secrets.FOSSID_HOST_USERNAME }} FOSSID_HOST_TOKEN: ${{ secrets.FOSSID_HOST_TOKEN }} + BASE_REF: ${{ inputs.base_ref }} + COMPARE_REF: ${{ inputs.compare_ref }} run: | + # NEW: build explicit ref args when provided, otherwise let fossid auto-detect + REF_ARGS="" + if [ -n "$BASE_REF" ] && [ -n "$COMPARE_REF" ]; then + REF_ARGS="--base-ref origin/$BASE_REF --compare-ref $COMPARE_REF" + fi fossid \ diffscan \ --fossid-host $FOSSID_HOST_USERNAME \ --fossid-token $FOSSID_HOST_TOKEN \ --format github \ --fail \ - --ignore-projects tools/ignore_projects_fossid + --ignore-projects tools/ignore_projects_fossid \ + $REF_ARGS diff --git a/.github/workflows/fossid_integration_stateless_diffscan_target_repo.yml b/.github/workflows/fossid_integration_stateless_diffscan_target_repo.yml index 5038b43..19bcee9 100644 --- a/.github/workflows/fossid_integration_stateless_diffscan_target_repo.yml +++ b/.github/workflows/fossid_integration_stateless_diffscan_target_repo.yml 
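Review bot: The new `REF_ARGS` guard requires both `BASE_REF` and `COMPARE_REF`, so a call that sets only one of them silently falls back to auto-detection instead of failing, which hides a caller mistake in a pre-merge gate. The two values are also expanded unquoted inside `$REF_ARGS`, so a base or compare value containing whitespace is split into additional `fossid` arguments. Fail when exactly one is set, keep the arguments in an array and expand it quoted; this assumes the step runs under bash (GitHub's default when bash is present in the container) — under plain `sh`, quote the two expansions inline instead. The enclosing job definition starts outside the hunk.
```yaml
        run: |
          # Refuse a half-specified range instead of silently auto-detecting
          if { [ -n "$BASE_REF" ] && [ -z "$COMPARE_REF" ]; } || { [ -z "$BASE_REF" ] && [ -n "$COMPARE_REF" ]; }; then
            echo "base_ref and compare_ref must be provided together" >&2
            exit 1
          fi
          REF_ARGS=()
          if [ -n "$BASE_REF" ]; then
            REF_ARGS=(--base-ref "origin/$BASE_REF" --compare-ref "$COMPARE_REF")
          fi
          # … unchanged: fossid diffscan invocation and its other options …
            --ignore-projects tools/ignore_projects_fossid \
            "${REF_ARGS[@]}"
```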
@@ -1,13 +1,63 @@ name: Fossid Stateless Diff Scan -on: +on: pull_request: - branches: - - develop + types: [opened, synchronize, reopened] + workflow_dispatch: # NEW: manual trigger + inputs: + pr_number: + description: 'PR number to scan (including fork PRs)' + required: true + type: string + +permissions: + contents: read + pull-requests: read + jobs: - call-fossid-workflow: - uses: rdkcentral/build_tools_workflows/.github/workflows/fossid_integration_stateless_diffscan.yml@develop - secrets: + # Automatic scan for internal PRs (same repo, not a fork) + call-fossid-pr: + if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository + uses: rdkcentral/build_tools_workflows/.github/workflows/fossid_integration_stateless_diffscan.yml@feature/fossid-wflow-dispatch + secrets: + FOSSID_CONTAINER_USERNAME: ${{ secrets.FOSSID_CONTAINER_USERNAME }} + FOSSID_CONTAINER_PASSWORD: ${{ secrets.FOSSID_CONTAINER_PASSWORD }} + FOSSID_HOST_USERNAME: ${{ secrets.FOSSID_HOST_USERNAME }} + FOSSID_HOST_TOKEN: ${{ secrets.FOSSID_HOST_TOKEN }} + + # Manual scan for any PR (including fork PRs) — step 1: resolve refs + resolve-pr-refs: + name: Resolve PR Refs + if: github.event_name == 'workflow_dispatch' + runs-on: ubuntu-latest + outputs: + base_ref: ${{ steps.pr.outputs.base_ref }} + head_sha: ${{ steps.pr.outputs.head_sha }} + steps: + - name: Get PR details + id: pr + uses: actions/github-script@v8 + with: + script: | + const prNumber = parseInt(context.payload.inputs.pr_number, 10); + const { data: pr } = await github.rest.pulls.get({ + owner: context.repo.owner, + repo: context.repo.repo, + pull_number: prNumber + }); + core.setOutput('base_ref', pr.base.ref); + core.setOutput('head_sha', pr.head.sha); + + # Manual scan for any PR (including fork PRs) — step 2: run fossid with explicit refs + call-fossid-dispatch: + if: github.event_name == 'workflow_dispatch' + needs: [resolve-pr-refs] + uses: 
rdkcentral/build_tools_workflows/.github/workflows/fossid_integration_stateless_diffscan.yml@feature/fossid-wflow-dispatch + with: + base_ref: ${{ needs.resolve-pr-refs.outputs.base_ref }} + compare_ref: ${{ needs.resolve-pr-refs.outputs.head_sha }} + pr_number: ${{ github.event.inputs.pr_number }} + secrets: FOSSID_CONTAINER_USERNAME: ${{ secrets.FOSSID_CONTAINER_USERNAME }} FOSSID_CONTAINER_PASSWORD: ${{ secrets.FOSSID_CONTAINER_PASSWORD }} FOSSID_HOST_USERNAME: ${{ secrets.FOSSID_HOST_USERNAME }}