Add reusable validate kernel commits workflow #649
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
bmastbergen
requested review from
PlaidCat,
kerneltoast and
shreeya-patel98
as code owners
PlaidCat
reviewed
Oct 27, 2025
PlaidCat
reviewed
Oct 27, 2025
bmastbergen
force-pushed
the
bmastbergen_main-add-reusable-validate-kernel-commits
branch
from
45d6630 to
3cc867c
Compare
PlaidCat
previously approved these changes
Oct 27, 2025
roxanan1996
reviewed
Oct 28, 2025
roxanan1996
reviewed
Oct 29, 2025
shreeya-patel98
previously approved these changes
Oct 29, 2025
bmastbergen
dismissed stale reviews from shreeya-patel98 and PlaidCat
via
c5b4313
kerneltoast
requested changes
Oct 29, 2025
bmastbergen
force-pushed
the
bmastbergen_main-add-reusable-validate-kernel-commits
branch
from
c5b4313 to
93bdcb5
Compare
PlaidCat
reviewed
Oct 31, 2025
PlaidCat
reviewed
Oct 31, 2025
PlaidCat
reviewed
Oct 31, 2025
bmastbergen
force-pushed
the
bmastbergen_main-add-reusable-validate-kernel-commits
branch
from
93bdcb5 to
dc56b8a
Compare
PlaidCat
previously approved these changes
Oct 31, 2025
kerneltoast
requested changes
Oct 31, 2025
Converts the upstream-commit-check workflow (from ciqlts9_2) to a reusable workflow that can be referenced from branches. This allows maintaining the workflow definition in one place while using it across many branches. The workflow uses workflow_call trigger and accepts all necessary context from the calling workflow via github context variables. We are renaming the workflow and some of the labels it uses to be more general. In the future, more kernel commit validation will happen in this workflow besides just the upstream fixes check
This causes check_kernel_commits.py to check the kernel's vulns database to ensure the CVEs referenced in the commit are correct, check for missing CVE references, and to add CVE references to suggested upstream bugfixes
Add steps to look for differences between upsteam commits referenced in PR commit and the upsteam change they are backporting. This is accomplished with a customized version of interdiff with fuzzy diffing and the run_interdiff.py helper script. Since the custom fuzzy diffing changes aren't available in upstream patchutils yet this workflow pulls down and builds the custom version.
We are using two scripts from that repo and there will be more. Just clone the whole thing instead of fetching scripts one by one.
We will be reaching into our JIRA to check the state of each commits jira. In this we want to ensure that the target branch matches the defined branch for that product and validate that the CVE ID is also correct for the ticket. It will also check to confirm that the tickets are in progress and have time logged, if either are untrue then it will produce a warning. In the event there are Product or CVE mis matches it will block the PR and request changes.
s/result.txt/ckc_result.txt/g
This keeps all of our PR interaction consistent
We want the return code of our python scripts, not of tee
bmastbergen
force-pushed
the
bmastbergen_main-add-reusable-validate-kernel-commits
branch
from
dc56b8a to
6acca96
Compare
kerneltoast
approved these changes
Nov 3, 2025
bmastbergen
deleted the
bmastbergen_main-add-reusable-validate-kernel-commits
branch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This started as upstream-commit-check.yml from ciqlts9_2 and then the following changes were made:
The idea with the reusable workflow in main, is that each branch will have a minimal validate-kernel-commits.yml that references the main version. Then, when changes need to be made to the workflow they can be made in one place instead of having to touch every branch. If this works out well, maybe we can move other workflows to this model.
This is an example of what it looks like for a branch workflow to reference this reusable workflow:
bmastbergen@534b3ed