@PerMac PerMac commented Nov 10, 2025

Add GitHub workflows and a Python script responsible for publishing a comment that notifies codeowners whenever an item under their ownership is added to or removed from the quarantine file.

@PerMac PerMac requested review from a team as code owners November 10, 2025 11:46
@PerMac PerMac changed the title from "Quar newst" to "Quarantine: Workflows for notifications publishing" Nov 10, 2025
NordicBuilder commented Nov 10, 2025

CI Information

Build number: 38

Inputs:

Sources:

sdk-nrf:
  PR head: 74bc1196990242e33557e745f466a3207de98224
  merge base: 3653fec21b6a44d996217a37d3093ffe42b09160
  target head (main): 20839e643c7632798bb9d8549c4c806eb4e24d86

Github labels

Enabled Name Description
ci-disabled Disable the ci execution
ci-all-test Run all of ci, no test spec filtering will be done
ci-force-downstream Force execution of downstream even if twister fails
ci-run-twister Force run twister
ci-run-zephyr-twister Force run zephyr twister
List of changed files detected by CI (6)
  .github/workflows/review-quarantine-generate.yml
  .github/workflows/review-quarantine-pr.yml
  .github/workflows/review-quarantine-publish.yml
  CODEOWNERS
  scripts/ci/quarantine_notifier.py
  scripts/compare_quarantine.py

Outputs:

Toolchain

Version: f911d4f4e7
Build docker image: docker-dtr.nordicsemi.no/sw-production/ncs-build:f911d4f4e7_5ea73affbf

Test Spec & Results: ✅ Success; ❌ Failure; 🟠 Queued; 🟡 Progress; ◻️ Skipped; ⚠️ Quarantine

  • ◻️ Toolchain - Skipped: existing toolchain is used
  • ✅ Build twister
  • ✅ Integration tests
Disabled integration tests
    • test-fw-nrfconnect-nrf_lrcs_mosh
    • desktop52_verification
    • test_ble_nrf_config
    • test-fw-nrfconnect-ble_mesh
    • test-fw-nrfconnect-ble_samples
    • test-fw-nrfconnect-chip
    • test-fw-nrfconnect-fem
    • test-fw-nrfconnect-nfc
    • test-fw-nrfconnect-nrf-iot_cloud
    • test-fw-nrfconnect-nrf-iot_libmodem-nrf
    • test-fw-nrfconnect-nrf-iot_lwm2m
    • test-fw-nrfconnect-nrf-iot_samples
    • test-fw-nrfconnect-nrf-iot_thingy91
    • test-fw-nrfconnect-nrf-iot_zephyr_lwm2m
    • test-fw-nrfconnect-nrf_crypto
    • test-fw-nrfconnect-ps-main
    • test-fw-nrfconnect-rpc
    • test-fw-nrfconnect-rs
    • test-fw-nrfconnect-tfm
    • test-fw-nrfconnect-thread-main
    • test-low-level
    • test-sdk-audio
    • test-sdk-dfu
    • test-sdk-find-my
    • test-sdk-mcuboot
    • test-sdk-wifi
    • test-secdom-samples-public

Note: This message is automatically posted and updated by the CI

PerMac commented Nov 10, 2025

Can be seen in action here: PerMac#34

PerMac commented Nov 10, 2025

@nrfconnect/ncs-ci AFAIK the SonarCloud issue is that some regexes in the added Python script can take a long time if some wrong values are passed there. But they only evaluate changes to the quarantine files in PRs in sdk-nrf, on GitHub agents. I don't think it can be part of any DoS attack. Who can evaluate/discard those checks?

@PerMac PerMac force-pushed the quar_newst branch 4 times, most recently from 40e648f to 0e3f446 November 10, 2025 14:07

on:
  pull_request:
    types: [opened, reopened, synchronize, ready_for_review]

Review comment (Contributor):

Could it be like in the old workflow, so this workflow runs only if the PR touches quarantine files?
paths:
  - '**/scripts/quarantine*.yaml'

@PerMac PerMac force-pushed the quar_newst branch 4 times, most recently from 40a2d1a to bec0cc2 November 13, 2025 08:30
Comment on lines 38 to 46
run: |
  set -euo pipefail
  PR_FILE="$(find ./quarantine-artifacts/pr -name 'pr_number.txt' -print -quit)"
  if [[ -z "${PR_FILE}" || ! -s "${PR_FILE}" ]]; then
    echo "ERROR: pr_number.txt not found or empty." >&2
    exit 1
  fi
  PR_NUMBER="$(head -n1 "${PR_FILE}" | tr -d '\r')"
  echo "PR_NUMBER=${PR_NUMBER}" >> "$GITHUB_ENV"

Check failure

Code scanning / CodeQL

Environment variable built from user-controlled sources

Potential environment variable injection in the `run` step quoted above (the `PR_NUMBER` value appended to `$GITHUB_ENV`), which may be controlled by an external user because the job is triggered by `workflow_run`.
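The usual fix for this class of finding is to treat the artifact file as untrusted input from the upstream workflow and accept only a plain decimal number before anything is appended to `$GITHUB_ENV`. The script below is an added illustration of that check, not code from the PR or from sdk-nrf: `read_pr_number`, `export_pr_number`, the sample files and the `github_env` stand-in for the real `$GITHUB_ENV` file are all constructed for this example.

```shell
#!/bin/sh
# Added example, not the PR's own code. Reads a PR number from an artifact file
# produced by an untrusted workflow and accepts it only if it is a plain decimal
# number, so nothing else can be written into $GITHUB_ENV.
set -eu

# Print the validated PR number from FILE; return 1 if the file is missing,
# empty, or its first line contains anything other than decimal digits.
read_pr_number() {
  file="$1"
  [ -s "$file" ] || return 1
  value="$(head -n 1 "$file" | tr -d '\r')"
  case "$value" in
    '' | *[!0-9]*) return 1 ;;   # empty, or contains a non-digit character
  esac
  printf '%s\n' "$value"
}

# Append PR_NUMBER=<n> to ENV_FILE (a stand-in for $GITHUB_ENV) only after the
# value has been validated; otherwise fail the step with a clear error.
export_pr_number() {
  file="$1"
  env_file="$2"
  if ! number="$(read_pr_number "$file")"; then
    echo "ERROR: pr_number.txt not found, empty, or not a PR number." >&2
    return 1
  fi
  printf 'PR_NUMBER=%s\n' "$number" >> "$env_file"
}

# Constructed sample artifacts standing in for quarantine-artifacts/pr/pr_number.txt.
tmp="$(mktemp -d)"
printf '1234\r\n'     > "$tmp/good.txt"        # CRLF line ending is tolerated
printf '1234 extra\n' > "$tmp/trailing.txt"    # extra tokens after the number
printf 'abc\n'        > "$tmp/nonnumeric.txt"  # not a number at all
: > "$tmp/empty.txt"                            # empty file
github_env="$tmp/github_env"

export_pr_number "$tmp/good.txt" "$github_env"
cat "$github_env"   # PR_NUMBER=1234
for bad in trailing nonnumeric empty missing; do
  export_pr_number "$tmp/$bad.txt" "$github_env" || echo "rejected $bad.txt"
done
```

In a real workflow the validation replaces the `PR_NUMBER="$(head -n1 ...)"` line of the step above, and the allow-list of digits is what satisfies the scanner: the artifact content never reaches `$GITHUB_ENV` unless it is exactly a number.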
@PerMac PerMac force-pushed the quar_newst branch 4 times, most recently from 669afaf to bc54b01 November 13, 2025 14:31
@PerMac PerMac requested review from a team as code owners November 13, 2025 14:31
@PerMac PerMac marked this pull request as draft November 13, 2025 14:33