zephyr/.github/workflows/compliance.yml

name: Compliance Checks

on:
  pull_request:
    types:
    - edited
    - opened
    - reopened
    - synchronize

permissions:
  contents: read

jobs:
  check_compliance:
    runs-on: ubuntu-22.04
    name: Run compliance checks on patch series (PR)
    steps:
    - name: Update PATH for west
      run: |
        echo "$HOME/.local/bin" >> $GITHUB_PATH        

    - name: Checkout the code
      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      with:
        ref: ${{ github.event.pull_request.head.sha }}
        fetch-depth: 0

    - name: Rebase onto the target branch
      env:
        BASE_REF: ${{ github.base_ref }}
      run: |
        git config --global user.email "you@example.com"
        git config --global user.name "Your Name"
        git remote -v
        # Ensure there's no merge commits in the PR
        [[ "$(git rev-list --merges --count origin/${BASE_REF}..)" == "0" ]] || \
        (echo "::error ::Merge commits not allowed, rebase instead";false)
        rm -fr ".git/rebase-apply"
        rm -fr ".git/rebase-merge"
        git rebase origin/${BASE_REF}
        git clean -f -d
        # debug
        git log  --pretty=oneline | head -n 10        

    - name: Set up Python
      uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
      with:
        python-version: 3.12
        cache: pip
        cache-dependency-path: scripts/requirements-actions.txt

    - name: Install Python packages
      run: |
        pip install -r scripts/requirements-actions.txt --require-hashes        

    - name: west setup
      run: |
        west init -l . || true
        west config manifest.group-filter -- +ci,-optional
        west update -o=--depth=1 -n 2>&1 1> west.update.log || west update -o=--depth=1 -n 2>&1 1> west.update2.log        

    - name: Run Compliance Tests
      continue-on-error: true
      id: compliance
      env:
        BASE_REF: ${{ github.base_ref }}
      run: |
        export ZEPHYR_BASE=$PWD
        # debug
        ls -la
        git log  --pretty=oneline | head -n 10
        # Increase rename limit to allow for large PRs
        git config diff.renameLimit 10000
        excludes="-e KconfigBasic -e SysbuildKconfigBasic -e ClangFormat"
        # The signed-off-by check for dependabot should be skipped
        if [ "${{ github.actor }}" == "dependabot[bot]" ]; then
          excludes="$excludes -e Identity"
        fi
        ./scripts/ci/check_compliance.py --annotate $excludes -c origin/${BASE_REF}..        

    - name: upload-results
      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
      continue-on-error: true
      with:
        name: compliance.xml
        path: compliance.xml

    - name: check-warns
      run: |
        if [[ ! -s "compliance.xml" ]]; then
          exit 1;
        fi

        warns=("ClangFormat")
        files=($(./scripts/ci/check_compliance.py -l))

        for file in "${files[@]}"; do
          f="${file}.txt"
          if [[ -s $f ]]; then
            results=$(cat $f)
            results="${results//'%'/'%25'}"
            results="${results//$'\n'/'%0A'}"
            results="${results//$'\r'/'%0D'}"

            if [[ "${warns[@]}" =~ "${file}" ]]; then
              echo "::warning file=${f}::$results"
            else
              echo "::error file=${f}::$results"
              exit=1
            fi
          fi
        done

        if [ "${exit}" == "1" ]; then
          echo "Compliance error, check for error messages in the \"Run Compliance Tests\" step"
          echo "You can run this step locally with the ./scripts/ci/check_compliance.py script."
          exit 1;
        fi

        if [ "${{ steps.pr_description.outcome }}" == "failure" ]; then
          echo "PR description cannot be empty"
          exit 1;
        fi