From 13b34099da4817d5cdcb9de178167b35d42e48c5 Mon Sep 17 00:00:00 2001
From: Brett Mastbergen
Date: Fri, 6 Jun 2025 12:28:11 -0400
Subject: [PATCH 1/4] This commit references a bogus upstream hash
jira VULN-XXXX
cve CVE-2025-1234
commit 1234567890abcde1234567890abcde1234567890
This isn't a real commit Do i dont have to say anything here
---
 Makefile | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/Makefile b/Makefile
index 6a53e15f15c04..c0d76e7db8270 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,8 @@
 # SPDX-License-Identifier: GPL-2.0
+
+
+
+
 VERSION = 4
 PATCHLEVEL = 18
 SUBLEVEL = 0
From 7030739055fc6f19cfcf03af17f33c23356dd1a2 Mon Sep 17 00:00:00 2001
From: Brett Mastbergen
Date: Tue, 10 Jun 2025 10:56:33 -0400
Subject: [PATCH 2/4] This commit references an upstream hash with a fix available
jira VULN-XXXX
cve CVE-2025-1234
commit a85fb91e3d728bdfc80833167e8162cce8bc7004
This isn't a real commit Do i dont have to say anything here
---
 Makefile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/Makefile b/Makefile
index c0d76e7db8270..489ec1e40f14c 100644
--- a/Makefile
+++ b/Makefile
@@ -3,6 +3,7 @@
+
 VERSION = 4
 PATCHLEVEL = 18
 SUBLEVEL = 0
From 096902b3b681199ca66b1d12d9e3653f1bfe2b61 Mon Sep 17 00:00:00 2001
From: Brett Mastbergen
Date: Tue, 10 Jun 2025 14:22:01 -0400
Subject: [PATCH 3/4] This commit references an upstream hash with multiple fixes
commit 0d0f4174f6c87be7d0b992c008cc6f464edea2fa
That is all
---
 Makefile | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/Makefile b/Makefile
index 489ec1e40f14c..6a53e15f15c04 100644
--- a/Makefile
+++ b/Makefile
@@ -1,9 +1,4 @@
 # SPDX-License-Identifier: GPL-2.0
-
-
-
-
-
 VERSION = 4
 PATCHLEVEL = 18
 SUBLEVEL = 0
From 97a0c5dd4ef15ce0ee495ce9142b96b6cd90813f Mon Sep 17 00:00:00 2001
From: Brett Mastbergen
Date: Thu, 5 Jun 2025 15:09:03 -0400
Subject: [PATCH 4/4] github actions: Add upstream commit checker This github actions checks the PR commits for references to upstream linux commits (lines starting with "commit ") and does two things: 1. Checks that this hash exists in the upstream linux kernel history 2. Checks if there are any Fixes: references for the referenced commit in the upstream linux kernel history If either of those are found to be true a comment is added to the PR with the pertinent information. The logic for the check is provided by the check_upstream_commits.py script from kernel-src-tree-tools
---
 .github/workflows/upstream-commit-check.yml | 54 +++++++++++++++++++++
 1 file changed, 54 insertions(+)
 create mode 100644 .github/workflows/upstream-commit-check.yml
diff --git a/.github/workflows/upstream-commit-check.yml b/.github/workflows/upstream-commit-check.yml
new file mode 100644
index 0000000000000..c1477d0ad0f82
--- /dev/null
+++ b/.github/workflows/upstream-commit-check.yml
@@ -0,0 +1,54 @@
+name: Check Kernel Commits for Upstream Fixes
+
+on:
+ pull_request:
+ types: [opened, synchronize, reopened]
+
+permissions:
+ contents: read
+ pull-requests: write
+
+jobs:
+ check-upstream-fixes:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout PR branch
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ ref: ${{ github.head_ref }}
+
+ - name: Checkout base branch
+ run: |
+ git fetch origin ${{ github.base_ref }}:${{ github.base_ref }}
+
+ - name: Download check_kernel_commits.py
+ run: |
+ curl -sL \
+ https://raw.githubusercontent.com/ctrliq/kernel-src-tree-tools/check_kernel_commits/check_kernel_commits.py \
+ -o check_kernel_commits.py
+ chmod +x check_kernel_commits.py
+
+ - name: Set up Python
+ uses: actions/setup-python@v5
+ with:
+ python-version: '3.x'
+
+ - name: Run upstream fixes check
+ id: checkkernel
+ run: |
+ python3 check_kernel_commits.py . "${{ github.head_ref }}" "${{ github.base_ref }}" --markdown | tee result.txt
+ # Save non-empty results for PR comment
+ if grep -q -v "All referenced commits exist upstream and have no Fixes: tags." result.txt; then
+ echo "has_findings=true" >> $GITHUB_OUTPUT
+ fi
+
+ - name: Comment on PR if issues found
+ if: steps.checkkernel.outputs.has_findings == 'true'
+ env:
+ GH_TOKEN: ${{ github.token }}
+ run: |
+ gh pr comment ${{ github.event.pull_request.number }} \
+ --body "$(cat result.txt)" \
+ --repo ${{ github.repository }}
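Review bot: `${{ github.head_ref }}` is expanded directly into the shell text of the "Run upstream fixes check" step (and into the `ref:` of the checkout step), and on a `pull_request` event the head branch name is chosen by whoever opened the PR; the surrounding double quotes do not help, because the expression is substituted before bash parses the line, so a branch name containing shell metacharacters can alter the command. Route it through the environment instead: add `env:` with `HEAD_REF: ${{ github.head_ref }}` to the step and invoke `python3 check_kernel_commits.py . "$HEAD_REF" "${{ github.base_ref }}" --markdown | tee result.txt` (`base_ref` is set by the target repository, but the same treatment costs nothing). The download step fetches `check_kernel_commits.py` from the mutable `check_kernel_commits` branch URL and executes whatever that URL serves on every PR, with no pin or digest check; pin it to a commit SHA (or check the tools repository out at a pinned ref with actions/checkout) and pass `--fail` to curl so an HTTP error page is not saved and run as the script. It is not visible here whether `gh pr comment` can succeed for PRs opened from forks, where the `pull_request` token is read-only regardless of the `pull-requests: write` grant, so that is worth confirming before relying on the comment.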