lupyuen commented on code in PR #19075:
URL: https://github.com/apache/nuttx/pull/19075#discussion_r3385610200


##########
.github/workflows/build.yml:
##########
@@ -91,8 +94,35 @@ jobs:
             esac
           fi
 
+          # Parse cross-repo PR dependencies from PR body
+          # Format: depends-on: [apache/nuttx-apps/pull/1234 
https://github.com/apache/nuttx/pull/5678]
+          if [ -n "$PR_BODY" ]; then
+            ARRAY_DEPS=$(echo "$PR_BODY" | grep -oE 
'depends-on:[[:space:]]*\[[^]]+\]' | head -1) || true
+            if [ -n "$ARRAY_DEPS" ]; then
+              DEPS=$(echo "$ARRAY_DEPS" | grep -oE 
'(https://github.com/)?apache/nuttx(-apps)?/pull/[0-9]+') || true
+            else
+              DEPS=$(echo "$PR_BODY" | grep -oE 
'depends-on:[[:space:]]*(https://github.com/)?apache/nuttx(-apps)?/pull/[0-9]+' 
| sed 's/depends-on:[[:space:]]*//' | head -1) || true
+            fi
+
+            for DEP in $DEPS; do
+              DEP=$(echo "$DEP" | sed 's|https://github.com/||')
+              DEP_REPO=$(echo "$DEP" | awk -F'/pull/' '{print $1}')
+              DEP_PR_NUM=$(echo "$DEP" | awk -F'/pull/' '{print $2}')
+
+              if [[ "$DEP_REPO" != "apache/nuttx" && "$DEP_REPO" != 
"apache/nuttx-apps" ]]; then
+                echo "::warning::Ignoring unsupported dependency repo: 
$DEP_REPO"
+                continue
+              fi
+
+              DEPENDS_ON="$DEPENDS_ON ${DEP_REPO}/pull/${DEP_PR_NUM}"
+            done
+
+            DEPENDS_ON=$(echo "$DEPENDS_ON" | tr ' ' '\n' | awk 'NF && 
!a[$0]++' | xargs)
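
Review bot: the step reads `$PR_BODY`, but this hunk does not show where that variable is populated; the grep allowlist below only helps if the body reaches bash through an `env:` entry (`PR_BODY: ${{ github.event.pull_request.body }}`) and is never interpolated with `${{ ... }}` into the `run:` script itself, because the Actions runner substitutes expressions into the script text before bash parses it. Please state that in the `# Parse cross-repo PR dependencies from PR body` comment so a later maintainer does not "simplify" it. Two smaller points: the `[[ "$DEP_REPO" != "apache/nuttx" && "$DEP_REPO" != "apache/nuttx-apps" ]]` branch is unreachable with the current regex, which can only yield `apache/nuttx` or `apache/nuttx-apps`; keep it as defence in depth but say so, otherwise the `::warning::` reads as an exercised path. And `grep -oE ... | head -1` is line-oriented, so a `depends-on: [` list that wraps onto a second line silently matches nothing; either document that the list must be on one line or fold the body (`tr '\n' ' '`) before matching. `DEPENDS_ON` is also appended to without a visible initialisation in this hunk; set it to empty before the loop so a value from an earlier step cannot leak in.
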

Review Comment:
   Hi NuttX Admins: This script will parse the Untrusted Input from the PR Body 
to extract the Dependency Info safely, which will prevent Injection Attacks 
inside the PR Body. I'm afraid the current NuttX CI Team doesn't have 
sufficient expertise to maintain this, we might introduce Injection Attacks in 
future.
   
   I strongly suggest that we engage a NuttX Team Member familiar with GitHub 
Actions Script Security, who will be able to maintain this script, to prevent 
Injection Attacks in future. We must comply with the Apache Guidelines for 
GitHub Actions Security: https://infra.apache.org/github-actions-policy.html



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
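
The "depends-on:" parsing discussed in the review above, as an added example that is not code from apache/nuttx PR #19075 or from the reviewer: the same extraction rewritten as shell functions so its behaviour on a hostile PR body can be exercised offline, plus a fail-closed validator (`validate_deps`, an addition of this example) to run on each token before it is handed to `gh`, `curl` or `git`. It assumes the workflow passes the body into the step through an `env:` entry rather than interpolating `${{ github.event.pull_request.body }}` into `run:`; here the body is read from stdin, and the sample bodies are constructed, not real PRs.

```shell
#!/bin/sh
# Added example, not code from the NuttX PR: the "depends-on:" parser from
# the reviewed hunk, as functions, with a validator and hostile-input demo.
# Assumption: in the real workflow the body is supplied as
#   env:
#     PR_BODY: ${{ github.event.pull_request.body }}
# and never interpolated into `run:`; here it arrives on stdin instead.

# parse_depends_on: read a PR body on stdin; print one "owner/repo/pull/N"
# token per line, deduplicated, first occurrence wins. Only the first
# "depends-on: [...]" list, or failing that the first single
# "depends-on: <ref>", is honoured, and it must sit on one line because
# grep -o is line-oriented.
parse_depends_on() {
    body=$(cat)

    list=$(printf '%s\n' "$body" \
        | grep -oE 'depends-on:[[:space:]]*\[[^]]+\]' | head -n 1) || true

    if [ -n "$list" ]; then
        # Only tokens matching this allowlist survive; shell metacharacters
        # from the body never reach a command line.
        deps=$(printf '%s\n' "$list" \
            | grep -oE '(https://github.com/)?apache/nuttx(-apps)?/pull/[0-9]+') || true
    else
        deps=$(printf '%s\n' "$body" \
            | grep -oE 'depends-on:[[:space:]]*(https://github.com/)?apache/nuttx(-apps)?/pull/[0-9]+' \
            | sed 's/depends-on:[[:space:]]*//' | head -n 1) || true
    fi

    printf '%s\n' "$deps" \
        | sed 's|^https://github.com/||' \
        | awk 'NF && !seen[$0]++'
}

# validate_deps: second line of defence, run on every token before use.
# Rejects anything that is not exactly <allowlisted repo>/pull/<digits>.
# Returns 0 only if every argument passes.
validate_deps() {
    for dep in "$@"; do
        repo=${dep%/pull/*}
        num=${dep##*/pull/}
        case "$repo" in
            apache/nuttx|apache/nuttx-apps) ;;
            *) printf 'rejected dependency repo: %s\n' "$repo" >&2; return 1 ;;
        esac
        case "$num" in
            ''|*[!0-9]*) printf 'rejected PR number: %s\n' "$num" >&2; return 1 ;;
        esac
    done
    return 0
}

# Constructed sample bodies (not real PRs).
BODY_ARRAY='Fix the foo driver.

depends-on: [apache/nuttx-apps/pull/1234 https://github.com/apache/nuttx/pull/5678 apache/nuttx-apps/pull/1234]
'
BODY_SINGLE='depends-on: https://github.com/apache/nuttx/pull/99
'
# Attempted injection: command substitutions and a foreign repo in the list.
BODY_HOSTILE='depends-on: [apache/nuttx/pull/42; $(touch /tmp/pwned) `id` https://github.com/evil/repo/pull/1 apache/nuttx/pull/42]
'

# Demo when run directly: the hostile body yields only the allowlisted token.
for b in "$BODY_ARRAY" "$BODY_SINGLE" "$BODY_HOSTILE"; do
    echo '--- parsed:'
    printf '%s' "$b" | parse_depends_on
done
deps=$(printf '%s' "$BODY_HOSTILE" | parse_depends_on)
# Word splitting on $deps is intended: every token is already allowlisted.
validate_deps $deps && echo "accepted: $deps"
```

The allowlist grep is what makes the later unquoted `for DEP in $DEPS` loop safe; `validate_deps` exists so that if someone later loosens the regex, the tokens still fail closed instead of reaching a command line.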
