workflow: compliance: Use additional compliance checks

.github/workflows/compliance.yml

@@ -1,133 +1,115 @@
 name: Compliance
 
-#  Controls when the workflow will run
-on:
-  pull_request:
-    types: [opened, synchronize, reopened]
+on: pull_request
 
-  # Allows you to run this workflow manually from the Actions tab
-  workflow_dispatch:
+permissions:
+  contents: read
 
-# A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
-  # This workflow contains a single job called "build"
   compliance_job:
-    # The type of runner that the job will run on
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     name: Run compliance checks on patch series (PR)
-
-    # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
-      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-    - name: Checkout the code
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+    - name: Update PATH for west
+      run: |
+        echo "$HOME/.local/bin" >> $GITHUB_PATH
+
+    - name: Checkout sources
+      uses: nrfconnect/action-checkout-west-update@main
       with:
-        path: nrf-bm
-        ref: ${{ github.event.pull_request.head.sha }}
-        fetch-depth: 0
+        git-fetch-depth: 0
+        git-ref: ${{ github.event.pull_request.head.sha }}
+        rebase: true
+        path: ncs/nrf-bm
 
     - name: cache-pip
-      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4
+      uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4
       with:
         path: ~/.cache/pip
         key: ${{ runner.os }}-doc-pip
 
-    - name: Install python prerequisites
-      working-directory: nrf-bm
-      run: |
-        export PATH="$HOME/.local/bin:$PATH"
-        pip3 install -U -r scripts/requirements.txt
-        pip3 show -f west
-
-    - name: West init and update
-      env:
-        BASE_REF: ${{ github.base_ref }}
-      working-directory: nrf-bm
-      run: |
-        git config --global user.email "[email protected]"
-        git config --global user.name "Your Name"
-        git remote -v
-        # Ensure there's no merge commits in the PR
-        #[[ "$(git rev-list --merges --count origin/${BASE_REF}..)" == "0" ]] || \
-        #(echo "::error ::Merge commits not allowed, rebase instead";false)
-        git rebase origin/${BASE_REF}
-        # debug
-        git log  --pretty=oneline | head -n 10
-        west init -l . || true
-        west config manifest.group-filter -- +ci,-optional
-        west update -o=--depth=1 -n 2>&1 1> west.update.log || west update -o=--depth=1 -n 2>&1 1> west.update2.log
-
     - name: Install python dependencies
-      working-directory: nrf
+      working-directory: ncs/nrf
       run: |
         pip3 install -U pip
         pip3 install -U wheel
         grep -E "^setuptools" scripts/requirements-fixed.txt | cut -d ' ' -f '1' | xargs pip3 install -U
-        grep -E "^python-magic=|^junitparser|^lxml|^gitlint|^pylint|^python-dotenv|^tabulate|^pykwalify|^yamllint|^unidiff" scripts/requirements-fixed.txt | cut -d ' ' -f '1' | xargs pip3 install -U
+        grep -E "^python-magic=|^junitparser|^lxml|^gitlint|^pylint|^pykwalify|^yamllint|^unidiff|^vermin|^python-dotenv|^tabulate" scripts/requirements-fixed.txt | cut -d ' ' -f '1' | xargs pip3 install -U
         grep -E "^west" scripts/requirements-fixed.txt | cut -d ' ' -f '1' | xargs pip3 install -U
         pip3 show -f west
 
+    - name: Run merge commits test
+      env:
+        BASE_REF: ${{ github.base_ref }}
+      working-directory: ncs/nrf-bm
+      run: |
+        # Ensure there's no merge commits in the PR
+        [[ "$(git rev-list --merges --count origin/${BASE_REF}..)" == "0" ]] || \
+        (echo "::error ::Merge commits not allowed, rebase instead";false)
+
     - name: Run CODEOWNERS test
       id: codeowners
       env:
         BASE_REF: ${{ github.base_ref }}
-      working-directory: nrf-bm
+      working-directory: ncs/nrf-bm
       if: contains(github.event.pull_request.user.login, 'dependabot[bot]') != true
       run: |
         ../nrf/scripts/ci/codeowners.py -c origin/${BASE_REF}..
 
+    - name: Get NCS modules needed for compliance tests to run
+      working-directory: ncs/nrf-bm
+      run: |
+        patch -p1 < scripts/ci/ci-compliance.diff
+        west update
+
     - name: Run Compliance Tests
       continue-on-error: true
       id: compliance
       env:
         BASE_REF: ${{ github.base_ref }}
-      working-directory: nrf-bm
+      working-directory: ncs/nrf-bm
       if: contains(github.event.pull_request.user.login, 'dependabot[bot]') != true
       run: |
-        export PATH="$HOME/.local/bin:$PATH"
-        export PATH="$HOME/bin:$PATH"
         export ZEPHYR_BASE="$(dirname "$(pwd)")/zephyr"
         # debug
         ls -la
         git log --pretty=oneline | head -n 10
-        exec 2> compliance_errors.txt
-        $ZEPHYR_BASE/scripts/ci/check_compliance.py -m Codeowners -m Devicetree -m Identity -m Nits -m Gitlint -m pylint -c origin/${BASE_REF}..
-        if [[ $? -ne 0 ]]; then
-          echo "$?" >&2
-        fi
+        $ZEPHYR_BASE/scripts/ci/check_compliance.py --annotate \
+        -e KconfigBasicNoModules -e ClangFormat \
+        -e SysbuildKconfigBasicNoModules \
+        -c origin/${BASE_REF}..
 
     - name: upload-results
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
-      continue-on-error: True
+      uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
+      continue-on-error: true
       if: contains(github.event.pull_request.user.login, 'dependabot[bot]') != true
       with:
         name: compliance.xml
-        path: nrf-bm/compliance.xml
+        path: ncs/nrf-bm/compliance.xml
+        overwrite: true
 
     - name: check-warns
-      working-directory: nrf-bm
+      working-directory: ncs/nrf-bm
+      if: contains(github.event.pull_request.user.login, 'dependabot[bot]') != true
       run: |
-        if [[ -s 'compliance_errors.txt' ]]; then
-         echo "ERRORS FOUND! Exiting"
-         echo "$(<compliance_errors.txt )"
-         exit 1;
+        export ZEPHYR_BASE="$(dirname "$(pwd)")/zephyr"
+        if [[ ! -s "compliance.xml" ]]; then
+          exit 1;
         fi
 
-    - name: check-warns
-      working-directory: nrf-bm
-      run: |
-        for file in Codeowners.txt Devicetree.txt Gitlint.txt Identity.txt Nits.txt pylint.txt
-        do
-          if [[ -s $file ]]; then
-            errors=$(cat $file)
+        files=($($ZEPHYR_BASE/scripts/ci/check_compliance.py -l))
+        for file in "${files[@]}"; do
+          f="${file}.txt"
+          if [[ -s $f ]]; then
+            errors=$(cat $f)
             errors="${errors//'%'/'%25'}"
             errors="${errors//$'\n'/'%0A'}"
             errors="${errors//$'\r'/'%0D'}"
-            echo "::error file=${file}::$errors"
+            echo "::error file=${f}::$errors"
             exit=1
           fi
         done
 
-        if [[ $exit == 1 ]]; then
-          exit 1
+        if [ "${exit}" == "1" ]; then
+          exit 1;
         fi

.gitignore

@@ -24,11 +24,40 @@ tags
 .xxproject
 .envrc
 .vscode
-sanity-out*
 twister-out*
 
 doc/_build
 doc/*_warnings.txt
 doc/*_doc.log
 
 .west/
+
+# CI output
+compliance.xml
+
+# from check_compliance.py
+BinaryFiles.txt
+BoardYml.txt
+Checkpatch.txt
+ClangFormat.txt
+DevicetreeBindings.txt
+GitDiffCheck.txt
+Gitlint.txt
+Identity.txt
+ImageSize.txt
+Kconfig.txt
+KconfigBasic.txt
+KconfigBasicNoModules.txt
+KconfigHWMv2.txt
+KeepSorted.txt
+MaintainersFormat.txt
+ModulesMaintainers.txt
+Nits.txt
+Pylint.txt
+Ruff.txt
+SphinxLint.txt
+SysbuildKconfig.txt
+SysbuildKconfigBasic.txt
+SysbuildKconfigBasicNoModules.txt
+TextEncoding.txt
+YAMLLint.txt

scripts/ci/ci-compliance.diff

@@ -0,0 +1,17 @@
+diff --git a/west.yml b/west.yml
+index 14a19d9..156cee6 100644
+--- a/west.yml
++++ b/west.yml
+@@ -32,6 +32,13 @@ manifest:
+           - zephyr
+           - cmock
+           - zcbor
++          # For compliance CI testing only
++          - matter
++          - openthread
++          - azure-sdk-for-c
++          - trusted-firmware-m
++          - memfault-firmware-sdk
++          - cjson
+     - name: sdk-nrf-bm-internal
+       path: nrf-bm-internal

subsys/bm_installs/Kconfig

@@ -25,7 +25,7 @@ config BM_INSTALL_ENTRIES
 	  Special field, set by sysbuild automatically, do not alter.
 
 config BM_METADATA_WRITE
-	bool "Enable metadata write functions (DO NOT ALTER)"
+	bool "Metadata write functions (DO NOT ALTER)"
 	select FLASH
 	select FLASH_MAP
 	help

west.yml

@@ -14,7 +14,7 @@ manifest:
   projects:
     - name: nrf
       repo-path: sdk-nrf
-      revision: 8f59dba71f60713358b046efade116bbc93ff141
+      revision: 9d919566c47c7c80ce9b04bf01289787c93d485c
       import:
         name-allowlist:
           - cmsis_6