[nrf noup] ci: prevent PRs from installing python pkgs

thst-nordic · thst-nordic · commit 1fc4c8f45926 · 2025-08-29T13:49:35.000+02:00
pip install requirements-actions.txt from base branch instead of untrusted PR
During install a malicious package can execute code in setup.py
Solution is to split manifest-check and apply-labels

Signed-off-by: Thomas Stilwell &lt;Thomas.Stilwell@nordicsemi.no&gt;
diff --git a/.github/workflows/manifest.yml b/.github/workflows/manifest.yml
@@ -1,25 +1,28 @@
-name: Manifest
+name: Manifest Target
 on:
   pull_request_target:
+    branches:
+      - main
 
 permissions:
   contents: read
 
 jobs:
-  contribs:
+  manifest-check:
     runs-on: ubuntu-24.04
-    permissions:
-      pull-requests: write # to create/update pull request comments
-    name: Manifest
+    name: Manifest Check
+    outputs:
+      manifest-result: ${{ steps.manifest.outputs.result }}
     steps:
+      
       - name: Checkout the code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           path: zephyrproject/zephyr
           ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 0
           persist-credentials: false
-
+      
       - name: Set up Python
         uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
@@ -42,6 +45,7 @@ jobs:
           west init -l . || true
 
       - name: Manifest
+        id: manifest
         uses: zephyrproject-rtos/action-manifest@1729cded3fc798cf0de4a789c596dcb9c40eb14c # v1.9.1
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
@@ -55,3 +59,19 @@ jobs:
           dnm-labels: 'DNM (manifest)'
           blobs-added-labels: 'Binary Blobs Added'
           blobs-modified-labels: 'Binary Blobs Modified'
+
+  apply-labels:
+    runs-on: ubuntu-24.04
+    needs: manifest-check
+    permissions:
+      pull-requests: write # to create/update pull request comments and labels
+    name: Apply Labels and Comments
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Process manifest results
+        run: |
+          echo "Manifest check completed with result: ${{ needs.manifest-check.outputs.manifest-result }}"
+          # This job can now add labels and comments based on the manifest check results
+          # The actual logic would depend on what the manifest action outputs
