[nrf noup] ci: prevent PRs from installing python pkgs

thst-nordic · thst-nordic · commit 60fc06ec0dd4 · 2025-08-29T16:05:43.000+02:00
pip install requirements-actions.txt from base branch instead of untrusted PR
During install a malicious package can execute code in setup.py
Solution is to split manifest-check and apply-labels

Signed-off-by: Thomas Stilwell &lt;Thomas.Stilwell@nordicsemi.no&gt;
diff --git a/.github/workflows/manifest.yml b/.github/workflows/manifest.yml
@@ -1,22 +1,25 @@
-name: Manifest
+name: Manifest Target
 on:
   pull_request_target:
+    branches:
+      - main
 
 permissions:
   contents: read
 
 jobs:
-  contribs:
+  manifest-check:
     runs-on: ubuntu-24.04
-    permissions:
-      pull-requests: write # to create/update pull request comments
-    name: Manifest
+    name: Manifest Check
+    outputs:
+      manifest-result: ${{ steps.manifest.outputs.result }}
     steps:
+
       - name: Checkout the code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           path: zephyrproject/zephyr
-          ref: ${{ github.event.pull_request.head.sha }}
+          ref: ${{ github.event.pull_request.base.sha }}
           fetch-depth: 0
           persist-credentials: false
 
@@ -32,6 +35,14 @@ jobs:
           cd zephyrproject/zephyr
           pip install -r scripts/requirements-actions.txt --require-hashes
 
+      - name: Checkout the code
+          uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+          with:
+            path: zephyrproject/zephyr
+            ref: ${{ github.event.pull_request.head.sha }}
+            fetch-depth: 0
+            persist-credentials: false
+
       - name: west setup
         env:
           BASE_REF: ${{ github.base_ref }}
@@ -42,6 +53,7 @@ jobs:
           west init -l . || true
 
       - name: Manifest
+        id: manifest
         uses: zephyrproject-rtos/action-manifest@1729cded3fc798cf0de4a789c596dcb9c40eb14c # v1.9.1
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
@@ -55,3 +67,19 @@ jobs:
           dnm-labels: 'DNM (manifest)'
           blobs-added-labels: 'Binary Blobs Added'
           blobs-modified-labels: 'Binary Blobs Modified'
+
+  apply-labels:
+    runs-on: ubuntu-24.04
+    needs: manifest-check
+    permissions:
+      pull-requests: write # to create/update pull request comments and labels
+    name: Apply Labels and Comments
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Process manifest results
+        run: |
+          echo "Manifest check completed with result: ${{ needs.manifest-check.outputs.manifest-result }}"
+          # This job can now add labels and comments based on the manifest check results
+          # The actual logic would depend on what the manifest action outputs
