ci: Add check-executable-permissions workflow to catch misconfigured file modes

smuppand · smuppand · commit 7551c734b048 · 2025-06-17T10:53:26.000+05:30
Adds a GitHub Actions workflow to validate that only explicitly intended files (like run.sh or executable binaries) have executable permissions.
This helps prevent accidental commits of files with incorrect modes (e.g., *.md, *.txt marked as executable).

The check runs on each PR and fails the job if any suspicious file permission is detected, improving repo hygiene and review quality.

Exemptions (e.g., run.sh) can be controlled by editing the allowlist.

Signed-off-by: Srikanth Muppandam &lt;smuppand@qti.qualcomm.com&gt;
diff --git a/.github/workflows/check-executable-permissions.yml b/.github/workflows/check-executable-permissions.yml
@@ -0,0 +1,42 @@
+name: Enforce Script Executable Permissions
+
+on:
+  pull_request:
+    paths:
+      - '**/run.sh'
+      - '**/*.sh'
+
+jobs:
+  permissions:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Detect missing executable permissions on shell scripts
+        run: |
+          # Find all .sh and run.sh scripts without +x
+          BAD=$(find . -type f -name 'run.sh' -o -name '*.sh' ! -perm -u=x)
+          if [ -n "$BAD" ]; then
+            echo "::error file=run.sh,line=1::❌ Some shell scripts are missing executable permissions. This can break CI and LAVA. Please fix before merging."
+            echo "::error file=run.sh,line=2::To fix, run: find . -name '*.sh' -o -name 'run.sh' | xargs chmod +x && git add . && git commit -m 'Fix: restore executable bits on scripts' && git push"
+            echo ""
+            echo "The following scripts need 'chmod +x':"
+            echo "$BAD"
+            # Output a PR annotation for each file
+            echo "$BAD" | while read -r file; do
+              echo "::error file=$file,line=1::$file is not executable. Please run: chmod +x $file && git add $file"
+            done
+            exit 1
+          else
+            echo "✅ All shell scripts have correct executable permissions."
+          fi
+
+      - name: Detect accidental executables on non-shell files (optional, warning only)
+        run: |
+          # (Advanced/optional) Warn if any non-.sh file has +x (customize as needed)
+          OTHER_EXEC=$(find . -type f ! -name '*.sh' ! -name 'run.sh' -perm -u=x)
+          if [ -n "$OTHER_EXEC" ]; then
+            echo "::warning file=run.sh,line=1::Warning: Non-shell files with executable permissions detected. Review if needed."
+            echo "$OTHER_EXEC"
+          fi
diff --git a/.github/workflows/preflight-checker-workflow.yml b/.github/workflows/preflight-checker-workflow.yml
@@ -11,7 +11,7 @@ jobs:
     uses: qualcomm-linux/qli-actions/.github/workflows/multi-checker.yml@main
     with:
         repolinter: true # default: true
-        semgrep: false # default: true
+        semgrep: true # default: true
         copyright-license-detector: true # default: true
         pr-check-emails: true # default: true
 
