# Copyright (c) 2025, Zededa, Inc.

# SPDX-License-Identifier: Apache-2.0

#

---

name: Apache Yetus

on: # yamllint disable-line rule:truthy

pull_request:

branches:

- "master"

- "[0-9]+.[0-9]+"

- "[0-9]+.[0-9]+-stable"

- "feature/*"

jobs:

yetus:

runs-on: ubuntu-24.04

steps:

- name: Checkout

uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

with:

path: src

fetch-depth: 0

- name: Generate patch locally

working-directory: src

run: |

# Add upstream and fetch the base branch

git remote add upstream ${{ github.server_url }}/${{ github.repository }}.git

git fetch upstream ${{ github.base_ref }}

# Now diff against the correct base

git diff upstream/${{ github.base_ref }}...HEAD > ${{ github.workspace }}/pr.patch

# Get back to upstream master so patch can be applied

git checkout upstream/master

- name: Yetus

run: |

docker run --rm \

-v ${{ github.workspace }}:/workspace \

lfedge/eve-yetus:0.15.1-eve-2 \

test-patch \

--basedir=/workspace/src \

--patch-dir=/workspace/out \

--build-tool=nobuild \

--continuous-improvement=true \

--buf-basedir=/workspace/src/evetest \

--user-plugins=/workspace/src/.yetus/plugins.d \

--plugins='all,-asflicense,-author,-findbugs,-gitlab,-jira,-shelldocs' \

--revive-config=.revive.toml \

--brief-report-file=/workspace/out/brief.txt \

--console-report-file=/workspace/out/console.txt \

--html-report-file=/workspace/out/report.html \

--junit-report-xml=/workspace/out/junit-report.xml \

--pylint-requirements=true \

--report-unknown-options=false \

/workspace/pr.patch

- name: Store Yetus artifacts

if: ${{ always() }}

uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0

with:

name: 'yetus-scan'

path: ${{ github.workspace }}/out

- name: Annotate errors from Yetus

if: ${{ always() }}

run: |

set +e

# Yetus writes patch-<plugin>.txt files for each plugin that found issues.

# Each line is in the format: filename:line:message

if [ -z "$(ls ${{ github.workspace }}/out/patch-*-result.txt 2> /dev/null || true)" ]; then

echo "No result files to annotate."

exit 0

fi

for patch_file in ${{ github.workspace }}/out/patch-*-result.txt; do

plugin=$(basename "$patch_file" | sed "s/patch-\(.*\)-result.txt/\1/")

while read -r line; do

# Skip empty lines and header lines

[ -z "$line" ] && continue

# Parse filename:linenum:message

file=$(echo "$line" | awk -F: '{print $1}')

lineno=$(echo "$line" | awk -F: '{print $2}' | grep "^[0-9].*" || true)

message=$(echo "$line" | awk -F: '{start=($3~/^[0-9]+$/)?4:3; for(i=start;i<=NF;i++) printf "%s%s",(i>start?":":""),$i; print ""}')

# Only annotate if we got a valid file and line number

if [ -n "$file" ] && [ -n "$lineno" ]; then

echo "::error file=${file},line=${lineno},title=Yetus [${plugin}]::${message}"

else

# No file/line info, just print for visibility

echo "${line}"

fi

done < "$patch_file"

done