name: Kernel Hardening Analysis
run-name: 'Check kernel security options - PR #${{ github.event.pull_request.number }} ("${{ github.event.pull_request.title }}")'

# -----------------------------------------------------------------------------
# This workflow analyzes Linux kernel configuration files to check for 
# security hardening options using the kernel-hardening-checker tool.
#
# ⚠️ Important: 
# Modifying security parameters may impact system performance and 
# functionality of userspace software.
#
# More info:
# https://github.com/a13xp0p0v/kernel-hardening-checker
#
# Triggers:
# - Manually via workflow_dispatch
# - On pull request events: ready_for_review, opened, reopened, or synchronized
#
# Features:
# - Runs only for PRs targeting the 'Armbian' repository
# - Validates kernel `.config` files for security best practices
# - Skips RISC-V configurations due to known compatibility issues
# - Provides a formatted security report in GitHub Actions summary
# -----------------------------------------------------------------------------

on:
  workflow_dispatch:

  pull_request:
    types: [ready_for_review, opened, reopened, synchronize]

permissions:
  contents: read

concurrency:
  group: pipeline-security-${{ github.event.pull_request.number }}
  cancel-in-progress: true

jobs:
  Analysis:
    name: Check kernel security options
    runs-on: ubuntu-latest
    if: ${{ github.repository_owner == 'Armbian' }}

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Get changed files
        id: files
        uses: UplandJacob/retrieve-changed-files@v4

      - name: Checkout kernel-hardening-checker
        uses: actions/checkout@v4
        with:
          repository: a13xp0p0v/kconfig-hardened-check
          path: kconfig-hardened-check

      - name: Run kernel security analysis
        run: |
          for file in ${{ steps.files.outputs.all }}; do
              # Process only kernel configuration files and skip RISC-V configs
              if [[ "${file}" = config/kernel/*.config && ! $(head -n 10 "${file}" | grep -q "riscv") ]]; then
                  # Run security checks and format output for GitHub Actions summary
                  kconfig-hardened-check/bin/kernel-hardening-checker -m show_fail -c $file \
                      | sed 's/^/     /; s/\x1b\[32m/✅ /; s/\x1b\[31m/❌ /; s/\x1b\[0m//' \
                      >> $GITHUB_STEP_SUMMARY
              fi
          done