From 7551c734b04875957cec6b6a18eab4dc132342c8 Mon Sep 17 00:00:00 2001
From: Srikanth Muppandam
Date: Wed, 4 Jun 2025 12:46:31 +0530
Subject: [PATCH] ci: Add check-executable-permissions workflow to catch misconfigured file modes
Adds a GitHub Actions workflow to validate that only explicitly intended files (like run.sh or executable binaries) have executable permissions. This helps prevent accidental commits of files with incorrect modes (e.g., *.md, *.txt marked as executable). The check runs on each PR and fails the job if any suspicious file permission is detected, improving repo hygiene and review quality. Exemptions (e.g., run.sh) can be controlled by editing the allowlist.
Signed-off-by: Srikanth Muppandam
---
 .../check-executable-permissions.yml | 42 +++++++++++++++++++
 .../workflows/preflight-checker-workflow.yml | 2 +-
 2 files changed, 43 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/check-executable-permissions.yml
diff --git a/.github/workflows/check-executable-permissions.yml b/.github/workflows/check-executable-permissions.yml
new file mode 100644
index 00000000..9e9b68d7
--- /dev/null
+++ b/.github/workflows/check-executable-permissions.yml
@@ -0,0 +1,42 @@
+name: Enforce Script Executable Permissions
+
+on:
+ pull_request:
+ paths:
+ - '**/run.sh'
+ - '**/*.sh'
+
+jobs:
+ permissions:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Detect missing executable permissions on shell scripts
+ run: |
+ # Find all .sh and run.sh scripts without +x
+ BAD=$(find . -type f -name 'run.sh' -o -name '*.sh' ! -perm -u=x)
+ if [ -n "$BAD" ]; then
+ echo "::error file=run.sh,line=1::❌ Some shell scripts are missing executable permissions. This can break CI and LAVA. Please fix before merging."
+ echo "::error file=run.sh,line=2::To fix, run: find . -name '*.sh' -o -name 'run.sh' | xargs chmod +x && git add . && git commit -m 'Fix: restore executable bits on scripts' && git push"
+ echo ""
+ echo "The following scripts need 'chmod +x':"
+ echo "$BAD"
+ # Output a PR annotation for each file
+ echo "$BAD" | while read -r file; do
+ echo "::error file=$file,line=1::$file is not executable. Please run: chmod +x $file && git add $file"
+ done
+ exit 1
+ else
+ echo "✅ All shell scripts have correct executable permissions."
+ fi
+
+ - name: Detect accidental executables on non-shell files (optional, warning only)
+ run: |
+ # (Advanced/optional) Warn if any non-.sh file has +x (customize as needed)
+ OTHER_EXEC=$(find . -type f ! -name '*.sh' ! -name 'run.sh' -perm -u=x)
+ if [ -n "$OTHER_EXEC" ]; then
+ echo "::warning file=run.sh,line=1::Warning: Non-shell files with executable permissions detected. Review if needed."
+ echo "$OTHER_EXEC"
+ fi
diff --git a/.github/workflows/preflight-checker-workflow.yml b/.github/workflows/preflight-checker-workflow.yml
index ce507f0a..7c3460c6 100644
--- a/.github/workflows/preflight-checker-workflow.yml
+++ b/.github/workflows/preflight-checker-workflow.yml
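Review bot: The `find` behind `BAD=$(...)` in the first `run:` step has an operator-precedence defect: `-o` binds looser than the implied `-a`, so the expression evaluates as `(-type f -name 'run.sh') -o (-name '*.sh' ! -perm -u=x)` and lists every `run.sh` regardless of its mode, which makes the job fail on any tree that contains one. Because `'*.sh'` already matches `run.sh`, the intended check is `BAD=$(find . -path ./.git -prune -o -type f -name '*.sh' ! -perm -u=x -print)`; pruning `.git` also matters for the second step's `OTHER_EXEC` scan, which otherwise seems likely to report the executable `.git/hooks/*.sample` files present in a fresh checkout. The `pull_request` `paths` filter limits the trigger to `*.sh` changes, so the second step never runs for a PR that only marks a `.md` or `.txt` file executable, which the commit message gives as the motivating case, and that step is warning-only while the message says the job fails; the message also refers to an allowlist that does not exist in this file. The workflow declares no `permissions:` key, so a top-level `permissions: contents: read` would keep the job's token at least privilege (the job id `permissions` is easy to confuse with that key), and the fixed `::error file=run.sh,line=1` annotations point at a file that may not exist while the per-file loop already annotates the real offenders.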
@@ -11,7 +11,7 @@ jobs:
 uses: qualcomm-linux/qli-actions/.github/workflows/multi-checker.yml@main
 with:
 repolinter: true # default: true
- semgrep: false # default: true
+ semgrep: true # default: true
 copyright-license-detector: true # default: true
 pr-check-emails: true # default: true
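Review bot: Flipping `semgrep: true` in the preflight checker enables an additional scanner on every PR, a gating change that the commit message, which only describes the executable-permissions workflow, does not mention. A sentence in the message stating why semgrep is turned on here, or a separate commit for this line, would let reviewers and future readers of the history see the two changes as intended rather than as an accidental bundling.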