From eed358e5b2bc683c4b4484168b72ef915b1e9760 Mon Sep 17 00:00:00 2001
From: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Date: Tue, 7 Oct 2025 15:10:36 +0100
Subject: [PATCH 1/4] kconfig: Remove enable from prompt

Removes enable text from a Kconfig option

Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
---
 subsys/bm_installs/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/subsys/bm_installs/Kconfig b/subsys/bm_installs/Kconfig
index c708aa6731..b39293dca2 100644
--- a/subsys/bm_installs/Kconfig
+++ b/subsys/bm_installs/Kconfig
@@ -25,7 +25,7 @@ config BM_INSTALL_ENTRIES
 	  Special field, set by sysbuild automatically, do not alter.
 
 config BM_METADATA_WRITE
-	bool "Enable metadata write functions (DO NOT ALTER)"
+	bool "Metadata write functions (DO NOT ALTER)"
 	select FLASH
 	select FLASH_MAP
 	help

From e7ac5bbdc4b42e69ec1d6385c72d718efa37cec9 Mon Sep 17 00:00:00 2001
From: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Date: Tue, 7 Oct 2025 15:10:57 +0100
Subject: [PATCH 2/4] manifest: Update sdk-nrf

Includes changes in compliance CI checks

Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
---
 west.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/west.yml b/west.yml
index a8644fe182..b3fa9389e7 100644
--- a/west.yml
+++ b/west.yml
@@ -14,7 +14,7 @@ manifest:
   projects:
     - name: nrf
       repo-path: sdk-nrf
-      revision: 8f59dba71f60713358b046efade116bbc93ff141
+      revision: 9d919566c47c7c80ce9b04bf01289787c93d485c
       import:
         name-allowlist:
           - cmsis_6

From 52a0ca9f272920880059d8e0ffa77ea78dea3361 Mon Sep 17 00:00:00 2001
From: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Date: Fri, 3 Oct 2025 09:09:32 +0100
Subject: [PATCH 3/4] gitignore: Add compliance output file names

Adds files that are generated as part of compliance checks to
the .gitignore list

Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
---
 .gitignore | 31 ++++++++++++++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)

diff --git a/.gitignore b/.gitignore
index 501082fd10..132e2476cc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -24,7 +24,6 @@ tags
 .xxproject
 .envrc
 .vscode
-sanity-out*
 twister-out*
 
 doc/_build
@@ -32,3 +31,33 @@ doc/*_warnings.txt
 doc/*_doc.log
 
 .west/
+
+# CI output
+compliance.xml
+
+# from check_compliance.py
+BinaryFiles.txt
+BoardYml.txt
+Checkpatch.txt
+ClangFormat.txt
+DevicetreeBindings.txt
+GitDiffCheck.txt
+Gitlint.txt
+Identity.txt
+ImageSize.txt
+Kconfig.txt
+KconfigBasic.txt
+KconfigBasicNoModules.txt
+KconfigHWMv2.txt
+KeepSorted.txt
+MaintainersFormat.txt
+ModulesMaintainers.txt
+Nits.txt
+Pylint.txt
+Ruff.txt
+SphinxLint.txt
+SysbuildKconfig.txt
+SysbuildKconfigBasic.txt
+SysbuildKconfigBasicNoModules.txt
+TextEncoding.txt
+YAMLLint.txt

From e5f5211fd564bb7b341b873bedc8c17f366bf100 Mon Sep 17 00:00:00 2001
From: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Date: Fri, 3 Oct 2025 09:10:44 +0100
Subject: [PATCH 4/4] workflow: compliance: Use additional compliance checks

Adds the compliance checks that are being used in sdk-nrf, also
reworks the compliance script to match how it works in NCS.
Unfortunately for Kconfig compliance tests to pass, some NCS-only
modules are needed due to there being usage of Kconfigs defined in
these modules in the NCS tree so the compliance job needs to patch
the manifest first so include these additional modules to allow
the compliance tests to run and pass

Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
---
 .github/workflows/compliance.yml | 128 +++++++++++++------------------
 scripts/ci/ci-compliance.diff    |  17 ++++
 2 files changed, 72 insertions(+), 73 deletions(-)
 create mode 100644 scripts/ci/ci-compliance.diff

diff --git a/.github/workflows/compliance.yml b/.github/workflows/compliance.yml
index 53892be356..d8556bbb42 100644
--- a/.github/workflows/compliance.yml
+++ b/.github/workflows/compliance.yml
@@ -1,133 +1,115 @@
 name: Compliance
 
-#  Controls when the workflow will run
-on:
-  pull_request:
-    types: [opened, synchronize, reopened]
+on: pull_request
 
-  # Allows you to run this workflow manually from the Actions tab
-  workflow_dispatch:
+permissions:
+  contents: read
 
-# A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
-  # This workflow contains a single job called "build"
   compliance_job:
-    # The type of runner that the job will run on
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     name: Run compliance checks on patch series (PR)
-
-    # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
-      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-    - name: Checkout the code
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+    - name: Update PATH for west
+      run: |
+        echo "$HOME/.local/bin" >> $GITHUB_PATH
+
+    - name: Checkout sources
+      uses: nrfconnect/action-checkout-west-update@main
       with:
-        path: nrf-bm
-        ref: ${{ github.event.pull_request.head.sha }}
-        fetch-depth: 0
+        git-fetch-depth: 0
+        git-ref: ${{ github.event.pull_request.head.sha }}
+        rebase: true
+        path: ncs/nrf-bm
 
     - name: cache-pip
-      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4
+      uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4
       with:
         path: ~/.cache/pip
         key: ${{ runner.os }}-doc-pip
 
-    - name: Install python prerequisites
-      working-directory: nrf-bm
-      run: |
-        export PATH="$HOME/.local/bin:$PATH"
-        pip3 install -U -r scripts/requirements.txt
-        pip3 show -f west
-
-    - name: West init and update
-      env:
-        BASE_REF: ${{ github.base_ref }}
-      working-directory: nrf-bm
-      run: |
-        git config --global user.email "you@example.com"
-        git config --global user.name "Your Name"
-        git remote -v
-        # Ensure there's no merge commits in the PR
-        #[[ "$(git rev-list --merges --count origin/${BASE_REF}..)" == "0" ]] || \
-        #(echo "::error ::Merge commits not allowed, rebase instead";false)
-        git rebase origin/${BASE_REF}
-        # debug
-        git log  --pretty=oneline | head -n 10
-        west init -l . || true
-        west config manifest.group-filter -- +ci,-optional
-        west update -o=--depth=1 -n 2>&1 1> west.update.log || west update -o=--depth=1 -n 2>&1 1> west.update2.log
-
     - name: Install python dependencies
-      working-directory: nrf
+      working-directory: ncs/nrf
       run: |
         pip3 install -U pip
         pip3 install -U wheel
         grep -E "^setuptools" scripts/requirements-fixed.txt | cut -d ' ' -f '1' | xargs pip3 install -U
-        grep -E "^python-magic=|^junitparser|^lxml|^gitlint|^pylint|^python-dotenv|^tabulate|^pykwalify|^yamllint|^unidiff" scripts/requirements-fixed.txt | cut -d ' ' -f '1' | xargs pip3 install -U
+        grep -E "^python-magic=|^junitparser|^lxml|^gitlint|^pylint|^pykwalify|^yamllint|^unidiff|^vermin|^python-dotenv|^tabulate" scripts/requirements-fixed.txt | cut -d ' ' -f '1' | xargs pip3 install -U
         grep -E "^west" scripts/requirements-fixed.txt | cut -d ' ' -f '1' | xargs pip3 install -U
         pip3 show -f west
 
+    - name: Run merge commits test
+      env:
+        BASE_REF: ${{ github.base_ref }}
+      working-directory: ncs/nrf-bm
+      run: |
+        # Ensure there's no merge commits in the PR
+        [[ "$(git rev-list --merges --count origin/${BASE_REF}..)" == "0" ]] || \
+        (echo "::error ::Merge commits not allowed, rebase instead";false)
+
     - name: Run CODEOWNERS test
       id: codeowners
       env:
         BASE_REF: ${{ github.base_ref }}
-      working-directory: nrf-bm
+      working-directory: ncs/nrf-bm
       if: contains(github.event.pull_request.user.login, 'dependabot[bot]') != true
       run: |
         ../nrf/scripts/ci/codeowners.py -c origin/${BASE_REF}..
 
+    - name: Get NCS modules needed for compliance tests to run
+      working-directory: ncs/nrf-bm
+      run: |
+        patch -p1 < scripts/ci/ci-compliance.diff
+        west update
+
     - name: Run Compliance Tests
       continue-on-error: true
       id: compliance
       env:
         BASE_REF: ${{ github.base_ref }}
-      working-directory: nrf-bm
+      working-directory: ncs/nrf-bm
       if: contains(github.event.pull_request.user.login, 'dependabot[bot]') != true
       run: |
-        export PATH="$HOME/.local/bin:$PATH"
-        export PATH="$HOME/bin:$PATH"
         export ZEPHYR_BASE="$(dirname "$(pwd)")/zephyr"
         # debug
         ls -la
         git log --pretty=oneline | head -n 10
-        exec 2> compliance_errors.txt
-        $ZEPHYR_BASE/scripts/ci/check_compliance.py -m Codeowners -m Devicetree -m Identity -m Nits -m Gitlint -m pylint -c origin/${BASE_REF}..
-        if [[ $? -ne 0 ]]; then
-          echo "$?" >&2
-        fi
+        $ZEPHYR_BASE/scripts/ci/check_compliance.py --annotate \
+        -e KconfigBasicNoModules -e ClangFormat \
+        -e SysbuildKconfigBasicNoModules \
+        -c origin/${BASE_REF}..
 
     - name: upload-results
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
-      continue-on-error: True
+      uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
+      continue-on-error: true
       if: contains(github.event.pull_request.user.login, 'dependabot[bot]') != true
       with:
         name: compliance.xml
-        path: nrf-bm/compliance.xml
+        path: ncs/nrf-bm/compliance.xml
+        overwrite: true
 
     - name: check-warns
-      working-directory: nrf-bm
+      working-directory: ncs/nrf-bm
+      if: contains(github.event.pull_request.user.login, 'dependabot[bot]') != true
       run: |
-        if [[ -s 'compliance_errors.txt' ]]; then
-         echo "ERRORS FOUND! Exiting"
-         echo "$(<compliance_errors.txt )"
-         exit 1;
+        export ZEPHYR_BASE="$(dirname "$(pwd)")/zephyr"
+        if [[ ! -s "compliance.xml" ]]; then
+          exit 1;
         fi
 
-    - name: check-warns
-      working-directory: nrf-bm
-      run: |
-        for file in Codeowners.txt Devicetree.txt Gitlint.txt Identity.txt Nits.txt pylint.txt
-        do
-          if [[ -s $file ]]; then
-            errors=$(cat $file)
+        files=($($ZEPHYR_BASE/scripts/ci/check_compliance.py -l))
+        for file in "${files[@]}"; do
+          f="${file}.txt"
+          if [[ -s $f ]]; then
+            errors=$(cat $f)
             errors="${errors//'%'/'%25'}"
             errors="${errors//$'\n'/'%0A'}"
             errors="${errors//$'\r'/'%0D'}"
-            echo "::error file=${file}::$errors"
+            echo "::error file=${f}::$errors"
             exit=1
           fi
         done
 
-        if [[ $exit == 1 ]]; then
-          exit 1
+        if [ "${exit}" == "1" ]; then
+          exit 1;
         fi
diff --git a/scripts/ci/ci-compliance.diff b/scripts/ci/ci-compliance.diff
new file mode 100644
index 0000000000..932d98b72b
--- /dev/null
+++ b/scripts/ci/ci-compliance.diff
@@ -0,0 +1,17 @@
+diff --git a/west.yml b/west.yml
+index 14a19d9..156cee6 100644
+--- a/west.yml
++++ b/west.yml
+@@ -32,6 +32,13 @@ manifest:
+           - zephyr
+           - cmock
+           - zcbor
++          # For compliance CI testing only
++          - matter
++          - openthread
++          - azure-sdk-for-c
++          - trusted-firmware-m
++          - memfault-firmware-sdk
++          - cjson
+     - name: sdk-nrf-bm-internal
+       path: nrf-bm-internal