From 5e2af29e6a989831b3493350521e9b2ab5fbc2ff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Lesimple?= Date: Thu, 2 Apr 2026 18:36:43 +0200 Subject: [PATCH] chore: conditional workflows on all branches --- .github/workflows/autoupdate.yml | 36 ++++++ .../workflows/{source-build.yml => build.yml} | 11 +- .github/workflows/stale.yml | 12 +- .github/workflows/test-build.yml | 108 ------------------ 4 files changed, 53 insertions(+), 114 deletions(-) create mode 100644 .github/workflows/autoupdate.yml rename .github/workflows/{source-build.yml => build.yml} (94%) delete mode 100644 .github/workflows/test-build.yml diff --git a/.github/workflows/autoupdate.yml b/.github/workflows/autoupdate.yml new file mode 100644 index 0000000..290f01e --- /dev/null +++ b/.github/workflows/autoupdate.yml 
@@ -0,0 +1,36 @@ +name: autoupdate + +on: + workflow_dispatch: + schedule: + - cron: '42 9 * * *' + +permissions: + pull-requests: write + +jobs: + autoupdate: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: Install prerequisites + run: sudo apt-get update && sudo apt-get install -y --no-install-recommends iucode-tool sqlite3 unzip + - name: Update microcode versions + run: ./spectre-meltdown-checker.sh --update-builtin-fwdb + - name: Check git diff + id: diff + run: | + echo change="$(git diff spectre-meltdown-checker.sh | awk '/MCEDB/ { if(V) { print V" to "$4; exit } else { V=$4 } }')" >> "$GITHUB_OUTPUT" + echo nbdiff="$(git diff spectre-meltdown-checker.sh | grep -cE -- '^\+# [AI],')" >> "$GITHUB_OUTPUT" + git diff + cat "$GITHUB_OUTPUT" + - name: Create Pull Request if needed + if: steps.diff.outputs.nbdiff != '0' + uses: peter-evans/create-pull-request@v7 + with: + branch: autoupdate-fwdb + commit-message: "update: fwdb from ${{ steps.diff.outputs.change }}, ${{ steps.diff.outputs.nbdiff }} microcode changes" + title: "[Auto] Update fwdb from ${{ steps.diff.outputs.change }}" + body: | + Automated PR to update fwdb from ${{ steps.diff.outputs.change }} + Detected ${{ steps.diff.outputs.nbdiff }} microcode changes diff --git a/.github/workflows/source-build.yml b/.github/workflows/build.yml similarity index 94% rename from .github/workflows/source-build.yml rename to .github/workflows/build.yml index a8ba56e..8c4d7aa 100644 --- a/.github/workflows/source-build.yml +++ b/.github/workflows/build.yml @@ -1,12 +1,13 @@ -name: source-build +name: build on: push: branches: + - test - source jobs: - source-build: + build: runs-on: ubuntu-latest 
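Review bot: The top-level `permissions:` block in the new autoupdate.yml grants only `pull-requests: write`, which sets every other scope for the default `GITHUB_TOKEN` (including `contents`) to none; the create-pull-request step has no `token:` input, so it pushes the `autoupdate-fwdb` branch with that token and will, I believe, be refused at the push. Add `contents: write` under `permissions:` next to `pull-requests: write`. The two `uses:` references (`actions/checkout@v4`, `peter-evans/create-pull-request@v7`) are mutable tags; for a job that writes to the repository, pinning them to a full commit SHA with the tag kept as a trailing comment is the usual supply-chain hardening, and `@v4` also lags the `actions/checkout@v6` that the deleted test-build.yml used. The text feeding `steps.diff.outputs.change` comes from the downloaded fwdb, but it is only interpolated into `with:` inputs of the action and never into a `run:` script, so that part is fine as written.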
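Review bot: Renaming the job key from `source-build` to `build` also renames the check run GitHub reports for each push, so any branch-protection required status check or badge keyed on `source-build` would need updating — not verifiable from the diff. With `test` added to the push filter, one workflow now serves both branches, which is what the `${{ github.ref_name }}-build` substitution in the later hunk relies on; a comment above `branches:` such as `# every branch listed here must have a matching <branch>-build branch for the final push step` would make that coupling visible to the next person editing the list.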
@@ -87,13 +88,13 @@ jobs: echo "Left temporary files!" exit 1 fi - - name: create a pull request to source-build + - name: create a pull request to ${{ github.ref_name }}-build run: | tmpdir=$(mktemp -d) mv ./dist/* $tmpdir/ rm -rf ./dist - git fetch origin source-build - git checkout -f source-build + git fetch origin ${{ github.ref_name }}-build + git checkout -f ${{ github.ref_name }}-build mv $tmpdir/* . git add * echo =#=#= DIFF CACHED diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index b234f10..610d2fd 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -3,6 +3,16 @@ name: 'Manage stale issues and PRs' on: schedule: - cron: '37 7 * * *' + workflow_dispatch: + inputs: + action: + description: "dry-run" + required: true + default: "dryrun" + type: choice + options: + - dryrun + - apply permissions: issues: write @@ -20,4 +30,4 @@ jobs: days-before-close: 7 stale-issue-label: stale remove-stale-when-updated: true - debug-only: true + debug-only: ${{ case(inputs.action == 'apply', false, true) }} diff --git a/.github/workflows/test-build.yml b/.github/workflows/test-build.yml deleted file mode 100644 index 97bee68..0000000 --- a/.github/workflows/test-build.yml +++ /dev/null 
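Review bot: `${{ github.ref_name }}` is expanded textually into the `run:` shell script on the `git fetch origin` and `git checkout -f` lines; the push filter in the first hunk currently restricts it to `test` and `source`, so the value is safe today, but this is the pattern GitHub's hardening guide flags as script injection, and it becomes a real risk if the trigger is later widened to a glob or to `pull_request`. Pass it through the environment instead: add `env: { TARGET_BRANCH: "${{ github.ref_name }}-build" }` on the step and use `git fetch origin "$TARGET_BRANCH"` and `git checkout -f "$TARGET_BRANCH"`. The step body continues past the end of the hunk.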
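Review bot: The new `workflow_dispatch` input is named `action` but its `description` reads "dry-run", which is the label the dispatch form shows the operator next to a dryrun/apply choice — confusing at exactly the moment someone decides whether to really close issues. A description such as `description: "dryrun = report only (default); apply = actually label and close stale items"` states the consequence of each option. The `default: "dryrun"` is the right fail-safe choice.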
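Review bot: `${{ case(inputs.action == 'apply', false, true) }}` on the `debug-only:` line uses a function that, as far as I know, does not exist in the GitHub Actions expression language (it offers `contains`, `startsWith`, `endsWith`, `format`, `join`, `toJSON`, `fromJSON`, `hashFiles` and the status functions, but no `case`), so the workflow file will be rejected as invalid and neither the scheduled nor the manual run will execute. The equivalent valid expression is `debug-only: ${{ inputs.action != 'apply' }}`. On the `schedule` trigger `inputs.action` is unset, so that form keeps scheduled runs in dry-run mode, preserving the previous `debug-only: true` behaviour, and only an explicit manual `apply` actually closes issues.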
@@ -1,108 +0,0 @@ -name: test-build - -on: - push: - branches: - - test - -jobs: - test-build: - - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v6 - with: - persist-credentials: true - - name: install prerequisites - run: sudo apt-get update && sudo apt-get install -y shellcheck shfmt jq sqlite3 iucode-tool make - - name: build and check - run: | - make build fmt-check shellcheck - mv spectre-meltdown-checker.sh dist/ - - name: check direct execution - run: | - expected=$(cat .github/workflows/expected_cve_count) - cd dist - nb=$(sudo ./spectre-meltdown-checker.sh --batch json | jq '.[]|.CVE' | wc -l) - if [ "$nb" -ne "$expected" ]; then - echo "Invalid number of CVEs reported: $nb instead of $expected" - exit 1 - else - echo "OK $nb CVEs reported" - fi - - name: check docker compose run execution - run: | - expected=$(cat .github/workflows/expected_cve_count) - cd dist - docker compose build - nb=$(docker compose run --rm spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l) - if [ "$nb" -ne "$expected" ]; then - echo "Invalid number of CVEs reported: $nb instead of $expected" - exit 1 - else - echo "OK $nb CVEs reported" - fi - - name: check docker run execution - run: | - expected=$(cat .github/workflows/expected_cve_count) - cd dist - docker build -t spectre-meltdown-checker . - nb=$(docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l) - if [ "$nb" -ne "$expected" ]; then - echo "Invalid number of CVEs reported: $nb instead of $expected" - exit 1 - else - echo "OK $nb CVEs reported" - fi - - name: check fwdb update (separated) - run: | - cd dist - nbtmp1=$(find /tmp 2>/dev/null | wc -l) - ./spectre-meltdown-checker.sh --update-fwdb; ret=$? - if [ "$ret" != 0 ]; then - echo "Non-zero return value: $ret" - exit 1 - fi - nbtmp2=$(find /tmp 2>/dev/null | wc -l) - if [ "$nbtmp1" != "$nbtmp2" ]; then - echo "Left temporary files!" 
- exit 1 - fi - if ! [ -e ~/.mcedb ]; then - echo "No .mcedb file found after updating fwdb" - exit 1 - fi - - name: check fwdb update (builtin) - run: | - cd dist - nbtmp1=$(find /tmp 2>/dev/null | wc -l) - ./spectre-meltdown-checker.sh --update-builtin-fwdb; ret=$? - if [ "$ret" != 0 ]; then - echo "Non-zero return value: $ret" - exit 1 - fi - nbtmp2=$(find /tmp 2>/dev/null | wc -l) - if [ "$nbtmp1" != "$nbtmp2" ]; then - echo "Left temporary files!" - exit 1 - fi - - name: push artifact to the test-build branch - run: | - tmpdir=$(mktemp -d) - mv ./dist/* $tmpdir/ - rm -rf ./dist - git fetch origin test-build - git checkout -f test-build - mv $tmpdir/* . - git add * - echo =#=#= DIFF CACHED - git diff --cached - echo =#=#= STATUS - git status - echo =#=#= COMMIT - git config --global user.name "github-actions[bot]" - git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com" - git log ${{ github.ref }} -1 --format=format:'%s%n%n built from commit %H%n dated %ai%n by %an (%ae)%n%n %b' - git log ${{ github.ref }} -1 --format=format:'%s%n%n built from commit %H%n dated %ai%n by %an (%ae)%n%n %b' | git commit -F - - git push