chore: conditional workflows on all branches
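--- /dev/null
+++ b/.github/workflows/autoupdate.yml
@@ -0,0 +1,36 @@
+name: autoupdate
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '42 9 * * *'
+
+permissions:
+  pull-requests: write
+
+jobs:
+  autoupdate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install prerequisites
+        run: sudo apt-get update && sudo apt-get install -y --no-install-recommends iucode-tool sqlite3 unzip
+      - name: Update microcode versions
+        run: ./spectre-meltdown-checker.sh --update-builtin-fwdb
+      - name: Check git diff
+        id: diff
+        run: |
+          echo change="$(git diff spectre-meltdown-checker.sh | awk '/MCEDB/ { if(V) { print V" to "$4; exit } else { V=$4 } }')" >> "$GITHUB_OUTPUT"
+          echo nbdiff="$(git diff spectre-meltdown-checker.sh | grep -cE -- '^\+# [AI],')" >> "$GITHUB_OUTPUT"
+          git diff
+          cat "$GITHUB_OUTPUT"
+      - name: Create Pull Request if needed
+        if: steps.diff.outputs.nbdiff != '0'
+        uses: peter-evans/create-pull-request@v7
+        with:
+          branch: autoupdate-fwdb
+          commit-message: "update: fwdb from ${{ steps.diff.outputs.change }}, ${{ steps.diff.outputs.nbdiff }} microcode changes"
+          title: "[Auto] Update fwdb from ${{ steps.diff.outputs.change }}"
+          body: |
+            Automated PR to update fwdb from ${{ steps.diff.outputs.change }}
+            Detected ${{ steps.diff.outputs.nbdiff }} microcode changes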
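Review bot: The `permissions:` block of the new file grants only `pull-requests: write`, but the `peter-evans/create-pull-request@v7` step in the last stanza has to push the `autoupdate-fwdb` branch with the default `GITHUB_TOKEN` (no `token:` input is given), and that push also needs `contents: write`; on a repository whose token is restricted to the declared scopes the branch push is likely to be rejected, so I would add `contents: write` under `permissions:`. Both actions are also referenced by mutable tags (`actions/checkout@v4`, `peter-evans/create-pull-request@v7`); since this job runs unattended on a daily cron and opens PRs with repository credentials, pinning each to a full commit SHA with the tag kept in a trailing comment makes the supply chain auditable. Minor: the deleted test-build.yml checked out with `actions/checkout@v6`, so `@v4` here may be an unintended downgrade.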
@@ -1,12 +1,13 @@
|
|||||||
name: source-build
|
name: build
|
||||||
|
|
||||||
on:
|
on:
|
||||||
push:
|
push:
|
||||||
branches:
|
branches:
|
||||||
|
- test
|
||||||
- source
|
- source
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
source-build:
|
build:
|
||||||
|
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
@@ -87,13 +88,13 @@ jobs:
|
|||||||
echo "Left temporary files!"
|
echo "Left temporary files!"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
- name: create a pull request to source-build
|
- name: create a pull request to ${{ github.ref_name }}-build
|
||||||
run: |
|
run: |
|
||||||
tmpdir=$(mktemp -d)
|
tmpdir=$(mktemp -d)
|
||||||
mv ./dist/* $tmpdir/
|
mv ./dist/* $tmpdir/
|
||||||
rm -rf ./dist
|
rm -rf ./dist
|
||||||
git fetch origin source-build
|
git fetch origin ${{ github.ref_name }}-build
|
||||||
git checkout -f source-build
|
git checkout -f ${{ github.ref_name }}-build
|
||||||
mv $tmpdir/* .
|
mv $tmpdir/* .
|
||||||
git add *
|
git add *
|
||||||
echo =#=#= DIFF CACHED
|
echo =#=#= DIFF CACHED
|
||||||
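Review bot: `${{ github.ref_name }}` is expanded by the workflow engine straight into the shell text of the `run: |` script at `git fetch origin ${{ github.ref_name }}-build` and `git checkout -f ${{ github.ref_name }}-build` (and into the step `name:`), which is the expression-injection pattern: whatever the branch name contains becomes shell syntax. The `on.push.branches` filter in the first hunk of this file limits the trigger to `test` and `source`, so the exposure is bounded today, but the filter and the script are far apart and a later branch addition would silently widen it. The robust form passes the value through the environment: add `env:` / `BRANCH: ${{ github.ref_name }}` to the step and use `git fetch origin "${BRANCH}-build"` and `git checkout -f "${BRANCH}-build"` in the script. The `run:` block continues past the end of the hunk.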
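--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -3,6 +3,16 @@ name: 'Manage stale issues and PRs'
 on:
   schedule:
     - cron: '37 7 * * *'
+  workflow_dispatch:
+    inputs:
+      action:
+        description: "dry-run"
+        required: true
+        default: "dryrun"
+        type: choice
+        options:
+          - dryrun
+          - apply
 
 permissions:
   issues: write
@@ -20,4 +30,4 @@ jobs:
           days-before-close: 7
           stale-issue-label: stale
           remove-stale-when-updated: true
-          debug-only: true
+          debug-only: ${{ case(inputs.action == 'apply', false, true) }}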
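Review bot: The new `debug-only: ${{ case(inputs.action == 'apply', false, true) }}` in the second hunk relies on a `case()` expression function that I cannot find among the documented GitHub Actions expression functions (`contains`, `startsWith`, `format`, `fromJSON`, …); if it is not recognised the workflow fails to parse and the stale job stops running entirely, and the same result without it is `debug-only: ${{ inputs.action != 'apply' }}`. Note also that on the `schedule` trigger the `inputs` context is empty, so the expression yields `true` and the daily cron stays a dry run; that matches the previous unconditional `debug-only: true`, but if the intent was for the cron to start closing issues this does not achieve it, and a one-line comment above `debug-only:` stating which mode the scheduled run uses would remove the ambiguity. The `with:` block the second hunk belongs to starts outside the hunk.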
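--- a/.github/workflows/test-build.yml
+++ /dev/null
@@ -1,108 +0,0 @@
-name: test-build
-
-on:
-  push:
-    branches:
-      - test
-
-jobs:
-  test-build:
-
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v6
-        with:
-          persist-credentials: true
-      - name: install prerequisites
-        run: sudo apt-get update && sudo apt-get install -y shellcheck shfmt jq sqlite3 iucode-tool make
-      - name: build and check
-        run: |
-          make build fmt-check shellcheck
-          mv spectre-meltdown-checker.sh dist/
-      - name: check direct execution
-        run: |
-          expected=$(cat .github/workflows/expected_cve_count)
-          cd dist
-          nb=$(sudo ./spectre-meltdown-checker.sh --batch json | jq '.[]|.CVE' | wc -l)
-          if [ "$nb" -ne "$expected" ]; then
-            echo "Invalid number of CVEs reported: $nb instead of $expected"
-            exit 1
-          else
-            echo "OK $nb CVEs reported"
-          fi
-      - name: check docker compose run execution
-        run: |
-          expected=$(cat .github/workflows/expected_cve_count)
-          cd dist
-          docker compose build
-          nb=$(docker compose run --rm spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
-          if [ "$nb" -ne "$expected" ]; then
-            echo "Invalid number of CVEs reported: $nb instead of $expected"
-            exit 1
-          else
-            echo "OK $nb CVEs reported"
-          fi
-      - name: check docker run execution
-        run: |
-          expected=$(cat .github/workflows/expected_cve_count)
-          cd dist
-          docker build -t spectre-meltdown-checker .
-          nb=$(docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
-          if [ "$nb" -ne "$expected" ]; then
-            echo "Invalid number of CVEs reported: $nb instead of $expected"
-            exit 1
-          else
-            echo "OK $nb CVEs reported"
-          fi
-      - name: check fwdb update (separated)
-        run: |
-          cd dist
-          nbtmp1=$(find /tmp 2>/dev/null | wc -l)
-          ./spectre-meltdown-checker.sh --update-fwdb; ret=$?
-          if [ "$ret" != 0 ]; then
-            echo "Non-zero return value: $ret"
-            exit 1
-          fi
-          nbtmp2=$(find /tmp 2>/dev/null | wc -l)
-          if [ "$nbtmp1" != "$nbtmp2" ]; then
-            echo "Left temporary files!"
-            exit 1
-          fi
-          if ! [ -e ~/.mcedb ]; then
-            echo "No .mcedb file found after updating fwdb"
-            exit 1
-          fi
-      - name: check fwdb update (builtin)
-        run: |
-          cd dist
-          nbtmp1=$(find /tmp 2>/dev/null | wc -l)
-          ./spectre-meltdown-checker.sh --update-builtin-fwdb; ret=$?
-          if [ "$ret" != 0 ]; then
-            echo "Non-zero return value: $ret"
-            exit 1
-          fi
-          nbtmp2=$(find /tmp 2>/dev/null | wc -l)
-          if [ "$nbtmp1" != "$nbtmp2" ]; then
-            echo "Left temporary files!"
-            exit 1
-          fi
-      - name: push artifact to the test-build branch
-        run: |
-          tmpdir=$(mktemp -d)
-          mv ./dist/* $tmpdir/
-          rm -rf ./dist
-          git fetch origin test-build
-          git checkout -f test-build
-          mv $tmpdir/* .
-          git add *
-          echo =#=#= DIFF CACHED
-          git diff --cached
-          echo =#=#= STATUS
-          git status
-          echo =#=#= COMMIT
-          git config --global user.name "github-actions[bot]"
-          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git log ${{ github.ref }} -1 --format=format:'%s%n%n built from commit %H%n dated %ai%n by %an (%ae)%n%n %b'
-          git log ${{ github.ref }} -1 --format=format:'%s%n%n built from commit %H%n dated %ai%n by %an (%ae)%n%n %b' | git commit -F -
-          git push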