Implement ITS/VMScape/BTI and misc enhancements (#539)

7a7408d fix: add rebleet to --variant
cccb3c0 enh: add known fixed ucode versions for CVE-2023-23583 (Reptar) and CVE-2024-45332 (BPI)
090f109 doc: add CVE-2023-31315 (SinkClose) to the unsupported list, add categories
5dc9c3c chore: reorder CVE list in README.md
a00fab1 feat: implement CVE-2025-40300 (VMScape) and CVE-2024-45332 (BTI)
e0b818f chore: stalebot: disable dryrun by default
4af1155 feat: implement CVE-2024-28956 (ITS, Indirect Target Selection) vulnerability and mitigation detection
dfed6f3 doc: add note about more unsupported CVEs
1652977 add a generated version of src/libs/003_intel_models.sh
a089ae8 fix: sys_interface_check() must set the caller's $msg var (closes #533)
cc6bbaa chore: don't include src/ generated files in build
2717b0a doc: CVE-2020-12965 unsupported (#478)

.github/workflows/build.yml

@@ -17,6 +17,8 @@ jobs:
         persist-credentials: true
     - name: install prerequisites
       run: sudo apt-get update && sudo apt-get install -y shellcheck shfmt jq sqlite3 iucode-tool make
+    - name: update Intel model list
+      run: ./scripts/update_intel_models.sh
     - name: build and check
       run: |
         make build fmt-check shellcheck
@@ -96,6 +98,7 @@ jobs:
         git fetch origin ${{ github.ref_name }}-build
         git checkout -f ${{ github.ref_name }}-build
         mv $tmpdir/* .
+        rm -rf src/
         mkdir -p .github
         rsync -vaP --delete $tmpdir/.github/ .github/
         git add --all

.github/workflows/expected_cve_count

@@ -1 +1 @@
-21
+26

.github/workflows/stale.yml

@@ -30,4 +30,4 @@ jobs:
           days-before-close: 7
           stale-issue-label: stale
           remove-stale-when-updated: true
-          debug-only: ${{ case(inputs.action == 'apply', false, true) }}
+          debug-only: ${{ case(inputs.action == 'dryrun', true, false) }}