diff --git a/.github/workflows/autoupdate.yml b/.github/workflows/autoupdate.yml
index 7bebc60..290f01e 100644
--- a/.github/workflows/autoupdate.yml
+++ b/.github/workflows/autoupdate.yml
@@ -5,6 +5,9 @@ on:
 schedule:
 - cron: '42 9 * * *'
+permissions:
+ pull-requests: write
+
 jobs:
 autoupdate:
 runs-on: ubuntu-latest
@@ -25,7 +28,6 @@ jobs:
 if: steps.diff.outputs.nbdiff != '0'
 uses: peter-evans/create-pull-request@v7
 with:
- token: ${{ secrets.SMC_PR_PAT }}
 branch: autoupdate-fwdb
 commit-message: "update: fwdb from ${{ steps.diff.outputs.change }}, ${{ steps.diff.outputs.nbdiff }} microcode changes"
 title: "[Auto] Update fwdb from ${{ steps.diff.outputs.change }}"
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 0000000..522b7f2
--- /dev/null
+++ b/.github/workflows/build.yml
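Review bot: The new top-level `permissions:` block lists only `pull-requests: write`, and once a workflow declares a `permissions:` block every scope it does not name drops to `none`, so the `GITHUB_TOKEN` that `peter-evans/create-pull-request` now relies on (the PAT is removed in the next hunk) can no longer push the `autoupdate-fwdb` branch — that push needs `contents: write`. Change the block to `permissions:` / `  contents: write` / `  pull-requests: write`, which I believe is what the action's own README asks for and is still a far narrower grant than the PAT was. If other jobs exist in this file outside the hunk, attach the block to the `autoupdate` job instead so they keep no more than they need.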
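Review bot: Removing `token: ${{ secrets.SMC_PR_PAT }}` means the PR is opened with the workflow's own `GITHUB_TOKEN`, and GitHub does not run `pull_request`/`push` workflows for events created by that token, so CI checks will not run on the `autoupdate-fwdb` PR until a human pushes to it or closes and reopens it. If avoiding that was why the PAT existed, record the trade-off in a comment above `uses:`, e.g. `# uses GITHUB_TOKEN: no PAT to leak, but CI will not auto-run on the created PR`. Also make sure `SMC_PR_PAT` is revoked at the token level and deleted from the repository secrets, not merely left unreferenced here.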
@@ -0,0 +1,111 @@
+name: build
+
+on:
+ push:
+ branches:
+ - test
+ - source
+
+jobs:
+ build:
+
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v6
+ with:
+ persist-credentials: true
+ - name: install prerequisites
+ run: sudo apt-get update && sudo apt-get install -y shellcheck shfmt jq sqlite3 iucode-tool make
+ - name: build and check
+ run: |
+ make build fmt-check shellcheck
+ mv spectre-meltdown-checker.sh dist/
+ - name: check direct execution
+ run: |
+ expected=$(cat .github/workflows/expected_cve_count)
+ cd dist
+ nb=$(sudo ./spectre-meltdown-checker.sh --batch json | jq '.[]|.CVE' | wc -l)
+ if [ "$nb" -ne "$expected" ]; then
+ echo "Invalid number of CVEs reported: $nb instead of $expected"
+ exit 1
+ else
+ echo "OK $nb CVEs reported"
+ fi
+ - name: check docker compose run execution
+ run: |
+ expected=$(cat .github/workflows/expected_cve_count)
+ cd dist
+ docker compose build
+ nb=$(docker compose run --rm spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
+ if [ "$nb" -ne "$expected" ]; then
+ echo "Invalid number of CVEs reported: $nb instead of $expected"
+ exit 1
+ else
+ echo "OK $nb CVEs reported"
+ fi
+ - name: check docker run execution
+ run: |
+ expected=$(cat .github/workflows/expected_cve_count)
+ cd dist
+ docker build -t spectre-meltdown-checker .
+ nb=$(docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
+ if [ "$nb" -ne "$expected" ]; then
+ echo "Invalid number of CVEs reported: $nb instead of $expected"
+ exit 1
+ else
+ echo "OK $nb CVEs reported"
+ fi
+ - name: check fwdb update (separated)
+ run: |
+ cd dist
+ nbtmp1=$(find /tmp 2>/dev/null | wc -l)
+ ./spectre-meltdown-checker.sh --update-fwdb; ret=$?
+ if [ "$ret" != 0 ]; then
+ echo "Non-zero return value: $ret"
+ exit 1
+ fi
+ nbtmp2=$(find /tmp 2>/dev/null | wc -l)
+ if [ "$nbtmp1" != "$nbtmp2" ]; then
+ echo "Left temporary files!"
+ exit 1
+ fi
+ if ! [ -e ~/.mcedb ]; then
+ echo "No .mcedb file found after updating fwdb"
+ exit 1
+ fi
+ - name: check fwdb update (builtin)
+ run: |
+ cd dist
+ nbtmp1=$(find /tmp 2>/dev/null | wc -l)
+ ./spectre-meltdown-checker.sh --update-builtin-fwdb; ret=$?
+ if [ "$ret" != 0 ]; then
+ echo "Non-zero return value: $ret"
+ exit 1
+ fi
+ nbtmp2=$(find /tmp 2>/dev/null | wc -l)
+ if [ "$nbtmp1" != "$nbtmp2" ]; then
+ echo "Left temporary files!"
+ exit 1
+ fi
+ - name: create a pull request to ${{ github.ref_name }}-build
+ run: |
+ tmpdir=$(mktemp -d)
+ mv ./dist/* .github $tmpdir/
+ rm -rf ./dist
+ git fetch origin ${{ github.ref_name }}-build
+ git checkout -f ${{ github.ref_name }}-build
+ mv $tmpdir/* .
+ mkdir -p .github
+ rsync -vaP --delete $tmpdir/.github/ .github/
+ git add --all
+ echo =#=#= DIFF CACHED
+ git diff --cached
+ echo =#=#= STATUS
+ git status
+ echo =#=#= COMMIT
+ git config --global user.name "github-actions[bot]"
+ git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
+ git log ${{ github.ref }} -1 --format=format:'%s%n%n built from commit %H%n dated %ai%n by %an (%ae)%n%n %b'
+ git log ${{ github.ref }} -1 --format=format:'%s%n%n built from commit %H%n dated %ai%n by %an (%ae)%n%n %b' | git commit -F -
+ git push
diff --git a/.github/workflows/expected_cve_count b/.github/workflows/expected_cve_count
new file mode 100644
index 0000000..aabe6ec
--- /dev/null
+++ b/.github/workflows/expected_cve_count
@@ -0,0 +1 @@
+21
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index b234f10..610d2fd 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -3,6 +3,16 @@ name: 'Manage stale issues and PRs'
 on:
 schedule:
 - cron: '37 7 * * *'
+ workflow_dispatch:
+ inputs:
+ action:
+ description: "dry-run"
+ required: true
+ default: "dryrun"
+ type: choice
+ options:
+ - dryrun
+ - apply
 permissions:
 issues: write
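Review bot: The last step runs `git push` to `${{ github.ref_name }}-build` with the credential that `actions/checkout` leaves in `.git/config` (`persist-credentials: true`), yet the workflow has no `permissions:` block, so whether that push succeeds — and how much the token can do if any earlier step is compromised — is decided by the repository's default `GITHUB_TOKEN` setting rather than by this file. Add `permissions:` / `  contents: write` at the top level so the grant is explicit and every other scope becomes `none`, and because this job carries a write-capable token, pin `actions/checkout` to a full commit SHA instead of the floating `@v6` tag. The step is named "create a pull request to …-build" but it commits and pushes straight to that branch with no PR; rename it (e.g. `publish build to ${{ github.ref_name }}-build`) or add a comment saying so, otherwise reviewers will look for a PR that never appears. `github.ref_name` and `github.ref` are expanded directly into shell text; that is harmless today because `on.push.branches` only matches `test` and `source`, but routing them through `env:` (`BRANCH: ${{ github.ref_name }}`, then `"$BRANCH"`) keeps the script free of expression injection if a wildcard branch pattern is ever added. The hunk holds the entire new file, so nothing of it is hidden from view.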
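Review bot: `description: "dry-run"` on the `action` input names one of the options rather than the setting, so the Actions dispatch form will label a `dryrun`/`apply` choice as "dry-run" and give no hint that `apply` is the mode that really labels and closes stale items. Use a description that states the consequence, e.g. `description: "dryrun = report only (default); apply = really label/close stale issues and PRs"`. The rest of the hunk is fine: a `choice` input with `required: true` and a `default` is the right shape, and the `permissions:` block below it is unchanged.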
@@ -20,4 +30,4 @@ jobs:
 days-before-close: 7
 stale-issue-label: stale
 remove-stale-when-updated: true
- debug-only: true
+ debug-only: ${{ case(inputs.action == 'apply', false, true) }}
diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
index a256716..863afe0 100755
--- a/spectre-meltdown-checker.sh
+++ b/spectre-meltdown-checker.sh
@@ -13,7 +13,7 @@
 #
 # Stephane Lesimple
 #
-VERSION='26.21.0402694'
+VERSION='26.21.0402701'
 # --- Common paths and basedirs ---
 readonly VULN_SYSFS_BASE="/sys/devices/system/cpu/vulnerabilities"
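Review bot: `case(...)` is not one of the functions I know the GitHub Actions expression language to provide (`contains`, `startsWith`, `endsWith`, `format`, `join`, `toJSON`, `fromJSON`, `hashFiles` and the status functions), so unless it is a very recent addition the workflow will be rejected at parse time with an unrecognized-function error, which would also break the nightly `schedule` run that shares this job. No function is needed: `debug-only: ${{ inputs.action != 'apply' }}` yields the same true/false. Note that `inputs` is empty on the `schedule` trigger, so that expression (like the `case` one) keeps cron runs in dry-run exactly as `debug-only: true` did; if the nightly run is meant to apply for real, spell it out, e.g. `debug-only: ${{ github.event_name != 'schedule' && inputs.action != 'apply' }}`. The job this `with:` block belongs to starts above the hunk.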