From 9497abbee2723cedc561b6b785fe01fbe965ec1c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Lesimple?=
Date: Tue, 31 Mar 2026 19:34:52 +0200
Subject: [PATCH] chore: prepare for dev-build renaming to test-build
---
 .github/workflows/source-build.yml | 108 ++++++++++++++++++
 .../{dev-build.yml => test-build.yml} | 12 +-
 DEVELOPMENT.md | 23 ++--
 3 files changed, 127 insertions(+), 16 deletions(-)
 create mode 100644 .github/workflows/source-build.yml
 rename .github/workflows/{dev-build.yml => test-build.yml} (95%)
diff --git a/.github/workflows/source-build.yml b/.github/workflows/source-build.yml
new file mode 100644
index 0000000..a8ba56e
--- /dev/null
+++ b/.github/workflows/source-build.yml
@@ -0,0 +1,108 @@
+name: source-build
+
+on:
+ push:
+ branches:
+ - source
+
+jobs:
+ source-build:
+
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v6
+ with:
+ persist-credentials: true
+ - name: install prerequisites
+ run: sudo apt-get update && sudo apt-get install -y shellcheck shfmt jq sqlite3 iucode-tool make
+ - name: build and check
+ run: |
+ make build fmt-check shellcheck
+ mv spectre-meltdown-checker.sh dist/
+ - name: check direct execution
+ run: |
+ expected=$(cat .github/workflows/expected_cve_count)
+ cd dist
+ nb=$(sudo ./spectre-meltdown-checker.sh --batch json | jq '.[]|.CVE' | wc -l)
+ if [ "$nb" -ne "$expected" ]; then
+ echo "Invalid number of CVEs reported: $nb instead of $expected"
+ exit 1
+ else
+ echo "OK $nb CVEs reported"
+ fi
+ - name: check docker compose run execution
+ run: |
+ expected=$(cat .github/workflows/expected_cve_count)
+ cd dist
+ docker compose build
+ nb=$(docker compose run --rm spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
+ if [ "$nb" -ne "$expected" ]; then
+ echo "Invalid number of CVEs reported: $nb instead of $expected"
+ exit 1
+ else
+ echo "OK $nb CVEs reported"
+ fi
+ - name: check docker run execution
+ run: |
+ expected=$(cat .github/workflows/expected_cve_count)
+ cd dist
+ docker build -t spectre-meltdown-checker .
+ nb=$(docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
+ if [ "$nb" -ne "$expected" ]; then
+ echo "Invalid number of CVEs reported: $nb instead of $expected"
+ exit 1
+ else
+ echo "OK $nb CVEs reported"
+ fi
+ - name: check fwdb update (separated)
+ run: |
+ cd dist
+ nbtmp1=$(find /tmp 2>/dev/null | wc -l)
+ ./spectre-meltdown-checker.sh --update-fwdb; ret=$?
+ if [ "$ret" != 0 ]; then
+ echo "Non-zero return value: $ret"
+ exit 1
+ fi
+ nbtmp2=$(find /tmp 2>/dev/null | wc -l)
+ if [ "$nbtmp1" != "$nbtmp2" ]; then
+ echo "Left temporary files!"
+ exit 1
+ fi
+ if ! [ -e ~/.mcedb ]; then
+ echo "No .mcedb file found after updating fwdb"
+ exit 1
+ fi
+ - name: check fwdb update (builtin)
+ run: |
+ cd dist
+ nbtmp1=$(find /tmp 2>/dev/null | wc -l)
+ ./spectre-meltdown-checker.sh --update-builtin-fwdb; ret=$?
+ if [ "$ret" != 0 ]; then
+ echo "Non-zero return value: $ret"
+ exit 1
+ fi
+ nbtmp2=$(find /tmp 2>/dev/null | wc -l)
+ if [ "$nbtmp1" != "$nbtmp2" ]; then
+ echo "Left temporary files!"
+ exit 1
+ fi
+ - name: create a pull request to source-build
+ run: |
+ tmpdir=$(mktemp -d)
+ mv ./dist/* $tmpdir/
+ rm -rf ./dist
+ git fetch origin source-build
+ git checkout -f source-build
+ mv $tmpdir/* .
+ git add *
+ echo =#=#= DIFF CACHED
+ git diff --cached
+ echo =#=#= STATUS
+ git status
+ echo =#=#= COMMIT
+ git config --global user.name "github-actions[bot]"
+ git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
+ git log ${{ github.ref }} -1 --format=format:'%s%n%n built from commit %H%n dated %ai%n by %an (%ae)%n%n %b'
+ git log ${{ github.ref }} -1 --format=format:'%s%n%n built from commit %H%n dated %ai%n by %an (%ae)%n%n %b' | git commit -F -
+ git push
diff --git a/.github/workflows/dev-build.yml b/.github/workflows/test-build.yml
similarity index 95%
rename from .github/workflows/dev-build.yml
rename to .github/workflows/test-build.yml
index 71b57a2..97bee68 100644
--- a/.github/workflows/dev-build.yml
+++ b/.github/workflows/test-build.yml
@@ -1,12 +1,12 @@
-name: dev-build
+name: test-build
on:
push:
branches:
- - dev
+ - test
jobs:
- dev-build:
+ test-build:
runs-on: ubuntu-latest
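Review bot: The last step of the `source-build` job is named `create a pull request to source-build` but it does a direct `git push` to the `source-build` branch with the credentials kept by `actions/checkout` (`persist-credentials: true`), and the workflow declares no `permissions:` block, so that push relies on whatever default `GITHUB_TOKEN` scope the repository happens to have. I would rename the step to `push artifact to the source-build branch` (the name the equivalent step carries in test-build.yml) and add `permissions:` with `  contents: write` at the job level, so the token is scoped to exactly what the push needs and nothing else. The visible lines of the renamed test-build.yml show no `permissions:` entry either, though only its first hunk is in view here. `actions/checkout@v6` is pinned to a moving major tag; since this pipeline produces the artifact users pull, pinning the action to a full commit SHA would fix its contents for this release path.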
@@ -87,13 +87,13 @@ jobs:
echo "Left temporary files!"
exit 1
fi
- - name: push artifact to the dev-build branch
+ - name: push artifact to the test-build branch
run: |
tmpdir=$(mktemp -d)
mv ./dist/* $tmpdir/
rm -rf ./dist
- git fetch origin dev-build
- git checkout -f dev-build
+ git fetch origin test-build
+ git checkout -f test-build
mv $tmpdir/* .
git add *
echo =#=#= DIFF CACHED
diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md
index e2f8009..ee27000 100644
--- a/DEVELOPMENT.md
+++ b/DEVELOPMENT.md
@@ -37,21 +37,24 @@ The project uses 4 branches organized in two pipelines (production and dev/test)
| Branch | Contents | Pushed by |
|--------|----------|-----------|
+| **`test`** | Dev/test source (split files + Makefile) | Developers |
+| **`test-build`** | Monolithic test script (built artifact) | CI from `test` |
| **`source`** | Production source (split files + Makefile) | Developers |
-| **`master`** | Monolithic production script (built artifact) | CI from `source` |
-| **`dev`** | Dev/test source (split files + Makefile) | Developers |
-| **`dev-build`** | Monolithic test script (built artifact) | CI from `dev` |
+| **`source-build`** | Monolithic test script (built artifact) | CI from `source` |
+| **`master`** | Monolithic production script (built artifact) | PR by developers from `source-build` |
-- **`source`** and **`dev`** contain the split source files and the Makefile. These are the branches developers commit to.
-- **`master`** and **`dev-build`** contain only the monolithic `spectre-meltdown-checker.sh` built by CI. Nobody commits to these directly.
+- **`source`** and **`test`** contain the split source files and the Makefile. These are the branches developers commit to.
+- **`master`**, **`source-build`** and **`test-build`** contain only the monolithic `spectre-meltdown-checker.sh` built by CI. Nobody commits to these directly.
- **`master`** is the preexisting production branch that users pull from. It cannot be renamed.
-- **`dev-build`** is a testing branch that users can pull from to test pre-release versions.
+- **`test-build`** is a testing branch that users can pull from to test pre-release versions.
+- **`source-build`** is a preprod branch to prepare the artifact before merging to **`master`**.
Typical workflow:
-1. Feature/fix branches are created from `dev` and merged back into `dev`.
-2. CI builds the script and pushes it to `dev-build` for testing.
-3. When ready for release, `dev` is merged into `source`.
-4. CI builds the script and pushes it to `master` for production.
+1. Feature/fix branches are created from `test` and merged back into `test`.
+2. CI builds the script and pushes it to `test-build` for testing.
+3. When ready for release, `test` is merged into `source`.
+4. CI builds the script and pushes it to `source-build` for production.
+5. Developer creates a PR from `source-build` to `master`.
## Versioning