chore: prepare for dev-build renaming to test-build

.github/workflows/source-build.yml

@@ -0,0 +1,108 @@
+name: source-build
+
+on:
+  push:
+    branches:
+      - source
+
+jobs:
+  source-build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v6
+      with:
+        persist-credentials: true
+    - name: install prerequisites
+      run: sudo apt-get update && sudo apt-get install -y shellcheck shfmt jq sqlite3 iucode-tool make
+    - name: build and check
+      run: |
+        make build fmt-check shellcheck
+        mv spectre-meltdown-checker.sh dist/
+    - name: check direct execution
+      run: |
+        expected=$(cat .github/workflows/expected_cve_count)
+        cd dist
+        nb=$(sudo ./spectre-meltdown-checker.sh --batch json | jq '.[]|.CVE' | wc -l)
+        if [ "$nb" -ne "$expected" ]; then
+          echo "Invalid number of CVEs reported: $nb instead of $expected"
+          exit 1
+        else
+          echo "OK $nb CVEs reported"
+        fi
+    - name: check docker compose run execution
+      run: |
+        expected=$(cat .github/workflows/expected_cve_count)
+        cd dist
+        docker compose build
+        nb=$(docker compose run --rm spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
+        if [ "$nb" -ne "$expected" ]; then
+          echo "Invalid number of CVEs reported: $nb instead of $expected"
+          exit 1
+        else
+          echo "OK $nb CVEs reported"
+        fi
+    - name: check docker run execution
+      run: |
+        expected=$(cat .github/workflows/expected_cve_count)
+        cd dist
+        docker build -t spectre-meltdown-checker .
+        nb=$(docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
+        if [ "$nb" -ne "$expected" ]; then
+          echo "Invalid number of CVEs reported: $nb instead of $expected"
+          exit 1
+        else
+          echo "OK $nb CVEs reported"
+        fi
+    - name: check fwdb update (separated)
+      run: |
+        cd dist
+        nbtmp1=$(find /tmp 2>/dev/null | wc -l)
+        ./spectre-meltdown-checker.sh --update-fwdb; ret=$?
+        if [ "$ret" != 0 ]; then
+          echo "Non-zero return value: $ret"
+          exit 1
+        fi
+        nbtmp2=$(find /tmp 2>/dev/null | wc -l)
+        if [ "$nbtmp1" != "$nbtmp2" ]; then
+          echo "Left temporary files!"
+          exit 1
+        fi
+        if ! [ -e ~/.mcedb ]; then
+          echo "No .mcedb file found after updating fwdb"
+          exit 1
+        fi
+    - name: check fwdb update (builtin)
+      run: |
+        cd dist
+        nbtmp1=$(find /tmp 2>/dev/null | wc -l)
+        ./spectre-meltdown-checker.sh --update-builtin-fwdb; ret=$?
+        if [ "$ret" != 0 ]; then
+          echo "Non-zero return value: $ret"
+          exit 1
+        fi
+        nbtmp2=$(find /tmp 2>/dev/null | wc -l)
+        if [ "$nbtmp1" != "$nbtmp2" ]; then
+          echo "Left temporary files!"
+          exit 1
+        fi
+    - name: create a pull request to source-build
+      run: |
+        tmpdir=$(mktemp -d)
+        mv ./dist/* $tmpdir/
+        rm -rf ./dist
+        git fetch origin source-build
+        git checkout -f source-build
+        mv $tmpdir/* .
+        git add *
+        echo =#=#= DIFF CACHED
+        git diff --cached
+        echo =#=#= STATUS
+        git status
+        echo =#=#= COMMIT
+        git config --global user.name "github-actions[bot]"
+        git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
+        git log ${{ github.ref }} -1 --format=format:'%s%n%n built from commit %H%n dated %ai%n by %an (%ae)%n%n %b'
+        git log ${{ github.ref }} -1 --format=format:'%s%n%n built from commit %H%n dated %ai%n by %an (%ae)%n%n %b' | git commit -F -
+        git push

.github/workflows/test-build.yml

@@ -1,12 +1,12 @@
-name: dev-build
+name: test-build
 
 on:
   push:
     branches:
-      - dev
+      - test
 
 jobs:
-  dev-build:
+  test-build:
 
     runs-on: ubuntu-latest
 
@@ -87,13 +87,13 @@ jobs:
           echo "Left temporary files!"
           exit 1
         fi
-    - name: push artifact to the dev-build branch
+    - name: push artifact to the test-build branch
       run: |
         tmpdir=$(mktemp -d)
         mv ./dist/* $tmpdir/
         rm -rf ./dist
-        git fetch origin dev-build
+        git fetch origin test-build
-        git checkout -f dev-build
+        git checkout -f test-build
         mv $tmpdir/* .
         git add *
         echo =#=#= DIFF CACHED

DEVELOPMENT.md

@@ -37,21 +37,24 @@ The project uses 4 branches organized in two pipelines (production and dev/test)
 
 | Branch | Contents | Pushed by |
 |--------|----------|-----------|
+| **`test`** | Dev/test source (split files + Makefile) | Developers |
+| **`test-build`** | Monolithic test script (built artifact) | CI from `test` |
 | **`source`** | Production source (split files + Makefile) | Developers |
-| **`master`** | Monolithic production script (built artifact) | CI from `source` |
+| **`source-build`** | Monolithic test script (built artifact) | CI from `source` |
-| **`dev`** | Dev/test source (split files + Makefile) | Developers |
+| **`master`** | Monolithic production script (built artifact) | PR by developers from `source-build` |
-| **`dev-build`** | Monolithic test script (built artifact) | CI from `dev` |
 
-- **`source`** and **`dev`** contain the split source files and the Makefile. These are the branches developers commit to.
+- **`source`** and **`test`** contain the split source files and the Makefile. These are the branches developers commit to.
-- **`master`** and **`dev-build`** contain only the monolithic `spectre-meltdown-checker.sh` built by CI. Nobody commits to these directly.
+- **`master`**, **`source-build`** and **`test-build`** contain only the monolithic `spectre-meltdown-checker.sh` built by CI. Nobody commits to these directly.
 - **`master`** is the preexisting production branch that users pull from. It cannot be renamed.
-- **`dev-build`** is a testing branch that users can pull from to test pre-release versions.
+- **`test-build`** is a testing branch that users can pull from to test pre-release versions.
+- **`source-build`** is a preprod branch to prepare the artifact before merging to **`master`**.
 
 Typical workflow:
-1. Feature/fix branches are created from `dev` and merged back into `dev`.
+1. Feature/fix branches are created from `test` and merged back into `test`.
-2. CI builds the script and pushes it to `dev-build` for testing.
+2. CI builds the script and pushes it to `test-build` for testing.
-3. When ready for release, `dev` is merged into `source`.
+3. When ready for release, `test` is merged into `source`.
-4. CI builds the script and pushes it to `master` for production.
+4. CI builds the script and pushes it to `source-build` for production.
+5. Developer creates a PR from `source-build` to `master`.
 
 ## Versioning