diff --git a/.github/workflows/autoupdate.yml b/.github/workflows/autoupdate.yml
deleted file mode 100644
index 7bebc60..0000000
--- a/.github/workflows/autoupdate.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-name: autoupdate
-
-on:
- workflow_dispatch:
- schedule:
- - cron: '42 9 * * *'
-
-jobs:
- autoupdate:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
- - name: Install prerequisites
- run: sudo apt-get update && sudo apt-get install -y --no-install-recommends iucode-tool sqlite3 unzip
- - name: Update microcode versions
- run: ./spectre-meltdown-checker.sh --update-builtin-fwdb
- - name: Check git diff
- id: diff
- run: |
- echo change="$(git diff spectre-meltdown-checker.sh | awk '/MCEDB/ { if(V) { print V" to "$4; exit } else { V=$4 } }')" >> "$GITHUB_OUTPUT"
- echo nbdiff="$(git diff spectre-meltdown-checker.sh | grep -cE -- '^\+# [AI],')" >> "$GITHUB_OUTPUT"
- git diff
- cat "$GITHUB_OUTPUT"
- - name: Create Pull Request if needed
- if: steps.diff.outputs.nbdiff != '0'
- uses: peter-evans/create-pull-request@v7
- with:
- token: ${{ secrets.SMC_PR_PAT }}
- branch: autoupdate-fwdb
- commit-message: "update: fwdb from ${{ steps.diff.outputs.change }}, ${{ steps.diff.outputs.nbdiff }} microcode changes"
- title: "[Auto] Update fwdb from ${{ steps.diff.outputs.change }}"
- body: |
- Automated PR to update fwdb from ${{ steps.diff.outputs.change }}
- Detected ${{ steps.diff.outputs.nbdiff }} microcode changes
diff --git a/.github/workflows/check.yml b/.github/workflows/dev-build.yml
similarity index 60%
rename from .github/workflows/check.yml
rename to .github/workflows/dev-build.yml
index 0e151b9..879e5d2 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/dev-build.yml
@@ -1,30 +1,26 @@
-name: CI
+name: dev-build
-on: [push, pull_request]
+on:
+ push:
+ branches:
+ - dev
 jobs:
- build:
+ dev-build:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v1
+ - uses: actions/checkout@v6
+ with:
+ persist-credentials: true
 - name: install prerequisites
- run: sudo apt-get update && sudo apt-get install -y shellcheck jq sqlite3 iucode-tool
- - name: shellcheck
- run: shellcheck -s sh spectre-meltdown-checker.sh
- - name: check indentation
- run: |
- if [ $(grep -cPv "^\t*\S|^$" spectre-meltdown-checker.sh) != 0 ]; then
- echo "Badly indented lines found:"
- grep -nPv "^\t*\S|^$" spectre-meltdown-checker.sh
- exit 1
- else
- echo "Indentation seems correct."
- fi
+ run: sudo apt-get update && sudo apt-get install -y shellcheck shfmt jq sqlite3 iucode-tool make
+ - name: build and check
+ run: make build fmt-check shellcheck
 - name: check direct execution
 run: |
- expected=19
+ expected=$(cat .github/workflows/expected_cve_count)
 nb=$(sudo ./spectre-meltdown-checker.sh --batch json | jq '.[]|.CVE' | wc -l)
 if [ "$nb" -ne "$expected" ]; then
 echo "Invalid number of CVEs reported: $nb instead of $expected"
@@ -34,7 +30,7 @@ jobs:
 fi
 - name: check docker compose run execution
 run: |
- expected=19
+ expected=$(cat .github/workflows/expected_cve_count)
 docker compose build
 nb=$(docker compose run --rm spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
 if [ "$nb" -ne "$expected" ]; then
@@ -45,7 +41,7 @@ jobs:
 fi
 - name: check docker run execution
 run: |
- expected=19
+ expected=$(cat .github/workflows/expected_cve_count)
 docker build -t spectre-meltdown-checker .
 nb=$(docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
 if [ "$nb" -ne "$expected" ]; then
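Review bot: `persist-credentials: true` on the new `actions/checkout@v6` step writes the job's GITHUB_TOKEN into `.git/config`, where every later step can read it — including the `--update-fwdb`/`--update-builtin-fwdb` steps that fetch and process remote microcode data — yet the job declares no `permissions:` block, so that token carries the repository's default scopes rather than only what a push to `dev-build` needs. Add a least-privilege grant at job or workflow level, `permissions:` / `  contents: write`, and consider keeping `persist-credentials: false` here and supplying the token only to the final push step so the network-facing update steps never hold a write-capable credential. Separately, `actions/checkout@v6` is a mutable tag; pinning to a full commit SHA with the version in a trailing comment guards against the tag being moved. The `on:` trigger is now `push` to `dev` only, so unless another workflow covers pull requests (not visible here) the shellcheck/shfmt gate no longer runs on PRs.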
@@ -54,7 +50,7 @@ jobs:
 else
 echo "OK $nb CVEs reported"
 fi
- - name: check fwdb update
+ - name: check fwdb update (separated)
 run: |
 nbtmp1=$(find /tmp 2>/dev/null | wc -l)
 ./spectre-meltdown-checker.sh --update-fwdb; ret=$?
@@ -71,3 +67,28 @@ jobs:
 echo "No .mcedb file found after updating fwdb"
 exit 1
 fi
+ - name: check fwdb update (builtin)
+ run: |
+ nbtmp1=$(find /tmp 2>/dev/null | wc -l)
+ ./spectre-meltdown-checker.sh --update-builtin-fwdb; ret=$?
+ if [ "$ret" != 0 ]; then
+ echo "Non-zero return value: $ret"
+ exit 1
+ fi
+ nbtmp2=$(find /tmp 2>/dev/null | wc -l)
+ if [ "$nbtmp1" != "$nbtmp2" ]; then
+ echo "Left temporary files!"
+ exit 1
+ fi
+ - name: push artifact to the dev-build branch
+ run: |
+ tmpdir=$(mktemp -d)
+ cp ./spectre-meltdown-checker.sh $tmpdir/
+ cp -va ./dist/* $tmpdir/
+ if ! git checkout -f dev-build; then
+ git checkout -B dev-build;
+ fi
+ mv $tmpdir/* .
+ git add *
+ git status
+ git branch
diff --git a/.github/workflows/expected_cve_count b/.github/workflows/expected_cve_count
new file mode 100644
index 0000000..d6b2404
--- /dev/null
+++ b/.github/workflows/expected_cve_count
@@ -0,0 +1 @@
+19
diff --git a/Makefile b/Makefile
index 7a93ed2..100fc49 100644
--- a/Makefile
+++ b/Makefile
@@ -9,13 +9,15 @@ SRC_FILES := $(shell find src -name '*.sh' -type f) build.sh
 all: build shellcheck fmt-check
 build:
- ./build.sh $(OUTPUT)
+ @./build.sh $(OUTPUT)
 shellcheck: $(OUTPUT)
- shellcheck $(OUTPUT)
+ @echo Running shellcheck...
+ @shellcheck $(OUTPUT)
 fmt:
 $(SHFMT) -w $(SHFMT_OPTS) $(SRC_FILES)
 fmt-check:
- $(SHFMT) -d $(SHFMT_OPTS) $(SRC_FILES)
+ @echo Checking formatting...
+ @$(SHFMT) -d $(SHFMT_OPTS) $(SRC_FILES)
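Review bot: The new `push artifact to the dev-build branch` step never commits or pushes — after `git add *` it only runs `git status` and `git branch`, and the hunk ends the file, so the staged tree is discarded with the runner and the `persist-credentials: true` set on the checkout step buys nothing. It also relies on `git checkout -f dev-build` succeeding, but with a default shallow single-ref checkout `origin/dev-build` is not fetched, so the `git checkout -B dev-build` fallback will normally run and create the branch from the current `dev` HEAD (fine if the artifact branch is meant to carry the dev history; if it should hold only artifacts, fetch the branch first or use an orphan branch). `git add *` is an unquoted glob that skips dotfiles, `$tmpdir` is unquoted in the `cp`/`mv` lines, and `./dist/` is not visible in this diff so its contents are assumed to be the build output. The enclosing `steps:` list starts before this hunk; a sketch of the missing tail, with a commit identity and the push, follows.
```yaml
      - name: push artifact to the dev-build branch
        run: |
          tmpdir=$(mktemp -d)
          # … unchanged: copy spectre-meltdown-checker.sh and dist/ into "$tmpdir" …
          git fetch --depth=1 origin dev-build:dev-build || true
          if ! git checkout -f dev-build; then
            git checkout -B dev-build
          fi
          mv "$tmpdir"/* .
          git add -A .
          git -c user.name=github-actions -c user.email=github-actions[bot]@users.noreply.github.com \
            commit -m "dev-build from ${GITHUB_SHA}" || { echo "nothing to commit"; exit 0; }
          git push origin dev-build
```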