dev-build workflow

This commit is contained in:
Stéphane Lesimple
2026-03-30 21:04:21 +02:00
parent 994608a90a
commit c2542e9940
4 changed files with 47 additions and 57 deletions


@@ -1,34 +0,0 @@
name: autoupdate
on:
workflow_dispatch:
schedule:
- cron: '42 9 * * *'
jobs:
autoupdate:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install prerequisites
run: sudo apt-get update && sudo apt-get install -y --no-install-recommends iucode-tool sqlite3 unzip
- name: Update microcode versions
run: ./spectre-meltdown-checker.sh --update-builtin-fwdb
- name: Check git diff
id: diff
run: |
echo change="$(git diff spectre-meltdown-checker.sh | awk '/MCEDB/ { if(V) { print V" to "$4; exit } else { V=$4 } }')" >> "$GITHUB_OUTPUT"
echo nbdiff="$(git diff spectre-meltdown-checker.sh | grep -cE -- '^\+# [AI],')" >> "$GITHUB_OUTPUT"
git diff
cat "$GITHUB_OUTPUT"
- name: Create Pull Request if needed
if: steps.diff.outputs.nbdiff != '0'
uses: peter-evans/create-pull-request@v7
with:
token: ${{ secrets.SMC_PR_PAT }}
branch: autoupdate-fwdb
commit-message: "update: fwdb from ${{ steps.diff.outputs.change }}, ${{ steps.diff.outputs.nbdiff }} microcode changes"
title: "[Auto] Update fwdb from ${{ steps.diff.outputs.change }}"
body: |
Automated PR to update fwdb from ${{ steps.diff.outputs.change }}
Detected ${{ steps.diff.outputs.nbdiff }} microcode changes


@@ -1,30 +1,26 @@
name: CI name: dev-build
on: [push, pull_request] on:
push:
branches:
- dev
jobs: jobs:
build: dev-build:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v1 - uses: actions/checkout@v6
with:
persist-credentials: true
- name: install prerequisites - name: install prerequisites
run: sudo apt-get update && sudo apt-get install -y shellcheck jq sqlite3 iucode-tool run: sudo apt-get update && sudo apt-get install -y shellcheck shfmt jq sqlite3 iucode-tool make
- name: shellcheck - name: build and check
run: shellcheck -s sh spectre-meltdown-checker.sh run: make build fmt-check shellcheck
- name: check indentation
run: |
if [ $(grep -cPv "^\t*\S|^$" spectre-meltdown-checker.sh) != 0 ]; then
echo "Badly indented lines found:"
grep -nPv "^\t*\S|^$" spectre-meltdown-checker.sh
exit 1
else
echo "Indentation seems correct."
fi
- name: check direct execution - name: check direct execution
run: | run: |
expected=19 expected=$(cat .github/workflows/expected_cve_count)
nb=$(sudo ./spectre-meltdown-checker.sh --batch json | jq '.[]|.CVE' | wc -l) nb=$(sudo ./spectre-meltdown-checker.sh --batch json | jq '.[]|.CVE' | wc -l)
if [ "$nb" -ne "$expected" ]; then if [ "$nb" -ne "$expected" ]; then
echo "Invalid number of CVEs reported: $nb instead of $expected" echo "Invalid number of CVEs reported: $nb instead of $expected"
@@ -34,7 +30,7 @@ jobs:
fi fi
- name: check docker compose run execution - name: check docker compose run execution
run: | run: |
expected=19 expected=$(cat .github/workflows/expected_cve_count)
docker compose build docker compose build
nb=$(docker compose run --rm spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l) nb=$(docker compose run --rm spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
if [ "$nb" -ne "$expected" ]; then if [ "$nb" -ne "$expected" ]; then
@@ -45,7 +41,7 @@ jobs:
fi fi
- name: check docker run execution - name: check docker run execution
run: | run: |
expected=19 expected=$(cat .github/workflows/expected_cve_count)
docker build -t spectre-meltdown-checker . docker build -t spectre-meltdown-checker .
nb=$(docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l) nb=$(docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
if [ "$nb" -ne "$expected" ]; then if [ "$nb" -ne "$expected" ]; then
@@ -54,7 +50,7 @@ jobs:
else else
echo "OK $nb CVEs reported" echo "OK $nb CVEs reported"
fi fi
- name: check fwdb update - name: check fwdb update (separated)
run: | run: |
nbtmp1=$(find /tmp 2>/dev/null | wc -l) nbtmp1=$(find /tmp 2>/dev/null | wc -l)
./spectre-meltdown-checker.sh --update-fwdb; ret=$? ./spectre-meltdown-checker.sh --update-fwdb; ret=$?
@@ -71,3 +67,28 @@ jobs:
echo "No .mcedb file found after updating fwdb" echo "No .mcedb file found after updating fwdb"
exit 1 exit 1
fi fi
- name: check fwdb update (builtin)
run: |
nbtmp1=$(find /tmp 2>/dev/null | wc -l)
./spectre-meltdown-checker.sh --update-builtin-fwdb; ret=$?
if [ "$ret" != 0 ]; then
echo "Non-zero return value: $ret"
exit 1
fi
nbtmp2=$(find /tmp 2>/dev/null | wc -l)
if [ "$nbtmp1" != "$nbtmp2" ]; then
echo "Left temporary files!"
exit 1
fi
- name: push artifact to the dev-build branch
run: |
tmpdir=$(mktemp -d)
cp ./spectre-meltdown-checker.sh $tmpdir/
cp -va ./dist/* $tmpdir/
if ! git checkout -f dev-build; then
git checkout -B dev-build;
fi
mv $tmpdir/* .
git add *
git status
git branch
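Review bot: The `push artifact to the dev-build branch` step ends at `git status` / `git branch` with no `git commit` and no `git push`, so as committed nothing reaches the branch despite the step name and the `persist-credentials: true` added to the checkout; if that is deliberate scaffolding, say so in a comment on the step. When the push is added, declare the token scope explicitly at the top of the workflow (`permissions:` / `  contents: write`), since no `permissions` key appears in the hunk and the persisted credential is otherwise available to every later step at whatever default the repository grants. The `$tmpdir` expansions in the `cp`/`mv` lines are unquoted; `mktemp -d` paths are normally safe, but `"$tmpdir/"` costs nothing. `git checkout -f dev-build` falling back to `git checkout -B dev-build` presumably recreates the branch from the current `dev` HEAD on a shallow clone rather than continuing its history — confirm that is the intended semantics.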

1
.github/workflows/expected_cve_count vendored Normal file

@@ -0,0 +1 @@
19


@@ -9,13 +9,15 @@ SRC_FILES := $(shell find src -name '*.sh' -type f) build.sh
all: build shellcheck fmt-check all: build shellcheck fmt-check
build: build:
./build.sh $(OUTPUT) @./build.sh $(OUTPUT)
shellcheck: $(OUTPUT) shellcheck: $(OUTPUT)
shellcheck $(OUTPUT) @echo Running shellcheck...
@shellcheck $(OUTPUT)
fmt: fmt:
$(SHFMT) -w $(SHFMT_OPTS) $(SRC_FILES) $(SHFMT) -w $(SHFMT_OPTS) $(SRC_FILES)
fmt-check: fmt-check:
$(SHFMT) -d $(SHFMT_OPTS) $(SRC_FILES) @echo Checking formatting...
@$(SHFMT) -d $(SHFMT_OPTS) $(SRC_FILES)
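Review bot: The `@` prefix added to the `build`, `shellcheck` and `fmt-check` recipes hides the exact command line from the CI log, which is precisely what a reader needs when `make build fmt-check shellcheck` fails in the workflow; either drop the `@` on the tool invocations or include the arguments in the echo, e.g. `@echo "Running shellcheck on $(OUTPUT)..."`. Whether `all`, `build`, `fmt` and `fmt-check` are declared `.PHONY` is outside the hunk (the file starts above line 9); if they are not, a stray file named `build` or `fmt` in the tree would silently skip the target.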