chore: build: also add new files, handle github workflows

built from commit c799974038 dated 2026-04-02 18:47:00 +0200 by Stéphane Lesimple (speed47_github@speed47.net)
2026-04-03 13:47:08 +02:00 · 2026-04-02 16:48:13 +00:00
parent 33bdd0688d
commit f46c743cad
6 changed files with 149 additions and 75 deletions
--- a/.github/workflows/autoupdate.yml
+++ b/.github/workflows/autoupdate.yml
@@ -5,6 +5,9 @@ on:
  schedule:
    - cron: '42 9 * * *'
 permissions:
  pull-requests: write
 jobs:
  autoupdate:
    runs-on: ubuntu-latest
@@ -25,7 +28,6 @@ jobs:
        if: steps.diff.outputs.nbdiff != '0'
        uses: peter-evans/create-pull-request@v7
        with:
          token: ${{ secrets.SMC_PR_PAT }}
          branch: autoupdate-fwdb
          commit-message: "update: fwdb from ${{ steps.diff.outputs.change }}, ${{ steps.diff.outputs.nbdiff }} microcode changes"
          title: "[Auto] Update fwdb from ${{ steps.diff.outputs.change }}"
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -0,0 +1,111 @@
 name: build
 on:
  push:
    branches:
      - test
      - source
 jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v6
      with:
        persist-credentials: true
    - name: install prerequisites
      run: sudo apt-get update && sudo apt-get install -y shellcheck shfmt jq sqlite3 iucode-tool make
    - name: build and check
      run: |
        make build fmt-check shellcheck
        mv spectre-meltdown-checker.sh dist/
    - name: check direct execution
      run: |
        expected=$(cat .github/workflows/expected_cve_count)
        cd dist
        nb=$(sudo ./spectre-meltdown-checker.sh --batch json | jq '.[]|.CVE' | wc -l)
        if [ "$nb" -ne "$expected" ]; then
          echo "Invalid number of CVEs reported: $nb instead of $expected"
          exit 1
        else
          echo "OK $nb CVEs reported"
        fi
    - name: check docker compose run execution
      run: |
        expected=$(cat .github/workflows/expected_cve_count)
        cd dist
        docker compose build
        nb=$(docker compose run --rm spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
        if [ "$nb" -ne "$expected" ]; then
          echo "Invalid number of CVEs reported: $nb instead of $expected"
          exit 1
        else
          echo "OK $nb CVEs reported"
        fi
    - name: check docker run execution
      run: |
        expected=$(cat .github/workflows/expected_cve_count)
        cd dist
        docker build -t spectre-meltdown-checker .
        nb=$(docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
        if [ "$nb" -ne "$expected" ]; then
          echo "Invalid number of CVEs reported: $nb instead of $expected"
          exit 1
        else
          echo "OK $nb CVEs reported"
        fi
    - name: check fwdb update (separated)
      run: |
        cd dist
        nbtmp1=$(find /tmp 2>/dev/null | wc -l)
        ./spectre-meltdown-checker.sh --update-fwdb; ret=$?
        if [ "$ret" != 0 ]; then
          echo "Non-zero return value: $ret"
          exit 1
        fi
        nbtmp2=$(find /tmp 2>/dev/null | wc -l)
        if [ "$nbtmp1" != "$nbtmp2" ]; then
          echo "Left temporary files!"
          exit 1
        fi
        if ! [ -e ~/.mcedb ]; then
          echo "No .mcedb file found after updating fwdb"
          exit 1
        fi
    - name: check fwdb update (builtin)
      run: |
        cd dist
        nbtmp1=$(find /tmp 2>/dev/null | wc -l)
        ./spectre-meltdown-checker.sh --update-builtin-fwdb; ret=$?
        if [ "$ret" != 0 ]; then
          echo "Non-zero return value: $ret"
          exit 1
        fi
        nbtmp2=$(find /tmp 2>/dev/null | wc -l)
        if [ "$nbtmp1" != "$nbtmp2" ]; then
          echo "Left temporary files!"
          exit 1
        fi
    - name: create a pull request to ${{ github.ref_name }}-build
      run: |
        tmpdir=$(mktemp -d)
        mv ./dist/* .github $tmpdir/
        rm -rf ./dist
        git fetch origin ${{ github.ref_name }}-build
        git checkout -f ${{ github.ref_name }}-build
        mv $tmpdir/* .
        mkdir -p .github
        rsync -vaP --delete $tmpdir/.github/ .github/
        git add --all
        echo =#=#= DIFF CACHED
        git diff --cached
        echo =#=#= STATUS
        git status
        echo =#=#= COMMIT
        git config --global user.name "github-actions[bot]"
        git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
        git log ${{ github.ref }} -1 --format=format:'%s%n%n built from commit %H%n dated %ai%n by %an (%ae)%n%n %b'
        git log ${{ github.ref }} -1 --format=format:'%s%n%n built from commit %H%n dated %ai%n by %an (%ae)%n%n %b' | git commit -F -
        git push
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -1,73 +0,0 @@
 name: CI
 on: [push, pull_request]
 jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v1
    - name: install prerequisites
      run: sudo apt-get update && sudo apt-get install -y shellcheck jq sqlite3 iucode-tool
    - name: shellcheck
      run: shellcheck -s sh spectre-meltdown-checker.sh
    - name: check indentation
      run: |
        if [ $(grep -cPv "^\t*\S|^$" spectre-meltdown-checker.sh) != 0 ]; then
          echo "Badly indented lines found:"
          grep -nPv "^\t*\S|^$" spectre-meltdown-checker.sh
          exit 1
        else
          echo "Indentation seems correct."
        fi
    - name: check direct execution
      run: |
        expected=19
        nb=$(sudo ./spectre-meltdown-checker.sh --batch json | jq '.[]|.CVE' | wc -l)
        if [ "$nb" -ne "$expected" ]; then
          echo "Invalid number of CVEs reported: $nb instead of $expected"
          exit 1
        else
          echo "OK $nb CVEs reported"
        fi
    - name: check docker compose run execution
      run: |
        expected=19
        docker compose build
        nb=$(docker compose run --rm spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
        if [ "$nb" -ne "$expected" ]; then
          echo "Invalid number of CVEs reported: $nb instead of $expected"
          exit 1
        else
          echo "OK $nb CVEs reported"
        fi
    - name: check docker run execution
      run: |
        expected=19
        docker build -t spectre-meltdown-checker .
        nb=$(docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
        if [ "$nb" -ne "$expected" ]; then
          echo "Invalid number of CVEs reported: $nb instead of $expected"
          exit 1
        else
          echo "OK $nb CVEs reported"
        fi
    - name: check fwdb update
      run: |
        nbtmp1=$(find /tmp 2>/dev/null | wc -l)
        ./spectre-meltdown-checker.sh --update-fwdb; ret=$?
        if [ "$ret" != 0 ]; then
          echo "Non-zero return value: $ret"
          exit 1
        fi
        nbtmp2=$(find /tmp 2>/dev/null | wc -l)
        if [ "$nbtmp1" != "$nbtmp2" ]; then
          echo "Left temporary files!"
          exit 1
        fi
        if ! [ -e ~/.mcedb ]; then
          echo "No .mcedb file found after updating fwdb"
          exit 1
        fi
--- a/.github/workflows/expected_cve_count
+++ b/.github/workflows/expected_cve_count
@@ -0,0 +1 @@
 21
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -0,0 +1,33 @@
 name: 'Manage stale issues and PRs'
 on:
  schedule:
    - cron: '37 7 * * *'
  workflow_dispatch:
    inputs:
      action:
        description: "dry-run"
        required: true
        default: "dryrun"
        type: choice
        options:
          - dryrun
          - apply
 permissions:
  issues: write
  pull-requests: write
 jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/stale@v10
        with:
          any-of-labels: 'needs-more-info,answered'
          labels-to-remove-when-unstale: 'needs-more-info,answered'
          days-before-stale: 30
          days-before-close: 7
          stale-issue-label: stale
          remove-stale-when-updated: true
          debug-only: ${{ case(inputs.action == 'apply', false, true) }}
--- a/spectre-meltdown-checker.sh
+++ b/spectre-meltdown-checker.sh
@@ -13,7 +13,7 @@
 #
 # Stephane Lesimple
 #
-VERSION='26.21.0402693'
+VERSION='26.21.0402699'
 # --- Common paths and basedirs ---
 readonly VULN_SYSFS_BASE="/sys/devices/system/cpu/vulnerabilities"