Merge pull request #566 from speed47/test

built from commit 3e2b6cc734 dated 2026-04-20 11:02:38 +0000 by Stéphane Lesimple (speed47_github@speed47.net) Prepare release v26.33.0420xxx
2026-04-27 11:03:20 +02:00 · 2026-04-20 11:04:05 +00:00
parent 73b67b4a80
commit fe0d3f49f4
12 changed files with 5714 additions and 1170 deletions
--- a/.github/workflows/autoupdate.yml
+++ b/.github/workflows/autoupdate.yml
@@ -1,36 +0,0 @@
-name: autoupdate
-
-on:
-  workflow_dispatch:
-  schedule:
-    - cron: '42 9 * * *'
-
-permissions:
-  pull-requests: write
-
-jobs:
-  autoupdate:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - name: Install prerequisites
-        run: sudo apt-get update && sudo apt-get install -y --no-install-recommends iucode-tool sqlite3 unzip
-      - name: Update microcode versions
-        run: ./spectre-meltdown-checker.sh --update-builtin-fwdb
-      - name: Check git diff
-        id: diff
-        run: |
-          echo change="$(git diff spectre-meltdown-checker.sh | awk '/MCEDB/ { if(V) { print V" to "$4; exit } else { V=$4 } }')" >> "$GITHUB_OUTPUT"
-          echo nbdiff="$(git diff spectre-meltdown-checker.sh | grep -cE -- '^\+# [AI],')" >> "$GITHUB_OUTPUT"
-          git diff
-          cat "$GITHUB_OUTPUT"
-      - name: Create Pull Request if needed
-        if: steps.diff.outputs.nbdiff != '0'
-        uses: peter-evans/create-pull-request@v7
-        with:
-          branch: autoupdate-fwdb
-          commit-message: "update: fwdb from ${{ steps.diff.outputs.change }}, ${{ steps.diff.outputs.nbdiff }} microcode changes"
-          title: "[Auto] Update fwdb from ${{ steps.diff.outputs.change }}"
-          body: |
-            Automated PR to update fwdb from ${{ steps.diff.outputs.change }}
-            Detected ${{ steps.diff.outputs.nbdiff }} microcode changes
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -25,21 +25,81 @@ jobs:
        mv spectre-meltdown-checker.sh dist/
    - name: check direct execution
      run: |
+        set -x
        expected=$(cat .github/workflows/expected_cve_count)
        cd dist
-        nb=$(sudo ./spectre-meltdown-checker.sh --batch json | jq '.[]|.CVE' | wc -l)
+
+        json=$(sudo ./spectre-meltdown-checker.sh --batch json || true)
+
+        # Validate JSON is well-formed (and show it if not)
+        echo "$json" | jq . >/dev/null || {
+          echo "Invalid JSON produced by spectre-meltdown-checker.sh"
+          echo "$json"
+          exit 1
+        }
+
+        # Validate required keys exist
+        for key in meta system cpu cpu_microcode vulnerabilities; do
+          echo "$json" | jq -e ".$key" >/dev/null || {
+            echo "Missing top-level key: $key"
+            echo "$json" | jq .
+            exit 1
+          }
+        done
+
+        # Use -r to get raw scalars (no quotes)
+        fmtver=$(echo "$json" | jq -r '.meta.format_version // empty')
+        if [ "$fmtver" != "1" ]; then
+          echo "Unexpected format_version: $fmtver"
+          echo "$json" | jq .
+          exit 1
+        fi
+
+        run_as_root=$(echo "$json" | jq -r '.meta.run_as_root // empty')
+        if [ "$run_as_root" != "true" ]; then
+          echo "Expected run_as_root=true, got: $run_as_root"
+          echo "$json" | jq .
+          exit 1
+        fi
+
+        mocked=$(echo "$json" | jq -r '.meta.mocked // "false"')
+        if [ "$mocked" = "true" ]; then
+          echo "mocked=true must never appear in production"
+          echo "$json" | jq .
+          exit 1
+        fi
+
+        # Count CVEs robustly (as a number)
+        nb=$(echo "$json" | jq -r '[.vulnerabilities[].cve] | length')
        if [ "$nb" -ne "$expected" ]; then
          echo "Invalid number of CVEs reported: $nb instead of $expected"
+          echo "$json" | jq '.vulnerabilities[].cve'
          exit 1
        else
          echo "OK $nb CVEs reported"
        fi
+
+        # Validate json-terse backward compatibility
+        nb_terse=$(sudo ./spectre-meltdown-checker.sh --batch json-terse | jq -r 'map(.CVE) | length')
+        if [ "$nb_terse" -ne "$expected" ]; then
+          echo "json-terse backward compat broken: $nb_terse CVEs instead of $expected"
+          exit 1
+        else
+          echo "OK json-terse backward compat: $nb_terse CVEs"
+        fi
    - name: check docker compose run execution
      run: |
        expected=$(cat .github/workflows/expected_cve_count)
        cd dist
        docker compose build
-        nb=$(docker compose run --rm spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
+        json=$(docker compose run --rm spectre-meltdown-checker --batch json || true)
+        echo "$json" | jq . > /dev/null
+        fmtver=$(echo "$json" | jq '.meta.format_version')
+        if [ "$fmtver" != "1" ]; then
+          echo "Unexpected format_version: $fmtver"
+          exit 1
+        fi
+        nb=$(echo "$json" | jq '.vulnerabilities[].cve' | wc -l)
        if [ "$nb" -ne "$expected" ]; then
          echo "Invalid number of CVEs reported: $nb instead of $expected"
          exit 1
@@ -51,7 +111,14 @@ jobs:
        expected=$(cat .github/workflows/expected_cve_count)
        cd dist
        docker build -t spectre-meltdown-checker .
-        nb=$(docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
+        json=$(docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker --batch json || true)
+        echo "$json" | jq . > /dev/null
+        fmtver=$(echo "$json" | jq '.meta.format_version')
+        if [ "$fmtver" != "1" ]; then
+          echo "Unexpected format_version: $fmtver"
+          exit 1
+        fi
+        nb=$(echo "$json" | jq '.vulnerabilities[].cve' | wc -l)
        if [ "$nb" -ne "$expected" ]; then
          echo "Invalid number of CVEs reported: $nb instead of $expected"
          exit 1
@@ -92,15 +159,19 @@ jobs:
        fi
    - name: create a pull request to ${{ github.ref_name }}-build
      run: |
+        # all the files in dist/* and .github/* must be moved as is to the -build branch root, move them out for now:
        tmpdir=$(mktemp -d)
        mv ./dist/* .github $tmpdir/
        rm -rf ./dist
+
        git fetch origin ${{ github.ref_name }}-build
        git checkout -f ${{ github.ref_name }}-build
+        rm -rf doc/
        mv $tmpdir/* .
-        rm -rf src/
+        rm -rf src/ scripts/ img/
        mkdir -p .github
        rsync -vaP --delete $tmpdir/.github/ .github/
+
        git add --all
        echo =#=#= DIFF CACHED
        git diff --cached
--- a/.github/workflows/expected_cve_count
+++ b/.github/workflows/expected_cve_count
@@ -1 +1 @@
-26
+32
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -1,33 +0,0 @@
-name: 'Manage stale issues and PRs'
-
-on:
-  schedule:
-    - cron: '37 7 * * *'
-  workflow_dispatch:
-    inputs:
-      action:
-        description: "dry-run"
-        required: true
-        default: "dryrun"
-        type: choice
-        options:
-          - dryrun
-          - apply
-
-permissions:
-  issues: write
-  pull-requests: write
-
-jobs:
-  stale:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/stale@v10
-        with:
-          any-of-labels: 'needs-more-info,answered'
-          labels-to-remove-when-unstale: 'needs-more-info,answered'
-          days-before-stale: 30
-          days-before-close: 7
-          stale-issue-label: stale
-          remove-stale-when-updated: true
-          debug-only: ${{ case(inputs.action == 'dryrun', true, false) }}