spectre-meltdown-checker/.github/workflows/build.yml

name: build

on:
  push:
    branches:
      - test
      - source

jobs:
  build:

    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v6
      with:
        persist-credentials: true
    - name: install prerequisites
      run: sudo apt-get update && sudo apt-get install -y shellcheck shfmt jq sqlite3 iucode-tool make
    - name: update Intel model list
      run: ./scripts/update_intel_models.sh
    - name: build and check
      run: |
        make build fmt-check shellcheck
        mv spectre-meltdown-checker.sh dist/
    - name: check direct execution
      run: |
        expected=$(cat .github/workflows/expected_cve_count)
        cd dist
        nb=$(sudo ./spectre-meltdown-checker.sh --batch json | jq '.[]|.CVE' | wc -l)
        if [ "$nb" -ne "$expected" ]; then
          echo "Invalid number of CVEs reported: $nb instead of $expected"
          exit 1
        else
          echo "OK $nb CVEs reported"
        fi
    - name: check docker compose run execution
      run: |
        expected=$(cat .github/workflows/expected_cve_count)
        cd dist
        docker compose build
        nb=$(docker compose run --rm spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
        if [ "$nb" -ne "$expected" ]; then
          echo "Invalid number of CVEs reported: $nb instead of $expected"
          exit 1
        else
          echo "OK $nb CVEs reported"
        fi
    - name: check docker run execution
      run: |
        expected=$(cat .github/workflows/expected_cve_count)
        cd dist
        docker build -t spectre-meltdown-checker .
        nb=$(docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
        if [ "$nb" -ne "$expected" ]; then
          echo "Invalid number of CVEs reported: $nb instead of $expected"
          exit 1
        else
          echo "OK $nb CVEs reported"
        fi
    - name: check fwdb update (separated)
      run: |
        cd dist
        nbtmp1=$(find /tmp 2>/dev/null | wc -l)
        ./spectre-meltdown-checker.sh --update-fwdb; ret=$?
        if [ "$ret" != 0 ]; then
          echo "Non-zero return value: $ret"
          exit 1
        fi
        nbtmp2=$(find /tmp 2>/dev/null | wc -l)
        if [ "$nbtmp1" != "$nbtmp2" ]; then
          echo "Left temporary files!"
          exit 1
        fi
        if ! [ -e ~/.mcedb ]; then
          echo "No .mcedb file found after updating fwdb"
          exit 1
        fi
    - name: check fwdb update (builtin)
      run: |
        cd dist
        nbtmp1=$(find /tmp 2>/dev/null | wc -l)
        ./spectre-meltdown-checker.sh --update-builtin-fwdb; ret=$?
        if [ "$ret" != 0 ]; then
          echo "Non-zero return value: $ret"
          exit 1
        fi
        nbtmp2=$(find /tmp 2>/dev/null | wc -l)
        if [ "$nbtmp1" != "$nbtmp2" ]; then
          echo "Left temporary files!"
          exit 1
        fi
    - name: create a pull request to ${{ github.ref_name }}-build
      run: |
        tmpdir=$(mktemp -d)
        mv ./dist/* .github $tmpdir/
        rm -rf ./dist
        git fetch origin ${{ github.ref_name }}-build
        git checkout -f ${{ github.ref_name }}-build
        mv $tmpdir/* .
        rm -rf src/
        mkdir -p .github
        rsync -vaP --delete $tmpdir/.github/ .github/
        git add --all
        echo =#=#= DIFF CACHED
        git diff --cached
        echo =#=#= STATUS
        git status
        echo =#=#= COMMIT
        git config --global user.name "github-actions[bot]"
        git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
        git log ${{ github.ref }} -1 --format=format:'%s%n%n built from commit %H%n dated %ai%n by %an (%ae)%n%n %b'
        git log ${{ github.ref }} -1 --format=format:'%s%n%n built from commit %H%n dated %ai%n by %an (%ae)%n%n %b' | git commit -F -
        git push