chore: readme: add a second table one about impact/mitigation #5
| name: test-build | |
| on: | |
| push: | |
| branches: | |
| - test | |
| jobs: | |
| test-build: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v6 | |
| with: | |
| persist-credentials: true | |
| - name: install prerequisites | |
| run: sudo apt-get update && sudo apt-get install -y shellcheck shfmt jq sqlite3 iucode-tool make | |
| - name: build and check | |
| run: | | |
| make build fmt-check shellcheck | |
| mv spectre-meltdown-checker.sh dist/ | |
| - name: check direct execution | |
| run: | | |
| expected=$(cat .github/workflows/expected_cve_count) | |
| cd dist | |
| nb=$(sudo ./spectre-meltdown-checker.sh --batch json | jq '.[]|.CVE' | wc -l) | |
| if [ "$nb" -ne "$expected" ]; then | |
| echo "Invalid number of CVEs reported: $nb instead of $expected" | |
| exit 1 | |
| else | |
| echo "OK $nb CVEs reported" | |
| fi | |
| - name: check docker compose run execution | |
| run: | | |
| expected=$(cat .github/workflows/expected_cve_count) | |
| cd dist | |
| docker compose build | |
| nb=$(docker compose run --rm spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l) | |
| if [ "$nb" -ne "$expected" ]; then | |
| echo "Invalid number of CVEs reported: $nb instead of $expected" | |
| exit 1 | |
| else | |
| echo "OK $nb CVEs reported" | |
| fi | |
| - name: check docker run execution | |
| run: | | |
| expected=$(cat .github/workflows/expected_cve_count) | |
| cd dist | |
| docker build -t spectre-meltdown-checker . | |
| nb=$(docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l) | |
| if [ "$nb" -ne "$expected" ]; then | |
| echo "Invalid number of CVEs reported: $nb instead of $expected" | |
| exit 1 | |
| else | |
| echo "OK $nb CVEs reported" | |
| fi | |
| - name: check fwdb update (separated) | |
| run: | | |
| cd dist | |
| nbtmp1=$(find /tmp 2>/dev/null | wc -l) | |
| ./spectre-meltdown-checker.sh --update-fwdb; ret=$? | |
| if [ "$ret" != 0 ]; then | |
| echo "Non-zero return value: $ret" | |
| exit 1 | |
| fi | |
| nbtmp2=$(find /tmp 2>/dev/null | wc -l) | |
| if [ "$nbtmp1" != "$nbtmp2" ]; then | |
| echo "Left temporary files!" | |
| exit 1 | |
| fi | |
| if ! [ -e ~/.mcedb ]; then | |
| echo "No .mcedb file found after updating fwdb" | |
| exit 1 | |
| fi | |
| - name: check fwdb update (builtin) | |
| run: | | |
| cd dist | |
| nbtmp1=$(find /tmp 2>/dev/null | wc -l) | |
| ./spectre-meltdown-checker.sh --update-builtin-fwdb; ret=$? | |
| if [ "$ret" != 0 ]; then | |
| echo "Non-zero return value: $ret" | |
| exit 1 | |
| fi | |
| nbtmp2=$(find /tmp 2>/dev/null | wc -l) | |
| if [ "$nbtmp1" != "$nbtmp2" ]; then | |
| echo "Left temporary files!" | |
| exit 1 | |
| fi | |
| - name: push artifact to the test-build branch | |
| run: | | |
| tmpdir=$(mktemp -d) | |
| mv ./dist/* $tmpdir/ | |
| rm -rf ./dist | |
| git fetch origin test-build | |
| git checkout -f test-build | |
| mv $tmpdir/* . | |
| git add * | |
| echo =#=#= DIFF CACHED | |
| git diff --cached | |
| echo =#=#= STATUS | |
| git status | |
| echo =#=#= COMMIT | |
| git config --global user.name "github-actions[bot]" | |
| git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com" | |
| git log ${{ github.ref }} -1 --format=format:'%s%n%n built from commit %H%n dated %ai%n by %an (%ae)%n%n %b' | |
| git log ${{ github.ref }} -1 --format=format:'%s%n%n built from commit %H%n dated %ai%n by %an (%ae)%n%n %b' | git commit -F - | |
| git push |
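Review bot: No `permissions:` block is declared anywhere in lines 4–12, so the token that `persist-credentials: true` (line 15) keeps in the checkout and that the closing `git push` relies on carries the repository's default scope: if that default is read-only the push step fails, and if it is write-all then every step of the job, not only the final one, holds a write-capable token. Pinning the scope at workflow level, `permissions:` followed by `  contents: write`, makes the push independent of the repository setting and gives the build and test steps nothing beyond what the push needs. In the same step, `mv ./dist/* $tmpdir/` and `mv $tmpdir/* .` leave `$tmpdir` unquoted (ShellCheck SC2086, the very class of warning the `shellcheck` target earlier in this workflow enforces on the script), and `git add *` does not stage dotfiles, so a hidden file placed in dist/ would silently be left out of the artifact commit. No file header is visible for this section, so I am assuming line 4 is the top of the workflow file.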