feat: blacklist some more microcodes (fixes #475) #367
name: CI | |
on: [push, pull_request] | |
jobs: | |
build: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v1 | |
- name: install prerequisites | |
run: sudo apt-get update && sudo apt-get install -y shellcheck jq sqlite3 iucode-tool | |
- name: shellcheck | |
run: shellcheck -s sh spectre-meltdown-checker.sh | |
- name: check indentation | |
run: | | |
if [ $(grep -cPv "^\t*\S|^$" spectre-meltdown-checker.sh) != 0 ]; then | |
echo "Badly indented lines found:" | |
grep -nPv "^\t*\S|^$" spectre-meltdown-checker.sh | |
exit 1 | |
else | |
echo "Indentation seems correct." | |
fi | |
- name: check direct execution | |
run: | | |
expected=19 | |
nb=$(sudo ./spectre-meltdown-checker.sh --batch json | jq '.[]|.CVE' | wc -l) | |
if [ "$nb" -ne "$expected" ]; then | |
echo "Invalid number of CVEs reported: $nb instead of $expected" | |
exit 1 | |
else | |
echo "OK $nb CVEs reported" | |
fi | |
- name: check docker-compose run execution | |
run: | | |
expected=19 | |
docker-compose build | |
nb=$(docker-compose run --rm spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l) | |
if [ "$nb" -ne "$expected" ]; then | |
echo "Invalid number of CVEs reported: $nb instead of $expected" | |
exit 1 | |
else | |
echo "OK $nb CVEs reported" | |
fi | |
- name: check docker run execution | |
run: | | |
expected=19 | |
docker build -t spectre-meltdown-checker . | |
nb=$(docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l) | |
if [ "$nb" -ne "$expected" ]; then | |
echo "Invalid number of CVEs reported: $nb instead of $expected" | |
exit 1 | |
else | |
echo "OK $nb CVEs reported" | |
fi | |
- name: check fwdb update | |
run: | | |
nbtmp1=$(find /tmp 2>/dev/null | wc -l) | |
./spectre-meltdown-checker.sh --update-fwdb; ret=$? | |
if [ "$ret" != 0 ]; then | |
echo "Non-zero return value: $ret" | |
exit 1 | |
fi | |
nbtmp2=$(find /tmp 2>/dev/null | wc -l) | |
if [ "$nbtmp1" != "$nbtmp2" ]; then | |
echo "Left temporary files!" | |
exit 1 | |
fi | |
if ! [ -e ~/.mcedb ]; then | |
echo "No .mcedb file found after updating fwdb" | |
exit 1 | |
fi |
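Review bot: The expected CVE count is hard-coded as `expected=19` separately in the direct, docker-compose and docker steps, so the next time a CVE is added to the checker three lines have to change in lockstep and a missed one produces a confusing failure in only one of the three runs; hoist it to a job-level `env:` with `EXPECTED_CVES: 19` and have each step read `"$EXPECTED_CVES"`. In the indentation step the `[ $(grep -cPv ...) != 0 ]` test leaves the substitution unquoted, unlike the quoted `"$nb"` comparisons in the later steps — write it `[ "$(grep -cPv '^\t*\S|^$' spectre-meltdown-checker.sh)" != 0 ]` for consistency. The temp-file leak check compares `find /tmp | wc -l` before and after the update, which presumably counts entries created by unrelated processes on the runner as well and could flag a false leak; a narrower check (e.g. a dedicated `TMPDIR` created with `mktemp -d` and inspected afterwards) would be more robust. The `actions/checkout@v1` reference is a floating tag; pinning it to a commit SHA (or at least a current major) would make the workflow's supply chain reproducible.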