[AUTOPATCHER-kernel] Kernel CVE - branch 3.0-dev - CVE-2024-43835 CVE-2024-36910 CVE-2024-36972 CVE-2023-52601 CVE-2024-26875 CVE-2024-41071 #5291
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Copyright (c) Microsoft Corporation. | |
# Licensed under the MIT License. | |
name: Source Signature Check | |
on: | |
push: | |
branches: [3.0*] | |
pull_request: | |
branches: [3.0*] | |
jobs: | |
spec-check: | |
name: Source Signature Check | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
specs-dir: [SPECS, SPECS-EXTENDED] | |
steps: | |
# Checkout the branch of our repo that triggered this action | |
- name: Workflow trigger checkout | |
uses: actions/checkout@v4 | |
# For consistency, we use the same major/minor version of Python that Azure Linux ships | |
- name: Setup Python 3.12 | |
uses: actions/setup-python@v5 | |
with: | |
python-version: 3.12 | |
- name: Get Python dependencies | |
run: python3 -m pip install -r toolkit/scripts/requirements.txt | |
- name: Get base commit for PRs | |
if: ${{ github.event_name == 'pull_request' }} | |
run: | | |
git fetch origin ${{ github.base_ref }} | |
echo "base_sha=$(git rev-parse origin/${{ github.base_ref }})" >> $GITHUB_ENV | |
echo "Merging ${{ github.sha }} into ${{ github.base_ref }}" | |
- name: Get base commit for Pushes | |
if: ${{ github.event_name == 'push' }} | |
run: | | |
git fetch origin ${{ github.event.before }} | |
echo "base_sha=${{ github.event.before }}" >> $GITHUB_ENV | |
echo "Merging ${{ github.sha }} into ${{ github.event.before }}" | |
- name: Get changed packages | |
run: | | |
# Find the packages that have been modified in the current PR. They will be of the form '/path/to/SPECS/<pkgname>/**/.*', and we want to extract | |
# the package's directory name (ie the folder inside ./SPECS). | |
changed_pkg_dirs=$(git diff-tree --diff-filter=d --no-commit-id --name-only -r ${{ env.base_sha }} ${{ github.sha }} | { grep -oP "(?<=^${{ matrix.specs-dir }}/)([^/]+)" || [[ $? -eq 1 ]]; } | sort -u | xargs) | |
echo "Folders with modified files in this PR:" | |
echo "${{ matrix.specs-dir }}/*: '${changed_pkg_dirs}'" | |
# For each package directory, get the names of all .spec files contained and add them to the list of SRPMS to repack. | |
# We need to filter since some directories may not contain .spec files we can rebuild, or the naming may not be 1:1. | |
changed_pkgs="" | |
for pkg in $changed_pkg_dirs; do | |
changed_pkgs="$changed_pkgs $(find ${{ matrix.specs-dir }}/$pkg -name '*.spec' -exec basename {} .spec \; | xargs)" | |
done | |
echo "Packages modified in this PR:" | |
echo "${{ matrix.specs-dir }}: '${changed_pkgs}'" | |
echo "changed_pkgs=${changed_pkgs}" >> $GITHUB_ENV | |
- name: Prepare the build environment | |
run: | | |
if [ -z "${{ env.changed_pkgs }}" ] && [ -z "${{ env.changed_pkgs_extended }}" ]; then | |
echo "No package changes detected." | |
exit 0 | |
fi | |
echo "Checking for invalid signatures..." | |
# Call this script to sync the toolchain manifests with the LKG daily build. | |
./toolkit/scripts/setuplkgtoolchain.sh | |
# Determine the LKG daily build ID. | |
LKG_BUILD_ID=$(wget -qO - https://mariner3dailydevrepo.blob.core.windows.net/lkg/lkg-3.0-dev.json | jq -r ".dailybuildid" | tr '\.' '-') | |
echo "LKG_BUILD_ID=${LKG_BUILD_ID}" >> $GITHUB_ENV | |
sudo make -C toolkit -j$(nproc) chroot-tools REBUILD_TOOLS=y DAILY_BUILD_ID=${LKG_BUILD_ID} | |
- name: Check for invalid source signatures | |
run: | | |
if [ -z "${{ env.changed_pkgs }}" ]; then | |
echo "No package changes detected in '${{ matrix.specs-dir }}''." | |
exit 0 | |
fi | |
set -x | |
if ! sudo make -C toolkit -j$(nproc) input-srpms REBUILD_TOOLS=y DAILY_BUILD_ID=${{ env.LKG_BUILD_ID }} SRPM_PACK_LIST="${{ env.changed_pkgs }}" SPECS_DIR=../${{ matrix.specs-dir }}; then | |
set +x | |
printf "\n\n******************************\n" | |
echo "Failed to check the signatures of the modified packages." | |
echo "Check the logs above for details on the mismatches files and their expected hashes." | |
echo "Consider running: sudo make -C toolkit input-srpms REBUILD_TOOLS=y SRPM_PACK_LIST='${{ env.changed_pkgs }}' SPECS_DIR=../${{ matrix.specs-dir }}" | |
printf "******************************\n\n" | |
exit 1 | |
else | |
echo "All modified packages have valid source signatures." | |
fi |