Commit Graph

9 Commits

Author SHA1 Message Date
Christian Marangi
bf82648bf7 CI: check-kernel-patches: use buildbot user on git diff check
Use buildbot user on git diff check instead of using git config
safe directory.

This should accomplish the same result but should be a better approach
following safe practice enforced by git.

Fixes: a7747e8670 ("ci: fix check kernel patches job")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 6c80a578a4)
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2023-05-24 19:26:02 +01:00
Petr Štetiar
a7747e8670 ci: fix check kernel patches job
Currently the check fails due to the following error:

 warning: Not a git repository. Use --no-index to compare two paths outside a working tree
 usage: git diff --no-index [<options>] <path> <path>

Thats likely caused by commit 1cb8cdbf07 ("ci: use new buildbot worker
images with Debian 11") which contains a patched Git version with CVE
security fixes introduced in DLA-3239-2:

 Multiple issues were found in Git, a distributed revision control
 system. An attacker may cause other local users into executing arbitrary
 commands, leak information from the local filesystem, and bypass
 restricted shell.

 Note: Due to new security checks, access to repositories owned and
 accessed by different local users may now be rejected by Git; in case
 changing ownership is not practical, git displays a way to bypass these
 checks using the new "safe.directory" configuration entry.

So lets opt-out of this new behavior by setting `safe.directory=*` and
thus force Git to consider all Git repositories as safe regardless of
their owner, since we need to trust those sources anyway and it should
be likely more robust solution, then fiddling with filesystem
permissions.

Fixes: 1cb8cdbf07 ("ci: use new buildbot worker images with Debian 11")
References: https://www.debian.org/lts/security/2022/dla-3239-2
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2023-05-18 08:19:17 +02:00
Christian Marangi
7643d95bb3
CI: check-kernel-patches: upload proposed refreshed patches
Upload proposed refreshed patches if the check fails.
This should help devs refresh the patches if they don't have access to a
buildroot.

Devs should ALWAYS refresh the patches before submitting and merging
commits.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2023-04-22 17:19:18 +02:00
Christian Marangi
6f89a0ca20
CI: use openwrt official tools container by default
Use openwrt official tools container by default.
Fork will use openwrt tools container by default.

This can be disabled by setting the option use_openwrt_container to
false for the build.yml and check-kernel-patches.yml.

The push-containers workflow is disabled on forks. The workflow can be
reenabled by commenting the condition in push-containers.yml.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2023-01-31 16:36:57 +01:00
Christian Marangi
d40f59825a
CI: tools: directly copy prebuilt tools in container
Directly copy prebuilt tools in container instead of creating an
archieve and extracting it later in other workflows.

Update build workflow to support this new implementation.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2023-01-23 19:18:06 +01:00
Christian Marangi
65c3d19c4b
CI: fix matching for openwrt release branch for container selection
The current match logic doesn't handle test for push events related to
stable release (example openwrt-22.03) but only fork with the related
prefix (example openwrt-22.03-fixup)

Fix wrong matching and while at it also add extra checks to other
matching (check if the branch name actually start with the requested
prefix)

Fixes: abe8a48242 ("CI: build: add support for per branch tools container")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2022-12-04 20:37:58 +01:00
Christian Marangi
abe8a48242
CI: build: add support for per branch tools container
Add support in build shared workflow for per branch tools container.

With pr the target branch is parsed and the right container is used.

To use the stable container for local testing the branch needs to have
the prefix openwrt-[0-9][0-9].[0-9][0-9]- (example openwrt-21.02-fixup)

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2022-12-04 16:03:23 +01:00
Hauke Mehrtens
cf361b8509 CI: Build all boards and testing kernel
This adds options to build all boards of a selected target and an
additional option to build the testing kernel instead of the normal
kernel. This can be used by other trigger work flows.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-12-03 03:10:10 +01:00
Hauke Mehrtens
7c406a5f08 CI: Extract the OpenWrt building to own sub workflow
Extract the building of OpenWrt into an own workflow which is then
triggered by the kernel.yml and packages.yml workflow with different
inputs. This allows us to share much of the code of the workflow.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-12-03 03:10:03 +01:00