mirror of
https://github.com/openwrt/openwrt.git
synced 2025-01-03 12:34:19 +00:00
a7747e8670
Currently the check fails due to the following error: warning: Not a git repository. Use --no-index to compare two paths outside a working tree usage: git diff --no-index [<options>] <path> <path> Thats likely caused by commit1cb8cdbf07
("ci: use new buildbot worker images with Debian 11") which contains a patched Git version with CVE security fixes introduced in DLA-3239-2: Multiple issues were found in Git, a distributed revision control system. An attacker may cause other local users into executing arbitrary commands, leak information from the local filesystem, and bypass restricted shell. Note: Due to new security checks, access to repositories owned and accessed by different local users may now be rejected by Git; in case changing ownership is not practical, git displays a way to bypass these checks using the new "safe.directory" configuration entry. So lets opt-out of this new behavior by setting `safe.directory=*` and thus force Git to consider all Git repositories as safe regardless of their owner, since we need to trust those sources anyway and it should be likely more robust solution, then fiddling with filesystem permissions. Fixes:1cb8cdbf07
("ci: use new buildbot worker images with Debian 11") References: https://www.debian.org/lts/security/2022/dla-3239-2 Signed-off-by: Petr Štetiar <ynezz@true.cz>
163 lines
5.7 KiB
YAML
163 lines
5.7 KiB
YAML
name: Refresh kernel for target
|
|
|
|
on:
|
|
workflow_call:
|
|
inputs:
|
|
target:
|
|
required: true
|
|
type: string
|
|
testing:
|
|
type: boolean
|
|
use_openwrt_container:
|
|
type: boolean
|
|
default: true
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
setup_build:
|
|
name: Setup build
|
|
runs-on: ubuntu-latest
|
|
outputs:
|
|
owner_lc: ${{ steps.lower_owner.outputs.owner_lc }}
|
|
container_tag: ${{ steps.determine_tools_container.outputs.container_tag }}
|
|
|
|
steps:
|
|
- name: Set lower case owner name
|
|
id: lower_owner
|
|
run: |
|
|
OWNER_LC=$(echo "${{ github.repository_owner }}" \
|
|
| tr '[:upper:]' '[:lower:]')
|
|
|
|
if [ ${{ inputs.use_openwrt_container }} == "true" ]; then
|
|
OWNER_LC=openwrt
|
|
fi
|
|
|
|
echo "owner_lc=$OWNER_LC" >> $GITHUB_OUTPUT
|
|
|
|
# Per branch tools container tag
|
|
# By default stick to latest
|
|
# For official test targetting openwrt stable branch
|
|
# Get the branch or parse the tag and push dedicated tools containers
|
|
# For local test to use the correct container for stable release testing
|
|
# you need to use for the branch name a prefix of openwrt-[0-9][0-9].[0-9][0-9]-
|
|
- name: Determine tools container tag
|
|
id: determine_tools_container
|
|
run: |
|
|
CONTAINER_TAG=latest
|
|
if [ -n "${{ github.base_ref }}" ]; then
|
|
if echo "${{ github.base_ref }}" | grep -q -E '^openwrt-[0-9][0-9]\.[0-9][0-9]$'; then
|
|
CONTAINER_TAG="${{ github.base_ref }}"
|
|
fi
|
|
elif [ ${{ github.ref_type }} == "branch" ]; then
|
|
if echo "${{ github.ref_name }}" | grep -q -E '^openwrt-[0-9][0-9]\.[0-9][0-9]$'; then
|
|
CONTAINER_TAG=${{ github.ref_name }}
|
|
elif echo "${{ github.ref_name }}" | grep -q -E '^openwrt-[0-9][0-9]\.[0-9][0-9]-'; then
|
|
CONTAINER_TAG="$(echo ${{ github.ref_name }} | sed 's/^\(openwrt-[0-9][0-9]\.[0-9][0-9]\)-.*/\1/')"
|
|
fi
|
|
elif [ ${{ github.ref_type }} == "tag" ]; then
|
|
if echo "${{ github.ref_name }}" | grep -q -E '^v[0-9][0-9]\.[0-9][0-9]\..+'; then
|
|
CONTAINER_TAG=openwrt-"$(echo ${{ github.ref_name }} | sed 's/^v\([0-9][0-9]\.[0-9][0-9]\)\..\+/\1/')"
|
|
fi
|
|
fi
|
|
echo "Tools container to use tools:$CONTAINER_TAG"
|
|
echo "container_tag=$CONTAINER_TAG" >> $GITHUB_OUTPUT
|
|
|
|
check-patch:
|
|
name: Check Kernel patches
|
|
needs: setup_build
|
|
runs-on: ubuntu-latest
|
|
|
|
container: ghcr.io/${{ needs.setup_build.outputs.owner_lc }}/tools:${{ needs.setup_build.outputs.container_tag }}
|
|
|
|
permissions:
|
|
contents: read
|
|
packages: read
|
|
|
|
steps:
|
|
- name: Checkout master directory
|
|
uses: actions/checkout@v3
|
|
with:
|
|
path: openwrt
|
|
|
|
- name: Fix permission
|
|
run: |
|
|
chown -R buildbot:buildbot openwrt
|
|
|
|
- name: Opt-out from Git stricter repository ownership checks
|
|
run: |
|
|
git config --global --add safe.directory '*'
|
|
|
|
- name: Initialization environment
|
|
run: |
|
|
TARGET=$(echo ${{ inputs.target }} | cut -d "/" -f 1)
|
|
SUBTARGET=$(echo ${{ inputs.target }} | cut -d "/" -f 2)
|
|
echo "TARGET=$TARGET" >> "$GITHUB_ENV"
|
|
echo "SUBTARGET=$SUBTARGET" >> "$GITHUB_ENV"
|
|
|
|
- name: Prepare prebuilt tools
|
|
shell: su buildbot -c "sh -e {0}"
|
|
working-directory: openwrt
|
|
run: |
|
|
mkdir -p staging_dir build_dir
|
|
ln -sf /prebuilt_tools/staging_dir/host staging_dir/host
|
|
ln -sf /prebuilt_tools/build_dir/host build_dir/host
|
|
|
|
./scripts/ext-tools.sh --refresh
|
|
|
|
- name: Configure testing kernel
|
|
if: inputs.testing == true
|
|
shell: su buildbot -c "sh -e {0}"
|
|
working-directory: openwrt
|
|
run: |
|
|
echo CONFIG_TESTING_KERNEL=y >> .config
|
|
|
|
- name: Configure system
|
|
shell: su buildbot -c "sh -e {0}"
|
|
working-directory: openwrt
|
|
run: |
|
|
echo CONFIG_ALL_KMODS=y >> .config
|
|
echo CONFIG_DEVEL=y >> .config
|
|
echo CONFIG_AUTOREMOVE=y >> .config
|
|
echo CONFIG_CCACHE=y >> .config
|
|
|
|
echo "CONFIG_TARGET_${{ env.TARGET }}=y" >> .config
|
|
echo "CONFIG_TARGET_${{ env.TARGET }}_${{ env.SUBTARGET }}=y" >> .config
|
|
|
|
make defconfig
|
|
|
|
- name: Build tools
|
|
shell: su buildbot -c "sh -e {0}"
|
|
working-directory: openwrt
|
|
run: make tools/quilt/compile -j$(nproc) BUILD_LOG=1 || ret=$? .github/workflows/scripts/show_build_failures.sh
|
|
|
|
- name: Refresh Kernel patches
|
|
shell: su buildbot -c "sh -e {0}"
|
|
working-directory: openwrt
|
|
run: make target/linux/refresh V=s
|
|
|
|
- name: Validate Refreshed Kernel Patches
|
|
working-directory: openwrt
|
|
run: |
|
|
. .github/workflows/scripts/ci_helpers.sh
|
|
|
|
if git diff --name-only --exit-code; then
|
|
success "Kernel patches for ${{ env.TARGET }}/${{ env.SUBTARGET }} seems ok"
|
|
else
|
|
err "Kernel patches for ${{ env.TARGET }}/${{ env.SUBTARGET }} require refresh. (run 'make target/linux/refresh' and force push this pr)"
|
|
err "You can also check the provided artifacts with the refreshed patch from this CI run."
|
|
mkdir ${{ env.TARGET }}-${{ env.SUBTARGET }}-refreshed
|
|
for f in $(git diff --name-only); do
|
|
cp --parents $f ${{ env.TARGET }}-${{ env.SUBTARGET }}-refreshed/
|
|
done
|
|
exit 1
|
|
fi
|
|
|
|
- name: Upload Refreshed Patches
|
|
if: failure()
|
|
uses: actions/upload-artifact@v3
|
|
with:
|
|
name: ${{ env.TARGET }}-${{ env.SUBTARGET }}-refreshed
|
|
path: openwrt/${{ env.TARGET }}-${{ env.SUBTARGET }}-refreshed
|