[AUTOPATCHER-kernel] Kernel CVE - branch 3.0-dev - CVE-2024-49914 CVE-2024-50067 CVE-2024-43904 CVE-2024-49906 CVE-2024-49909 CVE-2024-43835 CVE-2024-49974 CVE-2024-49891 CVE-2024-49917 CVE-2024-50027 CVE-2024-43913 CVE-2024-49897 CVE-2024-49934 CVE-2024-49915 CVE-2024-44955 CVE-2024-49926 CVE-2024-36910 CVE-2024-42252 CVE-2024-41071 CVE-2024-41080 CVE-2024-53085 CVE-2024-50221 CVE-2024-43911 CVE-2024-44950 CVE-2024-26875 CVE-2024-40965 CVE-2024-49899 CVE-2024-27011 CVE-2024-50010 CVE-2023-52920 CVE-2024-49911 CVE-2024-49898 CVE-2023-52601 CVE-2024-42156 CVE-2024-43857 CVE-2024-46841 CVE-2024-42122 CVE-2024-36972 CVE-2024-44963 #5795
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Copyright (c) Microsoft Corporation. | |
# Licensed under the MIT License. | |
name: Source Signature Check | |
on: | |
push: | |
branches: [3.0*] | |
pull_request: | |
branches: [3.0*] | |
jobs: | |
spec-check: | |
name: Source Signature Check | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
specs-dir: [SPECS, SPECS-EXTENDED] | |
steps: | |
# Checkout the branch of our repo that triggered this action | |
- name: Workflow trigger checkout | |
uses: actions/checkout@v4 | |
# For consistency, we use the same major/minor version of Python that Azure Linux ships | |
- name: Setup Python 3.12 | |
uses: actions/setup-python@v5 | |
with: | |
python-version: 3.12 | |
- name: Get Python dependencies | |
run: python3 -m pip install -r toolkit/scripts/requirements.txt | |
- name: Get base commit for PRs | |
if: ${{ github.event_name == 'pull_request' }} | |
run: | | |
git fetch origin ${{ github.base_ref }} | |
echo "base_sha=$(git rev-parse origin/${{ github.base_ref }})" >> $GITHUB_ENV | |
echo "Merging ${{ github.sha }} into ${{ github.base_ref }}" | |
- name: Get base commit for Pushes | |
if: ${{ github.event_name == 'push' }} | |
run: | | |
git fetch origin ${{ github.event.before }} | |
echo "base_sha=${{ github.event.before }}" >> $GITHUB_ENV | |
echo "Merging ${{ github.sha }} into ${{ github.event.before }}" | |
- name: Get changed packages | |
run: | | |
# Find the packages that have been modified in the current PR. They will be of the form '/path/to/SPECS/<pkgname>/**/.*', and we want to extract | |
# the package's directory name (ie the folder inside ./SPECS). | |
changed_pkg_dirs=$(git diff-tree --diff-filter=d --no-commit-id --name-only -r ${{ env.base_sha }} ${{ github.sha }} | { grep -oP "(?<=^${{ matrix.specs-dir }}/)([^/]+)" || [[ $? -eq 1 ]]; } | sort -u | xargs) | |
echo "Folders with modified files in this PR:" | |
echo "${{ matrix.specs-dir }}/*: '${changed_pkg_dirs}'" | |
# For each package directory, get the names of all .spec files contained and add them to the list of SRPMS to repack. | |
# We need to filter since some directories may not contain .spec files we can rebuild, or the naming may not be 1:1. | |
changed_pkgs="" | |
for pkg in $changed_pkg_dirs; do | |
changed_pkgs="$changed_pkgs $(find ${{ matrix.specs-dir }}/$pkg -name '*.spec' -exec basename {} .spec \; | xargs)" | |
done | |
echo "Packages modified in this PR:" | |
echo "${{ matrix.specs-dir }}: '${changed_pkgs}'" | |
echo "changed_pkgs=${changed_pkgs}" >> $GITHUB_ENV | |
- name: Prepare the build environment | |
run: | | |
if [ -z "${{ env.changed_pkgs }}" ] && [ -z "${{ env.changed_pkgs_extended }}" ]; then | |
echo "No package changes detected." | |
exit 0 | |
fi | |
echo "Checking for invalid signatures..." | |
# Call this script to sync the toolchain manifests with the LKG daily build. | |
./toolkit/scripts/setuplkgtoolchain.sh | |
# Determine the LKG daily build ID. | |
LKG_BUILD_ID=$(wget -qO - https://mariner3dailydevrepo.blob.core.windows.net/lkg/lkg-3.0-dev.json | jq -r ".dailybuildid" | tr '\.' '-') | |
echo "LKG_BUILD_ID=${LKG_BUILD_ID}" >> $GITHUB_ENV | |
sudo make -C toolkit -j$(nproc) chroot-tools REBUILD_TOOLS=y DAILY_BUILD_ID=${LKG_BUILD_ID} | |
- name: Check for invalid source signatures | |
run: | | |
if [ -z "${{ env.changed_pkgs }}" ]; then | |
echo "No package changes detected in '${{ matrix.specs-dir }}''." | |
exit 0 | |
fi | |
set -x | |
if ! sudo make -C toolkit -j$(nproc) input-srpms REBUILD_TOOLS=y DAILY_BUILD_ID=${{ env.LKG_BUILD_ID }} SRPM_PACK_LIST="${{ env.changed_pkgs }}" SPECS_DIR=../${{ matrix.specs-dir }}; then | |
set +x | |
printf "\n\n******************************\n" | |
echo "Failed to check the signatures of the modified packages." | |
echo "Check the logs above for details on the mismatches files and their expected hashes." | |
echo "Consider running: sudo make -C toolkit input-srpms REBUILD_TOOLS=y SRPM_PACK_LIST='${{ env.changed_pkgs }}' SPECS_DIR=../${{ matrix.specs-dir }}" | |
printf "******************************\n\n" | |
exit 1 | |
else | |
echo "All modified packages have valid source signatures." | |
fi |