From patchwork Fri Jan 26 16:43:40 2024
X-Patchwork-Submitter: Ross Burton
X-Patchwork-Id: 38373
From: ross.burton@arm.com
To: meta-arm@lists.yoctoproject.org
Subject: [PATCH 1/2] CI: support extra kas files from environment
Date: Fri, 26 Jan 2024 16:43:40 +0000
Message-Id: <20240126164341.2846181-1-ross.burton@arm.com>
X-Mailer: git-send-email 2.34.1
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5364
From: Ross Burton Extend jobs-to-kas so the first argument is still the GitLab job name, but allow further arguments to specify extra Kas files to use in addition. Then add a variable EXTRA_KAS_FILES to the CI configuration that defaults to the empty string and pass this to jobs-to-kas. This lets specific pipeline runs add extra Kas files, for example to use experimental branches or enable extra features without touching the CI directly. Signed-off-by: Ross Burton --- .gitlab-ci.yml | 3 ++- ci/jobs-to-kas | 26 +++++++++++++++++++++----- 2 files changed, 23 insertions(+), 6 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 22ecfd71..4c6ce14a 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -11,6 +11,7 @@ variables: FF_USE_LEGACY_KUBERNETES_EXECUTION_STRATEGY: 0 ACS_TEST: 0 ACS_TAG: "" + EXTRA_KAS_FILES: "" stages: - prep @@ -61,7 +62,7 @@ stages: # Catch all for everything else - if: '$KERNEL != "linux-yocto-dev"' script: - - KASFILES=$(./ci/jobs-to-kas "$CI_JOB_NAME"):lockfile.yml + - KASFILES=$(./ci/jobs-to-kas "$CI_JOB_NAME" $EXTRA_KAS_FILES):lockfile.yml - kas dump --update --force-checkout --resolve-refs --resolve-env $KASFILES - kas build $KASFILES - ./ci/check-warnings $KAS_WORK_DIR/build/warnings.log diff --git a/ci/jobs-to-kas b/ci/jobs-to-kas index eea6e463..df81c2e3 100755 --- a/ci/jobs-to-kas +++ b/ci/jobs-to-kas 
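Review bot: the new `EXTRA_KAS_FILES: ""` entry in the `variables:` hunk of .gitlab-ci.yml carries no comment on its expected format, and nothing in the tree documents it apart from the commit message. Add a one-line comment beside it saying it is a space-separated list of fragment basenames under `ci/` without the `.yml` suffix (for example `EXTRA_KAS_FILES: "cve"` to merge the `ci/cve.yml` added in the second patch of this series), since that is what `jobs-to-kas` turns each word into with `FILES+=":ci/$i.yml"`.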
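Review bot: in the `script:` hunk, `$EXTRA_KAS_FILES` is left unquoted on purpose so the shell splits it into separate arguments for `jobs-to-kas`, but unquoted expansion also performs pathname globbing, so a value containing `*` or `?` would be expanded against the checkout before the script sees it. Either add a comment on that line stating that the word splitting is intended, or pass the value as one quoted argument and split it inside `jobs-to-kas`. It is also worth noting next to the variable that it is settable per pipeline run, so whoever triggers a pipeline chooses which `ci/*.yml` fragments are merged into the `kas dump --resolve-env` and `kas build` invocations that follow; that is the stated purpose, but the job configuration should not be assumed fixed by readers of this file.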
@@ -3,17 +3,28 @@ # This script is expecting an input of machine name, optionally followed by a # colon and a list of one or more parameters separated by commas between # brackets. For example, the following are acceptable: -# corstone1000-mps3 -# fvp-base: [testimage] -# qemuarm64-secureboot: [clang, glibc, testimage] +# corstone1000-mps3 +# fvp-base: [testimage] +# qemuarm64-secureboot: [clang, glibc, testimage] +# This argument should be quoted to avoid expansion and to be handled +# as a single value. +# +# Any further arguments will be handled as further yml file basenames. # # Turn this list into a series of yml files separated by colons to pass to kas set -e -u -FILES="ci/$(echo $1 | cut -d ':' -f 1).yml" +# First, parse the GitLab CI job name (CI_JOB_NAME via $1) and accumulate a list +# of Kas files. +JOBNAME="$1" +shift + +# The base name of the job +FILES="ci/$(echo $JOBNAME | cut -d ':' -f 1).yml" -for i in $(echo $1 | cut -s -d ':' -f 2 | sed 's/[][,]//g'); do +# The list of matrix variations +for i in $(echo $JOBNAME | cut -s -d ':' -f 2 | sed 's/[][,]//g'); do # Given that there are no yml files for gcc or glibc, as those are the # defaults, we can simply ignore those parameters. They are necessary # to pass in so that matrix can correctly setup all of the permutations 
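Review bot: the new `FILES="ci/$(echo $JOBNAME | cut -d ':' -f 1).yml"` line and the rewritten loop header both expand `$JOBNAME` unquoted, while the header comment just above says the job name contains brackets such as `[testimage]`; an unquoted bracket expression is a shell glob and is matched against files in the working directory before `cut` sees it. Quote both as `echo "$JOBNAME"`. The updated header comment should also say that the further arguments are fragment names relative to `ci/` without the `.yml` suffix, which a reader otherwise only learns from the next hunk.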
@@ -24,4 +35,9 @@ for i in $(echo $1 | cut -s -d ':' -f 2 | sed 's/[][,]//g'); do FILES+=":ci/$i.yml" done +# Now pick up any further names +for i in $*; do + FILES+=":ci/$i.yml" +done + echo $FILES From patchwork Fri Jan 26 16:43:41 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 38372 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 00485C47DDF for ; Fri, 26 Jan 2024 16:43:57 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web11.2834.1706287427904363055 for ; Fri, 26 Jan 2024 08:43:48 -0800 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: ross.burton@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 008A2FEC for ; Fri, 26 Jan 2024 08:44:32 -0800 (PST) Received: from oss-tx204.lab.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.121.207.14]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 33CA53F762 for ; Fri, 26 Jan 2024 08:43:47 -0800 (PST) 
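Review bot: in the `@@ -24,4 +35,9 @@` hunk of ci/jobs-to-kas, `for i in $*; do` should be `for i in "$@"; do` (or simply `for i; do`): the caller has already split the arguments, and unquoted `$*` re-splits and glob-expands each of them (ShellCheck SC2048). The loop also appends every argument to `FILES` without checking it, so a name containing `/` or `..` becomes a path outside `ci/`, and a nonexistent fragment only fails later inside `kas dump`. Consider rejecting anything that is not a plain basename, e.g. `case "$i" in */*|.*) echo "invalid fragment name: $i" >&2; exit 1;; esac`, or testing `[ -f "ci/$i.yml" ]` before appending, so a typo in `EXTRA_KAS_FILES` produces a clear error from this script.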
From: ross.burton@arm.com To: meta-arm@lists.yoctoproject.org Subject: [PATCH 2/2] CI/cve.yml: add a CVE-checking Kas fragment Date: Fri, 26 Jan 2024 16:43:41 +0000 Message-Id: <20240126164341.2846181-2-ross.burton@arm.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240126164341.2846181-1-ross.burton@arm.com> References: <20240126164341.2846181-1-ross.burton@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 26 Jan 2024 16:43:57 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5365 From: Ross Burton Add a Kas fragment to enable the CVE checker. Disable warnings by default but show them for the layers in meta-arm, because we only care about meta-arm issues in this CI. Explicitly hide kernel warnings as the kernel typically has tens of open CVEs, and if we're carrying a kernel explicitly then it's typically an interim kernel between releases. Signed-off-by: Ross Burton --- ci/cve.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 ci/cve.yml diff --git a/ci/cve.yml b/ci/cve.yml new file mode 100644 index 00000000..381f8557 --- /dev/null +++ b/ci/cve.yml @@ -0,0 +1,16 @@ +header: + version: 14 + +local_conf_header: + cve: | + INHERIT += "cve-check" + + # Just show the warnings for our layers + CVE_CHECK_SHOW_WARNINGS = "0" + CVE_CHECK_SHOW_WARNINGS:layer-arm-toolchain = "1" + CVE_CHECK_SHOW_WARNINGS:layer-meta-arm = "1" + CVE_CHECK_SHOW_WARNINGS:layer-meta-arm-bsp = "1" + CVE_CHECK_SHOW_WARNINGS:layer-meta-arm-systemready = "1" + + # Ignore the kernel, we sometime carry kernels in meta-arm + CVE_CHECK_SHOW_WARNINGS:pn-linux-yocto = "0"
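Review bot: the kernel exclusion `CVE_CHECK_SHOW_WARNINGS:pn-linux-yocto = "0"` relies on the `pn-` override taking precedence over the `CVE_CHECK_SHOW_WARNINGS:layer-meta-arm-bsp = "1"` line above it; bitbake resolves conflicting overrides by their position in `OVERRIDES`, with later entries winning, so please confirm that `pn-${PN}` is listed after `layer-${FILE_LAYERNAME}` in the targeted release, otherwise the layer override re-enables the kernel warnings and the intent in the commit message is not met. The first patch in this series also refers to a `linux-yocto-dev` kernel (`$KERNEL != "linux-yocto-dev"`), which is a different PN and is not covered by `pn-linux-yocto`; if that kernel is also carried in meta-arm it needs its own line. Minor: the comment `we sometime carry kernels` should read `sometimes`.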