Merge branch 'main' into 2.0

microsoft · Sep 4, 2023 · ad650f8 · ad650f8
2 parents f3fee7c + 8d37324
commit ad650f8
Show file tree

Hide file tree

Showing 167 changed files with 7,872 additions and 650 deletions.
diff --git a/.github/workflows/check-clean-stage.yml b/.github/workflows/check-clean-stage.yml
@@ -5,9 +5,9 @@ name: Spec %clean stage check
 
 on:
   push:
-    branches: [main, dev, 1.0*, 2.0*]
+    branches: [main, dev, 1.0*, 2.0*, fasttrack/*]
   pull_request:
-    branches: [main, dev, 1.0*, 2.0*]
+    branches: [main, dev, 1.0*, 2.0*, fasttrack/*]
 
 jobs:
   spec-clean-stage-check:

diff --git a/.github/workflows/check-entangled-specs.yml b/.github/workflows/check-entangled-specs.yml
@@ -8,9 +8,9 @@ name: Spec Entanglement Mismatch Check
 
 on:
   push:
-    branches: [main, dev, 1.0*, 2.0*]
+    branches: [main, dev, 1.0*, 2.0*, fasttrack/*]
   pull_request:
-    branches: [main, dev, 1.0*, 2.0*]
+    branches: [main, dev, 1.0*, 2.0*, fasttrack/*]
 
 jobs:
   check:

diff --git a/.github/workflows/check-kernel-config.yml b/.github/workflows/check-kernel-config.yml
@@ -8,11 +8,11 @@ name: Kernel Required Configs Check
 
 on:
   push:
-    branches: [main, 1.0*, 2.0*]
+    branches: [main, 1.0*, 2.0*, fasttrack/*]
     paths:
       - 'SPECS/kernel*/config*'
   pull_request:
-    branches: [main, 1.0*, 2.0*]
+    branches: [main, 1.0*, 2.0*, fasttrack/*]
     paths:
       - 'SPECS/kernel*/config*'
 

diff --git a/.github/workflows/check-license-map.yml b/.github/workflows/check-license-map.yml
@@ -7,9 +7,9 @@ name: Spec License Map Check
 
 on:
   push:
-    branches: [main, dev, 1.0*, 2.0*]
+    branches: [main, dev, 1.0*, 2.0*, fasttrack/*]
   pull_request:
-    branches: [main, dev, 1.0*, 2.0*]
+    branches: [main, dev, 1.0*, 2.0*, fasttrack/*]
 
 jobs:
   check:

diff --git a/.github/workflows/check-livepatches.yml b/.github/workflows/check-livepatches.yml
@@ -5,9 +5,9 @@ name: Livepatch specs check
 
 on:
   push:
-    branches: [2.0]
+    branches: [2.0, fasttrack/*]
   pull_request:
-    branches: [2.0]
+    branches: [2.0, fasttrack/*]
 
 jobs:
   spec-check:

diff --git a/.github/workflows/check-manifests.yml b/.github/workflows/check-manifests.yml
@@ -5,9 +5,9 @@ name: Check Manifests
 
 on:
   push:
-    branches: [main, dev, 1.0*, 2.0*]
+    branches: [main, dev, 1.0*, 2.0*, fasttrack/*]
   pull_request:
-    branches: [main, dev, 1.0*, 2.0*]
+    branches: [main, dev, 1.0*, 2.0*, fasttrack/*]
 
 jobs:
   build:

diff --git a/.github/workflows/check-package-cgmanifest.yml b/.github/workflows/check-package-cgmanifest.yml
@@ -5,9 +5,9 @@ name: Check Package CGManifests
 
 on:
   push:
-    branches: [main, dev, 1.0*, 2.0*]
+    branches: [main, dev, 1.0*, 2.0*, fasttrack/*]
   pull_request:
-    branches: [main, dev, 1.0*, 2.0*]
+    branches: [main, dev, 1.0*, 2.0*, fasttrack/*]
 
 jobs:
 

diff --git a/.github/workflows/check-spec.yml b/.github/workflows/check-spec.yml
@@ -5,9 +5,9 @@ name: Spec files check
 
 on:
   push:
-    branches: [main, dev, 1.0*, 2.0*]
+    branches: [main, dev, 1.0*, 2.0*, fasttrack/*]
   pull_request:
-    branches: [main, dev, 1.0*, 2.0*]
+    branches: [main, dev, 1.0*, 2.0*, fasttrack/*]
 
 jobs:
   spec-check:

diff --git a/.github/workflows/check-static-glibc.yml b/.github/workflows/check-static-glibc.yml
@@ -6,9 +6,9 @@ name: Static glibc version check
 
 on:
   push:
-    branches: [main, dev, 1.0*, 2.0*]
+    branches: [main, dev, 1.0*, 2.0*, fasttrack/*]
   pull_request:
-    branches: [main, dev, 1.0*, 2.0*]
+    branches: [main, dev, 1.0*, 2.0*, fasttrack/*]
 
 jobs:
   spec-check:

diff --git a/.github/workflows/cherry-pick.yml b/.github/workflows/cherry-pick.yml
@@ -0,0 +1,129 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+# This action cherry-picks CVE fix commits from fast-track branches to corresponding
+# development branches for each version of Mariner. By default, the workflow is run
+# whenever a CVE fix PR to a fast-track branch is merged. Additional target branches
+# for cherry-pick can be specified by adding a comment to the original PR with the
+# following syntax:
+#   /cherry-pick <target-branch-1> <target-branch-2>
+# Note the list of target branches is space-separated, and the commenter must be a
+# member or owner of the repository for the action to work.
+# After cherry-pick succeeds for a branch, a new PR will be created to merge the commit
+# to that target branch, and a label will be added to the original PR to indicate that
+# the commit has been cherry-picked to that branch.
+name: Cherry pick commits from PR
+on:
+  pull_request:
+    types:
+      - closed
+    branches:
+      - 'fasttrack/*'
+
+permissions:
+  contents: read
+  pull-requests: read
+defaults:
+  run:
+    shell: bash
+
+env:
+  CHERRY_PICK_BRANCH_MAPPING: '{"fasttrack/2.0": "main"}'
+
+jobs:
+  # Scans the PR for cherry pick comments, in addition to the default cherry pick target
+  collect_target_branches:
+    if: github.event.pull_request.merged == true
+    runs-on: ubuntu-latest
+    name: Collect target branches from Pull Request
+    outputs:
+      cherry_pick_target_branches: ${{ steps.target_branches.outputs.cherry_pick_target_branches }}
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    steps:
+      # Collect target branches in a list. The list includes:
+      # - default target branch
+      # - any branch specified in PR comments with the syntax
+      #     /cherry-pick <branch-1> <branch-2>
+      # The final list will only contain unique branches.
+      # The jq filter does the following from a JSON list of comments
+      #     [{"author": "a", "authorAssociation": "MEMBER", "body": "hello"},
+      #      {"author": "c", "authorAssociation": "CONTRIBUTOR", "body": "hi"},
+      #      {"author": "a", "authorAssociation": "MEMBER", "body": "/cherry-pick a b c"},
+      #      {"author": "b", "authorAssociation": "MEMBER", "body": "/cherry-pick a b"}]
+      # - Select only comments where the author is a member or owner of the repository
+      # - Collect all comments body to a list of string
+      # - Select only comments that starts with "/cherry-pick "
+      # - Remove the "/cherry-pick " prefix from each comment
+      #     ["a b c", "a b"]
+      # - Split the remaining content of each comment by whitespace into a list
+      #     [["a", "b", "c"], ["a", "b"]]
+      # - Flatten the list
+      #     ["a", "b", "c", "a", "b"]
+      # - Add the default target branch to the list
+      #     ["a", "b", "c", "a", "b", "default-target"]
+      # - Remove all duplicate values
+      #     ["a", "b", "c", "default-target"]
+      - name: Create list of target branches
+        id: target_branches
+        run: |
+          cherry_pick_branches_json=$(gh pr view ${{ github.event.number }} \
+                                       --repo ${{ github.repository }} \
+                                       --json comments \
+                                       --jq '.comments
+                                              | map(select(.authorAssociation == "MEMBER" or .authorAssociation == "OWNER")
+                                                    | .body
+                                                    | select(startswith("/cherry-pick "))
+                                                    | ltrimstr("/cherry-pick ")
+                                                    | split(" "))
+                                              | flatten
+                                              | . += ["${{ fromJSON(env.CHERRY_PICK_BRANCH_MAPPING)[github.base_ref] }}"]
+                                              | unique')
+          branches_list=$(echo $cherry_pick_branches_json | jq -r @sh | tr -d "'")
+          echo "cherry_pick_target_branches=$branches_list" >> $GITHUB_OUTPUT
+
+  # Actual cherry-pick work for each target branch
+  cherry_pick_commit:
+    needs: collect_target_branches
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    name: Cherry pick
+    steps:
+      - name: Workflow trigger checkout
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ github.base_ref }}
+          fetch-depth: 0
+
+      - name: Configure local git repo
+        run: |
+          git config --local user.email "[email protected]"
+          git config --local user.name "CBL-Mariner Servicing Account"
+
+      # Run cherry-pick for each target branch and create new PR for it. If cherry-pick fails,
+      # output conflicts to the action logs and notify in the original PR. We want to run the
+      # cherry-pick script for all target branch, even if one fails. This step will succeed if
+      # all cherry-picks succeed.
+      - name: Run cherry-pick action
+        run: |
+          cp toolkit/scripts/cherry_pick.sh ${{ runner.temp }}/cherry_pick.sh
+
+          for target_branch in ${{ needs.collect_target_branches.outputs.cherry_pick_target_branches }}; do
+            if ! ${{ runner.temp }}/cherry_pick.sh \
+                -r "${{ github.repository }}" \
+                -p "${{ github.event.pull_request.number }}" \
+                -t "$target_branch" \
+                -w $RUN_URL; then
+              failed=1
+            fi
+            echo "================================================================================"
+          done
+          if [[ $failed == 1 ]]; then
+            echo "Cherry-pick failed for at least 1 target branch"
+            exit 1
+          fi
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
diff --git a/.github/workflows/go-test-coverage.yml b/.github/workflows/go-test-coverage.yml
@@ -5,9 +5,9 @@ name: Go Test Coverage
 
 on:
   push:
-    branches: [main, dev, 1.0*, 2.0*]
+    branches: [main, dev, 1.0*, 2.0*, fasttrack/*]
   pull_request:
-    branches: [main, dev, 1.0*, 2.0*]
+    branches: [main, dev, 1.0*, 2.0*, fasttrack/*]
 
 jobs:
 

diff --git a/.github/workflows/lint-specs.yml b/.github/workflows/lint-specs.yml
@@ -7,11 +7,11 @@ on:
   push:
     paths:
       - '**.spec'
-    branches: [main, dev, 1.0*, 2.0*]
+    branches: [main, dev, 1.0*, 2.0*, fasttrack/*]
   pull_request:
     paths:
       - '**.spec'
-    branches: [main, dev, 1.0*, 2.0*]
+    branches: [main, dev, 1.0*, 2.0*, fasttrack/*]
 
 jobs:
   spec-lint:

diff --git a/.github/workflows/validate-cg-manifest.sh b/.github/workflows/validate-cg-manifest.sh
@@ -226,7 +226,7 @@ do
       # Parsing output instead of using error codes because 'wget' returns code 8 for FTP, even if the file exists.
       # Sample HTTP(S) output:  Remote file exists.
       # Sample FTP output:      File ‘time-1.9.tar.gz’ exists.
-      if ! wget --spider --timeout=2 --tries=10 "${manifesturl}" 2>&1 | grep -qP "^(Remote file|File ‘.*’) exists.*"
+      if ! wget --secure-protocol=TLSv1_2 --spider --timeout=2 --tries=10 "${manifesturl}" 2>&1 | grep -qP "^(Remote file|File ‘.*’) exists.*"
       then
         echo "Registration for $name:$version has invalid URL '$manifesturl' (could not download)"  >> bad_registrations.txt
       fi

diff --git a/.pipelines/livepatching/DeployLivepatch.yml b/.pipelines/livepatching/DeployLivepatch.yml
@@ -1,3 +1,6 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
 trigger: none
 
 variables:

diff --git a/.pipelines/prchecks/PackageBuildPRCheck.yml b/.pipelines/prchecks/PackageBuildPRCheck.yml
@@ -1,3 +1,6 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
 # Since we're boosting our builds by using a private, pre-compiled raw toolchain
 # the pipeline requires defining the following variables outside of the YAML:
 # - rawToolchainCacheURL_AMD64
@@ -15,22 +18,10 @@ parameters:
         agentPool: "$(agentPool_AMD64)"
         rawToolchainCacheURL: "$(rawToolchainCacheURL_AMD64)"
         rawToolchainExpectedHash: "f56df34b90915c93f772d3961bf5e9eeb8c1233db43dd92070214e4ce6b72894"
-        packageBuildJobs:
-          - scenario1:
-            name: Build
-            runCheck: false
-          - scenario2:
-            name: Test
-            runCheck: true
       - name: "ARM64"
         agentPool: "$(agentPool_ARM64)"
         rawToolchainCacheURL: "$(rawToolchainCacheURL_ARM64)"
         rawToolchainExpectedHash: "65de43b3bdcfdaac71df1f11fd1f830a8109b1eb9d7cb6cbc2e2d0e929d0ef76"
-        packageBuildJobs:
-          - name: Build
-            runCheck: false
-          - name: Test
-            runCheck: true
 
 resources:
   repositories:
@@ -88,29 +79,26 @@ extends:
           - stage: RPMs_${{ configuration.name }}
             dependsOn: Toolchain_${{ configuration.name }}
             jobs:
-              # Using configuration object instead of the matrix strategy because the 'isCheckBuild' parameter must be set
-              # during YAML parsing and the matrix strategy arguments are available later during run-time.
-              - ${{ each packageBuildJob in configuration.packageBuildJobs }}:
-                  - job: ${{ packageBuildJob.name }}
-                    pool:
-                      type: linux
-                      isCustom: true
-                      name: ${{ configuration.agentPool }}
-                    variables:
-                      ob_artifactBaseName: ${{ variables.rpmsArtifactNameBase }}_${{ configuration.name }}_${{ packageBuildJob.name }}
-                      ob_outputDirectory: $(Build.ArtifactStagingDirectory)
-                    steps:
-                      - template: .pipelines/templates/PackageBuild.yml@self
-                        parameters:
-                          customToolchainArtifactName: $(toolchainArtifactNameBase)_${{ configuration.name }}
-                          isCheckBuild: ${{ packageBuildJob.runCheck }}
-                          isDeltaBuild: true
-                          outputArtifactsFolder: $(ob_outputDirectory)
-                          selfRepoName: self
+              - job: BuildAndTest
+                pool:
+                  type: linux
+                  isCustom: true
+                  name: ${{ configuration.agentPool }}
+                variables:
+                  ob_artifactBaseName: ${{ variables.rpmsArtifactNameBase }}_${{ configuration.name }}
+                  ob_outputDirectory: $(Build.ArtifactStagingDirectory)
+                steps:
+                  - template: .pipelines/templates/PackageBuild.yml@self
+                    parameters:
+                      customToolchainArtifactName: $(toolchainArtifactNameBase)_${{ configuration.name }}
+                      isCheckBuild: true
+                      isQuickRebuildPackages: true
+                      outputArtifactsFolder: $(ob_outputDirectory)
+                      selfRepoName: self
 
-                      - task: PublishPipelineArtifact@1
-                        inputs:
-                          artifact: ${{ variables.rpmsArtifactNameBase }}_${{ configuration.name }}_${{ packageBuildJob.name }}
-                          targetPath: $(ob_outputDirectory)
-                        condition: always()
-                        displayName: "Publish packages build artifacts"
+                  - task: PublishPipelineArtifact@1
+                    inputs:
+                      artifact: ${{ variables.rpmsArtifactNameBase }}_${{ configuration.name }}
+                      targetPath: $(ob_outputDirectory)
+                    condition: always()
+                    displayName: "Publish packages build artifacts"