Rebase 3.0.20250910 3.0 v2 tmp #3

Merged
cheeyanglee merged 311 commits into 3.0-dev from rebase-3.0.20250910-3.0-v2-tmp
Nov 25, 2025

@cheeyanglee
Owner

Merge Checklist

All boxes should be checked before merging the PR

  • [] The changes in the PR have been built and tested
  • [] cgmanifest file has been updated if required
  • [] Ready to merge

Description

Any Newly Introduced Dependencies

How Has This Been Tested?

jykanase and others added 30 commits June 16, 2025 21:20
Co-authored-by: Kanishk Bansal <kanbansal@microsoft.com>
 - branch 3.0-dev (#14012)

Co-authored-by: Kevin Lockwood <57274670+kevin-b-lockwood@users.noreply.github.com>
…-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2025-0395, CVE-2025-4802 [High] - branch 3.0-dev (#14025)

Signed-off-by: Kanishk Bansal <kanbansal@microsoft.com>
Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>
Co-authored-by: Kanishk Bansal <kanbansal@microsoft.com>
Co-authored-by: Pawel Winogrodzki <pawelwi@microsoft.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>
Co-authored-by: Mykhailo Bykhovtsev <mbykhovtsev@microsoft.com>
… use new command for server configuration (#13915)
… for larger filesi… - branch 3.0-dev (#14060)

Co-authored-by: Sam Meluch <109628994+sameluch@users.noreply.github.com>
…0-dev (#14061)

Co-authored-by: Aninda Pradhan <v-anipradhan@microsoft.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>
…dev (#14062)

Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>
Co-authored-by: Kanishk Bansal <kanbansal@microsoft.com>
Co-authored-by: Kavya Sree Kaitepalli <kkaitepalli@microsoft.com>
Co-authored-by: kgodara912 <kshigodara@outlook.com>
…b package installation broken and import spec from Fedora (#13271)

Signed-off-by: Mayank Singh <mayansingh@microsoft.com>
Co-authored-by: Mayank Singh <mayansingh@microsoft.com>
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Signed-off-by: Thien Trung Vuong <tvuong@microsoft.com>
Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
Signed-off-by: Chris Co <chrco@microsoft.com>
Co-authored-by: nicolas guibourge <nicogbg@gmail.com>
Co-authored-by: Paco Huelsz <frhuelsz@microsoft.com>
Co-authored-by: Andrew Phelps <anphel31@users.noreply.github.com>
Co-authored-by: alejandro-microsoft <128648451+alejandro-microsoft@users.noreply.github.com>
Co-authored-by: CBL-Mariner Servicing Account <cblmargh@microsoft.com>
Co-authored-by: SeanDougherty <sdougherty@microsoft.com>
Co-authored-by: Henry Beberman <henry.beberman@microsoft.com>
Co-authored-by: Henry Li <69694695+henryli001@users.noreply.github.com>
Co-authored-by: Henry Li <lihl@microsoft.com>
Co-authored-by: Bala <kumaran.4353@gmail.com>
Co-authored-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
Co-authored-by: suresh-thelkar <suresh.thelkar@yahoo.com>
Co-authored-by: Dan Streetman <ddstreet@microsoft.com>
Co-authored-by: Mandeep Plaha <99760213+mandeepsplaha@users.noreply.github.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>
Co-authored-by: George Mileka <gmileka@users.noreply.github.com>
Co-authored-by: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com>
Co-authored-by: lanzeliu <lanzeliu@microsoft.com>
Co-authored-by: Karim Eldegwy <kimoantiqe@hotmail.com>
Co-authored-by: osamaesmailmsft <110202916+osamaesmailmsft@users.noreply.github.com>
Co-authored-by: Tobias Brick <39196763+tobiasb-ms@users.noreply.github.com>
Co-authored-by: abadawi-msft <108105696+abadawi591@users.noreply.github.com>
Co-authored-by: Mykhailo Bykhovtsev <108374904+mbykhovtsev-ms@users.noreply.github.com>
Co-authored-by: sindhu-karri <33163197+sindhu-karri@users.noreply.github.com>
Co-authored-by: Rohit Rawat <rohitrawat@microsoft.com>
Co-authored-by: Dan Streetman <ddstreet@ieee.org>
Co-authored-by: Nan Liu <108544011+liunan-ms@users.noreply.github.com>
Co-authored-by: Neha Agarwal <58672330+neha170@users.noreply.github.com>
Co-authored-by: Adit Jha <aditjha@microsoft.com>
Co-authored-by: Nan Liu <liunan@microsoft.com>
Co-authored-by: ypanch <yashpanchal@microsoft.com>
Co-authored-by: Trung <tvuong@microsoft.com>
Co-authored-by: Rakshaa Viswanathan <rviswanathan@microsoft.com>
Co-authored-by: Rakshaa Viswanathan <46165429+rakshaa2000@users.noreply.github.com>
Co-authored-by: Daniel McIlvaney <damcilva@microsoft.com>
Co-authored-by: Chris Gunn <chrisgun@microsoft.com>
Co-authored-by: Cameron E Baird <cameronbaird@microsoft.com>
Co-authored-by: Pawel Winogrodzki <pawelwi@microsoft.com>
Co-authored-by: Adub17030MS <110563293+Adub17030MS@users.noreply.github.com>
Co-authored-by: Sam Meluch <109628994+sameluch@users.noreply.github.com>
Co-authored-by: Sam Meluch <samemluch@microsoft.com>
Co-authored-by: himaja-kesari <123194058+himaja-kesari@users.noreply.github.com>
Co-authored-by: Aurélien Bombo <abombo@microsoft.com>
Co-authored-by: Lanze Liu <86434077+liulanze@users.noreply.github.com>
Co-authored-by: ms-mahuber <60939654+ms-mahuber@users.noreply.github.com>
Co-authored-by: Kanika Nema <kanikanema@microsoft.com>
Co-authored-by: corvus-callidus <108946721+corvus-callidus@users.noreply.github.com>
Co-authored-by: Riken Maharjan <106988478+rikenm1@users.noreply.github.com>
Co-authored-by: Sam Meluch <sam.meluch@microsoft.com>
Co-authored-by: Rachel Menge <rachelmenge@microsoft.com>
Co-authored-by: Sam Meluch <sammeluch@microsoft.com>
Co-authored-by: Andrew Phelps <anphel@microsoft.com>
Co-authored-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Co-authored-by: xiaohong <Xiaohong-Deng@users.noreply.github.com>
Co-authored-by: xiaohongdeng <“worldsky86rough@gmail.com”>
Co-authored-by: Hideyuki Nagase <hideyukn@microsoft.com>
Co-authored-by: amritakohli <56371098+amritakohli@users.noreply.github.com>
Co-authored-by: Saul Paredes <30801614+Redent0r@users.noreply.github.com>
Co-authored-by: binujp <binujp@gmail.com>
Co-authored-by: Binu Jose Philip <bphilip@microsoft.com>
Co-authored-by: udsmicrosoft <136555787+udsmicrosoft@users.noreply.github.com>
Co-authored-by: Christopher Co <35273088+christopherco@users.noreply.github.com>
Co-authored-by: Siddharth Chintamaneni <63337643+sidchintamaneni@users.noreply.github.com>
…guest, qemu-guest, marketplace-gen1, and marketplace-gen2 images (#13251)

Co-authored-by: Dallas Delaney <dadelan@microsoft.com>
archana25-ms and others added 6 commits September 10, 2025 12:32
Signed-off-by: Mayank Singh <mayansingh@microsoft.com>
Co-authored-by: Mayank Singh <mayansingh@microsoft.com>
Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
Co-authored-by: Rachel Menge <rachelmenge@microsoft.com>
Co-authored-by: Manuel Huber <mahuber@microsoft.com>
Co-authored-by: CBL-Mariner Servicing Account <cblmargh@microsoft.com>
Comment on lines +15 to +140
name: Check Disallowed Files
runs-on: ubuntu-latest
steps:

- name: Check out code
uses: actions/checkout@v4

- name: Get base commit for PRs
if: ${{ github.event_name == 'pull_request' }}
run: |
git fetch origin ${{ github.base_ref }}
echo "base_sha=$(git rev-parse origin/${{ github.base_ref }})" >> $GITHUB_ENV
echo "Merging ${{ github.sha }} into ${{ github.base_ref }}"

- name: Get base commit for Pushes
if: ${{ github.event_name == 'push' }}
run: |
git fetch origin ${{ github.event.before }}
echo "base_sha=${{ github.event.before }}" >> $GITHUB_ENV
echo "Merging ${{ github.sha }} into ${{ github.event.before }}"

- name: Get the changed files
run: |
echo "Files changed: '$(git diff-tree --no-commit-id --name-only -r ${{ env.base_sha }} ${{ github.sha }})'"
changed_files=$(git diff-tree --diff-filter=AM --no-commit-id --name-only -r ${{ env.base_sha }} ${{ github.sha }})
echo "Files to validate: '${changed_files}'"
echo "changed-files<<EOF" >> $GITHUB_ENV
echo "${changed_files}" >> $GITHUB_ENV
echo "EOF" >> $GITHUB_ENV

- name: Check for disallowed file types
run: |
if [[ -z "${{ env.changed-files }}" ]]; then
echo "No files to validate. Exiting."
exit 0
fi

echo "Checking files..."
error_found=0

# Read disallowed extensions from the configuration file
if [[ ! -f ".github/workflows/disallowed-extensions.txt" ]]; then
echo "Configuration file '.github/workflows/disallowed-extensions.txt' not found. Skipping check."
exit 0
fi

# Create array of disallowed extensions
mapfile -t disallowed_extensions < .github/workflows/disallowed-extensions.txt
if [[ $? -ne 0 ]]; then
echo "Error occurred while reading disallowed extensions. Exiting."
exit 1
fi

# Check each changed file
while IFS= read -r file; do
if [[ -z "$file" ]]; then
continue
fi

echo "Checking file: $file"

# Get file extension (convert to lowercase for comparison)
extension=$(echo "${file##*.}" | tr '[:upper:]' '[:lower:]')
filename=$(basename "$file")

# Check if file should be in blob store
should_be_in_blob_store=false

# Check against disallowed extensions
for disallowed_ext in "${disallowed_extensions[@]}"; do
# Remove any whitespace and comments
clean_ext=$(echo "$disallowed_ext" | sed 's/#.*//' | xargs)
if [[ -z "$clean_ext" ]]; then
continue
fi

if [[ "$extension" == "$clean_ext" ]]; then
should_be_in_blob_store=true
break
fi
done

# Additional checks for binary files and large files
if [[ -f "$file" ]]; then
# Check if file is binary (but allow .sh files even if executable)
if file "$file" | grep -q "binary\|archive\|compressed"; then
should_be_in_blob_store=true
fi

# Check file size (files > 1MB should be in blob store)
file_size=$(stat -f%z "$file" 2>/dev/null || stat -c%s "$file" 2>/dev/null || echo 0)
if [[ $file_size -gt 1048576 ]]; then # 1MB
should_be_in_blob_store=true
fi
fi

if [[ "$should_be_in_blob_store" == "true" ]]; then
1>&2 echo "**** ERROR ****"
1>&2 echo "File '$file' should be stored in blob store, not in git repository."
1>&2 echo "Reason: Images, Large files, binaries, tarballs, and non-text files slow down git operations"
1>&2 echo "and cannot be efficiently diffed. Please upload to blob store instead."
1>&2 echo "**** ERROR ****"
error_found=1
fi
done <<< "${{ env.changed-files }}"

if [[ $error_found -eq 1 ]]; then
echo ""
echo "=========================================="
echo "FILES THAT SHOULD BE IN BLOB STORE DETECTED"
echo "=========================================="
echo "The following file types should be stored in blob store:"
echo "- Source tarballs (.tar.gz, .tar.xz, .zip, etc.)"
echo "- Binary files (.bin, .exe, .so, .dll, etc.)"
echo "- Images (.gif, .bmp, etc.)"
echo "- Archives (.rar, .7z, .tar, etc.)"
echo "- Large files (> 1MB)"
echo "- Any non-text files that cannot be efficiently diffed"
echo ""
echo "Please upload these files to the blob store and reference them"
echo "in your spec files or configuration instead of checking them into git."
echo "=========================================="
exit 1
fi

echo "All files are appropriate for git storage." No newline at end of file
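
Review bot: `${{ env.changed-files }}` is expanded into the script text in the `[[ -z ... ]]` test and in `done <<< "${{ env.changed-files }}"`, so the names of files changed in the pull request become part of the bash source before it is parsed. Have the "Get the changed files" step write the list to a file (or export it under a shell-safe name such as `changed_files`) and read it with `done < "$file_list"`. Separately, a missing `.github/workflows/disallowed-extensions.txt` ends in `exit 0`, so the check passes when its own configuration is absent; `exit 1` would fail closed.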

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 6 months ago

The correct way to fix this problem is to add an explicit permissions field limiting the workflow’s access. Since the job only checks and lists files, and does not require any write access or advanced APIs, the minimum needed is contents: read. This can be accomplished by adding the following block near the top of the file, either at the workflow root (applies to all jobs) or at the individual job level. In this case, it's clearer and more maintainable to add it at the workflow level, directly after the name field and before the on: trigger, so that any future jobs are similarly restricted by default.

No imports, method definitions, or further modifications are needed—only the YAML file is changed.


Suggested changeset 1
.github/workflows/check-files.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/check-files.yml b/.github/workflows/check-files.yml
--- a/.github/workflows/check-files.yml
+++ b/.github/workflows/check-files.yml
@@ -2,6 +2,8 @@
 # Licensed under the MIT License.
 
 name: Check Disallowed Files
+permissions:
+  contents: read
 
 on:
   push:
EOF
@@ -2,6 +2,8 @@
# Licensed under the MIT License.

name: Check Disallowed Files
permissions:
contents: read

on:
push:
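
Review bot: Insert a blank line between `name: Check Disallowed Files` and the new `permissions:` key, so the block is set off the same way the existing blank line sets it off from `on:`. The workflow-level `contents: read` matches what the job does (checkout, `git fetch`, `git diff-tree`), so no job-level override is needed.
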
Copilot is powered by AI and may make mistakes. Always verify output.
Comment on lines +33 to +165
name: ${{ matrix.check-name }}
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
include:
- check-name: "Simple package build succeeds"
package-type: "REGULAR_PKG"
extra-args: ""

- check-name: "Simple package build fails"
package-type: "REGULAR_PKG"
error-pattern: "Number of failed SRPMs:\\s+1\\s*$"
extra-args: ""
build-prep: |
# Adding an invalid command to the '%prep' section will cause the build to fail.
sed -i '/%prep/a this-command-should-fail-because-its-not-a-command-at-all' "$REGULAR_PKG_SPEC_PATH"

- check-name: "Toolchain package rebuild succeeds"
package-type: "TOOLCHAIN_PKG"
extra-args: "ALLOW_TOOLCHAIN_REBUILDS=y"

- check-name: "Toolchain package rebuild fails"
package-type: "TOOLCHAIN_PKG"
error-pattern: "Number of toolchain SRPM conflicts:\\s+1\\s*$"
extra-args: "ALLOW_TOOLCHAIN_REBUILDS=n"
build-prep: ""

- check-name: "None license check does not break the build"
package-type: "REGULAR_PKG"
extra-args: "LICENSE_CHECK_MODE=none"
build-prep: |
license_file_name=$(grep -oP '^%license\s+\K\S+' "$REGULAR_PKG_SPEC_PATH")
if [[ -z "$license_file_name" ]]; then
echo "ERROR: no license file found in the spec $REGULAR_PKG_SPEC_PATH"
exit 1
fi
# Tagging a license file as a documentation file will not fail the license check on the 'none' level.
sed -i "/^%license/a %doc $license_file_name" "$REGULAR_PKG_SPEC_PATH"

- check-name: "Warning-only license check does not break the build"
package-type: "REGULAR_PKG"
extra-args: "LICENSE_CHECK_MODE=warn"
build-prep: |
license_file_name=$(grep -oP '^%license\s+\K\S+' "$REGULAR_PKG_SPEC_PATH")
if [[ -z "$license_file_name" ]]; then
echo "ERROR: no license file found in the spec $REGULAR_PKG_SPEC_PATH"
exit 1
fi
# Tagging a license file as a documentation file will not fail the license check on the 'warn' level.
sed -i "/^%license/a %doc $license_file_name" "$REGULAR_PKG_SPEC_PATH"

- check-name: "Fatal license check succeeds on duplicated license as documentation"
package-type: "REGULAR_PKG"
extra-args: "LICENSE_CHECK_MODE=fatal"
build-prep: |
license_file_name=$(grep -oP '^%license\s+\K\S+' "$REGULAR_PKG_SPEC_PATH")
if [[ -z "$license_file_name" ]]; then
echo "ERROR: no license file found in the spec $REGULAR_PKG_SPEC_PATH"
exit 1
fi
# Tagging a license file as a documentation file will not fail the license check on the 'fatal' level.
sed -i "/^%license/a %doc $license_file_name" "$REGULAR_PKG_SPEC_PATH"

- check-name: "Fatal license check fails"
package-type: "REGULAR_PKG"
error-pattern: "Number of SRPMs with license errors:\\s+1\\s*$"
extra-args: "LICENSE_CHECK_MODE=fatal"
build-prep: |
if ! grep -q '^%license' "$REGULAR_PKG_SPEC_PATH"; then
echo "ERROR: no '%license' macro found in the spec $REGULAR_PKG_SPEC_PATH"
exit 1
fi
# Tagging a license file as a documentation file will cause the license check to fail.
sed -i "s/^%license/%doc/" "$REGULAR_PKG_SPEC_PATH"

- check-name: "Pedantic license check fails"
package-type: "REGULAR_PKG"
error-pattern: "Number of SRPMs with license errors:\\s+1\\s*$"
extra-args: "LICENSE_CHECK_MODE=pedantic"
build-prep: |
license_file_name=$(grep -oP '^%license\s+\K\S+' "$REGULAR_PKG_SPEC_PATH")
if [[ -z "$license_file_name" ]]; then
echo "ERROR: no license file found in the spec $REGULAR_PKG_SPEC_PATH"
exit 1
fi
sed -i "/^%license/a %doc $license_file_name" "$REGULAR_PKG_SPEC_PATH"

steps:
- uses: actions/checkout@v4

- name: Checkout a stable version of the specs
uses: ./.github/actions/checkout-with-stable-pkgs

- name: Prepare the build environment
if: ${{ matrix.build-prep != '' }}
run: |
set -euo pipefail

${{ matrix.build-prep }}

- name: Run the build
run: |
set -euo pipefail

if sudo make -C toolkit -j$(nproc) build-packages \
PACKAGE_REBUILD_LIST="${{ env[matrix.package-type] }}" \
REBUILD_TOOLS=y \
SRPM_PACK_LIST="${{ env[matrix.package-type] }}" \
${{ matrix.extra-args }} 2>&1 | tee build.log; then
touch build.succeeded
fi

- name: Check the results
run: |
set -euo pipefail

if [[ -z "${{ matrix.error-pattern }}" ]]; then
if [[ ! -f build.succeeded ]]; then
echo "Build failed, but it was expected to succeed."
exit 1
fi
else
if [[ -f build.succeeded ]]; then
echo "Build succeeded, but it was expected to fail."
exit 1
fi

if ! grep -qP '${{ matrix.error-pattern }}' build.log; then
echo "Build failed, but not with the expected error message."
exit 1
fi
fi

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 6 months ago

To fix the problem, you should explicitly specify the minimum permissions required by the workflow at the root level or the job level (in this case, the job is called package-checks). The minimal required permission for most workflows that only check out code and perform CI checks is contents: read. If you know that the workflow does not require any additional permissions (e.g., no issue, PR, or repository write operations), use this minimal setting.

The best way to implement the fix is to add a permissions: block just above the jobs: key so that all jobs in the workflow inherit this minimum level. Adjusting the permissions will not affect any of the workflow's existing functionality as long as all steps only require reading repository contents.

File/region to change:

  • You need to edit .github/workflows/check-package-builds.yml
  • Insert right above line 31 (jobs:):
permissions:
  contents: read

No further imports or code changes are needed.


Suggested changeset 1
.github/workflows/check-package-builds.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/check-package-builds.yml b/.github/workflows/check-package-builds.yml
--- a/.github/workflows/check-package-builds.yml
+++ b/.github/workflows/check-package-builds.yml
@@ -28,6 +28,9 @@
       - "toolkit/scripts/*"
       - "toolkit/tools/*"
 
+permissions:
+  contents: read
+
 jobs:
   package-checks:
     name: ${{ matrix.check-name }}
EOF
@@ -28,6 +28,9 @@
- "toolkit/scripts/*"
- "toolkit/tools/*"

permissions:
contents: read

jobs:
package-checks:
name: ${{ matrix.check-name }}
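
Review bot: Confirm that the local action `./.github/actions/checkout-with-stable-pkgs` used by `package-checks` still works with a read-only token before applying `contents: read` to the whole workflow; its definition is not part of this change. The placement above `jobs:`, with a blank line on each side, is fine.
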
Comment on lines +9 to +29
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.x'

- name: Install Python dependencies for merge_yaml
run: |
python -m pip install --upgrade pip
pip install pyyaml

- name: Run osguard imageconfigs test
working-directory: toolkit/scripts
shell: bash
run: |
set -euo pipefail
./generate-osguard-imageconfigs.sh test
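
Review bot: `pip install pyyaml` in the "Install Python dependencies for merge_yaml" step is unpinned, and `python-version: '3.x'` floats as well, so the result of this test can change without any change in the repository. Pin the package (`pip install pyyaml==<version>`, ideally from a requirements file installed with `--require-hashes`) and use a fixed Python minor version.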

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 6 months ago

The best way to fix this problem is to add an explicit permissions block at the workflow level, placing it immediately after the workflow name and on blocks, but before the jobs block. This will apply the permission set to all jobs in the workflow unless overridden within individual jobs. The workflow only needs contents: read permission for its steps (checking out code, running scripts, reading files), so that should be set. No additional permissions (such as for issues or pull requests) are required based on the current steps shown. Only the .github/workflows/verify-osguard-imageconfigs.yml file needs to be edited, adding the following block:

permissions:
  contents: read
Suggested changeset 1
.github/workflows/verify-osguard-imageconfigs.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/verify-osguard-imageconfigs.yml b/.github/workflows/verify-osguard-imageconfigs.yml
--- a/.github/workflows/verify-osguard-imageconfigs.yml
+++ b/.github/workflows/verify-osguard-imageconfigs.yml
@@ -4,6 +4,8 @@
   pull_request:
   workflow_dispatch:
 
+permissions:
+  contents: read
 jobs:
   verify-osguard-imageconfigs:
     runs-on: ubuntu-latest
EOF
@@ -4,6 +4,8 @@
pull_request:
workflow_dispatch:

permissions:
contents: read
jobs:
verify-osguard-imageconfigs:
runs-on: ubuntu-latest
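
Review bot: Add a blank line after `contents: read`; as written, `jobs:` follows the new block directly, while the `on:` block above it is separated by a blank line. The job only checks out the repository, installs `pyyaml` and runs `./generate-osguard-imageconfigs.sh test`, so `contents: read` is sufficient.
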
@cheeyanglee cheeyanglee force-pushed the rebase-3.0.20250910-3.0-v2-tmp branch 6 times, most recently from 1e07668 to abc3f26 Compare October 10, 2025 05:52
liulis-sg and others added 2 commits October 13, 2025 16:32
…form#513)

Kernel config change for 6.12.44
- Mouse detection during ISO installation
- kernel parameter should not be set in non-rt kernel

Signed-off-by: Liu Lishan <lishan.liu@intel.com>
Import gstreamer1 package from AzureLinux SPECS-EXTENDED and
upgrade to version 1.26.5 with patch for latest platform
support.

Upgrade toolchain meson package to 1.8.5 to meet build dep.

Signed-off-by: Swee Yee Fonn <swee.yee.fonn@intel.com>
@cheeyanglee cheeyanglee force-pushed the rebase-3.0.20250910-3.0-v2-tmp branch 2 times, most recently from 163e2da to 2f19d1e Compare October 17, 2025 08:24
liulis-sg and others added 3 commits October 23, 2025 23:29
Modified the build to use the cjson-devel package already available
in the system. This reduces duplication and ensures consistent cjson
updates across the system

Signed-off-by: Polmoorx Shiva Kumar <polmoorx.shiva.kumar@intel.com>
…platform#446)

- During shutdown, there was conflict between journald and
- umount.target resulting error logs on console. so added a
- config file to stop journal-flush when unmounting starts.

Signed-off-by: Unniche, BasavarajX <basavarajx.unniche@intel.com>
@cheeyanglee cheeyanglee force-pushed the rebase-3.0.20250910-3.0-v2-tmp branch from 2f19d1e to dea7952 Compare October 27, 2025 08:32
Comment on lines +14 to +140
build:
name: Check Disallowed Files
runs-on: ubuntu-latest
steps:

- name: Check out code
uses: actions/checkout@v4

- name: Get base commit for PRs
if: ${{ github.event_name == 'pull_request' }}
run: |
git fetch origin ${{ github.base_ref }}
echo "base_sha=$(git rev-parse origin/${{ github.base_ref }})" >> $GITHUB_ENV
echo "Merging ${{ github.sha }} into ${{ github.base_ref }}"

- name: Get base commit for Pushes
if: ${{ github.event_name == 'push' }}
run: |
git fetch origin ${{ github.event.before }}
echo "base_sha=${{ github.event.before }}" >> $GITHUB_ENV
echo "Merging ${{ github.sha }} into ${{ github.event.before }}"

- name: Get the changed files
run: |
echo "Files changed: '$(git diff-tree --no-commit-id --name-only -r ${{ env.base_sha }} ${{ github.sha }})'"
changed_files=$(git diff-tree --diff-filter=AM --no-commit-id --name-only -r ${{ env.base_sha }} ${{ github.sha }})
echo "Files to validate: '${changed_files}'"
echo "changed-files<<EOF" >> $GITHUB_ENV
echo "${changed_files}" >> $GITHUB_ENV
echo "EOF" >> $GITHUB_ENV

- name: Check for disallowed file types
run: |
if [[ -z "${{ env.changed-files }}" ]]; then
echo "No files to validate. Exiting."
exit 0
fi

echo "Checking files..."
error_found=0

# Read disallowed extensions from the configuration file
if [[ ! -f ".github/workflows/disallowed-extensions.txt" ]]; then
echo "Configuration file '.github/workflows/disallowed-extensions.txt' not found. Skipping check."
exit 0
fi

# Create array of disallowed extensions
mapfile -t disallowed_extensions < .github/workflows/disallowed-extensions.txt
if [[ $? -ne 0 ]]; then
echo "Error occurred while reading disallowed extensions. Exiting."
exit 1
fi

# Check each changed file
while IFS= read -r file; do
if [[ -z "$file" ]]; then
continue
fi

echo "Checking file: $file"

# Get file extension (convert to lowercase for comparison)
extension=$(echo "${file##*.}" | tr '[:upper:]' '[:lower:]')
filename=$(basename "$file")

# Check if file should be in blob store
should_be_in_blob_store=false

# Check against disallowed extensions
for disallowed_ext in "${disallowed_extensions[@]}"; do
# Remove any whitespace and comments
clean_ext=$(echo "$disallowed_ext" | sed 's/#.*//' | xargs)
if [[ -z "$clean_ext" ]]; then
continue
fi

if [[ "$extension" == "$clean_ext" ]]; then
should_be_in_blob_store=true
break
fi
done

# Additional checks for binary files and large files
if [[ -f "$file" ]]; then
# Check if file is binary (but allow .sh files even if executable)
if file "$file" | grep -q "binary\|archive\|compressed"; then
should_be_in_blob_store=true
fi

# Check file size (files > 1MB should be in blob store)
file_size=$(stat -f%z "$file" 2>/dev/null || stat -c%s "$file" 2>/dev/null || echo 0)
if [[ $file_size -gt 1048576 ]]; then # 1MB
should_be_in_blob_store=true
fi
fi

if [[ "$should_be_in_blob_store" == "true" ]]; then
1>&2 echo "**** ERROR ****"
1>&2 echo "File '$file' should be stored in blob store, not in git repository."
1>&2 echo "Reason: Images, Large files, binaries, tarballs, and non-text files slow down git operations"
1>&2 echo "and cannot be efficiently diffed. Please upload to blob store instead."
1>&2 echo "**** ERROR ****"
error_found=1
fi
done <<< "${{ env.changed-files }}"

if [[ $error_found -eq 1 ]]; then
echo ""
echo "=========================================="
echo "FILES THAT SHOULD BE IN BLOB STORE DETECTED"
echo "=========================================="
echo "The following file types should be stored in blob store:"
echo "- Source tarballs (.tar.gz, .tar.xz, .zip, etc.)"
echo "- Binary files (.bin, .exe, .so, .dll, etc.)"
echo "- Images (.gif, .bmp, etc.)"
echo "- Archives (.rar, .7z, .tar, etc.)"
echo "- Large files (> 1MB)"
echo "- Any non-text files that cannot be efficiently diffed"
echo ""
echo "Please upload these files to the blob store and reference them"
echo "in your spec files or configuration instead of checking them into git."
echo "=========================================="
exit 1
fi

echo "All files are appropriate for git storage." No newline at end of file

Check warning

Code scanning / zizmor

default permissions used due to no permissions: block Warning

default permissions used due to no permissions: block
Comment on lines +19 to +20
- name: Check out code
uses: actions/checkout@v4
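
Review bot: `uses: actions/checkout@v4` references a mutable tag; pin the action to a full commit SHA (keeping `# v4` as a trailing comment) so the code that runs cannot change under the tag, and add `with:` / `persist-credentials: false` as the finding below asks.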

Check warning

Code scanning / zizmor

does not set persist-credentials: false Warning

does not set persist-credentials: false
Comment on lines +24 to +27
run: |
git fetch origin ${{ github.base_ref }}
echo "base_sha=$(git rev-parse origin/${{ github.base_ref }})" >> $GITHUB_ENV
echo "Merging ${{ github.sha }} into ${{ github.base_ref }}"
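
Review bot: `${{ github.base_ref }}` is pasted into the script text on all three lines of this `run:` block, unquoted in `git fetch origin` and inside the `$(git rev-parse ...)` substitution. Pass it through the step's `env:` (for example `BASE_REF: ${{ github.base_ref }}`) and use `"$BASE_REF"` in the script, and quote the redirect target as `"$GITHUB_ENV"`.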

Check failure

Code scanning / zizmor

github.base_ref may expand into attacker-controllable code Error

github.base_ref may expand into attacker-controllable code
sed -i "/^%license/a %doc $license_file_name" "$REGULAR_PKG_SPEC_PATH"

steps:
- uses: actions/checkout@v4

Check warning

Code scanning / zizmor

does not set persist-credentials: false Warning

does not set persist-credentials: false
Comment on lines +11 to +12
- name: Checkout repository
uses: actions/checkout@v4

Check warning

Code scanning / zizmor

does not set persist-credentials: false Warning

does not set persist-credentials: false
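
The three code-scanning findings above (no `permissions:` block, `persist-credentials` left on, `github.base_ref` expanded inside `run:`) applied together to the first steps of the check-files job, as an added example that is not part of the PR. The variable names `BASE_REF`, `BEFORE_SHA` and `HEAD_SHA` and the `changed-files.txt` hand-off file are assumptions; passing the file list through a file goes one step beyond the flagged lines.

```yaml
# Added example, not the repository's workflow. The trigger section is omitted.
permissions:
  contents: read            # GITHUB_TOKEN can only read repository contents

jobs:
  build:
    name: Check Disallowed Files
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
        uses: actions/checkout@v4
        with:
          # Do not leave the token in .git/config for later steps.
          # The git fetch below then runs unauthenticated, which is enough
          # for a public repository.
          persist-credentials: false

      - name: Get base commit for PRs
        if: ${{ github.event_name == 'pull_request' }}
        env:
          # Context values are handed over as environment variables, so the
          # shell sees them as data and never as part of the script text.
          BASE_REF: ${{ github.base_ref }}
          HEAD_SHA: ${{ github.sha }}
        run: |
          git fetch origin "$BASE_REF"
          echo "base_sha=$(git rev-parse "origin/$BASE_REF")" >> "$GITHUB_ENV"
          echo "Merging $HEAD_SHA into $BASE_REF"

      - name: Get base commit for Pushes
        if: ${{ github.event_name == 'push' }}
        env:
          BEFORE_SHA: ${{ github.event.before }}
          HEAD_SHA: ${{ github.sha }}
        run: |
          git fetch origin "$BEFORE_SHA"
          echo "base_sha=$BEFORE_SHA" >> "$GITHUB_ENV"
          echo "Merging $HEAD_SHA into $BEFORE_SHA"

      - name: Get the changed files
        env:
          HEAD_SHA: ${{ github.sha }}
        run: |
          # base_sha was exported through GITHUB_ENV by one of the steps above.
          git diff-tree --diff-filter=AM --no-commit-id --name-only -r \
            "$base_sha" "$HEAD_SHA" > "$RUNNER_TEMP/changed-files.txt"
          echo "Files to validate:"
          cat "$RUNNER_TEMP/changed-files.txt"
```

The check step can then iterate over the list with `while IFS= read -r file; do ... done < "$RUNNER_TEMP/changed-files.txt"`, so file names never pass through a `${{ }}` expansion.
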
sgolebiewski-intel and others added 5 commits October 28, 2025 11:01
* [DOCS] Update Architecture Overview - porting open-edge-platform#506

* [DOCS] Update kernel commands - porting # 525

* [DOCS] Updating README - porting # 504

* [DOCS] Updating Get Started - porting open-edge-platform#505

* Fix references
Fix DHCP address assignment issue on edge node by
including 'dhcp-identifier: mac'

Signed-off-by: yangliang-intel <liang1.yang@intel.com>
build tag "3.0.20250910-3.0"

rebase on Azure linux tag "3.0.20250910-3.0"

included changes:
Sync specfile changelog and release version for :-
SPECS/cri-tools/cri-tools.spec
SPECS/docker-buildx/docker-buildx.spec
SPECS/flannel/flannel.spec
SPECS/influxdb/influxdb.spec
SPECS/kata-containers-cc/kata-containers-cc.spec
SPECS/kata-containers/kata-containers.spec
SPECS/kubernetes/kubernetes.spec
SPECS/kubevirt/kubevirt.spec
SPECS/libguestfs/libguestfs.spec
SPECS/libnvidia-container/libnvidia-container.spec
SPECS/nvidia-container-toolkit/nvidia-container-toolkit.spec

drop caddy, no longer depend on caddy.

update all Agents to build with golang < 1.25 as Microsoft go 1.25 crypto
backend changes break the build.
https://devblogs.microsoft.com/go/microsoft-go-defaults-to-system-crypto/

Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
@cheeyanglee cheeyanglee force-pushed the rebase-3.0.20250910-3.0-v2-tmp branch from dea7952 to a958d84 Compare October 29, 2025 06:30
@cheeyanglee cheeyanglee merged commit a958d84 into 3.0-dev Nov 25, 2025
21 of 35 checks passed
@cheeyanglee cheeyanglee deleted the rebase-3.0.20250910-3.0-v2-tmp branch January 9, 2026 07:40