From 7b42f735f7910aef9b7ee71d93fd21c8aba8d520 Mon Sep 17 00:00:00 2001 From: "Christian A. Ehrhardt" Date: Wed, 26 Nov 2025 12:24:41 +0100 Subject: [PATCH 1/6] ci: Add cheri riscv build configuration Build a cheri purecap kernel for riscv in the ci workflow. This uses the llvm-18 compiler as published in the cheri alliance repo. Signed-off-by: Christian A. Ehrhardt --- .github/workflows/build.yml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 87d67bc7d5c695..047e55e71775f3 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -41,12 +41,18 @@ jobs: arch: [ riscv64, aarch64 ] compiler: [ llvm-18, gcc ] config: [ defconfig ] + install_compiler: [ true ] include: - arch: morello compiler: llvm-morello config: morello_pcuabi_defconfig container: docker.io/ctsrd/morello-sdk:latest - + install_compiler: false + - arch: riscv64cheri + compiler: llvm-cheri + config: qemu_riscv64cheripc_defconfig + container: docker.io/chrehrhardt/riscvcheri-ubuntu-llvm18:latest + install_compiler: false steps: # Install node.js in the docker container to allow testing this action with `gh act` locally. # This is not needed in real GitHub action runs, so limit this to env.ACT being set. @@ -72,7 +78,7 @@ jobs: if [[ "${{ matrix.compiler }}" == llvm* ]]; then VER=${{ matrix.compiler }} VER=${VER#llvm-} - if [[ "${{ matrix.compiler }}" != llvm-morello ]]; then + if [[ "${{ matrix.install_compiler }}" == "true" ]]; then packages+=(clang-$VER lld-$VER llvm-$VER) fi elif [ "${{ matrix.compiler }}" == "gcc" ]; then @@ -131,6 +137,7 @@ jobs: # Set pipefail to fail if make fails, otherwise any error is squashed set -o pipefail ARGS="" + LLVM_DIR= if [ "${{ matrix.arch }}" = "aarch64" ]; then ARGS="$ARGS ARCH=arm64" CROSS="aarch64-linux-gnu-" 
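Review bot: The new riscv64cheri matrix entry runs the entire job inside `docker.io/chrehrhardt/riscvcheri-ubuntu-llvm18:latest`, a personal Docker Hub image referenced by a mutable tag, so whoever can push to that repository controls the toolchain that produces the CI kernel and every result this workflow reports. Pin the image by digest, e.g. `container: docker.io/chrehrhardt/riscvcheri-ubuntu-llvm18@sha256:<digest>`, and consider hosting it under a project-owned namespace; the pre-existing `ctsrd/morello-sdk:latest` reference has the same weakness and could be pinned the same way. A short comment next to the `container:` line recording how the image was built (the commit message says it wraps the cheri-alliance llvm-18 packages) would make the pinned digest reviewable when it is next bumped.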
@@ -139,6 +146,8 @@ jobs: CROSS="riscv64-linux-gnu-" elif [ "${{ matrix.arch }}" = "morello" ]; then ARGS="$ARGS ARCH=arm64" + elif [ "${{ matrix.arch }}" = "riscv64cheri" ]; then + ARGS="$ARGS ARCH=riscv" fi if [[ "${{ matrix.compiler }}" == "llvm-morello" ]]; then From 63ad40d0d0d4418b3c5b094ac3d9dd6242e75b68 Mon Sep 17 00:00:00 2001 From: "Christian A. Ehrhardt" Date: Wed, 26 Nov 2025 15:57:03 +0100 Subject: [PATCH 2/6] ci: Run the PtrToIntCast clang-tidy check When building the cheri riscv kernel also run the PtrToIntCast clang tidy check to warn about dubious capability conversions. Signed-off-by: Christian A. Ehrhardt --- .github/workflows/build.yml | 27 ++++++++++++++++++++++++--- 1 file changed, 24 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 047e55e71775f3..1426994c6480b6 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -138,6 +138,7 @@ jobs: set -o pipefail ARGS="" LLVM_DIR= + TARGETS="all" if [ "${{ matrix.arch }}" = "aarch64" ]; then ARGS="$ARGS ARCH=arm64" CROSS="aarch64-linux-gnu-" @@ -148,6 +149,7 @@ jobs: ARGS="$ARGS ARCH=arm64" elif [ "${{ matrix.arch }}" = "riscv64cheri" ]; then ARGS="$ARGS ARCH=riscv" + TARGETS="${TARGETS} compile_commands.json" fi if [[ "${{ matrix.compiler }}" == "llvm-morello" ]]; then 
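Review bot: The riscv64cheri branch sets only `ARCH=riscv` and leaves `CROSS` unset, so the `llvm*` branch further down (visible in a later patch of this series) passes an empty `CROSS_COMPILE=` and the target triple is whatever the container's clang defaults to; kbuild only adds `--target=` when CROSS_COMPILE is non-empty, so a change in the image's default target would silently produce a kernel for the wrong triple instead of failing. I'd make the target explicit next to ARCH, e.g. `CROSS="riscv64-linux-gnu-"` (or whichever prefix the purecap toolchain expects), or at minimum add `# image clang defaults to the CHERI RISC-V target, so no CROSS_COMPILE needed` so the dependency on the image is documented. The surrounding if/elif chain starts before this hunk.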
@@ -160,7 +162,25 @@ jobs: fi make $ARGS O=build ${{ matrix.config }} # Pipe output to tee so we can see it and save it for counting warnings - make $ARGS O=build -j$(nproc) 2>&1 | tee build.log + make $ARGS O=build -j$(nproc) ${TARGETS} 2>&1 | tee build.log + + - name: Run clang-tidy + if: matrix.compiler == 'llvm-cheri' + shell: bash + run: | + set -o pipefail + grep "file.:.*\.c.$" build/compile_commands.json | \ + sed 's/.*file.:..//; s/.$//' | \ + xargs -n $(nproc) -P 12 -- /usr/lib/llvm-cheri/bin/clang-tidy \ + --checks='-*,cheri-PtrToIntCast' \ + --header-filter='.*' \ + --system-headers \ + -p build 2>&1 | tee tidy.log + echo "CHECKING clang-tidy messages" + if egrep "(warning|error):" tidy.log; then + echo "ERROR: Unexpected clang-tidy warnings" + false # Fail + fi - name: Process Logs (Errors & Warnings) if: always() @@ -169,15 +189,16 @@ jobs: GH_TOKEN: ${{ github.token }} JOB_NAME: "Build ${{ matrix.arch }} ${{ matrix.compiler }} ${{ matrix.config }}" run: | + touch tidy.log echo "::group::📝 Build Issues (Errors & Warnings)" - if grep -iE "warning:|error:" build.log; then + if grep -iE "warning:|error:" build.log tidy.log; then echo "--------------------------------------------------" echo "Full list above." else echo "🎉 Clean build - No warnings or errors found." fi echo "::endgroup::" - COUNT=$(grep -c -i "warning:" build.log || true) + COUNT=$(grep -c -i "warning:" build.log tidy.log || true) OUTCOME="${{ steps.kbuild.outcome }}" FULL_LINK="${{ steps.job-link.outputs.url }}#step:${{ steps.job-link.outputs.build_step_num }}:1" COUNT_CLEAN=$(echo $COUNT | xargs) From 19b15ac685f7f6c993c554826523234dc1455039 Mon Sep 17 00:00:00 2001 From: "Christian A. Ehrhardt" Date: Wed, 26 Nov 2025 20:15:25 +0100 Subject: [PATCH 3/6] ci: Actually use ccache When building the kernel setup "CC" to actually use ccache. The inherited ccache action should ensure that the cache survives between ci runs. 
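Review bot: The parallelism in the new clang-tidy step is inverted: `xargs -n $(nproc) -P 12` hands each clang-tidy invocation nproc files and always runs 12 invocations concurrently regardless of the runner's core count, which oversubscribes a small runner and under-uses a large one; the usual shape is `xargs -n 8 -P "$(nproc)" -- /usr/lib/llvm-cheri/bin/clang-tidy ...`. The file list is scraped from compile_commands.json with a grep/sed regex that mis-splits on any path containing spaces or JSON escapes; a `python3 -c` one-liner over `json.load(open("build/compile_commands.json"))` printing each `file` entry needs nothing extra in the image and is robust. Smaller points: `egrep` is deprecated in favour of `grep -E`, and `false # Fail` is clearer as `exit 1`.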
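Review bot: `COUNT=$(grep -c -i "warning:" build.log tidy.log || true)` no longer yields a number: with two input files grep prefixes each count with its filename, so COUNT becomes two lines like `build.log:3` and `tidy.log:0`, and the `COUNT_CLEAN` handling that follows (partly outside this hunk) receives a string rather than an integer. Feed grep a single stream instead: `COUNT=$(cat build.log tidy.log | grep -c -i "warning:" || true)`. The `touch tidy.log` guard is needed because the tidy step only runs for llvm-cheri; a comment such as `# tidy.log only exists for the llvm-cheri job; create it so the greps below work everywhere` would save the next reader the lookup.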
Signed-off-by: Christian A. Ehrhardt --- .github/workflows/build.yml | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 1426994c6480b6..ff0576f2a020cb 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -74,7 +74,7 @@ jobs: shell: bash run: | sudo apt-get update - packages=(build-essential bc bison flex libelf-dev libssl-dev) + packages=(build-essential bc bison flex libelf-dev libssl-dev ccache) if [[ "${{ matrix.compiler }}" == llvm* ]]; then VER=${{ matrix.compiler }} VER=${VER#llvm-} @@ -137,8 +137,8 @@ jobs: # Set pipefail to fail if make fails, otherwise any error is squashed set -o pipefail ARGS="" - LLVM_DIR= TARGETS="all" + CCACHE="" if [ "${{ matrix.arch }}" = "aarch64" ]; then ARGS="$ARGS ARCH=arm64" CROSS="aarch64-linux-gnu-" @@ -154,15 +154,21 @@ jobs: if [[ "${{ matrix.compiler }}" == "llvm-morello" ]]; then # The docker image does not have gcc installed, use Morello clang as the host compiler. - ARGS="$ARGS LLVM=$(dirname $(which clang))/ HOSTCC=clang HOSTCXX=clang++" + + LLVM="$(dirname $(which clang))" + CCACHE="ccache $LLVM/clang" + ARGS="$ARGS LLVM=$LLVM/ HOSTCC=clang HOSTCXX=clang++" elif [[ "${{ matrix.compiler }}" == llvm* ]]; then - ARGS="$ARGS LLVM=/usr/lib/${{ matrix.compiler }}/bin/ CROSS_COMPILE=$CROSS" + LLVM=/usr/lib/${{ matrix.compiler }}/bin + CCACHE="ccache $LLVM/clang" + ARGS="$ARGS LLVM=$LLVM/ CROSS_COMPILE=$CROSS" else ARGS="$ARGS CROSS_COMPILE=$CROSS" + CCACHE="ccache ${CROSS}gcc" fi make $ARGS O=build ${{ matrix.config }} # Pipe output to tee so we can see it and save it for counting warnings - make $ARGS O=build -j$(nproc) ${TARGETS} 2>&1 | tee build.log + make $ARGS CC="$CCACHE" O=build -j$(nproc) ${TARGETS} 2>&1 | tee build.log - name: Run clang-tidy if: matrix.compiler == 'llvm-cheri' From e4c4e5e6ce30595b477d42f8a62ef8a1de480a8a Mon Sep 17 00:00:00 2001 
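Review bot: Passing `CC="$CCACHE"` changes what kbuild records in compile_commands.json, which the clang-tidy step added earlier in this series consumes for the riscv64cheri job: the recorded command now begins with `ccache /usr/lib/llvm-cheri/bin/clang ...`, and clang tooling treats the first token as the driver and the remainder as driver arguments, so the absolute clang path is likely to be parsed as a stray input file (inferred from kbuild's gen_compile_commands behaviour and clang tooling conventions, not verified against the CHERI clang-tidy — please check the tidy job's output). If it does break, the usual fix is to put ccache's masquerade symlink directory on PATH, or to leave `CC` unwrapped for that job, rather than using a two-word CC. Either way a comment such as `# CC is wrapped in ccache; LLVM=/CROSS_COMPILE= still select LD/AR/etc. and the target` would explain why both `LLVM=` and `CC=` are passed to make.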
From: "Christian A. Ehrhardt" Date: Wed, 26 Nov 2025 23:19:35 +0100 Subject: [PATCH 4/6] ci: Increase ccache size Increase the size limit of ccache to 2G. Otherwise the larger compiles will not take advantage of the cache. Signed-off-by: Christian A. Ehrhardt --- .github/workflows/build.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ff0576f2a020cb..147865318b8068 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -127,6 +127,7 @@ jobs: uses: hendrikmuhs/ccache-action@v1.2 with: key: kbuild-${{ matrix.arch }}-${{ matrix.compiler }} + max-size: 2G - name: Build Kernel shell: bash From 6786c26a2bac818d00eb3621023712901d387ae8 Mon Sep 17 00:00:00 2001 From: "Christian A. Ehrhardt" Date: Wed, 26 Nov 2025 22:17:05 +0100 Subject: [PATCH 5/6] ci: Add one 32-bit build (i386) Add a 32-bit build. This catches issues with u64 casts to pointers. Signed-off-by: Christian A. Ehrhardt --- .github/workflows/build.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 147865318b8068..5918777c60a7f7 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -53,6 +53,10 @@ jobs: config: qemu_riscv64cheripc_defconfig container: docker.io/chrehrhardt/riscvcheri-ubuntu-llvm18:latest install_compiler: false + - arch: x86_32 + compiler: gcc + config: i386_defconfig + install_compiler: true steps: # Install node.js in the docker container to allow testing this action with `gh act` locally. # This is not needed in real GitHub action runs, so limit this to env.ACT being set. From af362386fcf66f0faf6f472a5077cf42f95c0ebd Mon Sep 17 00:00:00 2001 
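Review bot: The new x86_32 entry has no matching branch in the Build Kernel step's arch chain (which only knows aarch64, riscv64, morello and riscv64cheri), so it runs with no `ARCH=` and an empty `CROSS`, and it only yields a 32-bit kernel because the runner happens to be x86_64 and kbuild's SUBARCH detection picks x86 while `i386_defconfig` selects CONFIG_X86_32. Make the intent explicit and host-independent by adding `elif [ "${{ matrix.arch }}" = "x86_32" ]; then` / `ARGS="$ARGS ARCH=i386"` to that chain. The gcc install branch is outside the visible hunks; confirm it does not try to install a `gcc-x86_32-linux-gnu` cross package for this entry, and note that `CCACHE="ccache ${CROSS}gcc"` then resolves to the host `gcc`, which is presumably intended.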
From: "Christian A. Ehrhardt" Date: Thu, 27 Nov 2025 07:52:47 +0100 Subject: [PATCH 6/6] ci: Remove comments on pull requests Remove the steps that add comments with warnings etc. to pull request. These require write access to the repo and the current configuration does not permit this. Signed-off-by: Christian A. Ehrhardt --- .github/workflows/build.yml | 62 +------------------------------------ 1 file changed, 1 insertion(+), 61 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 5918777c60a7f7..952cba7caa9a1b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -13,22 +13,8 @@ permissions: actions: read jobs: - init-comment: - if: github.event_name == 'pull_request' - runs-on: ubuntu-latest - steps: - - uses: marocchino/sticky-pull-request-comment@v2 - with: - header: kernel-warnings - message: | - ### 🚀 Kernel Build Started - _Builds are running... detailed status below:_ - | Job | Status | - | :--- | :--- | - build: - needs: init-comment - if: always() && (needs.init-comment.result == 'success' || needs.init-comment.result == 'skipped') + if: always() name: Build ${{ matrix.arch }} ${{ matrix.compiler }} ${{ matrix.config }} runs-on: ubuntu-latest container: @@ -119,14 +105,6 @@ jobs: echo "url=$JOB_URL" >> "$GITHUB_OUTPUT" echo "build_step_num=$BUILD_STEP_NUM" >> "$GITHUB_OUTPUT" - - name: Notify Job Start - if: github.event_name == 'pull_request' - uses: marocchino/sticky-pull-request-comment@v2 - with: - header: kernel-warnings - append: true - message: "| ${{ matrix.arch }} ${{ matrix.compiler }} | ⏳ [In Progress](${{ steps.job-link.outputs.url }}) |" - - name: Setup Ccache uses: hendrikmuhs/ccache-action@v1.2 with: 
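Review bot: With `needs: init-comment` removed, the job-level `if: always()` kept on `build` no longer gates anything and reads as though the job still depends on a prior result; drop it so the job is just `build:` followed by its `name:` line. Removing the commenting steps is the right least-privilege outcome — the workflow now keeps only `actions: read` (visible at the top of this hunk) and no step needs `pull-requests: write` — and a comment above `permissions:` such as `# Token stays read-only; PR comment steps were removed because this repo's configuration does not grant write access` would stop a future contributor from re-adding one. The Process Logs step still exports `GH_TOKEN` (seen in an earlier hunk of this series); it is worth checking whether anything left still calls gh with it, and dropping it if not.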
@@ -229,41 +207,3 @@ jobs: name: warnings-${{ matrix.arch }}-${{ matrix.compiler }}-${{ matrix.config }} path: "warnings-${{ matrix.arch }}-${{ matrix.compiler }}.txt" - report-warnings: - needs: build - if: always() && github.event_name == 'pull_request' - runs-on: ubuntu-latest - permissions: - pull-requests: write - steps: - - name: Download Warning Artifacts - uses: actions/download-artifact@v4 - with: - pattern: warnings-* - merge-multiple: true - path: warnings - - - name: Generate Summary Markdown - run: | - echo "### 🛡️ Kernel Build Warnings Report" > comment.md - echo "" >> comment.md - echo "| Arch | Compiler | Warnings | Status |" >> comment.md - echo "| :--- | :--- | :---: | :---: |" >> comment.md - # Sort by Arch (col 2), then Compiler Version (col 3) - # -k 2,2b : sort 2nd column, ignore leading whitespace - # -k 3,3Vb: sort 3rd column, Version sort, ignore whitespace - cat warnings/*.txt | sort -t '|' -k 2,2b -k 3,3Vb >> comment.md - if grep -q "❌" warnings/*.txt; then - echo "" >> comment.md - echo "❌ **One or more builds failed.**" >> comment.md - fi - # Use awk to find '[**NUMBER**]' and sum up the values (m[1]) - TOTAL=$(awk -F'|' 'match($4, /\[\*\*([0-9]+)\*\*\]/, m) { sum += m[1] } END { print sum+0 }' warnings/*.txt) - echo "" >> comment.md - echo "**Total Warnings: $TOTAL**" >> comment.md - - - name: Post Sticky Comment - uses: marocchino/sticky-pull-request-comment@v2 - with: - header: kernel-warnings - path: comment.md