erebion/coreboot
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
coreboot/util/release/build-release
Martin Roth 2739c4b773 SBOM: Change makefile to get versions from build.h 
Builds using SBOM were failing in the release because we don't have a
git tree to get information from. We can't assume that the coreboot
source will always be in a git tree, so it needs to be updated. This
updates build.h to contain all the data that the SBOM wants and changes
the SBOM makefile to get its information from build.h which can generate
the required data in a number of different ways.

Change-Id: I59fba349d95cb0dcff7a31d335f4acb4f11c89c7
Signed-off-by: Martin Roth <gaumless@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/88236
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
Reviewed-by: Matt DeVillier <matt.devillier@gmail.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Alicja Michalska <ahplka19@gmail.com>
2025-07-04 13:17:38 +00:00

117 lines
4.1 KiB
Bash
Executable file
Raw Blame History

#!/usr/bin/env bash
# SPDX-License-Identifier: GPL-2.0-only
# ${VERSION_NAME}: new version name
# ${COMMIT_ID}: commit id for new version
# ${USERNAME}: username (if not default to https)
# ${GPG_KEY_ID}: gpg key id (if not don't sign)
VERSION_NAME=$1
COMMIT_ID=$2
USERNAME=$3
GPG_KEY_ID=$4
set -e
TIME_FILE="$(mktemp -d)/.coreboot-time"
COREBOOT_RELEASE_NAME=coreboot-${VERSION_NAME}
COREBOOT_TARBALL="${COREBOOT_RELEASE_NAME}.tar.xz"
COREBOOT_BLOBS_TARBALL="coreboot-blobs-${VERSION_NAME}.tar.xz"
if [ -z "$GPG_TTY" ]; then
GPG_TTY=$(tty)
export GPG_TTY
fi
# set local + tz to be reproducible
LC_ALL=C
LANG=C
TZ=UTC0
export LC_ALL LANG TZ
if [ -z "${VERSION_NAME}" ] || [ "${VERSION_NAME}" = "--help" ] || [ -z "${COMMIT_ID}" ]; then
echo "usage: $0 <version> <commit id> [username] [gpg key id]"
echo "Tags a new coreboot version and creates a tar archive"
echo
echo "version: New version name to tag the tree with"
echo "commit id: check out this commit-id after cloning the coreboot tree"
echo "username: clone the tree using ssh://USERNAME - defaults to https://"
echo "gpg key id: used to tag the version, and generate a gpg signature"
exit 1
fi
pause() {
local text=$1
echo
if [ -n "$text" ]; then
echo "$text"
fi
read -r -p "Press [Enter] key to continue..."
}
# Verify that tar supports --sort
if ! tar --sort=name -cf /dev/null /dev/null 2>/dev/null ; then
echo "Error: The installed version of tar does not support --sort"
echo " GNU tar version 1.28 or greater is required. Exiting."
exit 1
fi
# Clone new copy of repo if needed
if [ ! -d "${COREBOOT_RELEASE_NAME}/.git" ]; then
rm -rf "${COREBOOT_RELEASE_NAME}"
declare -a GIT_REF_OPTS
if [ -d .git ]; then
GIT_REF_OPTS=("--reference" "." "--dissociate")
elif [ -d ../../.git ]; then
GIT_REF_OPTS=("--reference" "../.." "--dissociate")
fi
if [ -n "${USERNAME}" ]; then
git clone "${GIT_REF_OPTS[@]}" "ssh://${USERNAME}@review.coreboot.org:29418/coreboot.git" "${COREBOOT_RELEASE_NAME}" --
else
git clone "${GIT_REF_OPTS[@]}" https://review.coreboot.org/coreboot.git "${COREBOOT_RELEASE_NAME}" --
fi
fi
# Handle everything that needs to be done from inside the new coreboot
# directory. Use requested version, update submodules, and get ready to
# run from outside a git repository, and create a signed tag to push.
(
cd "${COREBOOT_RELEASE_NAME}" || exit 1
git reset --hard "${COMMIT_ID}"
util/crossgcc/buildgcc -W > .crossgcc-version
if [ -n "${GPG_KEY_ID}" ]; then
pause "The next step will need your PGP key's passphrase, so be ready."
git tag -a -s -u "$GPG_KEY_ID" --force "${VERSION_NAME}" -m "coreboot version ${VERSION_NAME}" --
else
git tag -a --force "${VERSION_NAME}" -m "coreboot version ${VERSION_NAME}" --
fi
git submodule update --init --checkout
printf "%s-%s-%s\n" "$VERSION_NAME" "$(git log --pretty=%h -1)" "$(git log --pretty=%t -1)" > .coreboot-version
printf "%s\n" "$(git log --pretty=format:%ci -1)" > "${TIME_FILE}"
)
tstamp=$(cat "${TIME_FILE}" | sed 's/ +0000//')
# Create the two tarballs, source and blobs.
exclude_paths="3rdparty/blobs 3rdparty/fsp 3rdparty/intel-microcode 3rdparty/amd_blobs 3rdparty/qc_blobs"
declare -a blobs_paths
declare -a exclude_opts
for i in ${exclude_paths}; do
blobs_paths+=("${COREBOOT_RELEASE_NAME}/${i}")
exclude_opts+=("--exclude=${COREBOOT_RELEASE_NAME}/${i}")
done
tar --sort=name --mtime="${tstamp}" --owner=coreboot:1000 --group=coreboot:1000 --exclude=*/.git --exclude=*/.gitignore --exclude=*/.gitreview --exclude=*/.mailmap --exclude=*/.gitmodules "${exclude_opts[@]}" -cvf - "${COREBOOT_RELEASE_NAME}" |xz -9 > "${COREBOOT_TARBALL}"
tar --sort=name --mtime="${tstamp}" --owner=coreboot:1000 --group=coreboot:1000 --exclude=*/.git --exclude=*/.gitignore --exclude=*/.gitreview --exclude=*/.mailmap --exclude=*/.gitmodules -cvf - "${blobs_paths[@]}" |xz -9 > "${COREBOOT_BLOBS_TARBALL}"
# Sign the tarballs
if [ -n "${GPG_KEY_ID}" ]; then
gpg --armor --local-user "$GPG_KEY_ID" --output "${COREBOOT_TARBALL}.sig" --detach-sig "${COREBOOT_TARBALL}"
gpg --armor --local-user "$GPG_KEY_ID" --output "${COREBOOT_BLOBS_TARBALL}.sig" --detach-sig "${COREBOOT_BLOBS_TARBALL}"
fi
# Clean up
rm -f "${TIME_FILE}"
Reference in a new issue View git blame Copy permalink