diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
index 820377401..ca3762a88 100644
--- a/.github/workflows/build-and-test.yml
+++ b/.github/workflows/build-and-test.yml
@@ -110,6 +110,16 @@ jobs:
 should_deploy: ${{ steps.check.outputs.should_deploy }}
 deployment_type: ${{ steps.check.outputs.deployment_type }}
 steps:
+ # TODO: remove once GitHub runner images ship the CVE-2026-31431 kernel fix
+ - name: Workaround CVE-2026-31431 (copy.fail)
+ run: |
+ echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif-aead.conf
+ if lsmod | grep -q algif_aead; then
+ sudo rmmod algif_aead || echo "WARNING: rmmod failed - module may be in use"
+ elif modinfo algif_aead 2>/dev/null | grep -q builtin; then
+ echo "WARNING: algif_aead built-in - modprobe.d blacklist has no effect"
+ fi
+
 - name: Check PR labels and determine deployment type
 id: check
 env:
diff --git a/.github/workflows/check-rust-stable-version.yml b/.github/workflows/check-rust-stable-version.yml
index 9c3f70b8c..87c225b8d 100644
--- a/.github/workflows/check-rust-stable-version.yml
+++ b/.github/workflows/check-rust-stable-version.yml
@@ -12,6 +12,16 @@ jobs:
 name: check-rust-stable-version/check
 runs-on: ubuntu-latest
 steps:
+ # TODO: remove once GitHub runner images ship the CVE-2026-31431 kernel fix
+ - name: Workaround CVE-2026-31431 (copy.fail)
+ run: |
+ echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif-aead.conf
+ if lsmod | grep -q algif_aead; then
+ sudo rmmod algif_aead || echo "WARNING: rmmod failed - module may be in use"
+ elif modinfo algif_aead 2>/dev/null | grep -q builtin; then
+ echo "WARNING: algif_aead built-in - modprobe.d blacklist has no effect"
+ fi
+
 - name: Checkout Project
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
diff --git a/.github/workflows/ci_lint.yml b/.github/workflows/ci_lint.yml
index 06f5208bc..89860a449 100644
--- a/.github/workflows/ci_lint.yml
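Review bot: In .github/workflows/build-and-test.yml the added step fails open: when `rmmod` fails or the module is built in, it prints a plain `WARNING:` line and exits 0, so the job carries on with `algif_aead` still available and the only trace is in the raw log. At minimum the two messages should be workflow annotations, e.g. `echo "::warning::algif_aead could not be unloaded - CVE-2026-31431 workaround not effective"`. For jobs that presumably hold publishing or signing credentials (the same step is added to npm-release.yml, release.yml, helm-release.yml and the sign-image job in common-nitro-enclave.yml) an `exit 1` after the message is worth considering. The step is repeated unchanged in every other hunk of this diff, so the point applies to all of them.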
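Review bot: The TODO above the step in .github/workflows/check-rust-stable-version.yml gives no way to find every copy or to tell when its condition is met, and this diff pastes the same ten lines into each job it touches. A tracking reference in the comment, e.g. `# TODO(<tracking-issue>): remove once GitHub runner images ship the CVE-2026-31431 kernel fix`, would turn the later cleanup into a single grep. Moving the script into a local composite action would cut the duplication, but such an action is only usable after checkout, so the step would run later than it does here; if the inline copies stay for that reason, the comment should say so.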
+++ b/.github/workflows/ci_lint.yml
@@ -22,6 +22,16 @@ jobs:
 name: ci_lint/lint-check (bpr)
 runs-on: ubuntu-latest
 steps:
+ # TODO: remove once GitHub runner images ship the CVE-2026-31431 kernel fix
+ - name: Workaround CVE-2026-31431 (copy.fail)
+ run: |
+ echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif-aead.conf
+ if lsmod | grep -q algif_aead; then
+ sudo rmmod algif_aead || echo "WARNING: rmmod failed - module may be in use"
+ elif modinfo algif_aead 2>/dev/null | grep -q builtin; then
+ echo "WARNING: algif_aead built-in - modprobe.d blacklist has no effect"
+ fi
+
 - name: Checkout project
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
@@ -45,6 +55,16 @@ jobs:
 contents: read # Required to checkout repository code
 runs-on: ubuntu-latest
 steps:
+ # TODO: remove once GitHub runner images ship the CVE-2026-31431 kernel fix
+ - name: Workaround CVE-2026-31431 (copy.fail)
+ run: |
+ echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif-aead.conf
+ if lsmod | grep -q algif_aead; then
+ sudo rmmod algif_aead || echo "WARNING: rmmod failed - module may be in use"
+ elif modinfo algif_aead 2>/dev/null | grep -q builtin; then
+ echo "WARNING: algif_aead built-in - modprobe.d blacklist has no effect"
+ fi
+
 - name: Checkout project
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 6dfca11df..a5aac9dc3 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -52,6 +52,16 @@ jobs:
 # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
 # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
 steps:
+ # TODO: remove once GitHub runner images ship the CVE-2026-31431 kernel fix
+ - name: Workaround CVE-2026-31431 (copy.fail)
+ run: |
+ echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif-aead.conf
+ if lsmod | grep -q algif_aead; then
+ sudo rmmod algif_aead || echo "WARNING: rmmod failed - module may be in use"
+ elif modinfo algif_aead 2>/dev/null | grep -q builtin; then
+ echo "WARNING: algif_aead built-in - modprobe.d blacklist has no effect"
+ fi
+
 - name: Checkout repository
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
diff --git a/.github/workflows/common-nitro-enclave.yml b/.github/workflows/common-nitro-enclave.yml
index 0ca75c86e..91b5a0c96 100644
--- a/.github/workflows/common-nitro-enclave.yml
+++ b/.github/workflows/common-nitro-enclave.yml
@@ -68,6 +68,16 @@ jobs:
 outputs:
 docker_tag: ${{ steps.set-tag.outputs.tag }}
 steps:
+ # TODO: remove once GitHub runner images ship the CVE-2026-31431 kernel fix
+ - name: Workaround CVE-2026-31431 (copy.fail)
+ run: |
+ echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif-aead.conf
+ if lsmod | grep -q algif_aead; then
+ sudo rmmod algif_aead || echo "WARNING: rmmod failed - module may be in use"
+ elif modinfo algif_aead 2>/dev/null | grep -q builtin; then
+ echo "WARNING: algif_aead built-in - modprobe.d blacklist has no effect"
+ fi
+
 - name: Checkout Project
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
@@ -104,6 +114,16 @@ jobs:
 name: common-nitro-enclave/build-and-push-enclave
 runs-on: 'ubuntu-latest'
 steps:
+ # TODO: remove once GitHub runner images ship the CVE-2026-31431 kernel fix
+ - name: Workaround CVE-2026-31431 (copy.fail)
+ run: |
+ echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif-aead.conf
+ if lsmod | grep -q algif_aead; then
+ sudo rmmod algif_aead || echo "WARNING: rmmod failed - module may be in use"
+ elif modinfo algif_aead 2>/dev/null | grep -q builtin; then
+ echo "WARNING: algif_aead built-in - modprobe.d blacklist has no effect"
+ fi
+
 - name: Checkout Project
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
@@ -258,6 +278,16 @@ jobs:
 name: common-nitro-enclave/sign-image
 runs-on: 'ubuntu-latest'
 steps:
+ # TODO: remove once GitHub runner images ship the CVE-2026-31431 kernel fix
+ - name: Workaround CVE-2026-31431 (copy.fail)
+ run: |
+ echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif-aead.conf
+ if lsmod | grep -q algif_aead; then
+ sudo rmmod algif_aead || echo "WARNING: rmmod failed - module may be in use"
+ elif modinfo algif_aead 2>/dev/null | grep -q builtin; then
+ echo "WARNING: algif_aead built-in - modprobe.d blacklist has no effect"
+ fi
+
 # docker-login below is a local composite action under .github/actions/,
 # so the repo must be on disk before it is referenced.
 - name: Checkout Project
diff --git a/.github/workflows/common-release-workspace-cargo.yml b/.github/workflows/common-release-workspace-cargo.yml
index 6f4a5b600..65d367508 100644
--- a/.github/workflows/common-release-workspace-cargo.yml
+++ b/.github/workflows/common-release-workspace-cargo.yml
@@ -17,6 +17,16 @@ jobs:
 name: common-release-workspace-cargo/cargo-workspaces-release
 runs-on: ubuntu-latest
 steps:
+ # TODO: remove once GitHub runner images ship the CVE-2026-31431 kernel fix
+ - name: Workaround CVE-2026-31431 (copy.fail)
+ run: |
+ echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif-aead.conf
+ if lsmod | grep -q algif_aead; then
+ sudo rmmod algif_aead || echo "WARNING: rmmod failed - module may be in use"
+ elif modinfo algif_aead 2>/dev/null | grep -q builtin; then
+ echo "WARNING: algif_aead built-in - modprobe.d blacklist has no effect"
+ fi
+
 - name: Checkout Project
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
diff --git a/.github/workflows/common-update-argocd.yml b/.github/workflows/common-update-argocd.yml
index 084558bb8..f0e3962df 100644
--- a/.github/workflows/common-update-argocd.yml
+++ b/.github/workflows/common-update-argocd.yml
@@ -42,6 +42,16 @@ jobs:
 name: common-update-argocd/update-argocd-image-tag
 runs-on: ubuntu-latest
 steps:
+ # TODO: remove once GitHub runner images ship the CVE-2026-31431 kernel fix
+ - name: Workaround CVE-2026-31431 (copy.fail)
+ run: |
+ echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif-aead.conf
+ if lsmod | grep -q algif_aead; then
+ sudo rmmod algif_aead || echo "WARNING: rmmod failed - module may be in use"
+ elif modinfo algif_aead 2>/dev/null | grep -q builtin; then
+ echo "WARNING: algif_aead built-in - modprobe.d blacklist has no effect"
+ fi
+
 - name: Checkout Project
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
diff --git a/.github/workflows/dependencies_analysis.yml b/.github/workflows/dependencies_analysis.yml
index ec6f6405c..db19fadfb 100644
--- a/.github/workflows/dependencies_analysis.yml
+++ b/.github/workflows/dependencies_analysis.yml
@@ -21,6 +21,16 @@ jobs:
 name: dependencies_analysis/dependencies-check (bpr)
 runs-on: ubuntu-latest
 steps:
+ # TODO: remove once GitHub runner images ship the CVE-2026-31431 kernel fix
+ - name: Workaround CVE-2026-31431 (copy.fail)
+ run: |
+ echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif-aead.conf
+ if lsmod | grep -q algif_aead; then
+ sudo rmmod algif_aead || echo "WARNING: rmmod failed - module may be in use"
+ elif modinfo algif_aead 2>/dev/null | grep -q builtin; then
+ echo "WARNING: algif_aead built-in - modprobe.d blacklist has no effect"
+ fi
+
 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
 persist-credentials: false
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index dd0e85114..3afd13d0f 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -100,6 +100,16 @@ jobs:
 golden_tag: ${{ steps.compute.outputs.golden_tag }}
 cache_hit: ${{ steps.lookup.outputs.cache_hit }}
 steps:
+ # TODO: remove once GitHub runner images ship the CVE-2026-31431 kernel fix
+ - name: Workaround CVE-2026-31431 (copy.fail)
+ run: |
+ echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif-aead.conf
+ if lsmod | grep -q algif_aead; then
+ sudo rmmod algif_aead || echo "WARNING: rmmod failed - module may be in use"
+ elif modinfo algif_aead 2>/dev/null | grep -q builtin; then
+ echo "WARNING: algif_aead built-in - modprobe.d blacklist has no effect"
+ fi
+
 - name: Checkout
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
@@ -229,6 +239,16 @@ jobs: permissions: packages: write # Required to update the latest tag in GHCR steps: + # TODO: remove once GitHub runner images ship the CVE-2026-31431 kernel fix + - name: Workaround CVE-2026-31431 (copy.fail) + run: | + echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif-aead.conf + if lsmod | grep -q algif_aead; then + sudo rmmod algif_aead || echo "WARNING: rmmod failed - module may be in use" + elif modinfo algif_aead 2>/dev/null | grep -q builtin; then + echo "WARNING: algif_aead built-in - modprobe.d blacklist has no effect" + fi + - name: Login to GitHub Container Registry uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 with: diff --git a/.github/workflows/docker-check-build.yml b/.github/workflows/docker-check-build.yml index 7ac1f3221..670f3ec81 100644 --- a/.github/workflows/docker-check-build.yml +++ b/.github/workflows/docker-check-build.yml @@ -24,6 +24,16 @@ jobs: - 'docker/core-client/Dockerfile' steps: + # TODO: remove once GitHub runner images ship the CVE-2026-31431 kernel fix + - name: Workaround CVE-2026-31431 (copy.fail) + run: | + echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif-aead.conf + if lsmod | grep -q algif_aead; then + sudo rmmod algif_aead || echo "WARNING: rmmod failed - module may be in use" + elif modinfo algif_aead 2>/dev/null | grep -q builtin; then + echo "WARNING: algif_aead built-in - modprobe.d blacklist has no effect" + fi + - name: Checkout code uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: diff --git a/.github/workflows/docker-scan.yml b/.github/workflows/docker-scan.yml index 06fafa71c..1cbfb54f8 100644 --- a/.github/workflows/docker-scan.yml +++ b/.github/workflows/docker-scan.yml 
@@ -19,6 +19,16 @@ jobs:
 changed-dockerfile: ${{ steps.filter.outputs.dockerfile_files }}
 changed: ${{ steps.filter.outputs.dockerfile }}
 steps:
+ # TODO: remove once GitHub runner images ship the CVE-2026-31431 kernel fix
+ - name: Workaround CVE-2026-31431 (copy.fail)
+ run: |
+ echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif-aead.conf
+ if lsmod | grep -q algif_aead; then
+ sudo rmmod algif_aead || echo "WARNING: rmmod failed - module may be in use"
+ elif modinfo algif_aead 2>/dev/null | grep -q builtin; then
+ echo "WARNING: algif_aead built-in - modprobe.d blacklist has no effect"
+ fi
+
 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
 persist-credentials: true
@@ -45,6 +55,16 @@ jobs:
 matrix:
 dockerfile: ${{fromJson(needs.check-changes.outputs.changed-dockerfile)}}
 steps:
+ # TODO: remove once GitHub runner images ship the CVE-2026-31431 kernel fix
+ - name: Workaround CVE-2026-31431 (copy.fail)
+ run: |
+ echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif-aead.conf
+ if lsmod | grep -q algif_aead; then
+ sudo rmmod algif_aead || echo "WARNING: rmmod failed - module may be in use"
+ elif modinfo algif_aead 2>/dev/null | grep -q builtin; then
+ echo "WARNING: algif_aead built-in - modprobe.d blacklist has no effect"
+ fi
+
 - name: Checkout code
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
diff --git a/.github/workflows/helm-lint.yml b/.github/workflows/helm-lint.yml
index f5904b95d..a4ec7a0bd 100644
--- a/.github/workflows/helm-lint.yml
+++ b/.github/workflows/helm-lint.yml
@@ -11,6 +11,16 @@ jobs:
 name: helm-lint/lint (bpr)
 runs-on: 'ubuntu-latest'
 steps:
+ # TODO: remove once GitHub runner images ship the CVE-2026-31431 kernel fix
+ - name: Workaround CVE-2026-31431 (copy.fail)
+ run: |
+ echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif-aead.conf
+ if lsmod | grep -q algif_aead; then
+ sudo rmmod algif_aead || echo "WARNING: rmmod failed - module may be in use"
+ elif modinfo algif_aead 2>/dev/null | grep -q builtin; then
+ echo "WARNING: algif_aead built-in - modprobe.d blacklist has no effect"
+ fi
+
 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
 persist-credentials: false
diff --git a/.github/workflows/helm-release.yml b/.github/workflows/helm-release.yml
index 621983ba5..cae82de97 100644
--- a/.github/workflows/helm-release.yml
+++ b/.github/workflows/helm-release.yml
@@ -21,6 +21,16 @@ jobs:
 runs-on: ubuntu-latest
 environment: main
 steps:
+ # TODO: remove once GitHub runner images ship the CVE-2026-31431 kernel fix
+ - name: Workaround CVE-2026-31431 (copy.fail)
+ run: |
+ echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif-aead.conf
+ if lsmod | grep -q algif_aead; then
+ sudo rmmod algif_aead || echo "WARNING: rmmod failed - module may be in use"
+ elif modinfo algif_aead 2>/dev/null | grep -q builtin; then
+ echo "WARNING: algif_aead built-in - modprobe.d blacklist has no effect"
+ fi
+
 - name: Checkout
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
diff --git a/.github/workflows/helm-test.yml b/.github/workflows/helm-test.yml
index 47d112d0f..f5a89bb24 100644
--- a/.github/workflows/helm-test.yml
+++ b/.github/workflows/helm-test.yml
@@ -14,6 +14,16 @@ jobs:
 name: helm-test/helm-test (bpr)
 runs-on: ubuntu-latest
 steps:
+ # TODO: remove once GitHub runner images ship the CVE-2026-31431 kernel fix
+ - name: Workaround CVE-2026-31431 (copy.fail)
+ run: |
+ echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif-aead.conf
+ if lsmod | grep -q algif_aead; then
+ sudo rmmod algif_aead || echo "WARNING: rmmod failed - module may be in use"
+ elif modinfo algif_aead 2>/dev/null | grep -q builtin; then
+ echo "WARNING: algif_aead built-in - modprobe.d blacklist has no effect"
+ fi
+
 - name: Checkout
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
diff --git a/.github/workflows/kind-testing.yml b/.github/workflows/kind-testing.yml
index 169c9c8c1..148d11c1d 100644
--- a/.github/workflows/kind-testing.yml
+++ b/.github/workflows/kind-testing.yml
@@ -400,6 +400,16 @@ jobs:
 permissions:
 packages: write # Required to delete GitHub packages/container registry
 steps:
+ # TODO: remove once GitHub runner images ship the CVE-2026-31431 kernel fix
+ - name: Workaround CVE-2026-31431 (copy.fail)
+ run: |
+ echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif-aead.conf
+ if lsmod | grep -q algif_aead; then
+ sudo rmmod algif_aead || echo "WARNING: rmmod failed - module may be in use"
+ elif modinfo algif_aead 2>/dev/null | grep -q builtin; then
+ echo "WARNING: algif_aead built-in - modprobe.d blacklist has no effect"
+ fi
+
 - name: Clean up build
 env:
 GH_TOKEN: ${{ github.token }}
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index a65f21890..723e369c8 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -52,6 +52,16 @@ jobs:
 changes-docs: ${{ steps.filter.outputs.docs }}
 changes-helm-chart: ${{ steps.filter.outputs.helm-chart }}
 steps:
+ # TODO: remove once GitHub runner images ship the CVE-2026-31431 kernel fix
+ - name: Workaround CVE-2026-31431 (copy.fail)
+ run: |
+ echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif-aead.conf
+ if lsmod | grep -q algif_aead; then
+ sudo rmmod algif_aead || echo "WARNING: rmmod failed - module may be in use"
+ elif modinfo algif_aead 2>/dev/null | grep -q builtin; then
+ echo "WARNING: algif_aead built-in - modprobe.d blacklist has no effect"
+ fi
+
 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
 persist-credentials: true
@@ -215,6 +225,16 @@ jobs:
 container:
 image: python:3.10.17-bullseye@sha256:0b9be13617fed7d883b30e31a47371a8bdd60a4bb5e45fcda63cb4a3846f6d98
 steps:
+ # TODO: remove once GitHub runner images ship the CVE-2026-31431 kernel fix
+ - name: Workaround CVE-2026-31431 (copy.fail)
+ run: |
+ echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif-aead.conf
+ if lsmod | grep -q algif_aead; then
+ sudo rmmod algif_aead || echo "WARNING: rmmod failed - module may be in use"
+ elif modinfo algif_aead 2>/dev/null | grep -q builtin; then
+ echo "WARNING: algif_aead built-in - modprobe.d blacklist has no effect"
+ fi
+
 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
 persist-credentials: false
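Review bot: The job patched at `@@ -215` in .github/workflows/main.yml declares `container: image: python:3.10.17-bullseye`, so this step executes inside that container rather than on the runner host. The image likely has no `sudo` and no kmod tools (`lsmod`, `modinfo`, `rmmod`) — confirm against the image — in which case `echo … | sudo tee …` ends with a non-zero status and fails the job. Even where it succeeds, a file under the container's /etc/modprobe.d is not the one the host's module loader reads, so the step reports a mitigation it has not applied. I would drop the step from this job and leave a comment instead, such as `# CVE-2026-31431 workaround not applied: container job, host modules cannot be managed from here`.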
@@ -245,6 +265,16 @@ jobs:
 outputs:
 matrix: ${{ steps.set-matrix.outputs.matrix }}
 steps:
+ # TODO: remove once GitHub runner images ship the CVE-2026-31431 kernel fix
+ - name: Workaround CVE-2026-31431 (copy.fail)
+ run: |
+ echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif-aead.conf
+ if lsmod | grep -q algif_aead; then
+ sudo rmmod algif_aead || echo "WARNING: rmmod failed - module may be in use"
+ elif modinfo algif_aead 2>/dev/null | grep -q builtin; then
+ echo "WARNING: algif_aead built-in - modprobe.d blacklist has no effect"
+ fi
+
 # PR matrix has two disjoint entries:
 # threshold : threshold-named tests (skip full_gen_tests, nightly,
 # k8s_, centralized, isolated_test_example, and the
@@ -520,6 +550,16 @@ jobs:
 env:
 EVENT_NAME: ${{ github.event_name }}
 steps:
+ # TODO: remove once GitHub runner images ship the CVE-2026-31431 kernel fix
+ - name: Workaround CVE-2026-31431 (copy.fail)
+ run: |
+ echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif-aead.conf
+ if lsmod | grep -q algif_aead; then
+ sudo rmmod algif_aead || echo "WARNING: rmmod failed - module may be in use"
+ elif modinfo algif_aead 2>/dev/null | grep -q builtin; then
+ echo "WARNING: algif_aead built-in - modprobe.d blacklist has no effect"
+ fi
+
 # TODO(dp): this is very problematic. We can't live with this manual feature-juggling
 # long-term. We need a cleaner split that is maintainable long term. The below split
 # is the outcome of custom-tooling running `cargo nextest list` for all jobs in the pipeline
diff --git a/.github/workflows/npm-release.yml b/.github/workflows/npm-release.yml
index 1435206c8..d7f69148e 100644
--- a/.github/workflows/npm-release.yml
+++ b/.github/workflows/npm-release.yml
@@ -20,6 +20,16 @@ jobs:
 contents: read # Required to checkout repository code
 id-token: write # "write" access to the "id-token" to access the container registry
 steps:
+ # TODO: remove once GitHub runner images ship the CVE-2026-31431 kernel fix
+ - name: Workaround CVE-2026-31431 (copy.fail)
+ run: |
+ echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif-aead.conf
+ if lsmod | grep -q algif_aead; then
+ sudo rmmod algif_aead || echo "WARNING: rmmod failed - module may be in use"
+ elif modinfo algif_aead 2>/dev/null | grep -q builtin; then
+ echo "WARNING: algif_aead built-in - modprobe.d blacklist has no effect"
+ fi
+
 - name: Checkout Project
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 529b076fb..a8fdd5f2d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -19,6 +19,16 @@ jobs:
 outputs:
 version: ${{ steps.sem-release.outputs.new_release_version }}
 steps:
+ # TODO: remove once GitHub runner images ship the CVE-2026-31431 kernel fix
+ - name: Workaround CVE-2026-31431 (copy.fail)
+ run: |
+ echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif-aead.conf
+ if lsmod | grep -q algif_aead; then
+ sudo rmmod algif_aead || echo "WARNING: rmmod failed - module may be in use"
+ elif modinfo algif_aead 2>/dev/null | grep -q builtin; then
+ echo "WARNING: algif_aead built-in - modprobe.d blacklist has no effect"
+ fi
+
 - name: Checkout
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
diff --git a/.github/workflows/sync-on-push.yml b/.github/workflows/sync-on-push.yml
index ef1cb5a70..dde534453 100644
--- a/.github/workflows/sync-on-push.yml
+++ b/.github/workflows/sync-on-push.yml
@@ -15,6 +15,16 @@ jobs: if: ${{ github.repository == 'zama-ai/kms' }} runs-on: ubuntu-latest steps: + # TODO: remove once GitHub runner images ship the CVE-2026-31431 kernel fix + - name: Workaround CVE-2026-31431 (copy.fail) + run: | + echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif-aead.conf + if lsmod | grep -q algif_aead; then + sudo rmmod algif_aead || echo "WARNING: rmmod failed - module may be in use" + elif modinfo algif_aead 2>/dev/null | grep -q builtin; then + echo "WARNING: algif_aead built-in - modprobe.d blacklist has no effect" + fi + - name: git-sync env: SOURCE_REPO: "zama-ai/kms" diff --git a/.github/workflows/test-reporter.yml b/.github/workflows/test-reporter.yml index 799c70c07..fee49f92e 100644 --- a/.github/workflows/test-reporter.yml +++ b/.github/workflows/test-reporter.yml @@ -32,6 +32,16 @@ jobs: if: ${{ !cancelled() }} steps: + # TODO: remove once GitHub runner images ship the CVE-2026-31431 kernel fix + - name: Workaround CVE-2026-31431 (copy.fail) + run: | + echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif-aead.conf + if lsmod | grep -q algif_aead; then + sudo rmmod algif_aead || echo "WARNING: rmmod failed - module may be in use" + elif modinfo algif_aead 2>/dev/null | grep -q builtin; then + echo "WARNING: algif_aead built-in - modprobe.d blacklist has no effect" + fi + - name: Checkout Project uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: