workflows: Create workflow to stale issues based on date

The standard stale/action is intended to be run regularly with
a date offset, but we want to have one we can run against a specific
date in order to run the stale bot against issues created since a particular
release milestone, so calculate the offset in one step and use it in the next.

At the moment we want to run this to stale issues before 9th October 2022 when Kata 3.0 was release, so default to this.

Note the stale action only processes a few issues at a time to avoid rate limiting, so why we want a cron job to it can get through
the backlog, but also to stale/unstale issues that are commented on.

.github/workflows/stale_issues.yaml

@@ -0,0 +1,41 @@
+name: 'Stale issues with activity before a fixed date'
+on:
+  schedule:
+    - cron: '0 0 * * *'
+  workflow_dispatch:
+    inputs:
+      date:
+        description: "Date of stale cut-off. All issues not updated since this date will be marked as stale. Format: YYYY-MM-DD e.g. 2022-10-09"
+        default: "2022-10-09"
+        required: false
+        type: string
+
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  stale:
+    name: stale
+    runs-on: ubuntu-24.04
+    permissions:
+      actions: write # Needed to manage caches for state persistence across runs
+      issues: write # Needed to add/remove labels, post comments, or close issues
+    steps:
+      - name: Calculate the age to stale
+        run: |
+          echo AGE=$(( ( $(date +%s) - $(date -d "${DATE:-2022-10-09}" +%s) ) / 86400 )) >> "$GITHUB_ENV"
+        env:
+          DATE: ${{ inputs.date }}
+
+
+      - name: Run the stale action
+        uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
+        with:
+          stale-pr-message: 'This issue has had no activity for at least ${AGE} days. Please comment on the issue, or it will be closed in 30 days'
+          days-before-pr-stale: -1
+          days-before-pr-close: -1
+          days-before-issue-stale: ${AGE}
+          days-before-issue-close: 30

src/dragonball/dbs_arch/src/x86_64/cpuid/brand_string.rs

@@ -103,7 +103,7 @@ impl BrandString {
     /// of the host CPU.
     fn from_host_cpuid() -> Result<Self, Error> {
         let mut this = Self::new();
-        let mut cpuid_regs = host_cpuid(0x8000_0000);
+        let mut cpuid_regs = unsafe { host_cpuid(0x8000_0000) };
 
         if cpuid_regs.eax < 0x8000_0004 {
             // Brand string not supported by the host CPU
@@ -111,7 +111,7 @@ impl BrandString {
         }
 
         for leaf in 0x8000_0002..=0x8000_0004 {
-            cpuid_regs = host_cpuid(leaf);
+            cpuid_regs = unsafe { host_cpuid(leaf) };
             this.set_reg_for_leaf(leaf, Reg::Eax, cpuid_regs.eax);
             this.set_reg_for_leaf(leaf, Reg::Ebx, cpuid_regs.ebx);
             this.set_reg_for_leaf(leaf, Reg::Ecx, cpuid_regs.ecx);
@@ -393,7 +393,7 @@ mod tests {
         match BrandString::from_host_cpuid() {
             Ok(bstr) => {
                 for leaf in 0x8000_0002..=0x8000_0004_u32 {
-                    let host_regs = host_cpuid(leaf);
+                    let host_regs = unsafe { host_cpuid(leaf) };
                     assert_eq!(bstr.get_reg_for_leaf(leaf, Reg::Eax), host_regs.eax);
                     assert_eq!(bstr.get_reg_for_leaf(leaf, Reg::Ebx), host_regs.ebx);
                     assert_eq!(bstr.get_reg_for_leaf(leaf, Reg::Ecx), host_regs.ecx);
@@ -403,7 +403,7 @@ mod tests {
             Err(Error::NotSupported) => {
                 // from_host_cpuid() should only fail if the host CPU doesn't support
                 // CPUID leaves up to 0x80000004, so let's make sure that's what happened.
-                let host_regs = host_cpuid(0x8000_0000);
+                let host_regs = unsafe { host_cpuid(0x8000_0000) };
                 assert!(host_regs.eax < 0x8000_0004);
             }
             _ => panic!("This function should not return another type of error"),

src/dragonball/dbs_arch/src/x86_64/cpuid/common.rs

@@ -25,7 +25,7 @@ pub fn get_cpuid(function: u32, count: u32) -> Result<CpuidResult, Error> {
     // TODO: replace with validation based on `has_cpuid()` when it becomes stable:
     //  https://doc.rust-lang.org/core/arch/x86/fn.has_cpuid.html
     // this is safe because the host supports the `cpuid` instruction
-    let max_function = __get_cpuid_max(function & leaf_0x80000000::LEAF_NUM).0;
+    let max_function = unsafe { __get_cpuid_max(function & leaf_0x80000000::LEAF_NUM).0 };
     if function > max_function {
         return Err(Error::InvalidParameters(format!(
             "Function not supported: 0x{function:x}",
@@ -33,7 +33,7 @@ pub fn get_cpuid(function: u32, count: u32) -> Result<CpuidResult, Error> {
     }
 
     // this is safe because the host supports the `cpuid` instruction
-    let entry = __cpuid_count(function, count);
+    let entry = unsafe { __cpuid_count(function, count) };
     if entry.eax == 0 && entry.ebx == 0 && entry.ecx == 0 && entry.edx == 0 {
         return Err(Error::InvalidParameters(format!("Invalid count: {count}")));
     }

src/libs/kata-sys-util/src/mount.rs

@@ -225,7 +225,7 @@ pub fn create_mount_destination<S: AsRef<Path>, D: AsRef<Path>, R: AsRef<Path>>(
 /// Caller needs to ensure safety of the `dst` to avoid possible file path based attacks.
 pub fn bind_remount<P: AsRef<Path>>(dst: P, readonly: bool) -> Result<()> {
     let dst = dst.as_ref();
-    if NixPath::is_empty(dst) {
+    if dst.is_empty() {
         return Err(Error::NullMountPointPath);
     }
     let dst = dst
@@ -262,10 +262,10 @@ pub fn bind_mount_unchecked<S: AsRef<Path>, D: AsRef<Path>>(
 
     let src = src.as_ref();
     let dst = dst.as_ref();
-    if NixPath::is_empty(src) {
+    if src.is_empty() {
         return Err(Error::NullMountPointPath);
     }
-    if NixPath::is_empty(dst) {
+    if dst.is_empty() {
         return Err(Error::NullMountPointPath);
     }
     let abs_src = src
@@ -760,7 +760,7 @@ pub fn umount_timeout<P: AsRef<Path>>(path: P, timeout: u64) -> Result<()> {
 /// # Safety
 /// Caller needs to ensure safety of the `path` to avoid possible file path based attacks.
 pub fn umount_all<P: AsRef<Path>>(mountpoint: P, lazy_umount: bool) -> Result<()> {
-    if NixPath::is_empty(mountpoint.as_ref()) || !mountpoint.as_ref().exists() {
+    if mountpoint.as_ref().is_empty() || !mountpoint.as_ref().exists() {
         return Ok(());
     }
 

src/libs/kata-sys-util/src/protection.rs

@@ -126,7 +126,7 @@ pub fn arch_guest_protection(
         // shouldn't hurt to double-check and have better logging if anything
         // goes wrong.
 
-        let fn0 = x86_64::__cpuid(0);
+        let fn0 = unsafe { x86_64::__cpuid(0) };
         // The values in [ ebx, edx, ecx ] spell out "AuthenticAMD" when
         // interpreted byte-wise as ASCII.  No need to bother here with an
         // actual conversion to string though.
@@ -139,7 +139,7 @@ pub fn arch_guest_protection(
         }
 
         // AMD64 Architecture Prgrammer's Manual Fn8000_001f docs on pg. 640
-        let fn8000_001f = x86_64::__cpuid(0x8000_001f);
+        let fn8000_001f = unsafe { x86_64::__cpuid(0x8000_001f) };
         if fn8000_001f.eax & 0x10 == 0 {
             return Err(ProtectionError::CheckFailed("SEV not supported".to_owned()));
         }