workflows: yocto-build-deploy: add PKI signing key ID #542
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# This is an approximate example of a single Yocto device-type workflow | |
# as it would exist in a device repo. | |
# It will be duplicated across all device repos with only minor changes | |
# to the inputs and the defaults. | |
# TODO: We need a system to keep these inputs aligned across all device repos | |
name: Generic x86_64 (legacy MBR) | |
on: | |
# With these triggers the Yocto jobs will run | |
# in parallel with the Flowzone jobs, which is fine for now | |
# and allows us to better control what we want to test and when. | |
# It is expected that Flowzone could fail, but yocto jobs will run. | |
pull_request: | |
branches: | |
- "main" | |
- "master" | |
pull_request_target: | |
branches: | |
- "main" | |
- "master" | |
# Enable this push trigger on device repos | |
# push: | |
# tags: | |
# - v[0-9]+.[0-9]+.[0-9]+\+?r?e?v?* | |
# - v20[0-9][0-9].[0-1]?[1470].[0-9]+ | |
# Enable this push trigger on device repos | |
# workflow_dispatch: | |
permissions: | |
id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token | |
actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass | |
pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals. | |
packages: read | |
contents: read | |
jobs: | |
yocto: | |
name: Yocto | |
uses: ./.github/workflows/yocto-build-deploy.yml | |
# Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events. | |
# Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork. | |
# This condition will prevent the workflow from running twice for the same pull request while | |
# still allowing it to run for all other event types. | |
# - internal PR (true == true) ok | |
# - internal PRT (true != false) skip | |
# - fork PR (false != true) skip | |
# - fork PRT (false == false) ok | |
# - push (false == false) ok | |
# - workflow_dispatch (false == false) ok | |
# - any trigger other than PR/PRT (false == false) ok | |
if: (github.event.pull_request.head.repo.full_name == github.repository) == (github.event_name == 'pull_request') | |
secrets: inherit | |
with: | |
machine: genericx86-64-ext | |
deploy-environment: balena-staging.com | |
# device-repo and device-repo-ref inputs should not be provided on device repos | |
device-repo: balena-os/balena-intel | |
device-repo-ref: master | |
# Use qemu workers for testing | |
test_matrix: > | |
{ | |
"test_suite": ["os","cloud","hup"], | |
"environment": ["balena-cloud.com"], | |
"worker_type": ["qemu"], | |
"runs_on": [["self-hosted", "X64", "kvm"]] | |
} |