yocto-build-deploy.yml

name: "Yocto Build-Test-Deploy"

on:
  workflow_call:
    secrets:
      # BALENA_API_DEPLOY_KEY is a secret that should be specific to the runtime environment
      # It requires permissions to deploy hostApp releases, and fetch supervisor release images (via yocto recipes)
      BALENA_API_DEPLOY_KEY:
        description: balena API key for the deploy environment, used for deploying hostApps and fetching supervisor releases
        required: false
      # BALENA_API_TEST_KEY is a secret that should be specific to the runtime environment
      # It requires permissions to manage autokit workers, and create test fleets
      BALENA_API_TEST_KEY:
        description: balena API key for the test environment, used for finding autokit workers and creating test fleets
        required: false
      # Dockerhub secrets are used only for pulling the helper image for "Prepare files for S3" step - if we simplify this to not use the
      # helper image, these secrets can be removed
      DOCKERHUB_USER:
        description: Dockerhub user for pulling private helper images
        required: false
      DOCKERHUB_TOKEN:
        description: Dockerhub token for pulling private helper images
        required: false
      SIGN_KMOD_KEY_APPEND:
        description: Base64-encoded public key of a kernel module signing keypair
        required: false
      # SIGN_API_KEY is a secret that should be specific to the runtime environment
      # It requires permissions to access the image signing server
      SIGN_API_KEY:
        description: balena API key that provides access to the signing server
        required: false
      BALENAOS_CI_APP_PRIVATE_KEY:
        description: "GPG Private Key for GitHub App to generate ephemeral tokens (used with vars.BALENAOS_CI_APP_ID)"
        required: false
      PBDKF2_PASSPHRASE:
        description: "Passphrase used to encrypt/decrypt balenaOS assets at rest in GitHub."
        required: false
      YOCTO_CACHE_SECRET_KEY:
        description: "Self-hosted runner S3 secret key for the yocto-svcacct user."
        required: false
      YOCTO_SSH_PRIVATE_KEY_B64:
        description: "SSH key to access balena-os private repositories."
        required: false

    inputs:
      build-runs-on:
        description: The runner labels to use for the build job(s)
        required: false
        type: string
        default: >
          [
            "self-hosted",
            "X64",
            "yocto"
          ]
      device-repo:
        description: balenaOS device repository (owner/repo)
        required: false
        type: string
        default: ${{ github.repository }}
      device-repo-ref:
        description: balenaOS device repository tag, branch, or commit to build
        required: false
        type: string
        default: ${{ github.ref }}
      meta-balena-ref:
        description: meta-balena ref if not the currently pinned version
        required: false
        type: string
      yocto-scripts-ref:
        description: balena-yocto-scripts ref if not the currently pinned version
        required: false
        type: string
      machine:
        description: yocto board name
        required: true
        type: string
      slug:
        description: Device type slug to deploy to - defaults to machine name
        required: false
        type: string
      deploy-environment:
        description: The balena environment to use for hostApp deployment - includes the related vars and secrets
        required: false
        type: string
        default: balena-cloud.com
      signing-environment:
        description: The signing environment to use for the bitbake build - includes the related vars and secrets
        required: false
        type: string
        default: ''
      source-mirror-environment:
        description: The AWS environment to use for the S3 source mirror - includes related vars and OIDC role(s)
        required: false
        type: string
        # default: balena-production.us-east-1
      # This input exists because we want the option to not auto-finalise for some device types, even if they have tests and those tests pass - for example some custom device types, the customer doesn't want new releases published until they green light it
      finalize-on-push-if-tests-passed:
        description: Whether to finalize a hostApp container image to a balena environment, if tests pass.
        required: false
        type: boolean
        default: true # Default behaviour is auto-finalise if tests pass, unless opted out by customer
      # For use when we need to force deploy a release, for example after manual testing (negates finalize-on-push-if-tests-pass)
      force-finalize:
        description: Force deploy a finalized release
        required: false
        type: boolean
        default: false
      deploy-ami:
        description: Whether to deploy an AMI to AWS
        required: false
        type: boolean
        default: false # This only works currently for generic-amd64, so default to false, and enable only in the caller workflow for that DT
      sign-image:
        description: Whether to sign image for secure boot
        required: false
        type: boolean
        default: false # Always false by default, override on specific device types which this is relevant in the device repo
      build-args:
        description: Extra barys build arguments
        required: false
        type: string
      # Supported fields for the test matrix:
      # - test_suite: (required) The test suite to run. The valid test suites are `os`, `hup`, and `cloud`
      # - environment: (required) The balenaCloud environment to use for testing, e.g. `bm.balena-dev.com` or `balena-cloud.com`
      # - worker_type: The worker type to use for testing. The valid worker types are `qemu` and `testbot`. The default worker type is `testbot`
      # - worker_fleets: The testbot fleets for finding available Leviathan workers. Not used for QEMU workers. Can accept a list of apps separated by commas, no spaces in between
      # - test_org: The organization to use for testing cloud functionality. This default org is `testbot`
      # - runs_on: A JSON array of runner labels to use for the test job(s). For qemu workers use the labels `["self-hosted", "X64", "kvm"]`.
      # - secure_boot: (truthy) Enable secure boot testing flags QEMU_SECUREBOOT=1 and FLASHER_SECUREBOOT=1. Default is false.
      # To use specific settings for each test job, create an include array like this...
      # {"include": [
      #   {
      #     "test_suite": "os",
      #     "environment": "bm.balena-dev.com"
      #   },
      #   {
      #     "test_suite": "cloud",
      #     "environment": "balena-cloud.com",
      #     "test_org": "testbot"
      #   },
      #   {
      #     "test_suite": "hup",
      #     "environment": "balena-cloud.com",
      #     "worker_type": "qemu",
      #     "runs_on": ["self-hosted", "X64", "kvm"]
      #   }
      # ]}
      # Alternatively, you can have the matrix run on a combinatorial match on the provided values where every single permutation of the values will be executed ...
      # {
      #   "test_suite": ["os","cloud","hup"],
      #   "environment": ["bm.balena-dev.com"],
      #   "worker_type": ["qemu","testbot"],
      #   "runs_on": [["self-hosted", "X64", "kvm"]]
      # }
      test_matrix:
        description: "JSON Leviathan test matrix to use for testing. No tests will be run if not provided."
        required: false
        type: string

# https://docs.github.com/en/actions/using-jobs/using-concurrency
# https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/control-the-concurrency-of-workflows-and-jobs
# The following concurrency group cancels in-progress jobs or runs on pull_request events only;
# if github.head_ref is undefined, the concurrency group will fallback to the run ID,
# which is guaranteed to be both unique and defined for the run.

# From: https://github.com/orgs/community/discussions/69704#discussioncomment-7803351

# The available contexts for cancel-in-progress expressions are:
# - github: This context provides access to various GitHub-specific variables,
#   such as github.event_name, github.ref, and github.workflow.
# - inputs: This context allows you to access input parameters defined in the workflow.
#   This is particularly useful for conditional cancellation based on user-specified settings.
# - vars: This context provides access to workflow-defined variables,
#   which can be used to store intermediate values or constants.
# When evaluating expressions for cancel-in-progress, certain parameters may not be available at the time of evaluation.
# For instance, the github.job context is not accessible, as it's specific to the running job and not the concurrency group.

# Note that we do not use github.ref here, as PRs from forks will have a
# ref of 'refs/heads/master' and collide with each other. Instead, we use github.head_ref
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}-${{ inputs.machine }}-${{ inputs.deploy-environment }}
  # Cancel jobs in-progress for open PRs, but not merged or closed PRs, by checking for the merge ref.
  # Note that for pull_request_target events (PRs from forks), the github.ref value is
  # usually 'refs/heads/master' so we can't rely on that to determine if it is a merge event or not.
  # As a result pull_request_target events will never cancel in-progress jobs and will be queued instead.
  cancel-in-progress: ${{ startsWith(github.ref, 'refs/pull/') }}

env:
  WORKSPACE: ${{ github.workspace }}
  MACHINE: ${{ inputs.machine }}
  SLUG: ${{ inputs.slug || inputs.machine }}
  VERBOSE: verbose
  WORKFLOW_NAME: ${{ github.workflow }}

# https://docs.github.com/en/actions/security-guides/automatic-token-authentication
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
# https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
permissions: {}

jobs:
  approved-commit:
    name: Approved commit
    runs-on: ubuntu-24.04

    permissions:
      pull-requests: write # Write is required to create PR comments for workflow approvals.
      contents: read

    steps:
      # Combining pull_request_target workflow trigger with an explicit checkout of an
      # untrusted PR is a dangerous practice that may lead to repository compromise.
      # https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
      # This action requires approvals via reactions for each workflow run.
      # https://github.com/product-os/review-commit-action
      - name: Wait for approval on pull_request_target events
        if: github.event_name == 'pull_request_target' && github.event.pull_request.merged != true
        timeout-minutes: 90
        uses: product-os/review-commit-action@5de80f19607c9052fa1c3cce94c1d0571dfc13c7 # v0.2.3
        with:
          poll-interval: "10"
          allow-authors: false

  # This job runs first and all other jobs depend on it.
  # It is responsible for setting up the device-type and fetching the necessary information
  # to build and deploy the device-type.
  balena-lib:
    name: Device info
    runs-on: ubuntu-24.04
    # Depend on approved-commit just so we don't run without approvals
    needs:
      - approved-commit

    # This environment requires the following variables:
    # - BALENA_HOST
    # This environment requires the following secrets:
    # - BALENA_API_DEPLOY_KEY - used to authenticate with the balena API
    environment: ${{ inputs.deploy-environment || 'balena-cloud.com' }}

    env:
      automation_dir: "${{ github.workspace }}/balena-yocto-scripts/automation"
      BALENARC_BALENA_URL: ${{ vars.BALENA_HOST || vars.BALENARC_BALENA_URL || 'balena-cloud.com' }}

    permissions:
      actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
      pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results.
      contents: read

    defaults:
      run:
        working-directory: .
        shell: bash --noprofile --norc -eo pipefail -x {0}

    outputs:
      device_slug: ${{ steps.balena-lib.outputs.device_slug }}
      os_version: ${{ steps.balena-lib.outputs.os_version }}
      meta_balena_version: ${{ steps.balena-lib.outputs.meta_balena_version }}
      device_repo_revision: ${{ steps.balena-lib.outputs.device_repo_revision }}
      yocto_scripts_ref: ${{ steps.balena-lib.outputs.yocto_scripts_ref }}
      yocto_scripts_version: ${{ steps.balena-lib.outputs.yocto_scripts_version }}
      deploy_artifact: ${{ steps.balena-lib.outputs.deploy_artifact }}
      dt_arch: ${{ steps.balena-lib.outputs.dt_arch }}
      is_private: ${{ steps.is-private.outputs.result }}
      should_finalize: ${{ steps.merge-test-result.outputs.finalize == 'true' || inputs.force-finalize }}
      is_esr: ${{ (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v20')) || (github.event_name == 'workflow_dispatch' && startsWith(github.ref_name, '20')) }}
      deploy_path: ${{ github.workspace }}/deploy/${{ steps.balena-lib.outputs.device_slug }}/${{ steps.balena-lib.outputs.os_version }}
      balena_host: ${{ env.BALENARC_BALENA_URL }}

    steps:
      # Generate an app installation token that has access to
      # all repos where the app is installed (usually the whole org)
      # Owner input to make token valid for all repositories in the org
      # This behvaiour is required for private submodules
      # https://github.com/actions/create-github-app-token
      - name: Create GitHub App installation token
        uses: actions/create-github-app-token@21cfef2b496dd8ef5b904c159339626a10ad380e # v1.11.6
        id: app-token
        with:
          app-id: ${{ vars.BALENAOS_CI_APP_ID }}
          private-key: ${{ secrets.BALENAOS_CI_APP_PRIVATE_KEY }}
          owner: ${{ github.repository_owner }}

      # Generate another app token for the balena-io organization
      # so we can checkout private contracts
      # https://github.com/actions/create-github-app-token
      - name: Create GitHub App installation token (balena-io)
        uses: actions/create-github-app-token@21cfef2b496dd8ef5b904c159339626a10ad380e # v1.11.6
        id: app-token-balena-io
        with:
          app-id: ${{ vars.BALENAOS_CI_APP_ID }}
          private-key: ${{ secrets.BALENAOS_CI_APP_PRIVATE_KEY }}
          owner: balena-io

      # https://github.com/actions/checkout
      - name: Clone device repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          repository: ${{ inputs.device-repo }}
          token: ${{ steps.app-token.outputs.token || secrets.GITHUB_TOKEN }}
          ref: ${{ inputs.device-repo-ref }} # In the case of a new tagged version, this will be the new tag, claimed from ${{ github.events.push.ref }}
          submodules: true
          fetch-depth: 0 # DEBUG - this is for testing on a device repo
          fetch-tags: true
          # Do not persist the app installation token credentials,
          # and prefer that each step provide credentials where required
          persist-credentials: false

      # Checkout the right ref for meta-balena submodule
      - name: Update meta-balena submodule to ${{ inputs.meta-balena-ref }}
        if: inputs.meta-balena-ref != ''
        working-directory: ./layers/meta-balena
        run: |
          git config --add remote.origin.fetch '+refs/pull/*:refs/remotes/origin/pr/*'
          git fetch --all
          git checkout --force "${{ inputs.meta-balena-ref }}"
          git submodule update --init --recursive

      # Checkout the right ref for balena-yocto-scripts submodule
      - name: Update balena-yocto-scripts submodule to ${{ inputs.yocto-scripts-ref }}
        if: inputs.yocto-scripts-ref != ''
        working-directory: ./balena-yocto-scripts
        run: |
          git config --add remote.origin.fetch '+refs/pull/*:refs/remotes/origin/pr/*'
          git fetch --all
          git checkout --force "${{ inputs.yocto-scripts-ref }}"
          git submodule update --init --recursive

      # Check if the repository is a yocto device respository
      - name: Device repository check
        run: |
          if [ "$(yq '.type' repo.yml)" != "yocto-based OS image" ]; then
            echo "::error::Repository does not appear to be of type 'yocto-based OS image'"
            exit 1
          fi

      # A lot of outputs inferred from here are used everywhere else in the workflow
      - name: Set build outputs
        id: balena-lib
        env:
          CURL: "curl --silent --retry 10 --location --compressed"
          TRANSLATION: "v6"
          BALENAOS_TOKEN: ${{ secrets.BALENA_API_DEPLOY_KEY }}
          API_ENV: ${{ env.BALENARC_BALENA_URL }}
        run: |
          source "${automation_dir}/include/balena-api.inc"
          source "${automation_dir}/include/balena-lib.inc"

          ./balena-yocto-scripts/build/build-device-type-json.sh

          device_slug="$(balena_lib_get_slug "${SLUG}")"
          echo "device_slug=${device_slug}" >>"${GITHUB_OUTPUT}"

          # As we use this to determine the os version from the device repository - when checking out the repo we need enough fetch depth to get tags
          os_version=$(git describe --abbrev=0)
          echo "os_version=${os_version#v*}" >>"${GITHUB_OUTPUT}"

          meta_balena_version="$(balena_lib_get_meta_balena_base_version)"
          echo "meta_balena_version=${meta_balena_version}" >>"${GITHUB_OUTPUT}"

          device_repo_revision="$(git rev-parse --short HEAD)"
          echo "device_repo_revision=${device_repo_revision}" >>"${GITHUB_OUTPUT}"

          yocto_scripts_ref="$(git submodule status balena-yocto-scripts | awk '{print $1}')"
          echo "yocto_scripts_ref=${yocto_scripts_ref}" >>"${GITHUB_OUTPUT}"

          yocto_scripts_version="$(cd balena-yocto-scripts && head -n1 VERSION)"
          echo "yocto_scripts_version=${yocto_scripts_version}" >>"${GITHUB_OUTPUT}"

          deploy_artifact="$(balena_lib_get_deploy_artifact "${SLUG}")"
          echo "deploy_artifact=${deploy_artifact}" >>"${GITHUB_OUTPUT}"

          dt_arch="$(balena_lib_get_dt_arch "${SLUG}")"
          echo "dt_arch=${dt_arch}" >>"${GITHUB_OUTPUT}"

      # Unrolled balena_api_is_dt_private function - https://github.com/balena-os/balena-yocto-scripts/blob/master/automation/include/balena-api.inc#L424
      # Had to be unrolled due to this: https://github.com/balena-os/balena-yocto-scripts/blob/master/automation/include/balena-lib.inc#L191 function relying on a jenkins env var to select the balena env - so failed
      # is_private=$(${CURL} -XGET -H "Content-type: application/json" -H "Authorization: bearer ${BALENAOS_TOKEN}" --silent --retry 5 "https://api.${API_ENV}/${TRANSLATION}/device_type?\$filter=slug%20eq%20%27${device_slug}%27&\$select=slug,is_private" | jq -r '.d[0].is_private')
      # echo "is_private=${is_private}" >>"${GITHUB_OUTPUT}"
      - name: Check if device-type is private
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
        id: is-private
        env:
          API_ENV: ${{ env.BALENARC_BALENA_URL }}
          TRANSLATION: "v6"
          DEVICE_SLUG: ${{ steps.balena-lib.outputs.device_slug }}
        with:
          result-encoding: json
          script: |
            const result = await fetch(`https://api.${process.env.API_ENV}/${process.env.TRANSLATION}/device_type?\$filter=slug%20eq%20%27${process.env.DEVICE_SLUG}%27&\$select=slug,is_private`, {
              headers: {
                'Content-type': 'application/json',
                'Authorization': `Bearer ${{ secrets.BALENA_API_DEPLOY_KEY }}`
              }
            })
            const data = await result.json()
            console.log(JSON.stringify(data, null, 2))
            return data.d[0].is_private

      # In the old workflow we had to fetch the merge commit, get the check runs from the PR, and check if a device type passed or failed
      # reference: https://github.com/balena-os/github-workflows/blob/master/.github/workflows/build_and_deploy.yml#L89
      # NOTE: This will not be necessary if we had a way to deploy artifacts and mark as final like with fleet releases

      # We're also checking out the tag in this step, so the subsequent build is done from the tagged version of the device repo
      - name: "Fetch merge commit"
        id: set-merge-commit
        if: ${{ github.event_name == 'push' }} # Only perform on push event - i.e a new version tag
        run: |
          merge_commit=$(git rev-parse :/"^Merge pull request")
          echo "Found merge commit ${merge_commit}"
          echo "merge_commit=${merge_commit}" >>"${GITHUB_OUTPUT}"

      # This will control the deployment of the hostapp only - it will determine if it is marked as final or not
      # The hostapp being finalised is what determines if the API will present this OS version to user
      # If the test_matrix is empty - it means there are no tests for the DT - so don't check tests, and don't finalise, unless manually done with "force-finalize" input
      - name: Check test results
        # https://docs.github.com/en/actions/learn-github-actions/expressions#functions
        # this expression checks that the test_matrix input is truthy - there is no test_matrix input provided in the device-repo workflow file, test results won't be checked, and
        # the release can't be finlized
        if: github.event_name == 'push' && inputs.test_matrix && inputs.finalize-on-push-if-tests-passed
        id: merge-test-result
        env:
          REPO: ${{ inputs.device-repo }}
          COMMIT: ${{ steps.set-merge-commit.outputs.merge_commit }}
          # environment variables used by gh CLI
          # https://cli.github.com/manual/gh_help_environment
          GH_DEBUG: "true"
          GH_PAGER: "cat"
          GH_PROMPT_DISABLED: "true"
          GH_REPO: "${{ github.repository }}"
          GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
        run: |
          # Gets the PR number of the merge commit
          prid=$(gh api -H "Accept: application/vnd.github+json" "/repos/${REPO}/commits/$COMMIT" --jq '.commit.message' | head -n1 | cut -d "#" -f2 | awk '{ print $1}')

          # Gets the head commit of the PR - needed to fetch workflows ran on that commit
          head=$(gh api -H "Accept: application/vnd.github+json" "/repos/${REPO}/pulls/${prid}" --jq '.head.sha')

          # Fetching workflow runs and filtering by the commit of the head of the PR returns the latest attempts of the workflow for that commit
          # Selecting for workflows with the same name as the workflow name ("github.workflow")
          # There will be "pull_request" and "pull_request_trigger" triggered workflow runs in the response - one will be skipped, one will be success/fail
          # So selecting for .conclusion==success will give us a response and evaluate to true in the following "if" statement if either we successful
          passed="false"
          conclusion="$(gh run list -w "${WORKFLOW_NAME}" -c "${head}" --json conclusion --jq '.[] | select(.conclusion == "success").conclusion')"
          if [[ "${conclusion}" = "success" ]]; then
            passed="true"
          fi
          echo "finalize=${passed}" >>"${GITHUB_OUTPUT}"

  # This job is used to separate the AWS environment from the build environment,
  # but still allow authentication to the AWS environment at build time.
  source-mirror-setup:
    name: Source mirror IAM role
    runs-on: ubuntu-24.04
    # Depend on approved-commit just so we don't run without approvals
    needs:
      - approved-commit

    # This environment should contain the following variables:
    # - AWS_IAM_ROLE: AWS IAM role to assume
    # - SOURCE_MIRROR_S3_SSE_ALGORITHM: AWS S3 server-side encryption algorithm
    # - SOURCE_MIRROR_S3_URL: AWS S3 URL of the source mirror
    # - SOURCE_MIRROR_URL: HTTPS URL of the source mirror
    # - SOURCE_MIRROR_REGION: AWS region of the source mirror
    environment: ${{ inputs.source-mirror-environment || inputs.deploy-environment }}

    outputs:
      # Include a number of similar variable keys to allow for flexibility in the environment and backwards compatibility
      aws-iam-role: ${{ vars.AWS_IAM_ROLE }}
      aws-region: ${{ vars.SOURCE_MIRROR_REGION || vars.AWS_REGION || vars.AWS_S3_REGION || vars.S3_REGION || 'us-east-1' }}
      s3-url: ${{ vars.SOURCE_MIRROR_S3_URL || vars.AWS_S3_URL || vars.S3_URL || 's3://yocto-72c1c258-81bb-11ef-b722-0efcede062c9/shared-downloads' }}
      https-url: ${{ vars.SOURCE_MIRROR_URL || vars.AWS_S3_HTTPS_URL || vars.S3_HTTPS_URL || 'https://yocto-72c1c258-81bb-11ef-b722-0efcede062c9.s3.us-east-1.amazonaws.com/shared-downloads/' }}
      aws-s3-sse-algorithm: ${{ vars.SOURCE_MIRROR_S3_SSE_ALGORITHM || vars.AWS_S3_SSE_ALGORITHM || vars.S3_SSE_ALGORITHM || vars.SSE_ALGORITHM || vars.SSE || 'AES256' }}

    # https://docs.github.com/en/actions/security-guides/automatic-token-authentication
    # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
    # https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
    permissions:
      id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token

    steps:
      # We don't use this session, it's just to check if the credentials are valid
      # https://github.com/aws-actions/configure-aws-credentials
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
        continue-on-error: true # Don't fail at this point as there is still value in running builds and tests
        with:
          role-to-assume: ${{ vars.AWS_IAM_ROLE }}
          role-session-name: github-${{ github.job }}-${{ github.run_id }}-${{ github.run_attempt }}
          aws-region: ${{ vars.SOURCE_MIRROR_REGION || vars.AWS_REGION || vars.AWS_S3_REGION || vars.S3_REGION || 'us-east-1' }}
          # https://github.com/orgs/community/discussions/26636#discussioncomment-3252664
          mask-aws-account-id: false

  build:
    name: Build
    runs-on: ${{ fromJSON(inputs.build-runs-on) }}
    needs:
      - approved-commit
      - balena-lib
      - source-mirror-setup

    # This environment supports the following variables:
    # - SIGN_API_URL
    # - SIGN_GRUB_KEY_ID
    # - SIGN_HAB_PKI_ID
    # This environment also supports the following secrets:
    # - SIGN_API_KEY
    # - SIGN_KMOD_KEY_APPEND
    # - YOCTO_SSH_PRIVATE_KEY_B64: used to pull private yocto sources from within the same organization
    environment: ${{ inputs.signing-environment }}

    # https://docs.github.com/en/actions/security-guides/automatic-token-authentication
    # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
    # https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
    permissions:
      id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
      packages: read
      contents: read

    env:
      automation_dir: "${{ github.workspace }}/balena-yocto-scripts/automation"
      BARYS_ARGUMENTS_VAR: ${{ inputs.build-args || '' }}
      # https://docs.yoctoproject.org/3.1.21/overview-manual/overview-manual-concepts.html#user-configuration
      # Create an autobuilder configuration file that is loaded before local.conf
      AUTO_CONF_FILE: "${{ github.workspace }}/build/conf/auto.conf"
      BALENARC_BALENA_URL: ${{ needs.balena-lib.outputs.balena_host }}
      DEPLOY_PATH: ${{ github.workspace }}/deploy

    defaults:
      run:
        working-directory: .
        shell: bash --noprofile --norc -eo pipefail -x {0}

    steps:
      # this must be done before putting files in the workspace
      # https://github.com/easimon/maximize-build-space
      - name: Maximize build space
        if: contains(fromJSON(inputs.build-runs-on), 'ubuntu-latest') == true
        uses: easimon/maximize-build-space@fc881a613ad2a34aca9c9624518214ebc21dfc0c
        with:
          root-reserve-mb: "4096"
          temp-reserve-mb: "1024"
          swap-size-mb: "4096"
          remove-dotnet: "true"
          remove-android: "true"
          remove-haskell: "true"
          remove-codeql: "true"
          remove-docker-images: "true"

      # Generate an app installation token that has access to
      # all repos where the app is installed (usually the whole org)
      # Owner input to make token valid for all repositories in the org
      # This behvaiour is required for private submodules
      # https://github.com/actions/create-github-app-token
      - name: Create GitHub App installation token
        uses: actions/create-github-app-token@21cfef2b496dd8ef5b904c159339626a10ad380e # v1.11.6
        id: app-token
        with:
          app-id: ${{ vars.BALENAOS_CI_APP_ID }}
          private-key: ${{ secrets.BALENAOS_CI_APP_PRIVATE_KEY }}
          owner: ${{ github.repository_owner }}

      # Generate another app token for the balena-io organization
      # so we can checkout private contracts
      # https://github.com/actions/create-github-app-token
      - name: Create GitHub App installation token (balena-io)
        uses: actions/create-github-app-token@21cfef2b496dd8ef5b904c159339626a10ad380e # v1.11.6
        id: app-token-balena-io
        with:
          app-id: ${{ vars.BALENAOS_CI_APP_ID }}
          private-key: ${{ secrets.BALENAOS_CI_APP_PRIVATE_KEY }}
          owner: balena-io

      # https://github.com/actions/checkout
      - name: Clone device repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          repository: ${{ inputs.device-repo }}
          token: ${{ steps.app-token.outputs.token || secrets.GITHUB_TOKEN }}
          ref: ${{ inputs.device-repo-ref }} # In the case of a new tagged version, this will be the new tag, claimed from ${{ github.events.push.ref }}
          submodules: true
          fetch-depth: 0 # DEBUG - this is for testing on a device repo
          fetch-tags: true
          # Do not persist the app installation token credentials,
          # and prefer that each step provide credentials where required
          persist-credentials: false

      # Checkout the right ref for meta-balena submodule
      - name: Update meta-balena submodule to ${{ inputs.meta-balena-ref }}
        if: inputs.meta-balena-ref != ''
        working-directory: ./layers/meta-balena
        run: |
          git config --add remote.origin.fetch '+refs/pull/*:refs/remotes/origin/pr/*'
          git fetch --all
          git checkout --force "${{ inputs.meta-balena-ref }}"
          git submodule update --init --recursive

      # Checkout the right ref for balena-yocto-scripts submodule
      - name: Update balena-yocto-scripts submodule to ${{ inputs.yocto-scripts-ref }}
        if: inputs.yocto-scripts-ref != ''
        working-directory: ./balena-yocto-scripts
        run: |
          git config --add remote.origin.fetch '+refs/pull/*:refs/remotes/origin/pr/*'
          git fetch --all
          git checkout --force "${{ inputs.yocto-scripts-ref }}"
          git submodule update --init --recursive

      - name: Checkout private Contracts
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        if: needs.balena-lib.outputs.is_private == 'true'
        with:
          repository: balena-io/private-contracts
          token: ${{ steps.app-token-balena-io.outputs.token }}
          path: ${{ github.workspace }}/private-contracts
          # Do not persist the token credentials,
          # and prefer that each step provide credentials where required
          persist-credentials: false

      # Unrolled balena_api_is_dt_private function - https://github.com/balena-os/balena-yocto-scripts/blob/master/automation/include/balena-api.inc#L424
      # Had to be unrolled due to this: https://github.com/balena-os/balena-yocto-scripts/blob/master/automation/include/balena-lib.inc#L191 function relying on a jenkins env var to select the balena env - so failed
      - name: Build OS contract
        env:
          CONTRACTS_BUILD_DIR: "${{ github.workspace }}/balena-yocto-scripts/build/contracts"
          NODE: node
          DEVICE_TYPE_SLUG: ${{ needs.balena-lib.outputs.device_slug }}
          CONTRACTS_OUTPUT_DIR: "${{ github.workspace }}/build/contracts"
        run: |
          npm --prefix="${CONTRACTS_BUILD_DIR}" ci > /dev/null || (>&2 echo "[balena_lib_build_contracts]: npm failed installing dependencies" && return 1)
          NODE_PATH="${CONTRACTS_BUILD_DIR}/node_modules" ${NODE} "${CONTRACTS_BUILD_DIR}/generate-oscontracts.js" > /dev/null
          if [ -f "${CONTRACTS_OUTPUT_DIR}/${DEVICE_TYPE_SLUG}/balena-os/balena.yml" ]; then
            echo "${CONTRACTS_OUTPUT_DIR}/${DEVICE_TYPE_SLUG}/balena-os/balena.yml"
          else
            >&2 echo "[balena_lib_build_contracts]: Failed to build OS contract for ${DEVICE_TYPE_SLUG}. Ensure a hw.deviceType contract is in the appropriate repo"
            return 1
          fi
          # Move newly generated OS contract to location expected later on in the workflow
          cp "${CONTRACTS_OUTPUT_DIR}/${DEVICE_TYPE_SLUG}/balena-os/balena.yml" "${WORKSPACE}/balena.yml"

      # Causes tarballs of the source control repositories (e.g. Git repositories), including metadata, to be placed in the DL_DIR directory.
      # https://docs.yoctoproject.org/4.0.5/ref-manual/variables.html?highlight=compress#term-BB_GENERATE_MIRROR_TARBALLS
      # The github-script action is a safer method of writing to outputs and variables, vs a shell step.
      # https://github.com/actions/github-script
      - name: Enable mirror tarballs
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        with:
          script: |
            const currentValue = process.env.BARYS_ARGUMENTS_VAR || '';
            const newValue = `${currentValue} -a BB_GENERATE_MIRROR_TARBALLS=1`;
            core.exportVariable('BARYS_ARGUMENTS_VAR', newValue);

      - name: Enable signed images
        if: inputs.sign-image == true
        env:
          SIGN_API: "${{ vars.SIGN_API_URL || 'https://sign.balena-cloud.com' }}"
          SIGN_API_KEY: "${{ secrets.SIGN_API_KEY }}"
          SIGN_GRUB_KEY_ID: "${{ vars.SIGN_GRUB_KEY_ID || '2EB29B4CE0132F6337897F5FB8A88D1C62FCC729' }}"
          SIGN_KMOD_KEY_APPEND: "${{ secrets.SIGN_KMOD_KEY_APPEND }}"
          SIGN_HAB_PKI_ID: "${{ vars.SIGN_HAB_PKI_ID || '6d74b15cbc5df27fdc8d470a7c71edb3' }}"
        run: |
          BARYS_ARGUMENTS_VAR="${BARYS_ARGUMENTS_VAR} -a SIGN_API=${SIGN_API}"
          BARYS_ARGUMENTS_VAR="${BARYS_ARGUMENTS_VAR} -a SIGN_API_KEY=${SIGN_API_KEY}"
          BARYS_ARGUMENTS_VAR="${BARYS_ARGUMENTS_VAR} -a SIGN_GRUB_KEY_ID=${SIGN_GRUB_KEY_ID}"
          BARYS_ARGUMENTS_VAR="${BARYS_ARGUMENTS_VAR} -a SIGN_KMOD_KEY_APPEND=${SIGN_KMOD_KEY_APPEND}"
          BARYS_ARGUMENTS_VAR="${BARYS_ARGUMENTS_VAR} -a SIGN_HAB_PKI_ID=${SIGN_HAB_PKI_ID}"
          echo "BARYS_ARGUMENTS_VAR=${BARYS_ARGUMENTS_VAR}" >>"${GITHUB_ENV}"

      # https://docs.yoctoproject.org/4.0.10/ref-manual/classes.html?highlight=source_mirror#own-mirrors-bbclass
      # https://github.com/openembedded/openembedded/blob/master/classes/own-mirrors.bbclass
      # The own-mirrors class makes it easier to set up your own PREMIRRORS from which to first fetch source before
      # attempting to fetch it from the upstream specified in SRC_URI within each recipe.
      - name: Add S3 shared-downloads to MIRRORS
        if: needs.source-mirror-setup.outputs.s3-url
        env:
          SOURCE_MIRROR_URL: ${{ needs.source-mirror-setup.outputs.s3-url }}
        run: |
          mkdir -p "$(dirname "${AUTO_CONF_FILE}")"
          cat <<EOF >> "${AUTO_CONF_FILE}"

          MIRRORS:append = "\\
            cvs://.*/.* ${SOURCE_MIRROR_URL} \\
            svn://.*/.* ${SOURCE_MIRROR_URL} \\
            git://.*/.* ${SOURCE_MIRROR_URL} \\
            hg://.*/.* ${SOURCE_MIRROR_URL} \\
            bzr://.*/.* ${SOURCE_MIRROR_URL} \\
            https?$://.*/.* ${SOURCE_MIRROR_URL} \\
            ftp://.*/.*  ${SOURCE_MIRROR_URL} \\
          "

          EOF
          cat "${AUTO_CONF_FILE}"

      # Use local S3 cache on self-hosted runners
      # https://github.com/tespkg/actions-cache
      # https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows
      - name: Restore sstate cache
        id: sstate-restore
        uses: tespkg/actions-cache/restore@91b54a6e03abb8fcec12d3743633d23a1cfcd269 # v1.7.2
        # Unset AWS credentials so they don't override the minio credentials
        env:
          AWS_ACCESS_KEY_ID: yocto-svcacct
          AWS_SECRET_ACCESS_KEY: ${{ secrets.YOCTO_CACHE_SECRET_KEY }}
          AWS_SESSION_TOKEN: ''
          AWS_DEFAULT_REGION: local
          AWS_REGION: local
        with:
          endpoint: minio
          port: 9000
          insecure: "true"
          accessKey: yocto-svcacct
          secretKey: ${{ secrets.YOCTO_CACHE_SECRET_KEY }}
          bucket: yocto-cache
          region: local
          use-fallback: ${{ github.event.repository.private != true }}
          key: ${{ inputs.machine }}-sstate-${{ github.sha }}
          restore-keys: |
            ${{ inputs.machine }}-sstate-
          path: |
            ${{ github.workspace }}/shared/${{ inputs.machine }}/sstate

      # Install openssh-client to use the ssh-agent
      - name: Install openssh-client package
        run: |
          sudo apt-get update
          sudo apt-get install -y openssh-client

      # All preperation complete before this step
      # Start building balenaOS
      - name: Build
        id: build
        env:
          HELPER_IMAGE_REPO: ghcr.io/balena-os/balena-yocto-scripts
          SHARED_BUILD_DIR: ${{ github.workspace }}/shared
          YOCTO_SSH_PRIVATE_KEY_B64: ${{ secrets.YOCTO_SSH_PRIVATE_KEY_B64 }}
        run: |
          # When building for non-x86 device types, meson, after building binaries must try to run them via qemu if possible , maybe as some sanity check or test?
          # Therefore qemu must be used - and our runner mmap_min_addr is set to 4096 (default, set here: https://github.com/product-os/github-runner-kernel/blob/ef5a66951599dc64bf2920d896c36c6d9eda8df6/config/5.10/microvm-kernel-x86_64-5.10.config#L858
          # Using a value of 4096 leads to issues https://gitlab.com/qemu-project/qemu/-/issues/447 so we must set it to 65536
          # We do this in the workflow instead of the runner kernel as it makes this portable across runners
          sysctl vm.mmap_min_addr
          sudo sysctl -w vm.mmap_min_addr=65536
          sysctl vm.mmap_min_addr

          mkdir -p "${SHARED_BUILD_DIR}"

          cat "${AUTO_CONF_FILE}"

          >&2 eval "$(ssh-agent)"
          echo "${{ secrets.YOCTO_SSH_PRIVATE_KEY_B64 }}" | base64 -d | ssh-add - >&2

          ./balena-yocto-scripts/build/balena-build.sh \
            -d "${MACHINE}" \
            -s "${SHARED_BUILD_DIR}" \
            -g "${BARYS_ARGUMENTS_VAR}" | tee balena-build.log

          if grep -R "ERROR: " build/tmp/log/*; then
            exit 1
          fi

          if ! grep -q "Build for ${{ inputs.machine }} suceeded" balena-build.log; then
            exit 1
          fi

      # We don't need to encrypt these as they are not sensitive if the repo is public anyway.
      # https://github.com/actions/upload-artifact
      - name: Upload build logs
        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
        # always upload build logs, even if the build fails
        if: always()
        with:
          name: build-logs
          if-no-files-found: error
          retention-days: 7
          compression-level: 7
          path: |
            balena-build.log
            build/tmp/log/**/*.log
            build/tmp/work/**/run.*
            build/tmp/work/**/log.*

      # If there was a cache miss for this key, save a new cache.
      # Use local S3 cache on self-hosted runners.
      # https://github.com/tespkg/actions-cache
      # https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows
      - name: Save sstate cache
        uses: tespkg/actions-cache/save@91b54a6e03abb8fcec12d3743633d23a1cfcd269 # v1.7.2
        # Do not save cache for pull_request_target events
        # as they run in the context of the main branch and would be vulnerable to cache poisoning.
        # https://0xn3va.gitbook.io/cheat-sheets/ci-cd/github/actions#cache-poisoning
        # https://adnanthekhan.com/2024/05/06/the-monsters-in-your-build-cache-github-actions-cache-poisoning/
        if: steps.sstate-restore.outputs.cache-hit != true && github.event_name != 'pull_request_target'
        # Unset AWS credentials so they don't override the minio credentials
        env:
          AWS_ACCESS_KEY_ID: yocto-svcacct
          AWS_SECRET_ACCESS_KEY: ${{ secrets.YOCTO_CACHE_SECRET_KEY }}
          AWS_SESSION_TOKEN: ''
          AWS_DEFAULT_REGION: local
          AWS_REGION: local
        with:
          endpoint: minio
          port: 9000
          insecure: "true"
          accessKey: yocto-svcacct
          secretKey: ${{ secrets.YOCTO_CACHE_SECRET_KEY }}
          bucket: yocto-cache
          region: local
          use-fallback: ${{ github.event.repository.private != true }}
          key: ${{ inputs.machine }}-sstate-${{ github.sha }}
          path: |
            ${{ github.workspace }}/shared/${{ inputs.machine }}/sstate

      # https://github.com/unfor19/install-aws-cli-action
      # https://github.com/aws/aws-cli/tags
      - name: Setup awscli
        uses: unfor19/install-aws-cli-action@e8b481e524a99f37fbd39fdc1dcb3341ab091367 # v1
        env:
          # renovate: datasource=github-tags depName=aws/aws-cli
          AWSCLI_VERSION: 2.24.21
        with:
          version: "${{ env.AWSCLI_VERSION }}"

      # https://github.com/aws-actions/configure-aws-credentials
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
        with:
          role-to-assume: ${{ needs.source-mirror-setup.outputs.aws-iam-role }}
          role-session-name: github-${{ github.job }}-${{ github.run_id }}-${{ github.run_attempt }}
          aws-region: ${{ needs.source-mirror-setup.outputs.aws-region }}
          # https://github.com/orgs/community/discussions/26636#discussioncomment-3252664
          mask-aws-account-id: false

      # Sync shared downloads to S3 to use as a sources mirror in case original sources are not available.
      # Exlude all directories and temp files as we only want the content and the .done files.
      # https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3/sync.html
      - name: Sync shared downloads to S3
        # Do not publish shared downloads for pull_request_target events to prevent cache poisoning
        # Do not publish shared downloads for private device-types as the mirror is public-read
        if: github.event_name != 'pull_request_target' && needs.balena-lib.outputs.is_private == 'false' && needs.source-mirror-setup.outputs.s3-url
        # Ignore errors for now, as we may have upload conflicts with other jobs
        continue-on-error: true
        env:
          SHARED_DOWNLOADS_DIR: ${{ github.workspace }}/shared/shared-downloads
          S3_SSE: ${{ needs.source-mirror-setup.outputs.aws-s3-sse-algorithm }}
          S3_URL: ${{ needs.source-mirror-setup.outputs.s3-url }}
          S3_REGION: ${{ needs.source-mirror-setup.outputs.aws-region }}
        # Create a symlink to the from the relative container path to the workspace in order to resolve symlinks
        # created in the build container runtime.
        run: |
          sudo ln -sf "${{ github.workspace }}" /work
          du -cksh "${SHARED_DOWNLOADS_DIR}/*"
          aws s3 sync --sse="${S3_SSE}" "${SHARED_DOWNLOADS_DIR}/" "${S3_URL}/" \
            --exclude "*/*" --exclude "*.tmp" --size-only --follow-symlinks --no-progress

      # TODO: Unroll balena_deploy_artifacts into the workflow shell directly
      # and only package up what is needed for s3 deploy, hostapp deploy, and leviathan tests.
      # Note that the option to remove compressed files is set to true, as we want to avoid duplicate image files in the upload,
      # and they can be uncompressed in the s3 deploy step.
      - name: Prepare artifacts
        env:
          ARTIFACTS_TAR: "${{ runner.temp }}/artifacts.tar.zst"
        run: |
          if ! command -v zip; then
            sudo apt-get update
            sudo apt-get install -y zip
          fi

          source "${automation_dir}/include/balena-deploy.inc"
          # https://github.com/balena-os/balena-yocto-scripts/blob/master/automation/include/balena-deploy.inc#L23
          balena_deploy_artifacts "${SLUG}" "${DEPLOY_PATH}" true

          cp -v "${WORKSPACE}/balena.yml" "${DEPLOY_PATH}/balena.yml"

          du -cksh "${DEPLOY_PATH}"
          find "${DEPLOY_PATH}" -type f -exec du -h {} \;

          tar -I zstd -cf "${ARTIFACTS_TAR}" -C "${DEPLOY_PATH}" .
          du -h "${ARTIFACTS_TAR}"

      # Encrypt artifacts and remove the original tarball so it doesn't get uploaded
      - name: Encrypt artifacts
        if: inputs.sign-image || needs.balena-lib.outputs.is_private == 'true'
        env:
          ARTIFACTS_TAR: "${{ runner.temp }}/artifacts.tar.zst"
          ARTIFACTS_ENC: "${{ runner.temp }}/artifacts.tar.zst.enc"
          PBDKF2_PASSPHRASE: ${{ secrets.PBDKF2_PASSPHRASE }}
        run: |
          openssl enc -v -e -aes-256-cbc -k "${PBDKF2_PASSPHRASE}" -pbkdf2 -iter 310000 -md sha256 -salt -in "${ARTIFACTS_TAR}" -out "${ARTIFACTS_ENC}"
          rm "${ARTIFACTS_TAR}"

      # Upload either the encrypted or the unencrypted artifacts, whichever is present
      # https://github.com/actions/upload-artifact
      - name: Upload artifacts
        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
        env:
          ARTIFACTS_TAR: "${{ runner.temp }}/artifacts.tar.zst"
          ARTIFACTS_ENC: "${{ runner.temp }}/artifacts.tar.zst.enc"
        with:
          name: build-artifacts
          if-no-files-found: error
          retention-days: 3
          compression-level: 7
          path: |
            ${{ env.ARTIFACTS_TAR }}
            ${{ env.ARTIFACTS_ENC }}

  ##############################
  # hostapp Deploy
  ##############################

  hostapp-deploy:
    name: Deploy hostApp
    runs-on: ${{ fromJSON(inputs.build-runs-on) }}
    # We want to push a hostapp on push events (PR merge) or dispatch
    # These conditions should match s3-deploy
    # Force finlize will finalize no matter what - so we want to make sure there is something to finlize - so it will always trigger this if true
    if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' || inputs.force-finalize
    needs:
      - approved-commit
      - build
      - balena-lib

    # This environment should contain the following variables:
    # - BALENA_HOST
    # - HOSTAPP_ORG
    # This environment should contain the following secrets:
    # - BALENA_API_DEPLOY_KEY
    environment: ${{ inputs.deploy-environment }}

    env:
      BALENARC_BALENA_URL: ${{ vars.BALENA_HOST || vars.BALENARC_BALENA_URL || 'balena-cloud.com' }}
      DEPLOY_PATH: ${{ github.workspace }}/deploy
      HOSTAPP_ORG: ${{ vars.HOSTAPP_ORG || 'balena_os' }}

    steps:

      # https://github.com/actions/download-artifact
      - name: Fetch build artifacts
        uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4
        with:
          name: build-artifacts
          path: ${{ runner.temp }}

      - name: Decrypt artifacts
        if: inputs.sign-image || needs.balena-lib.outputs.is_private == 'true'
        env:
          ARTIFACTS_TAR: "${{ runner.temp }}/artifacts.tar.zst"
          ARTIFACTS_ENC: "${{ runner.temp }}/artifacts.tar.zst.enc"
          PBDKF2_PASSPHRASE: ${{ secrets.PBDKF2_PASSPHRASE }}
        run: |
          openssl enc -v -d -aes-256-cbc -k "${PBDKF2_PASSPHRASE}" -pbkdf2 -iter 310000 -md sha256 -salt -in "${ARTIFACTS_ENC}" -out "${ARTIFACTS_TAR}"

      # Only decompress the balena-image.docker and balena.yml files for hostapp deployment\
      # List the contents of the tar file to make sure we're decompressing the right files
      - name: Decompress artifacts
        env:
          ARTIFACTS_TAR: "${{ runner.temp }}/artifacts.tar.zst"
        run: |
          set -x
          mkdir -p "${DEPLOY_PATH}"
          tar -tf "${ARTIFACTS_TAR}"
          tar -I zstd -xvf "${ARTIFACTS_TAR}" -C "${DEPLOY_PATH}" ./balena-image.docker ./balena.yml
          cp -v "${DEPLOY_PATH}/balena.yml" "${WORKSPACE}/balena.yml"

      - name: Setup balena CLI
        uses: balena-io-examples/setup-balena-action@41338eb4bb2b2e8b239d8ca5b8523d1a707333bf # v0.0.6
        env:
          # renovate: datasource=github-releases depName=balena-io/balena-cli
          BALENA_CLI_VERSION: v20.2.10
        with:
          # balena CLI version to install
          cli-version: ${{ env.BALENA_CLI_VERSION }}
          # balenaCloud API token to login automatically
          balena-token: ${{ secrets.BALENA_API_DEPLOY_KEY }}

      # TODO: replace this with balena-io/deploy-to-balena-action when it supports deploy-only
      # https://github.com/balena-io/deploy-to-balena-action/issues/286
      - name: Deploy to balena
        id: deploy-hostapp
        env:
          # BALENA_API_DEPLOY_KEY is a secret that should be specific to the runtime environment
          # It requires permissions to deploy hostApp releases, and fetch supervisor release images (via yocto recipes)
          # This step should never run untrusted user code, as we have a secret in the environment
          BALENAOS_TOKEN: ${{ secrets.BALENA_API_DEPLOY_KEY }}
          BALENAOS_ACCOUNT: ${{ env.HOSTAPP_ORG }}
          SLUG: "${{ needs.balena-lib.outputs.device_slug }}"
          APPNAME: "${{ needs.balena-lib.outputs.device_slug }}"
          DEVICE_REPO_REV: "${{ needs.balena-lib.outputs.device_repo_revision }}"
          META_BALENA_VERSION: "${{ needs.balena-lib.outputs.meta_balena_version }}"
          RELEASE_VERSION: "${{ needs.balena-lib.outputs.os_version }}"
          BOOTABLE: 1
          TRANSLATION: "v6"
          FINAL: ${{ needs.balena-lib.outputs.should_finalize }}
          ESR: "${{ needs.balena-lib.outputs.is_esr }}"
          balenaCloudEmail: # TODO: currently trying to use named API key only, its possible email/pw auth no longer has the additional privileges that it used to
          balenaCloudPassword: # TODO: currently trying to use named API key only, its possible email/pw auth no longer has the additional privileges that it used to
          CURL: "curl --silent --retry 10 --location --compressed"
          VERSION: ${{ needs.balena-lib.outputs.os_version }}
          # Used when creating a new hostapp APP - to give the relevant access to the relevant team
          HOSTAPP_ACCESS_TEAM: OS%20Devs
          HOSTAPP_ACCESS_ROLE: developer
          API_ENV: ${{ env.BALENARC_BALENA_URL }}
        run: |
          set -e

          ## Adapted from https://github.com/balena-os/balena-yocto-scripts/blob/master/automation/entry_scripts/balena-deploy-block.sh
          ## That script was executed from inside a helper image - here we're doing it inline

          # load hostapp bundle and get local image reference, needed for `balena deploy`
          _local_image=$(docker load -i "${DEPLOY_PATH}/balena-image.docker" | cut -d: -f1 --complement | tr -d " " )

          echo "[INFO] Logging into ${API_ENV} as ${BALENAOS_ACCOUNT}"
          export BALENARC_BALENA_URL="${API_ENV}"
          balena login --token "${BALENAOS_TOKEN}"

          if [ "$ESR" = "true" ]; then
            echo "Deploying ESR release"
            APPNAME="${APPNAME}-esr"
          fi

          if [ -f "${WORKSPACE}/balena.yml" ]; then
            echo -e "\nversion: ${VERSION}" >> "${WORKSPACE}/balena.yml"
            if [ "${{ inputs.sign-image }}" = "true" ]; then
              sed -i '/provides:/a \  - type: sw.feature\n    slug: secureboot' "/${WORKSPACE}/balena.yml"
            fi
          fi

          echo "[INFO] Deploying to ${BALENAOS_ACCOUNT}/${APPNAME}"

          ## Adapted from https://github.com/balena-os/balena-yocto-scripts/blob/master/automation/include/balena-api.inc#L373
          # Get the App Id from the name
          _json=$(${CURL} -XGET "https://api.${API_ENV}/${TRANSLATION}/application?\$filter=(slug%20eq%20'${BALENAOS_ACCOUNT}/${APPNAME}')" -H "Content-Type: application/json" -H "Authorization: Bearer ${BALENAOS_TOKEN}")
          _appID=$(echo "${_json}" | jq --raw-output '.d[0].id')
          echo "${_appID}"

          # Check if app already exists if it doesn't throw an error
          if [ -z "${_appID}" ] || [ "${_appID}" = "null" ]; then
            echo "[ERROR] No hostapp found for ${SLUG} - ensure that a publicly available hostapp is created with `is_host: true`"
            exit 1
          fi
          echo "${_appID}"

          # This is a sanity check to ensure the versions in the yocto build and the contract match
          if [ -f "${WORKSPACE}/balena.yml" ]; then
            _contract_version=$(awk '/version:/ {print $2}' "${WORKSPACE}/balena.yml")
            if [ "${_contract_version}" != "${VERSION}" ]; then
              >&2 echo "balena_lib_release: Version mismatch, contract ${_contract_version} os ${VERSION}"
            fi
          else
            >&2 echo "balena_lib_release: balena.yml contract file not present"
          fi

          if [ "${FINAL}" != true ]; then
            status="--draft"
          fi
          #[ "${VERBOSE}" = "verbose" ] && _debug="--debug"

          # create docker-compose.yml with OS release metadata for the hostapp
          cat > "${WORKSPACE}/docker-compose.yml" <<EOF
          version: '2.4'
          services:
            hostapp:
              image: ${_local_image}
              labels:
                io.balena.image.store: 'root'
                io.balena.image.class: 'hostapp'
                io.balena.update.requires-reboot: '1'
                io.balena.private.hostapp.board-rev: '${DEVICE_REPO_REV}'
          EOF

          if [ -n "${_local_image}" ]; then
            releaseCommit="$(BALENARC_BALENA_URL="${API_ENV}" balena deploy "${BALENAOS_ACCOUNT}/${APPNAME}" --source "${WORKSPACE}" ${status} ${_debug} | sed -n 's/.*Release: //p')"
          else
            releaseCommit="$(BALENARC_BALENA_URL="${API_ENV}" balena deploy "${BALENAOS_ACCOUNT}/${APPNAME}" --build --source "${WORKSPACE}" ${status} ${_debug} | sed -n 's/.*Release: //p')"
          fi
          [ -n "${releaseCommit}" ] && >&2 echo "Deployed ${_local_image} to ${BALENAOS_ACCOUNT}/${APPNAME} as ${status##--} at ${releaseCommit}"
          echo "${releaseCommit}"


          if [ -z "${releaseCommit}" ]; then
            echo "[INFO] Failed to deploy to ${BALENAOS_ACCOUNT}/${APPNAME}"
            exit 1
          fi


          # Potentially this should be split into a separate step
          ### Attaching assets to release ###

          # https://github.com/balena-os/balena-yocto-scripts/blob/master/automation/entry_scripts/balena-deploy-block.sh#L43
          # find assets
          _assets="$(find "${DEPLOY_PATH}" -name licenses.tar.gz) ${DEPLOY_PATH}/CHANGELOG.md"

          # Get hostapp release ID - at the moment we only have the commit hash releaseCommit
          _json=$(${CURL} -XGET -H "Content-type: application/json" "https://api.${API_ENV}/${TRANSLATION}/release?\$filter=commit%20eq%20%27${releaseCommit}%27" -H "Authorization: Bearer ${BALENAOS_TOKEN}")
          _release_id=$(echo "${_json}" | jq -r '.d[0].id')
          echo "${_release_id}"

          # For use in esr tagging step
          echo "release_id=${_release_id}" >>"${GITHUB_OUTPUT}"

          # https://github.com/balena-os/balena-yocto-scripts/blob/master/automation/include/balena-api.inc#L1163
          # attach each asset to release with _release_id
          for _asset in ${_assets}; do
            if [ -f "${_asset}" ]; then
              _asset_key=$(basename "${_asset}")
              # note: this uses the "resin" endpoint rather than v6
              _json=$(${CURL} -XPOST "https://api.${API_ENV}/resin/release_asset" -H "Authorization: Bearer ${BALENAOS_TOKEN}" --form "release=${_release_id}" --form "asset_key=${_asset_key}" --form "asset=@${_asset}")
              _aid=$(echo "${_json}" | jq -r '.id')
              echo "${_aid}"
              if [ -n "${_aid}" ]; then
                echo "[INFO] Added ${_asset} with ID ${_aid} to release ${releaseCommit}"
              else
                echo "[ERROR] Failed to add ${_asset} to release ${releaseCommit}"
                exit 1
              fi
            fi
          done

      - name: Tag ESR release
        if: needs.balena-lib.outputs.is_esr == 'true' && needs.balena-lib.outputs.should_finalize
        env:
          BALENAOS_ACCOUNT: ${{ vars.HOSTAPP_ORG || 'balena_os' }}
          SLUG: "${{ needs.balena-lib.outputs.device_slug }}"
          APPNAME: "${{ needs.balena-lib.outputs.device_slug }}-esr"
          META_BALENA_VERSION: "${{ needs.balena-lib.outputs.meta_balena_version }}"
          TRANSLATION: "v6"
          CURL: "curl --silent --retry 10 --location --compressed"
          VERSION: ${{ needs.balena-lib.outputs.os_version }}
          HOSTAPP_RELEASE_ID: ${{ steps.deploy-hostapp.outputs.release_id }}
          Q1ESR: "1|01"
          Q2ESR: "4|04"
          Q3ESR: "7|07"
          Q4ESR: "10"
          API_ENV: ${{ env.BALENARC_BALENA_URL }}
        run: |
          set -e

          ## Adapted from https://github.com/balena-os/balena-yocto-scripts/blob/master/automation/include/balena-lib.inc
          _regex="^[1-3][0-9]{3}\.${Q1ESR}|${Q2ESR}|${Q3ESR}|${Q4ESR}\.[0-9]*$"

          if ! echo "${VERSION}" | grep -Eq "${_regex}"; then
            >&2 echo "Invalid ESR release ${VERSION}"
            exit 1
          fi
          BALENARC_BALENA_URL=${API_ENV} balena tag set version "${VERSION}" --release "${HOSTAPP_RELEASE_ID}"
          BALENARC_BALENA_URL=${API_ENV} balena tag set meta-balena-base "${META_BALENA_VERSION}" --release "${HOSTAPP_RELEASE_ID}"

          _x_version="${VERSION%.*}.x"
          _json=$(${CURL} -XGET "https://api.${API_ENV}/${TRANSLATION}/application_tag?\$select=tag_key,value&\$filter=(application/app_name%20eq%20%27${APPNAME}%27)%20and%20(tag_key%20eq%20%27esr-current%27)" -H "Content-Type: application/json" -H "Authorization: Bearer ${BALENAOS_TOKEN}")
          last_current=$(echo "${_json}" | jq -r -e '.d[0].value') || true

          _json=$(${CURL} -XGET "https://api.${API_ENV}/${TRANSLATION}/application_tag?\$select=tag_key,value&\$filter=(application/app_name%20eq%20%27${APPNAME}%27)%20and%20(tag_key%20eq%20%27esr-sunset%27)" -H "Content-Type: application/json" -H "Authorization: Bearer ${BALENAOS_TOKEN}")
          last_sunset=$(echo "${_json}" | jq -r -e '.d[0].value') || true

          _json=$(${CURL} -XGET "https://api.${API_ENV}/${TRANSLATION}/application_tag?\$select=tag_key,value&\$filter=(application/app_name%20eq%20%27${APPNAME}%27)%20and%20(tag_key%20eq%20%27esr-next%27)" -H "Content-Type: application/json" -H "Authorization: Bearer ${BALENAOS_TOKEN}")
          last_next=$(echo "${_json}" | jq -r -e '.d[0].value') || true


          if [ "${last_current}" = "null" ]; then
            echo "[INFO][${BALENAOS_ACCOUNT}/${APPNAME}] Tagging fleet with esr-current: ${_x_version}"
            BALENARC_BALENA_URL=${API_ENV} balena tag set esr-current "${_x_version}" --fleet "${BALENAOS_ACCOUNT}/${APPNAME}"
          elif [ "${last_sunset}" = "null" ]; then
            if [ "${last_next}" = "null" ]; then
              echo "[INFO][${BALENAOS_ACCOUNT}/${APPNAME}] Tagging fleet with esr-next: ${_x_version}"
              BALENARC_BALENA_URL=${API_ENV} balena tag set esr-next "${_x_version}" --fleet "${BALENAOS_ACCOUNT}/${APPNAME}"
            else
              # Only re-tag if deploying a new x version
              if [ "${_x_version}" != "${last_next}" ]; then
                echo "[INFO][${BALENAOS_ACCOUNT}/${APPNAME}] Tagging fleet with esr-next: ${_x_version} esr-current: ${last_next} esr-sunset: ${last_current}"
                BALENARC_BALENA_URL=${API_ENV} balena tag set esr-next "${_x_version}" --fleet "${BALENAOS_ACCOUNT}/${APPNAME}"
                BALENARC_BALENA_URL=${API_ENV} balena tag set esr-current "${last_next}" --fleet "${BALENAOS_ACCOUNT}/${APPNAME}"
                BALENARC_BALENA_URL=${API_ENV} balena tag set esr-sunset "${last_current}" --fleet "${BALENAOS_ACCOUNT}/${APPNAME}"
              fi
            fi
          else
            if [ "${last_next}" = "null" ]; then
              >&2 echo "Invalid fleet tags: current: ${last_current} next: ${last_next} sunset: ${last_sunset}"
              exit 1
            else
              # Only re-tag if deploying a new x version
              if [ "${_x_version}" != "${last_next}" ]; then
                echo "[INFO][${BALENAOS_ACCOUNT}/${APPNAME}] Tagging fleet with esr-next: ${_x_version} esr-current: ${last_next} esr-sunset: ${last_current}"
                BALENARC_BALENA_URL=${API_ENV} balena tag set esr-next "${_x_version}" --fleet "${BALENAOS_ACCOUNT}/${APPNAME}"
                BALENARC_BALENA_URL=${API_ENV} balena tag set esr-current "${last_next}" --fleet "${BALENAOS_ACCOUNT}/${APPNAME}"
                BALENARC_BALENA_URL=${API_ENV} balena tag set esr-sunset "${last_current}" --fleet "${BALENAOS_ACCOUNT}/${APPNAME}"
              fi
            fi
          fi

  ##############################
  # S3 Deploy
  ##############################

  s3-deploy:
    name: Deploy to S3
    runs-on: ${{ fromJSON(inputs.build-runs-on) }}
    # We want to push a hostapp on push events (PR merge) or dispatch
    # These conditions should match hostapp-deploy
    # Force finlize will finalize no matter what - so we want to make sure there is something to finlize - so it will always trigger this if true
    if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' || inputs.force-finalize
    needs:
      - approved-commit
      - build
      - balena-lib

    # This environment should contain the following variables:
    # - AWS_SECURITY_GROUP: AWS security group to use for AMI testing
    # - AWS_SUBNET: AWS subnet for AMI testing
    # - AWS_KMS_KEY_ID: AWS KMS key ID make AMIs public
    # - AWS_REGION: AWS region for S3 image deployment
    # - AWS_IAM_ROLE: AWS IAM role to assume for S3 image deployment, AMI deployment
    # - AWS_S3_BUCKET: AWS S3 bucket for image deployment, and AMI deployment
    # - AWS_S3_SSE_ALGORITHM: AWS S3 server-side encryption algorithm
    environment: ${{ inputs.deploy-environment }}

    env:  
      # Include a number of similar variable keys to allow for flexibility in the environment and backwards compatibility
      AWS_IAM_ROLE: ${{ vars.AWS_IAM_ROLE }}
      AWS_REGION: ${{ vars.AWS_REGION || vars.AWS_S3_REGION || vars.S3_REGION || 'us-east-1' }}
      AWS_SECURITY_GROUP_ID: ${{ vars.AWS_SECURITY_GROUP_ID || vars.AWS_SECURITY_GROUP || 'sg-057937f4d89d9d51c' }}
      AWS_SUBNET_ID: ${{ vars.AWS_SUBNET_ID || vars.AWS_SUBNET || 'subnet-02d18a08ea4058574' }}
      AWS_KMS_KEY_ID: ${{ vars.AWS_KMS_KEY_ID || vars.AWS_KMS_KEY }}
      AWS_S3_BUCKET: ${{ vars.AWS_S3_BUCKET || vars.S3_BUCKET }}
      AWS_S3_SSE_ALGORITHM: ${{ vars.SOURCE_MIRROR_S3_SSE_ALGORITHM || vars.AWS_S3_SSE_ALGORITHM || vars.S3_SSE_ALGORITHM || vars.SSE_ALGORITHM || vars.SSE || 'AES256' }}

      DEPLOY_PATH: ${{ github.workspace }}/deploy/${{ needs.balena-lib.outputs.device_slug }}/${{ needs.balena-lib.outputs.os_version }}
      # Same as DEPLOY_PATH but used by prepare.ts which expects the structure "/host/images/${device_slug}/${version}/..."
      PREPARE_DEPLOY_PATH: ${{ github.workspace }}/deploy

    # https://docs.github.com/en/actions/security-guides/automatic-token-authentication
    # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
    # https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
    permissions:
      id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token

    steps:

      # https://github.com/actions/download-artifact
      - name: Fetch build artifacts
        uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4
        with:
          name: build-artifacts
          path: ${{ runner.temp }}

      - name: Decrypt artifacts
        if: inputs.sign-image || needs.balena-lib.outputs.is_private == 'true'
        env:
          ARTIFACTS_TAR: "${{ runner.temp }}/artifacts.tar.zst"
          ARTIFACTS_ENC: "${{ runner.temp }}/artifacts.tar.zst.enc"
          PBDKF2_PASSPHRASE: ${{ secrets.PBDKF2_PASSPHRASE }}
        run: |
          openssl enc -v -d -aes-256-cbc -k "${PBDKF2_PASSPHRASE}" -pbkdf2 -iter 310000 -md sha256 -salt -in "${ARTIFACTS_ENC}" -out "${ARTIFACTS_TAR}"

      # Decompress the entire the entire tarball for the S3 upload.
      # Note that in this case DEPLOY_PATH includes <workspace>/deploy/${device_slug}/${version}/
      # List the contents of the tar file to make sure we're decompressing the right files.
      # Unzip the raw image files that were zipped and removed before uploading.
      - name: Decompress artifacts
        env:
          ARTIFACTS_TAR: "${{ runner.temp }}/artifacts.tar.zst"
        run: |
          set -x
          mkdir -p "${DEPLOY_PATH}"
          tar -tf "${ARTIFACTS_TAR}"
          tar -I zstd -xvf "${ARTIFACTS_TAR}" -C "${DEPLOY_PATH}"

          if ! command -v unzip; then
            sudo apt-get update
            sudo apt-get install -y unzip
          fi

          find "${DEPLOY_PATH}/image" -type f -name "*.img.zip"

          for zip in "${DEPLOY_PATH}"/image/*.img.zip; do
            unzip "${zip}" -d "$(dirname "${zip}")"
          done

      # https://github.com/unfor19/install-aws-cli-action
      # https://github.com/aws/aws-cli/tags
      - name: Setup awscli
        uses: unfor19/install-aws-cli-action@e8b481e524a99f37fbd39fdc1dcb3341ab091367 # v1
        env:
          # renovate: datasource=github-tags depName=aws/aws-cli
          AWSCLI_VERSION: 2.24.21
        with:
          version: "${{ env.AWSCLI_VERSION }}"

      # https://github.com/aws-actions/configure-aws-credentials
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
        with:
          role-to-assume: ${{ env.AWS_IAM_ROLE }}
          role-session-name: github-${{ github.job }}-${{ github.run_id }}-${{ github.run_attempt }}
          aws-region: ${{ env.AWS_REGION }}
          # https://github.com/orgs/community/discussions/26636#discussioncomment-3252664
          mask-aws-account-id: false

      # login required to pull private balena/balena-img image
      # https://github.com/docker/login-action
      - name: Login to Docker Hub
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: docker.io
          username: ${{ secrets.DOCKERHUB_USER }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Prepare files for S3
        if: needs.balena-lib.outputs.deploy_artifact != 'docker-image'
        env:
          HELPER_IMAGE: balena/balena-img:6.20.26
          PREPARE_DEPLOY_PATH: ${{ env.PREPARE_DEPLOY_PATH }}
        run: |
          docker run --rm \
            -e BASE_DIR=/host/images \
            -v "${PREPARE_DEPLOY_PATH}:/host/images" \
            "${HELPER_IMAGE}" /usr/src/app/node_modules/.bin/ts-node /usr/src/app/scripts/prepare.ts

          find "${PREPARE_DEPLOY_PATH}" -exec ls -lh {} \;

      - name: Set S3 ACL to private
        id: s3-acl-private
        if: needs.balena-lib.outputs.is_private != 'false'
        run: echo "string=private" >>"${GITHUB_OUTPUT}"

      - name: Set S3 ESR destination directory
        id: s3-esr-images-dir
        if: needs.balena-lib.outputs.is_esr == 'true'
        run: echo "string=esr-images" >>"${GITHUB_OUTPUT}"

      # "If no keys are provided, but an IAM role is associated with the EC2 instance, it will be used transparently".
      # https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3/rm.html
      # https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3/cp.html
      # https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3/sync.html
      - name: Deploy to S3
        if: needs.balena-lib.outputs.deploy_artifact != 'docker-image'
        env:
          S3_ACL: ${{ steps.s3-acl-private.outputs.string || 'public-read' }}
          S3_SSE: ${{ env.AWS_S3_SSE_ALGORITHM }}
          S3_URL: "s3://${{ env.AWS_S3_BUCKET }}/${{ steps.s3-esr-images-dir.outputs.string || 'images' }}"
          S3_REGION: ${{ env.AWS_REGION }}
          SLUG: ${{ needs.balena-lib.outputs.device_slug }}
          VERSION: ${{ needs.balena-lib.outputs.os_version }}
          SOURCE_DIR: ${{ env.PREPARE_DEPLOY_PATH }}
        run: |
          if [ -n "$(aws s3 ls "${S3_URL}/${SLUG}/${VERSION}/")" ] && [ -z "$($S3_CMD ls "${S3_URL}/${SLUG}/${VERSION}/IGNORE")" ]; then
            echo "::warning::Deployment already exists at ${S3_URL}/${VERSION}"
            exit 0
          fi

          echo "${VERSION}" > "${SOURCE_DIR}/${SLUG}/latest"
          touch "${SOURCE_DIR}/${SLUG}/${VERSION}/IGNORE"

          aws s3 rm --recursive "${S3_URL}/${SLUG}/${VERSION}"
          aws s3 cp --no-progress --sse="${S3_SSE}" --acl="${S3_ACL}" "${SOURCE_DIR}/${SLUG}/${VERSION}/IGNORE" "${S3_URL}/${SLUG}/${VERSION}/"
          aws s3 sync --no-progress --sse="${S3_SSE}" --acl="${S3_ACL}" "${SOURCE_DIR}/${SLUG}/${VERSION}/" "${S3_URL}/${SLUG}/${VERSION}/"
          aws s3 cp --no-progress --sse="${S3_SSE}" --acl=public-read "${SOURCE_DIR}/${SLUG}/latest" "${S3_URL}/${SLUG}/"
          aws s3 rm "${S3_URL}/${SLUG}/${VERSION}/IGNORE"

  ##############################
  # AMI Deploy
  ##############################

  ami-deploy:
    name: Deploy AMI
    runs-on: ${{ fromJSON(inputs.build-runs-on) }}
    if: inputs.deploy-ami && (github.event_name == 'push' || github.event_name == 'workflow_dispatch')
    needs:
      - approved-commit
      - build
      - balena-lib

    # This environment should contain the following variables:
    # - AWS_SECURITY_GROUP: AWS security group to use for AMI testing
    # - AWS_SUBNET: AWS subnet for AMI testing
    # - AWS_KMS_KEY_ID: AWS KMS key ID make AMIs public
    # - AWS_REGION: AWS region for S3 image deployment
    # - AWS_IAM_ROLE: AWS IAM role to assume for S3 image deployment, AMI deployment
    # - AWS_S3_BUCKET: AWS S3 bucket for image deployment, and AMI deployment
    # - AWS_S3_SSE_ALGORITHM: AWS S3 server-side encryption algorithm
    # This environment should contain the following secrets:
    # - BALENA_API_DEPLOY_KEY: Balena API deploy key with access to the balena_os/cloud-config-* fleets
    environment: ${{ inputs.deploy-environment }}

    env:  
      # Include a number of similar variable keys to allow for flexibility in the environment and backwards compatibility
      AWS_IAM_ROLE: ${{ vars.AWS_IAM_ROLE }}
      AWS_REGION: ${{ vars.AWS_REGION || vars.AWS_S3_REGION || vars.S3_REGION || 'us-east-1' }}
      AWS_SECURITY_GROUP_ID: ${{ vars.AWS_SECURITY_GROUP_ID || vars.AWS_SECURITY_GROUP || 'sg-057937f4d89d9d51c' }}
      AWS_SUBNET_ID: ${{ vars.AWS_SUBNET_ID || vars.AWS_SUBNET || 'subnet-02d18a08ea4058574' }}
      AWS_KMS_KEY_ID: ${{ vars.AWS_KMS_KEY_ID || vars.AWS_KMS_KEY }}
      AWS_S3_BUCKET: ${{ vars.AWS_S3_BUCKET || vars.S3_BUCKET }}
      AWS_S3_SSE_ALGORITHM: ${{ vars.SOURCE_MIRROR_S3_SSE_ALGORITHM || vars.AWS_S3_SSE_ALGORITHM || vars.S3_SSE_ALGORITHM || vars.SSE_ALGORITHM || vars.SSE || 'AES256' }}

      DEPLOY_PATH: ${{ github.workspace }}/deploy

    # https://docs.github.com/en/actions/security-guides/automatic-token-authentication
    # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
    # https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
    permissions:
      id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token

    steps:

      # https://github.com/actions/download-artifact
      - name: Fetch build artifacts
        uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4
        with:
          name: build-artifacts
          path: ${{ runner.temp }}

      - name: Decrypt artifacts
        if: inputs.sign-image || needs.balena-lib.outputs.is_private == 'true'
        env:
          ARTIFACTS_TAR: "${{ runner.temp }}/artifacts.tar.zst"
          ARTIFACTS_ENC: "${{ runner.temp }}/artifacts.tar.zst.enc"
          PBDKF2_PASSPHRASE: ${{ secrets.PBDKF2_PASSPHRASE }}
        run: |
          openssl enc -v -d -aes-256-cbc -k "${PBDKF2_PASSPHRASE}" -pbkdf2 -iter 310000 -md sha256 -salt -in "${ARTIFACTS_ENC}" -out "${ARTIFACTS_TAR}"

      # Only decompress the raw image file for the AMI creation
      # List the contents of the tar file to make sure we're decompressing the right files
      - name: Decompress artifacts
        env:
          ARTIFACTS_TAR: "${{ runner.temp }}/artifacts.tar.zst"
        run: |
          mkdir -p "${DEPLOY_PATH}"
          tar -tf "${ARTIFACTS_TAR}"
          tar -I zstd -xvf "${ARTIFACTS_TAR}" -C "${DEPLOY_PATH}" ./image/balena.img.zip

          if ! command -v unzip; then
            sudo apt-get update
            sudo apt-get install -y unzip
          fi

          unzip "${DEPLOY_PATH}/image/balena.img.zip" -d "${DEPLOY_PATH}/image/"

      # https://github.com/unfor19/install-aws-cli-action
      # https://github.com/aws/aws-cli/tags
      - name: Setup awscli
        uses: unfor19/install-aws-cli-action@e8b481e524a99f37fbd39fdc1dcb3341ab091367 # v1
        env:
          # renovate: datasource=github-tags depName=aws/aws-cli
          AWSCLI_VERSION: 2.24.21
        with:
          version: "${{ env.AWSCLI_VERSION }}"

      # https://github.com/aws-actions/configure-aws-credentials
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
        with:
          role-to-assume: ${{ env.AWS_IAM_ROLE }}
          role-session-name: github-${{ github.job }}-${{ github.run_id }}-${{ github.run_attempt }}
          aws-region: ${{ env.AWS_REGION }}
          # https://github.com/orgs/community/discussions/26636#discussioncomment-3252664
          mask-aws-account-id: false

      - name: Set AMI arch
        id: ami-arch
        env:
          DT_ARCH: ${{ needs.balena-lib.outputs.dt_arch }}
        run: |
          if [ "${DT_ARCH}" = "amd64" ]; then
            echo "string=x86_64" >>"${GITHUB_OUTPUT}"
          elif [ "${DT_ARCH}" = "aarch64" ]; then
            echo "string=arm64" >>"${GITHUB_OUTPUT}"
          fi

      # # AMI name format: balenaOS(-installer?)(-secureboot?)-VERSION-DEVICE_TYPE
      - name: Set AMI name
        id: ami-name
        env: 
          VERSION: "${{ needs.balena-lib.outputs.os_version }}"
        run: |
          if [ "${{ inputs.sign-image }}" = "true" ]; then
            echo "AMI_NAME=balenaOS-secureboot-${VERSION}-${SLUG}" | sed 's/+/-/g' >>"${GITHUB_ENV}"
          else
            echo "AMI_NAME=balenaOS-${VERSION}-${SLUG}" | sed 's/+/-/g' >>"${GITHUB_ENV}"
          fi

      - name: Setup balena CLI
        uses: balena-io-examples/setup-balena-action@41338eb4bb2b2e8b239d8ca5b8523d1a707333bf # v0.0.6
        env:
          # renovate: datasource=github-releases depName=balena-io/balena-cli
          BALENA_CLI_VERSION: v20.2.10
        with:
          # balena CLI version to install
          cli-version: ${{ env.BALENA_CLI_VERSION }}
          # balenaCloud API token to login automatically
          balena-token: ${{ secrets.BALENA_API_DEPLOY_KEY }}

      - name: Configure AMI installer image
        env:
          BALENACLI_TOKEN: ${{ secrets.BALENA_API_DEPLOY_KEY }}
          IMAGE: ${{ env.DEPLOY_PATH }}/image/balena.img
          AMI_SECUREBOOT: "${{ inputs.sign-image }}"
          BALENA_PRELOAD_APP: "balena_os/cloud-config-${{ needs.balena-lib.outputs.dt_arch }}"
          HOSTOS_VERSION: "${{ needs.balena-lib.outputs.os_version }}"
        run: |          
          config_json=$(mktemp)
          cat << EOF > "${config_json}"
          {
              "deviceType": "${SLUG}",
              "installer": {
                  "secureboot": true
              }
          }
          EOF

          if [ -z "${AMI_SECUREBOOT}" ] || [ "${AMI_SECUREBOOT}" = "false" ]; then
              exit 0
          fi

          echo "* Configuring installer image"
          balena os configure "${IMAGE}"\
            --debug \
            --fleet "${BALENA_PRELOAD_APP}" \
            --config-network ethernet \
            --version "${HOSTOS_VERSION}"\
            --device-type "${SLUG}"\
            --config "${config_json}"
          rm -rf "${config_json}"

      - name: Preload AMI install image
        env:
          IMAGE: ${{ env.DEPLOY_PATH }}/image/balena.img
          BALENA_PRELOAD_APP: "balena_os/cloud-config-${{ needs.balena-lib.outputs.dt_arch }}"
          BALENA_PRELOAD_COMMIT: current
        run: |
          echo "* Adding the preload app"
          balena preload \
            --debug \
            --fleet "${BALENA_PRELOAD_APP}" \
            --commit "${BALENA_PRELOAD_COMMIT}" \
            --pin-device-to-release \
            "${IMAGE}"

      - name: Create AWS EBS snapshot
        id: ami-ebs-snapshot
        env:
            IMAGE: ${{ env.DEPLOY_PATH }}/image/balena.img
            AWS_DEFAULT_REGION: "${{ env.AWS_REGION }}"
            S3_BUCKET: "${{ env.AWS_S3_BUCKET }}"
            IMPORT_SNAPSHOT_TIMEOUT_MINS: 30
            AWS_KMS_KEY_ID: ${{ env.AWS_KMS_KEY_ID }}
            AWS_S3_SSE_ALGORITHM: ${{ env.AWS_S3_SSE_ALGORITHM }}
        run: |
          # https://github.com/koalaman/shellcheck/wiki/SC2155#correct-code-1
          # Randomize to lower the chance of parallel builds colliding.
          s3_key="tmp-$(basename ${IMAGE})-${RANDOM}"

          # Push to s3 and create the AMI
          echo "* Pushing ${IMAGE} to s3://${S3_BUCKET}"
          s3_url="s3://${S3_BUCKET}/preloaded-images/${s3_key}"
          echo "s3_url=${s3_url}" >>"${GITHUB_OUTPUT}"
          aws s3 cp --no-progress --sse "${AWS_S3_SSE_ALGORITHM}" "${IMAGE}" "${s3_url}"

          import_task_id=$(aws ec2 import-snapshot \
            --description "snapshot-${AMI_NAME}" \
            --disk-container "Description=balenaOs,Format=RAW,UserBucket={S3Bucket=${S3_BUCKET},S3Key=preloaded-images/${s3_key}}" \
            --encrypted \
            --kms-key-id "${AWS_KMS_KEY_ID}" | jq -r .ImportTaskId)

          echo "* Created a AWS import snapshot task with id ${import_task_id}. Waiting for completition..."
          
          ### Using the aws ec2 wait command times out - currently can't find a way to increase the timeout period, so poll "manually" instead
          # aws ec2 wait snapshot-imported \
          #   --import-task-ids ${import_task_id}
          wait_secs=10
          secs_waited=0
          while true; do
            status="$(aws ec2 describe-import-snapshot-tasks --import-task-ids "${import_task_id}" | jq -r ".ImportSnapshotTasks[].SnapshotTaskDetail.Status")"
            [ "$status" = "completed" ] && break
            [ "$status" = "deleting" ]  && \
                error_msg="$(aws ec2 describe-import-snapshot-tasks --import-task-ids "${import_task_id}" | jq -r ".ImportSnapshotTasks[].SnapshotTaskDetail.StatusMessage")" && \
                echo "ERROR: Error on import task id ${import_task_id}: ${error_msg}" && exit 1

            sleep $wait_secs
            secs_waited=$((secs_waited + wait_secs))
            mins_elapsed=$((secs_waited / 60))

            # Show progress every 2 mins (120 secs)
            [ "$mins_elapsed" -ge "$IMPORT_SNAPSHOT_TIMEOUT_MINS" ] && echo "ERROR: Timeout on import snapshot taksk id ${import_task_id}" && exit 1
          done

          snapshot_id=$(aws ec2 describe-import-snapshot-tasks --import-task-ids "${import_task_id}" | jq -r '.ImportSnapshotTasks[].SnapshotTaskDetail.SnapshotId')
          echo "* AWS import snapshot task complete. SnapshotId: ${snapshot_id}"
          echo "snapshot_id=${snapshot_id}" >>"${GITHUB_OUTPUT}"

      - name: Create AMI image
        id: ami-create
        env:
          IMAGE: ${{ env.DEPLOY_PATH }}/image/balena.img
          AWS_DEFAULT_REGION: "${{ env.AWS_REGION }}"
          S3_BUCKET: "${{ env.AWS_S3_BUCKET }}"
          AWS_KMS_KEY_ID: ${{ env.AWS_KMS_KEY_ID }}
          AMI_ARCHITECTURE: "${{ steps.ami-arch.outputs.string }}"
          AMI_SNAPSHOT_ID: "${{ steps.ami-ebs-snapshot.outputs.snapshot_id }}"
          AMI_ROOT_DEVICE_NAME: /dev/sda1
          AMI_EBS_DELETE_ON_TERMINATION: true
          AMI_EBS_VOLUME_SIZE: 8
          AMI_EBS_VOLUME_TYPE: gp2
          AMI_BOOT_MODE: uefi
        run: |
          echo "Checking for AMI name conflicts"
          existing_image_id=$(aws ec2 describe-images \
              --filters "Name=name,Values=${AMI_NAME}" \
              --query 'Images[*].[ImageId]' \
              --output text)

          if [ -n "${existing_image_id}" ]; then
              echo "::error::Image ${AMI_NAME} (${existing_image_id}) already exists, this should not happen"
              exit 1
          fi

          # Only supported on x86_64
          if [ "${AMI_ARCHITECTURE}" = "x86_64" ]; then
              TPM="--tpm-support v2.0"
          fi

          echo "Creating ${AMI_NAME} AWS AMI image..."
          image_id=$(aws ec2 register-image \
          --name "${AMI_NAME}" \
          --architecture "${AMI_ARCHITECTURE}" \
          --virtualization-type hvm \
          ${TPM} \
          --ena-support \
          --root-device-name "${AMI_ROOT_DEVICE_NAME}" \
          --boot-mode "${AMI_BOOT_MODE}" \
          --block-device-mappings "DeviceName=${AMI_ROOT_DEVICE_NAME},Ebs={
              DeleteOnTermination=${AMI_EBS_DELETE_ON_TERMINATION},
              SnapshotId=${AMI_SNAPSHOT_ID},
              VolumeSize=${AMI_EBS_VOLUME_SIZE},
              VolumeType=${AMI_EBS_VOLUME_TYPE}}" \
          | jq -r .ImageId)

          # If the AMI creation fails, aws-cli will show the error message to the user and we won't get any imageId
          [ -z "${image_id}" ] && exit 1

          aws ec2 create-tags --resources "${image_id}" --tags Key=Name,Value="${AMI_NAME}"
          echo "AMI image created with id ${image_id}"

          echo "image_id=${image_id}" >>"${GITHUB_OUTPUT}"

      - name: Cleanup installer image from s3
        continue-on-error: true
        if: |
          success() || failure()
        env:
          S3_IMG_URL: ${{ steps.ami-ebs-snapshot.outputs.s3_url }}
        run: |
          aws s3 rm "${S3_IMG_URL}"

      - name: Setup AMI test fleet
        id: ami-test-fleet
        env:
          HOSTOS_VERSION: "${{ needs.balena-lib.outputs.os_version }}"
          AMI_TEST_ORG: testbot
          AMI_TEST_DEV_MODE: true
        run: | 
          key_file="${HOME}/.ssh/id_ed25519"

          ami_test_fleet=$(openssl rand -hex 4)
          config_json=$(mktemp)
          echo "config_json=${config_json}" >>"${GITHUB_OUTPUT}"

          # Create test fleet
          >&2 echo "Creating ${AMI_TEST_ORG}/${ami_test_fleet}"
          >&2 balena fleet create "${ami_test_fleet}" --organization "${AMI_TEST_ORG}" --type "${SLUG}"

          # Register a key
          mkdir -p "$(dirname "${_key_file}")"
          ssh-keygen -t ed25519 -N "" -q -f "${key_file}"
          # shellcheck disable=SC2046
          >&2 eval $(ssh-agent)
          >&2 ssh-add
          balena key add "${ami_test_fleet}" "${key_file}.pub"

          uuid=$(balena device register "${AMI_TEST_ORG}/${ami_test_fleet}" | awk '{print $4}')
          >&2 echo "Pre-registered device with UUID ${uuid}"
          echo "uuid=${uuid}" >>"${GITHUB_OUTPUT}"

          if [ "$AMI_TEST_DEV_MODE" = true ]; then 
              _dev_mode="--dev";
          else
              _dev_mode="";
          fi

          >&2 balena config generate --network ethernet --version "${HOSTOS_VERSION}" --device "${uuid}" --appUpdatePollInterval 5 --output "${config_json}" "${_dev_mode}"
          if [ ! -f "${config_json}" ]; then
            echo "Unable to generate configuration"
            exit 1
          else
              new_uuid=$(jq -r '.uuid' "${config_json}")
              if [ "${new_uuid}" != "${uuid}" ]; then
                  echo "Invalid uuid in ${config_json}"
                  exit 1
              fi
          fi
          echo "fleet=${AMI_TEST_ORG}/${ami_test_fleet}" >>"${GITHUB_OUTPUT}"

      - name: Test AMI image
        id: ami-test
        env:
          IMAGE: ${{ env.DEPLOY_PATH }}/image/balena.img
          UUID: "${{ steps.ami-test-fleet.outputs.uuid }}"
          CONFIG_JSON: "${{ steps.ami-test-fleet.outputs.config_json }}"
          AWS_SUBNET_ID: ${{ env.AWS_SUBNET_ID }}
          AWS_SECURITY_GROUP_ID: ${{ env.AWS_SECURITY_GROUP_ID }}
        run: |
          # Default to a Nitro instance for TPM support
          _ami_instance_type="m5.large"

          _ami_image_id=$(aws ec2 describe-images --filters "Name=name,Values=${AMI_NAME}" --query 'Images[*].[ImageId]' --output text)
          if [ -z "${_ami_image_id}" ]; then
              echo "No ${AMI_NAME} AMI found."
              exit 1
          fi
          echo "ami_image_id=${_ami_image_id}" >>"${GITHUB_OUTPUT}"

          _instance_arch=$(aws ec2 describe-images --image-ids "${_ami_image_id}" | jq -r '.Images[0].Architecture')
          if [ "${_instance_arch}" = "arm64" ]; then
              _ami_instance_type="a1.large"
          fi

          echo "Instantiating ${_ami_image_id} in subnet ${AWS_SUBNET_ID} and security group ${AWS_SECURITY_GROUP_ID} in ${_ami_instance_type}"
          _instance_id=$(aws ec2 run-instances --image-id "${_ami_image_id}" --count 1 \
              --instance-type "${_ami_instance_type}" \
              --tag-specifications \
              "ResourceType=instance,Tags=[{Key=Name,Value=test-${AMI_NAME}}]" \
              "ResourceType=volume,Tags=[{Key=Name,Value=test-${AMI_NAME}}]" \
              --subnet-id "${AWS_SUBNET_ID}" \
              --security-group-ids "${AWS_SECURITY_GROUP_ID}" \
              --user-data "file://${CONFIG_JSON}" | jq -r '.Instances[0].InstanceId')
          if [ -z "${_instance_id}" ]; then
              echo "Error instantiating ${_ami_image_id} on ${_ami_instance_type}"
              exit 1
          fi

          echo "instance_id=${_instance_id}" >>"${GITHUB_OUTPUT}"
          
          aws ec2 wait instance-running --instance-ids "${_instance_id}"
          aws ec2 wait instance-status-ok --instance-ids "${_instance_id}"
          
          _loops=30
          until echo 'balena ps -q -f name=balena_supervisor | xargs balena inspect | \
              jq -r ".[] | select(.State.Health.Status!=null).Name + \":\" + .State.Health.Status"; exit' | \
              balena device ssh "${UUID}" | grep -q ":healthy"; do
                  echo "Waiting for supervisor..."
                  sleep "$(( (RANDOM % 30) + 30 ))s";
                  _loops=$(( _loops - 1 ))
                  if [ ${_loops} -lt 0 ]; then
                      echo "Timed out without supervisor health check pass"
                      break
                  fi
          done

      - name: Terminate test instance
        continue-on-error: true
        if: always()
        env: 
          INSTANCE_ID: ${{ steps.ami-test.outputs.instance_id }}
        run: |
          aws ec2 terminate-instances --instance-ids "${INSTANCE_ID}"

      - name: Clean up test fleet
        continue-on-error: true
        if: always()
        env: 
          FLEET: "${{ steps.ami-test-fleet.outputs.fleet }}"
        run: |
          [ -z "${FLEET}" ] && exit 0
          balena fleet rm "${FLEET}" --yes || true
          _key_id=$(balena ssh-key list | grep "${FLEET#*/}" | awk '{print $1}')
          balena ssh-key rm "${_key_id}" --yes || true
        
      # FIXME - This currently will not work, due to not being able to share encypted snapshots
      # - name: Make AMI public
      #   if: ${{ steps.ami-test.outcome == 'success' }}
      #   env:
      #     # From https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ami-quotas.html
      #     # The maximum number of public AMIs per region, including the Recycle Bin, is 5.
      #     AWS_AMI_PUBLIC_QUOTA: 5
      #     AMI_ARCHITECTURE: "${{ steps.ami-arch.outputs.string }}"
      #     AMI_IMAGE_ID: "${{ steps.ami-test.outputs.ami_image_id }}"
      #     AWS_DEFAULT_REGION: "${{ needs.aws-deploy-config.outputs.aws-region }}"
      #   run: |  
      #     # We have x86_64 and aarch64, and want one slot free for customers requests
      #     AWS_AMI_PUBLIC_ARCH_QUOTA=$(((AWS_AMI_PUBLIC_QUOTA - 1)/2))
      #     _ami_public_images_count=$(aws ec2 describe-images \
      #         --owners "self" \
      #         --filters "Name=name,Values="${AMI_NAME%%-*} "Name=architecture,Values="${AMI_ARCHITECTURE} "Name=is-public,Values=true"  \
      #         | jq '.Images | length')
      #     if [ "${_ami_public_images_count}" -ge "${AWS_AMI_PUBLIC_ARCH_QUOTA}"  ]; then
      #         # Make oldest AMI of this architecture private to preserve the public AMI quota
      #         _ami_oldest_image_id=$(aws ec2 describe-images \
      #             --owners "self" \
      #             --filters "Name=name,Values=${AMI_NAME%%-*}" "Name=architecture,Values=${AMI_ARCHITECTURE}" "Name=is-public,Values=true" \
      #             --query 'sort_by(Images, &CreationDate)[0].ImageId')
      #         if [ -n "${_ami_oldest_image_id}" ]; then
      #             if [ "$(aws ec2 describe-images --image-ids "${_ami_oldest_image_id}" | jq -r '.Images[].Public')" = "true" ]; then
      #               echo "Turning AMI with ID ${_ami_oldest_image_id} private"
      #               if aws ec2 modify-image-attribute \
      #                   --image-id "${_ami_oldest_image_id}" \
      #                   --launch-permission '{"Remove":[{"Group":"all"}]}'; then
      #                   if [ "$(aws ec2 describe-images --image-ids "${_ami_oldest_image_id}" | jq -r '.Images[].Public')" = "false" ]; then
      #                       echo "AMI with ID ${_ami_oldest_image_id} is now private"
      #                   else
      #                       echo "Failed to set image with ID ${_ami_oldest_image_id} private"
      #                       exit 1
      #                   fi
      #               fi
      #           else
      #               echo "Image with ID ${_ami_oldest_image_id} is already private"
      #           fi
      #         fi
      #     fi

      #     _ami_snapshot_id=$(aws ec2 describe-images --region="${AWS_DEFAULT_REGION}" --image-ids "${AMI_IMAGE_ID}" | jq -r '.Images[].BlockDeviceMappings[].Ebs.SnapshotId')
      #     if [ -n "${_ami_snapshot_id}" ]; then
      #         if aws ec2 modify-snapshot-attribute --region "${AWS_DEFAULT_REGION}" --snapshot-id "${_ami_snapshot_id}" --attribute createVolumePermission --operation-type add --group-names all; then
      #             if [ "$(aws ec2 describe-snapshot-attribute --region "${AWS_DEFAULT_REGION}" --snapshot-id "${_ami_snapshot_id}" --attribute createVolumePermission | jq -r '.CreateVolumePermissions[].Group')" == "all" ]; then
      #                 echo "AMI snapshot ${_ami_snapshot_id} is now publicly accessible"
      #             else
      #                 echo "AMI snapshot ${_ami_snapshot_id} could not be made public"
      #                 exit 1
      #             fi
      #         fi
      #     else
      #         echo "AMI snapshot ID not found"
      #         exit 1
      #     fi

      #     if aws ec2 modify-image-attribute \
      #         --image-id "${AMI_IMAGE_ID}" \
      #         --launch-permission "Add=[{Group=all}]"; then
      #         if [ "$(aws ec2 describe-images --image-ids "${AMI_IMAGE_ID}" | jq -r '.Images[].Public')" = "true" ]; then
      #             echo "AMI with ID ${AMI_IMAGE_ID} is now public"
      #         else
      #             echo "Failed to set image with ID ${AMI_IMAGE_ID} public"
      #             exit 1
      #         fi
      #     fi
      
      # From https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ami-quotas.html
      # The maximum number of public and private AMIs allowed per Region iz 50000.
      - name: Clean up EOL AMIs
        if: always()
        continue-on-error: true
        env: 
          PERIOD: "2 years ago"
        run: |
          _date=$(date +%Y-%m-%d -d "${PERIOD}")
          echo "Cleaning up AMI images older than ${PERIOD}"
          image_ids=$(aws ec2 describe-images \
              --filters "Name=name,Values=${AMI_NAME%%-*}-*" \
              --owners "self" \
              --query 'Images[?CreationDate<`'"${_date}"'`].[ImageId]' --output text)
          for image_id in ${image_ids}; do
              _snapshots="$(aws ec2 describe-images --image-ids "${image_id}" --query 'Images[*].BlockDeviceMappings[*].Ebs.SnapshotId' --output text)"
              if aws ec2 deregister-image --image-id "${image_id}"; then
                  echo "De-registered AMI ${image_id}"
                  if [ -n "${_snapshots}" ]; then
                      for snapshot in ${_snapshots}; do
                          if aws ec2 delete-snapshot --snapshot-id "${snapshot}"; then
                              echo "Removed snapshot ${snapshot}"
                          else
                              echo "Could not remove snapshot ${snapshot}"
                          fi
                      done
                  fi
              else
                  echo "Could not de-register AMI ${image_id}"
              fi
          done

        # Tear down any AMI's created in the case of a failure - to leave a clean slate for the next run
      - name: Clean up AMI images on failure
        if: failure()
        run: |
          image_id=$(aws ec2 describe-images \
              --filters "Name=name,Values=${AMI_NAME}" \
              --query 'Images[*].[ImageId]' \
              --output text)

          snapshots="$(aws ec2 describe-images --image-ids "${image_id}" --query 'Images[*].BlockDeviceMappings[*].Ebs.SnapshotId' --output text)"
          if aws ec2 deregister-image --image-id "${image_id}"; then
              echo "De-registered AMI ${image_id}"
              if [ -n "${snapshots}" ]; then
                  for snapshot in ${snapshots}; do
                      if aws ec2 delete-snapshot --snapshot-id "${snapshot}"; then
                          echo "Removed snapshot ${snapshot}"
                      else
                          echo "Could not remove snapshot ${snapshot}"
                      fi
                  done
              fi
          else
              echo "Could not de-register AMI ${image_id}"
          fi
          
  ##############################
  # Leviathan Test
  ##############################
  test:
    name: Test
    needs:
      - approved-commit
      - balena-lib
      - build
    # Specify the runner type in the test_matrix input.
    # QEMU workers need ["self-hosted", "X64", "kvm"] or ["self-hosted", "ARM64", "kvm"] runners.
    # Testbot workers can use any GitHub hosted (ubuntu-latest) or self-hosted runner.
    # Default to self-hosted X64 with KVM for now to align with Jenkins but in the future
    # we should consider using GitHub hosted runners for the testbot workers.
    runs-on: ${{ matrix.runs_on || fromJSON('["self-hosted", "X64", "kvm"]') }}
    environment: ${{ matrix.environment }}
    # https://docs.github.com/en/actions/learn-github-actions/expressions#functions
    # this expression checks to make sure at least one test suite was provided via either matrix syntax
    if: |
      github.event_name != 'push' &&
      (
        join(fromJSON(inputs.test_matrix).test_suite) != '' ||
        join(fromJSON(inputs.test_matrix).include.*.test_suite) != ''
      )

    defaults:
      run:
        working-directory: .
        shell: bash --noprofile --norc -eo pipefail -x {0}

    strategy:
      fail-fast: false
      matrix: ${{ fromJSON(inputs.test_matrix) }}

    env:
      # Variables provided via the selected GitHub environment
      BALENACLOUD_API_URL: ${{ vars.BALENA_HOST || matrix.environment || 'balena-cloud.com' }}
      BALENACLOUD_SSH_PORT: ${{ vars.BALENACLOUD_SSH_PORT || '22' }}
      BALENACLOUD_SSH_URL: ${{ vars.BALENACLOUD_SSH_URL || 'ssh.balena-devices.com' }}

      # Settings specific to this test run.
      # Generally provided via inputs.test_matrix but sane defaults are also provided.
      DEVICE_TYPE: ${{ needs.balena-lib.outputs.device_slug }}
      TEST_SUITE: ${{ matrix.test_suite }}
      WORKER_TYPE: ${{ matrix.worker_type || 'testbot' }}
      BALENACLOUD_APP_NAME: ${{ matrix.worker_fleets || 'balena/testbot-rig,balena/testbot-rig-partners,balena/testbot-rig-x86,balena/testbot-rig-partners-x86' }}
      BALENACLOUD_ORG: ${{ matrix.test_org || 'testbot' }}

      # Local directories
      LEVIATHAN_WORKSPACE: ${{ github.workspace }}/leviathan-workspace
      REPORTS: ${{ github.workspace }}/reports
      LEVIATHAN_ROOT: ${{ github.workspace }}/layers/meta-balena/tests/leviathan
      SUITES: ${{ github.workspace }}/layers/meta-balena/tests/suites
      DEPLOY_PATH: ${{ github.workspace }}/deploy

      # QEMU settings
      QEMU_CPUS: 4
      QEMU_MEMORY: "1G"

    steps:
      # https://github.com/actions/create-github-app-token
      # Owner input to make token valid for all repositories in the org
      # This behvaiour is required for private submodules
      - name: Create GitHub App installation token
        uses: actions/create-github-app-token@21cfef2b496dd8ef5b904c159339626a10ad380e # v1.11.6
        id: app-token
        with:
          app-id: ${{ vars.BALENAOS_CI_APP_ID }}
          private-key: ${{ secrets.BALENAOS_CI_APP_PRIVATE_KEY }}
          owner: ${{ github.repository_owner }}

      # Generate another app token for the balena-io organization
      # so we can checkout private contracts
      # https://github.com/actions/create-github-app-token
      - name: Create GitHub App installation token (balena-io)
        uses: actions/create-github-app-token@21cfef2b496dd8ef5b904c159339626a10ad380e # v1.11.6
        id: app-token-balena-io
        with:
          app-id: ${{ vars.BALENAOS_CI_APP_ID }}
          private-key: ${{ secrets.BALENAOS_CI_APP_PRIVATE_KEY }}
          owner: balena-io

      # Clone the device respository to fetch Leviathan
      # https://github.com/actions/checkout
      - name: Clone device repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          repository: ${{ inputs.device-repo }}
          token: ${{ steps.app-token.outputs.token || secrets.GITHUB_TOKEN }}
          ref: ${{ inputs.device-repo-ref }}
          submodules: recursive # We need to set this to recursive as leviathan is a submodule nested inside the meta-balena submodule of the device repo
          fetch-depth: 0
          fetch-tags: true
          # Do not persist the app installation token credentials,
          # and prefer that each step provide credentials where required
          persist-credentials: false

      # Check if the repository is a yocto device respository
      - name: Device repository check
        run: |
          if [ "$(yq '.type' repo.yml)" != "yocto-based OS image" ]; then
            echo "::error::Repository does not appear to be of type 'yocto-based OS image'"
            exit 1
          fi

      # This is useful as it allows us to try out test suite changes not yet merged in meta balena
      - name: Update meta-balena submodule to ${{ inputs.meta-balena-ref }}
        if: inputs.meta-balena-ref != ''
        working-directory: ./layers/meta-balena
        run: |
          git config --add remote.origin.fetch '+refs/pull/*:refs/remotes/origin/pr/*'
          git fetch --all
          git checkout --force "${{ inputs.meta-balena-ref }}"
          git submodule update --init --recursive

      # Images need to end up in workspace folder and need to have correct names
      - name: Fetch artifacts from build job
        uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4
        with:
          name: build-artifacts
          path: ${{ runner.temp }}

      - name: Decrypt artifacts
        if: inputs.sign-image || needs.balena-lib.outputs.is_private == 'true'
        env:
          ARTIFACTS_TAR: "${{ runner.temp }}/artifacts.tar.zst"
          ARTIFACTS_ENC: "${{ runner.temp }}/artifacts.tar.zst.enc"
          PBDKF2_PASSPHRASE: ${{ secrets.PBDKF2_PASSPHRASE }}
        run: |
          openssl enc -v -d -aes-256-cbc -k "${PBDKF2_PASSPHRASE}" -pbkdf2 -iter 310000 -md sha256 -salt -in "${ARTIFACTS_ENC}" -out "${ARTIFACTS_TAR}"

      # Only decompress the raw image file and the balena-image.docker file for the leviathan tests
      # List the contents of the tar file to make sure we're decompressing the right files
      - name: Decompress artifacts
        env:
          ARTIFACTS_TAR: "${{ runner.temp }}/artifacts.tar.zst"
        run: |
          mkdir -p "${DEPLOY_PATH}"
          tar -tf "${ARTIFACTS_TAR}"
          tar -I zstd -xvf "${ARTIFACTS_TAR}" -C "${DEPLOY_PATH}" ./image/balena.img.zip ./balena-image.docker

          if ! command -v unzip; then
            sudo apt-get update
            sudo apt-get install -y unzip
          fi

          unzip "${DEPLOY_PATH}/image/balena.img.zip" -d "${DEPLOY_PATH}/image/"

      # Check out private contracts if this is a private device type - as these are required for the tests
      - name: Checkout private Contracts
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        if: needs.balena-lib.outputs.is_private == 'true'
        with:
          repository: balena-io/private-contracts
          token: ${{ steps.app-token-balena-io.outputs.token }}
          path: ${{ env.LEVIATHAN_ROOT }}/core/private-contracts
          # Do not persist the token credentials,
          # and prefer that each step provide credentials where required
          persist-credentials: false

      - name: Prepare workspace
        run: |
          if ! command -v gzip &> /dev/null; then
            sudo apt-get update
            sudo apt-get install -y --no-install-recommends gzip
          fi

          mkdir -p "${LEVIATHAN_WORKSPACE}"
          gzip -9 -c "${DEPLOY_PATH}/image/balena.img" >"${LEVIATHAN_WORKSPACE}/balena.img.gz"
          cp -v "${DEPLOY_PATH}/balena-image.docker" "${LEVIATHAN_WORKSPACE}/balena-image.docker"

          cp -v "${SUITES}/${TEST_SUITE}/config.js" "${LEVIATHAN_WORKSPACE}/config.js"
          mkdir -p "${REPORTS}"

      # Two variables are needed for secure boot tests. Check Makefile in Leviathan to trace their usage.
      - name: Enable secure boot tests
        # Evaluate as truthy
        if: matrix.secure_boot
        run: |
          echo "QEMU_SECUREBOOT=1" >> "${GITHUB_ENV}"
          echo "FLASHER_SECUREBOOT=1" >> "${GITHUB_ENV}"
          echo "QEMU_MEMORY=4G" >> "${GITHUB_ENV}"

      # https://github.com/balena-os/leviathan/blob/master/action.yml
      - name: BalenaOS Leviathan Tests
        uses: balena-os/leviathan@81e7f26dd581dfb1a5d11e877fa4ecd86e29c440 # v2.31.90
        env:
          WORKSPACE: "${{ env.LEVIATHAN_WORKSPACE }}"
          # BALENA_API_TEST_KEY is a secret that should be specific to the runtime environment
          # It requires permissions to manage autokit workers, and create test fleets
          BALENACLOUD_API_KEY: ${{ secrets.BALENA_API_TEST_KEY }}

  # This job always runs and will fail if any of the builds or tests fail.
  # This way we can mark this job as required for merging PRs.
  # Otherwise we would need to mark each build and test matrix, suite, etc. as required.
  all_jobs:
    name: All jobs
    runs-on: ubuntu-24.04
    needs:
      - approved-commit
      - balena-lib
      - build
      - s3-deploy
      - ami-deploy
      - hostapp-deploy
      - test
    # The default condition for jobs is success(), which means that this
    # job would be skipped if a previous job failed.
    # Unfortunately GitHub treats skipped jobs as a pass as far as merge requirements!
    # So we override the conditions of this job to always run, and check
    # the results of the previous jobs to return overall success or failure.
    if: |
      always()

    defaults:
      run:
        working-directory: .
        shell: bash --noprofile --norc -eo pipefail -x {0}

    strategy:
      fail-fast: true
      matrix:
        include:
          - machine: ${{ inputs.machine }}
            deploy-environment: ${{ inputs.deploy-environment }}
            signing-environment: ${{ inputs.signing-environment }}

    steps:
      - name: Reject failed jobs
        run: |
          if [ "${{ contains(needs.*.result, 'failure') }}" = "true" ]
          then
            echo "One or more jobs have failed"
            exit 1
          fi

      - name: Reject cancelled jobs
        run: |
          if [ "${{ contains(needs.*.result, 'cancelled') }}" = "true" ]
          then
            echo "One or more jobs were cancelled"
            exit 1
          fi