

rework into single workflow
Change-type: patch
Signed-off-by: Ryan Cooke <[email protected]>
rcooke-warwick committed Apr 24, 2024
1 parent a8432c5 commit 97dc84e
Showing 3 changed files with 130 additions and 78 deletions.
68 changes: 45 additions & 23 deletions .github/workflows/flowzone.yml
Expand Up @@ -31,10 +31,9 @@ jobs:
ghcr.io/balena-os/balena-yocto-scripts
bake_targets: yocto-build-env,balena-push-env

# depends on Flowzone having already published the helper images
yocto-build:
name: Yocto-build
uses: ./.github/workflows/yocto-build.yml
name: yocto-build
uses: ./.github/workflows/yocto-build-deploy.yml
needs: flowzone
secrets: inherit
with:
Expand All @@ -46,27 +45,50 @@ jobs:
machine: generic-amd64
sign-image: false
os-dev: false

# depends on the build job having already published the helper images
# In here now for testing - we actually want this to be used on device repos on the creation of a new version tag (or PR merge)
yocto-deploy:
name: Deploy
uses: ./.github/workflows/yocto-deploy.yml
needs: yocto-build
secrets: inherit
with:
# runs-on: '[ "ubuntu-latest" ]'
environment: staging
device-repo: balena-os/balena-generic
device-repo-ref: master
yocto-scripts-ref: ${{ github.event.pull_request.head.sha || github.sha }}
machine: generic-amd64
deploy-s3: true
deploy-hostapp: true
deploy-ami: true
sign-image: false
os-dev: false
deploy-esr: false
device_slug: "generic-amd64"
os_version: "5.2.4"
is_private: false
is_private: false
finalize-hostapp: false

# depends on Flowzone having already published the helper images
# yocto-build:
# name: yocto-build
# uses: ./.github/workflows/yocto-build.yml
# needs: flowzone
# secrets: inherit
# with:
# # runs-on: '[ "ubuntu-latest" ]'
# environment: staging
# device-repo: balena-os/balena-generic
# device-repo-ref: master
# yocto-scripts-ref: ${{ github.event.pull_request.head.sha || github.sha }}
# machine: generic-amd64
# sign-image: false
# os-dev: false


# # depends on the build job having already published the helper images
# # In here now for testing - we actually want this to be used on device repos on the creation of a new version tag (or PR merge)
# yocto-deploy:
# name: Deploy
# uses: ./.github/workflows/yocto-deploy.yml
# needs: yocto-build
# secrets: inherit
# with:
# # runs-on: '[ "ubuntu-latest" ]'
# environment: staging
# device-repo: balena-os/balena-generic
# device-repo-ref: master
# yocto-scripts-ref: ${{ github.event.pull_request.head.sha || github.sha }}
# machine: generic-amd64
# deploy-s3: true
# deploy-hostapp: true
# deploy-ami: true
# sign-image: false
# os-dev: false
# deploy-esr: false
# device_slug: "generic-amd64"
# os_version: "5.2.4"
# is_private: false
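Review bot: The job definitions kept under `#` from `# yocto-build:` down to `# is_private: false` duplicate the live `yocto-build` job above them plus the `yocto-deploy` job this commit folds into yocto-build-deploy.yml, so they are dead config that will drift from the real inputs; delete them rather than carry both copies (git history keeps the old form). The new `device_slug: "generic-amd64"` and `os_version: "5.2.4"` entries hard-code values that `machine:` and the device repo's VERSION file appear to determine elsewhere in the deploy workflow, so if yocto-build-deploy.yml really declares these inputs they deserve a comment such as `# test-only override; normally derived from the device repo` or should be dropped. `is_private: false` is printed twice in the `with:` block; if both lines are on the new side that is a duplicate mapping key which YAML parsers silently collapse to the last value. The `yocto-build` job starts in the first hunk and its `with:` block continues across the hunk boundary.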
14 changes: 8 additions & 6 deletions .github/workflows/repo-example.yml
Expand Up @@ -9,14 +9,16 @@ on:

jobs:
yocto-generic-amd64:
uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build.yml@<tag>
name: yocto-build-generic-amd64
uses: ./.github/workflows/yocto-build-deploy.yml
needs: flowzone
secrets: inherit
with:
machine: generic-amd64
sign-image: true
development-mode: false
environment: 'production' # used to select prod api key , # prod api url # SSH url = blank
... etc
environment: production
machine: generic-amd64
sign-image: true
deploy-hostapp: true
is_private: false

generic-aarch64:
uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build.yml@<tag>
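Review bot: `uses: ./.github/workflows/yocto-build-deploy.yml` in the `yocto-generic-amd64` job is a repository-local path, but repo-example.yml is the template for device repositories, where that file does not exist; the line it replaces used the cross-repo form `balena-os/balena-yocto-scripts/.github/workflows/yocto-build.yml@<tag>` and the untouched `generic-aarch64` job still does, so keep the pinned form, `uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@<tag>`. With `environment: production`, `sign-image: true` and `deploy-hostapp: true` but no `check-merge-tests` or `finalize-hostapp`, the example falls back to the defaults declared in yocto-build-deploy.yml (`false` and `"no"`), so a production hostapp pushed from this template would never be marked final; state the intended values explicitly so copies of the example do not depend on defaults. `needs: flowzone` refers to a job not visible in this hunk, presumably defined above. The hunk ends before the body of the `generic-aarch64` job.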
126 changes: 77 additions & 49 deletions .github/workflows/yocto-build-deploy.yml
Expand Up @@ -69,6 +69,19 @@ on:
required: false
type: boolean
default: true
finalize-hostapp:
description: Whether to finalize a hostApp container image to a balena environment
required: false
type: string
default: "no"
check-merge-tests: #TODO: On PRs, and on manual jobs, set this to false - we can also set it to false to not deploy as final
required: false
type: boolean
default: false
run-tests:
required: false
type: boolean
default: false
deploy-ami:
description: Whether to deploy an AMI to AWS
required: false
Expand Down Expand Up @@ -110,6 +123,7 @@ env:
WORKSPACE: ${{ github.workspace }}
MACHINE: ${{ inputs.machine }}
VERBOSE: verbose
WORKFLOW_NAME: ${{ github.workflow }} #Name of the calling workflow - for use when checking the result of test job on merged PR. Also, can we be clever here and also use it to differentiate between manual/auto runs

permissions:
id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
Expand Down Expand Up @@ -209,6 +223,58 @@ jobs:
# fetch-depth: 1
fetch-tags: true

# In the old workflow we had to fetch the merge commit, get the check runs from the PR, and check if a device type passed or failed
# In the github actions workflow, we will only put a deploy job for device types we know we want to deploy
# This prone to error - we have required checks on the PR - but a separate deploy list. If we take off the required check, but forget to remove it from the deploy
# then we have a problem.....
# reference: https://github.com/balena-os/github-workflows/blob/master/.github/workflows/build_and_deploy.yml#L89
# NOTE: This will not be necessary if we had a way to deploy artifacts and mark as final like with fleet releases
# Skip this if this is triggered from a dispatch

- name: 'Fetch latest tag'
id: get-latest-tag
if: ${{ inputs.check-merge-tests }}
uses: "actions-ecosystem/action-get-latest-tag@v1"

# We're also checking out the tag in this step, so the subsequent build is done from the tagged version of the device repo
- name: 'Fetch merge commit'
id: set-merge-commit
if: ${{ inputs.check-merge-tests }}
run: |
merge_commit=$(git checkout ${{steps.get-latest-tag.outputs.tag}} && git rev-parse :/"^Merge pull request")
echo "Found merge commit ${merge_commit}"
echo "merge_commit=${merge_commit}" >> $GITHUB_OUTPUT"
git checkout ${{steps.get-latest-tag.outputs.tag}}
# TODO: check if this is needed? On creation of new esr tag what will happen?
# We need to set all the esr flags to true if this evaluates to true - or we have seperate workflow calls for esr
# - name: 'Check ESR release'
# if: ${{ ! inputs.manual_call }}
# uses: actions-ecosystem/action-regex-match@v2
# id: regex-match
# with:
# text: ${{ steps.get-latest-tag.outputs.tag }}
# regex: '^v20[0-9][0-9].[0-1]?[1470].[0-9]+$'

# This will control the deployment of the hostapp only - it will determine if it is marked as final or not
# Regardless, artifacts will be deployed to s3 right now.
# The hostapp being finalised is what determines if the API will present this OS version to users
- name: Check test results
if: ${{ inputs.check-merge-tests }}
id: merge-test-result
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
REPO: ${{ inputs.device-repo }}
COMMIT: ${{ steps.set-merge-commit.outputs.merge_commit }}
run: |
prid=$(gh api -H "Accept: application/vnd.github+json" /repos/$REPO/commits/$COMMIT --jq '.commit.message' | head -n1 | cut -d "#" -f2 | awk '{ print $1}')
status_url=$(gh api -H "Accept: application/vnd.github+json" /repos/$REPO/pulls/$prid --jq '._links.statuses.href')
passed="no"
if curl -sL "${status_url}" --header "Authorization: Bearer $GH_TOKEN" | jq -e '.[] | select(.context == "'"${WORKFLOW_NAME}"'") | select(.state == "success")' > /dev/null 2>&1; then
passed="yes"
fi
echo "finalize=${passed}" >> $GITHUB_OUTPUT" #Need to be able to manually override...
- name: Device repository check
run: |
if [ "$(yq '.type' repo.yml)" != "yocto-based OS image" ]; then
Expand Down Expand Up @@ -378,28 +444,22 @@ jobs:
source "${automation_dir}/include/balena-deploy.inc"
balena_deploy_artifacts "${{ inputs.machine }}" "${DEPLOY_PATH}" false
# create links required for s3 prepare.ts
# mkdir -p "${DEPLOY_PATH}/${{ steps.balena-lib.outputs.device_slug }}"
# symlinks don't seem to work in the volume we mount to the helper image
#ln -sf ../.. "${DEPLOY_PATH}/${{ steps.balena-lib.outputs.device_slug }}/${{ steps.balena-lib.outputs.os_version }}"
find "${DEPLOY_PATH}" -exec ls -lh {} \;

# TODO: bundle artifacts separately for convience
# https://github.com/actions/upload-artifact
# We upload only `balena.img` for use with the leviathan tests
# We can get the hostapp image draft and use that for the hup suite
- name: Upload artifacts
uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0
with:
name: build-artifacts
if-no-files-found: error
retention-days: 3
# compression-level: 1
compression-level: 7
path: |
${{ env.DEPLOY_PATH }}/*.*
${{ env.DEPLOY_PATH }}/VERSION*
${{ env.DEPLOY_PATH }}/image/balena{,-flasher}.img
${{ env.DEPLOY_PATH }}/image/balena.img
##############################
# S3 Deploy
Expand Down Expand Up @@ -449,17 +509,6 @@ jobs:
if: inputs.deploy-s3 == true && inputs.deploy-esr == true
run: echo "string=esr-images" >> $GITHUB_OUTPUT

# # TODO: pre-install on self-hosted-runners
# # https://github.com/s3-actions/s3cmd
# - name: Set up s3cmd cli tool
# if: inputs.deploy-s3 == true && steps.balena-lib.outputs.deploy_artifact != 'docker-image'
# uses: s3-actions/[email protected]
# with:
# provider: aws # default is linode
# region: ${{ vars.AWS_REGION || vars.S3_REGION }}
# access_key: ${{ secrets.AWS_ACCESS_KEY_ID || secrets.S3_SECRET_KEY }}
# secret_key: ${{ secrets.AWS_SECRET_ACCESS_KEY || secrets.S3_ACCESS_KEY }}

# https://github.com/aws-actions/configure-aws-credentials
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
Expand Down Expand Up @@ -533,25 +582,6 @@ jobs:
echo "SECURE_BOOT_FEATURE_FLAG=no" >> $GITHUB_ENV
fi
# Not needed now as trying to accomplish the same things in the workflow file instead
# - name: Pull helper image
# id: hostapp-helper-image
# if: inputs.deploy-hostapp == true
# env:
# HELPER_IMAGE_REPO: ghcr.io/balena-os/balena-yocto-scripts
# YOCTO_SCRIPTS_VERSION: ${{ steps.balena-lib.outputs.yocto_scripts_version }}
# YOCTO_SCRIPTS_REF: ${{ steps.balena-lib.outputs.yocto_scripts_ref }}
# HELPER_IMAGE_VARIANT: balena-push-env
# run: |
# image_tag="${HELPER_IMAGE_REPO}:${YOCTO_SCRIPTS_VERSION}-${HELPER_IMAGE_VARIANT}"
# if ! docker pull "${image_tag}"; then
# image_tag="${HELPER_IMAGE_REPO}:${YOCTO_SCRIPTS_REF}-${HELPER_IMAGE_VARIANT}"
# docker pull "${image_tag}"
# fi

# image_id="$(docker images --format "{{.ID}}" "${image_tag}")"
# echo "id=${image_id}" >> $GITHUB_OUTPUT

- name: Check Balena CLI
run: |
# Test installation works
Expand All @@ -567,7 +597,6 @@ jobs:
run: echo "BALENAOS_TOKEN=${{ secrets.BALENAOS_STAGING_TOKEN }}" >> $GITHUB_ENV



# TODO: replace this with balena-io/deploy-to-balena-action when it supports deploy-only
# https://github.com/balena-io/deploy-to-balena-action/issues/286
- name: Deploy to balena
Expand All @@ -582,21 +611,16 @@ jobs:
BOOTABLE: 1
TRANSLATION: "v6"
DEPLOY: yes
FINAL: no
FINAL: ${{ steps.merge-test-result.outputs.finalize }} || ${{ inputs.finalize-hostapp }}
ESR: "${{ inputs.deploy-esr }}"
balenaCloudEmail:
balenaCloudPassword:
CURL: "curl --silent --retry 10 --location --compressed"
#HOSTAPP_PATH: ${{ runner.temp }}/deploy/balena-image.docker
VERSION: ${{ steps.balena-lib.outputs.os_version }}
run: |
set -e
## What is that for??
# if [ -f "/host/appimage.docker" ]; then
# _local_image=$(docker load -i /host/appimage.docker | cut -d: -f1 --complement | tr -d " " )
# fi
# load hostapp bundle and get local image reference, needed for `balena deploy`
_local_image=$(docker load -i ${DEPLOY_PATH}/balena-image.docker | cut -d: -f1 --complement | tr -d " " )
echo "[INFO] Logging into $API_ENV as ${BALENAOS_ACCOUNT}"
Expand Down Expand Up @@ -842,3 +866,7 @@ jobs:
# -w "${WORKSPACE}" \
# "${{ steps.ami-helper-image.outputs.id }}" /balena-generate-ami.sh


## ADD LEVIATHAN JOB HERE, download artifacts "build-artifacts"
## RUN if ${{ inputs.run-tests }}
## Have to re-check out
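Review bot: `FINAL: ${{ steps.merge-test-result.outputs.finalize }} || ${{ inputs.finalize-hostapp }}` in the Deploy to balena env block does not evaluate `||` — it sits outside the expression braces, so the container receives a literal string such as `yes || no`, which is neither `yes` nor `no`; fold both sides into one expression, e.g. `FINAL: ${{ (steps.merge-test-result.outputs.finalize == 'yes' || inputs.finalize-hostapp == 'yes') && 'yes' || 'no' }}`. The two `>> $GITHUB_OUTPUT"` lines in 'Fetch merge commit' and 'Check test results' carry a stray trailing quote that leaves the shell string unterminated, so both steps fail as written; change each to `>> "$GITHUB_OUTPUT"`. Since `finalize` gates whether the API presents this OS version to users, the success check is worth tightening: the list behind `_links.statuses.href` holds every status ever posted for the head SHA, so `jq -e '... select(.state == "success")'` passes when any earlier run succeeded even if the latest failed — the combined-status endpoint (`/status`, one entry per context) avoids that, and `$prid` and `$COMMIT` should be validated (digits / hex) and quoted before being interpolated into the API path. `finalize-hostapp` is declared `type: string` with default `"no"` while flowzone.yml passes the boolean `false`, which arrives as the string `false` and would satisfy neither a `yes` nor a `no` comparison; declare it `type: boolean` like `check-merge-tests`, or list the accepted values in its description. The job containing these steps starts and ends outside the hunks.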
