Change-type: patch Signed-off-by: Ryan Cooke <[email protected]>
1 parent
a8432c5
commit c64aa95
Showing
4 changed files
with
154 additions
and
78 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,24 @@ | ||
name: 'Deploy on release tag' | ||
|
||
on: | ||
push: | ||
tags: | ||
- v[0-9]+.[0-9]+.[0-9]+\+?r?e?v?* | ||
- v20[0-9][0-9].[0-1]?[1470].[0-9]+ | ||
|
||
jobs: | ||
deploy-generic-amd64: | ||
name: deploy-generic-amd64 | ||
uses: ./.github/workflows/yocto-build-deploy.yml | ||
needs: flowzone | ||
secrets: inherit | ||
with: | ||
environment: production | ||
machine: generic-amd64 | ||
sign-image: true | ||
is_private: false | ||
Check failure on line 19 in .github/workflows/merge-example.yml GitHub Actions / Flowzone / Lint workflows
|
||
deploy-s3: true | ||
finalize-hostapp: true | ||
deploy-hostapp: true | ||
check-merge-tests: true | ||
run-tests: false |
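Review bot: `needs: flowzone` names a job this workflow does not define, since `deploy-generic-amd64` is the only job in the file, so the workflow will not validate until the line is dropped or the job it depends on is added. `finalize-hostapp: true` passes a boolean, while the reusable workflow changed in this commit appears to declare that input as `type: string` with default `"no"`, so `finalize-hostapp: "yes"` looks like the intended value. The first tag filter ends in `*`, so any tag that merely begins with a version number starts a signed production deploy with `secrets: inherit`. A one-line comment above the filters such as `# vX.Y.Z with optional +rev suffix; ESR tags v20YY.MM.N` would make the intended scope reviewable, and the filters are safer quoted.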
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -69,6 +69,19 @@ on: | |
required: false | ||
type: boolean | ||
default: true | ||
finalize-hostapp: | ||
description: Whether to finalize a hostApp container image to a balena environment | ||
required: false | ||
type: string | ||
default: "no" | ||
check-merge-tests: #TODO: On PRs, and on manual jobs, set this to false - we can also set it to false to not deploy as final | ||
required: false | ||
type: boolean | ||
default: false | ||
run-tests: | ||
required: false | ||
type: boolean | ||
default: false | ||
deploy-ami: | ||
description: Whether to deploy an AMI to AWS | ||
required: false | ||
|
@@ -110,6 +123,7 @@ env: | |
WORKSPACE: ${{ github.workspace }} | ||
MACHINE: ${{ inputs.machine }} | ||
VERBOSE: verbose | ||
WORKFLOW_NAME: ${{ github.workflow }} #Name of the calling workflow - for use when checking the result of test job on merged PR. Also, can we be clever here and also use it to differentiate between manual/auto runs | ||
|
||
permissions: | ||
id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token | ||
|
@@ -209,6 +223,58 @@ jobs: | |
# fetch-depth: 1 | ||
fetch-tags: true | ||
|
||
# In the old workflow we had to fetch the merge commit, get the check runs from the PR, and check if a device type passed or failed | ||
# In the github actions workflow, we will only put a deploy job for device types we know we want to deploy | ||
# This prone to error - we have required checks on the PR - but a separate deploy list. If we take off the required check, but forget to remove it from the deploy | ||
# then we have a problem..... | ||
# reference: https://github.com/balena-os/github-workflows/blob/master/.github/workflows/build_and_deploy.yml#L89 | ||
# NOTE: This will not be necessary if we had a way to deploy artifacts and mark as final like with fleet releases | ||
# Skip this if this is triggered from a dispatch | ||
|
||
- name: 'Fetch latest tag' | ||
id: get-latest-tag | ||
if: ${{ inputs.check-merge-tests }} | ||
uses: "actions-ecosystem/action-get-latest-tag@v1" | ||
|
||
# We're also checking out the tag in this step, so the subsequent build is done from the tagged version of the device repo | ||
- name: 'Fetch merge commit' | ||
id: set-merge-commit | ||
if: ${{ inputs.check-merge-tests }} | ||
run: | | ||
merge_commit=$(git checkout ${{steps.get-latest-tag.outputs.tag}} && git rev-parse :/"^Merge pull request") | ||
echo "Found merge commit ${merge_commit}" | ||
echo "merge_commit=${merge_commit}" >> $GITHUB_OUTPUT" | ||
git checkout ${{steps.get-latest-tag.outputs.tag}} | ||
# TODO: check if this is needed? On creation of new esr tag what will happen? | ||
# We need to set all the esr flags to true if this evaluates to true - or we have seperate workflow calls for esr | ||
# - name: 'Check ESR release' | ||
# if: ${{ ! inputs.manual_call }} | ||
# uses: actions-ecosystem/action-regex-match@v2 | ||
# id: regex-match | ||
# with: | ||
# text: ${{ steps.get-latest-tag.outputs.tag }} | ||
# regex: '^v20[0-9][0-9].[0-1]?[1470].[0-9]+$' | ||
|
||
# This will control the deployment of the hostapp only - it will determine if it is marked as final or not | ||
# Regardless, artifacts will be deployed to s3 right now. | ||
# The hostapp being finalised is what determines if the API will present this OS version to users | ||
- name: Check test results | ||
if: ${{ inputs.check-merge-tests }} | ||
id: merge-test-result | ||
env: | ||
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
REPO: ${{ inputs.device-repo }} | ||
COMMIT: ${{ steps.set-merge-commit.outputs.merge_commit }} | ||
run: | | ||
prid=$(gh api -H "Accept: application/vnd.github+json" /repos/$REPO/commits/$COMMIT --jq '.commit.message' | head -n1 | cut -d "#" -f2 | awk '{ print $1}') | ||
status_url=$(gh api -H "Accept: application/vnd.github+json" /repos/$REPO/pulls/$prid --jq '._links.statuses.href') | ||
passed="no" | ||
if curl -sL "${status_url}" --header "Authorization: Bearer $GH_TOKEN" | jq -e '.[] | select(.context == "'"${WORKFLOW_NAME}"'") | select(.state == "success")' > /dev/null 2>&1; then | ||
passed="yes" | ||
fi | ||
echo "finalize=${passed}" >> $GITHUB_OUTPUT" #Need to be able to manually override... | ||
- name: Device repository check | ||
run: | | ||
if [ "$(yq '.type' repo.yml)" != "yocto-based OS image" ]; then | ||
|
@@ -378,28 +444,22 @@ jobs: | |
source "${automation_dir}/include/balena-deploy.inc" | ||
balena_deploy_artifacts "${{ inputs.machine }}" "${DEPLOY_PATH}" false | ||
# create links required for s3 prepare.ts | ||
# mkdir -p "${DEPLOY_PATH}/${{ steps.balena-lib.outputs.device_slug }}" | ||
# symlinks don't seem to work in the volume we mount to the helper image | ||
#ln -sf ../.. "${DEPLOY_PATH}/${{ steps.balena-lib.outputs.device_slug }}/${{ steps.balena-lib.outputs.os_version }}" | ||
find "${DEPLOY_PATH}" -exec ls -lh {} \; | ||
|
||
# TODO: bundle artifacts separately for convience | ||
# https://github.com/actions/upload-artifact | ||
# We upload only `balena.img` for use with the leviathan tests | ||
# We can get the hostapp image draft and use that for the hup suite | ||
- name: Upload artifacts | ||
uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0 | ||
with: | ||
name: build-artifacts | ||
if-no-files-found: error | ||
retention-days: 3 | ||
# compression-level: 1 | ||
compression-level: 7 | ||
path: | | ||
${{ env.DEPLOY_PATH }}/*.* | ||
${{ env.DEPLOY_PATH }}/VERSION* | ||
${{ env.DEPLOY_PATH }}/image/balena{,-flasher}.img | ||
${{ env.DEPLOY_PATH }}/image/balena.img | ||
############################## | ||
# S3 Deploy | ||
|
@@ -449,17 +509,6 @@ jobs: | |
if: inputs.deploy-s3 == true && inputs.deploy-esr == true | ||
run: echo "string=esr-images" >> $GITHUB_OUTPUT | ||
|
||
# # TODO: pre-install on self-hosted-runners | ||
# # https://github.com/s3-actions/s3cmd | ||
# - name: Set up s3cmd cli tool | ||
# if: inputs.deploy-s3 == true && steps.balena-lib.outputs.deploy_artifact != 'docker-image' | ||
# uses: s3-actions/[email protected] | ||
# with: | ||
# provider: aws # default is linode | ||
# region: ${{ vars.AWS_REGION || vars.S3_REGION }} | ||
# access_key: ${{ secrets.AWS_ACCESS_KEY_ID || secrets.S3_SECRET_KEY }} | ||
# secret_key: ${{ secrets.AWS_SECRET_ACCESS_KEY || secrets.S3_ACCESS_KEY }} | ||
|
||
# https://github.com/aws-actions/configure-aws-credentials | ||
- name: Configure AWS credentials | ||
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | ||
|
@@ -533,25 +582,6 @@ jobs: | |
echo "SECURE_BOOT_FEATURE_FLAG=no" >> $GITHUB_ENV | ||
fi | ||
# Not needed now as trying to accomplish the same things in the workflow file instead | ||
# - name: Pull helper image | ||
# id: hostapp-helper-image | ||
# if: inputs.deploy-hostapp == true | ||
# env: | ||
# HELPER_IMAGE_REPO: ghcr.io/balena-os/balena-yocto-scripts | ||
# YOCTO_SCRIPTS_VERSION: ${{ steps.balena-lib.outputs.yocto_scripts_version }} | ||
# YOCTO_SCRIPTS_REF: ${{ steps.balena-lib.outputs.yocto_scripts_ref }} | ||
# HELPER_IMAGE_VARIANT: balena-push-env | ||
# run: | | ||
# image_tag="${HELPER_IMAGE_REPO}:${YOCTO_SCRIPTS_VERSION}-${HELPER_IMAGE_VARIANT}" | ||
# if ! docker pull "${image_tag}"; then | ||
# image_tag="${HELPER_IMAGE_REPO}:${YOCTO_SCRIPTS_REF}-${HELPER_IMAGE_VARIANT}" | ||
# docker pull "${image_tag}" | ||
# fi | ||
|
||
# image_id="$(docker images --format "{{.ID}}" "${image_tag}")" | ||
# echo "id=${image_id}" >> $GITHUB_OUTPUT | ||
|
||
- name: Check Balena CLI | ||
run: | | ||
# Test installation works | ||
|
@@ -567,7 +597,6 @@ jobs: | |
run: echo "BALENAOS_TOKEN=${{ secrets.BALENAOS_STAGING_TOKEN }}" >> $GITHUB_ENV | ||
|
||
|
||
|
||
# TODO: replace this with balena-io/deploy-to-balena-action when it supports deploy-only | ||
# https://github.com/balena-io/deploy-to-balena-action/issues/286 | ||
- name: Deploy to balena | ||
|
@@ -582,21 +611,16 @@ jobs: | |
BOOTABLE: 1 | ||
TRANSLATION: "v6" | ||
DEPLOY: yes | ||
FINAL: no | ||
FINAL: ${{ steps.merge-test-result.outputs.finalize }} || ${{ inputs.finalize-hostapp }} | ||
ESR: "${{ inputs.deploy-esr }}" | ||
balenaCloudEmail: | ||
balenaCloudPassword: | ||
CURL: "curl --silent --retry 10 --location --compressed" | ||
#HOSTAPP_PATH: ${{ runner.temp }}/deploy/balena-image.docker | ||
VERSION: ${{ steps.balena-lib.outputs.os_version }} | ||
run: | | ||
set -e | ||
## What is that for?? | ||
# if [ -f "/host/appimage.docker" ]; then | ||
# _local_image=$(docker load -i /host/appimage.docker | cut -d: -f1 --complement | tr -d " " ) | ||
# fi | ||
# load hostapp bundle and get local image reference, needed for `balena deploy` | ||
_local_image=$(docker load -i ${DEPLOY_PATH}/balena-image.docker | cut -d: -f1 --complement | tr -d " " ) | ||
echo "[INFO] Logging into $API_ENV as ${BALENAOS_ACCOUNT}" | ||
|
@@ -842,3 +866,7 @@ jobs: | |
# -w "${WORKSPACE}" \ | ||
# "${{ steps.ami-helper-image.outputs.id }}" /balena-generate-ami.sh | ||
|
||
|
||
## ADD LEVIATHAN JOB HERE, download artifacts "build-artifacts" | ||
## RUN if ${{ inputs.run-tests }} | ||
## Have to re-check out |
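Review bot: The `Fetch merge commit` step expands `${{steps.get-latest-tag.outputs.tag}}` directly inside its `run:` script, so the tag name is treated as script text in a workflow that grants `id-token: write`; it should be passed through `env:` and quoted. That step and `Check test results` both end their `$GITHUB_OUTPUT` line with a stray `"`, which leaves the quote unterminated, so the step should fail before either output is written. In the `Deploy to balena` hunk, `FINAL:` puts `||` outside the expression braces and yields a literal string such as `yes || no`; a single expression, `FINAL: ${{ steps.merge-test-result.outputs.finalize || inputs.finalize-hostapp }}`, gives the intended fallback. `actions-ecosystem/action-get-latest-tag@v1` is referenced by a mutable tag while the other actions in this file are pinned to commit SHAs. The steps list starts and ends outside these hunks.

```yaml
      - name: 'Fetch merge commit'
        id: set-merge-commit
        if: ${{ inputs.check-merge-tests }}
        env:
          # Pass the tag as data; never splice it into the script text.
          TAG: ${{ steps.get-latest-tag.outputs.tag }}
        run: |
          git checkout "${TAG}"
          merge_commit=$(git rev-parse :/"^Merge pull request")
          echo "Found merge commit ${merge_commit}"
          echo "merge_commit=${merge_commit}" >> "$GITHUB_OUTPUT"
      # … unchanged: commented-out ESR check, 'Check test results' env block …
          echo "finalize=${passed}" >> "$GITHUB_OUTPUT"  # Need to be able to manually override...
```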