diff --git a/.github/workflows/yocto-build-deploy.yml b/.github/workflows/yocto-build-deploy.yml
index a8cab760a..b5ff044c4 100644
--- a/.github/workflows/yocto-build-deploy.yml
+++ b/.github/workflows/yocto-build-deploy.yml
@@ -38,6 +38,9 @@ on:
 YOCTO_CACHE_SECRET_KEY:
 description: "Self-hosted runner S3 secret key for the yocto-svcacct user."
 required: false
+ YOCTO_SSH_PRIVATE_KEY_B64:
+ description: "SSH key to access balena-os private repositories."
+ required: false
 inputs:
 build-runs-on:
@@ -455,14 +458,15 @@ jobs:
 env:
 SIGN_API: "${{ vars.SIGN_API_URL || 'https://sign.balena-cloud.com' }}"
 SIGN_API_KEY: "${{ secrets.SIGN_API_KEY }}"
- SIGN_GRUB_KEY_ID: 2EB29B4CE0132F6337897F5FB8A88D1C62FCC729
+ SIGN_GRUB_KEY_ID: "${{ vars.SIGN_GRUB_KEY_ID || '2EB29B4CE0132F6337897F5FB8A88D1C62FCC729' }}"
 SIGN_KMOD_KEY_APPEND: "${{ secrets.SIGN_KMOD_KEY_APPEND }}"
+ SIGN_HAB_PKI_ID: "${{ vars.SIGN_HAB_PKI_ID || '6d74b15cbc5df27fdc8d470a7c71edb3' }}"
 run: |
 BARYS_ARGUMENTS_VAR="${BARYS_ARGUMENTS_VAR} -a SIGN_API=${SIGN_API}"
 BARYS_ARGUMENTS_VAR="${BARYS_ARGUMENTS_VAR} -a SIGN_API_KEY=${SIGN_API_KEY}"
 BARYS_ARGUMENTS_VAR="${BARYS_ARGUMENTS_VAR} -a SIGN_GRUB_KEY_ID=${SIGN_GRUB_KEY_ID}"
 BARYS_ARGUMENTS_VAR="${BARYS_ARGUMENTS_VAR} -a SIGN_KMOD_KEY_APPEND=${SIGN_KMOD_KEY_APPEND}"
- BARYS_ARGUMENTS_VAR="${BARYS_ARGUMENTS_VAR} --bitbake-args --no-setscene"
+ BARYS_ARGUMENTS_VAR="${BARYS_ARGUMENTS_VAR} -a SIGN_HAB_PKI_ID=${SIGN_HAB_PKI_ID}"
 echo "BARYS_ARGUMENTS_VAR=${BARYS_ARGUMENTS_VAR}" >>"${GITHUB_ENV}"
 # FIXME: Remove this when we shut down the NFS server in early 2025
@@ -563,6 +567,12 @@ jobs:
 path: |
 ${{ github.workspace }}/shared/${{ inputs.machine }}/sstate
+ # Install openssh-client to use the ssh-agent
+ - name: Install openssh-client package
+ run: |
+ sudo apt-get update
+ sudo apt-get install -y openssh-client
+
 # All preperation complete before this step
 # Start building balenaOS
 # We use the BALENA_API_DEPLOY_KEY secret to preload the supervisor image 
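Review bot: `YOCTO_SSH_PRIVATE_KEY_B64` is declared `required: false` in this hunk, yet the build step that consumes it (the last hunk on this page) pipes it through `base64 -d | ssh-add -` unconditionally, so a caller that omits the secret will most likely fail at that step under the default `bash -eo pipefail` run shell instead of simply building without private-repo access. Either make it `required: true` or guard the consumer with `if [ -n "${YOCTO_SSH_PRIVATE_KEY_B64}" ]; then … fi` so the optional declaration is honoured. The description should also state the encoding the name and the consumer both assume: `description: "Base64-encoded SSH private key used to access balena-os private repositories."`.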
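Review bot: The removed `--bitbake-args --no-setscene` line is not carried anywhere else in the hunk, so bitbake's setscene tasks are re-enabled as a side effect of what is otherwise a signing-configuration change, and nothing in the hunk says whether that is intended. If it is, a one-line comment above the new `SIGN_HAB_PKI_ID` argument line, such as `# setscene deliberately re-enabled; see <reason>` (with the real reason filled in), keeps the next reader from restoring it; if it is not, the line should be kept. The new `vars.*` fallbacks for `SIGN_GRUB_KEY_ID` and `SIGN_HAB_PKI_ID` also deserve a comment saying what each ID identifies, because an override set as a repository or organization variable silently changes which key the boot artefacts are signed with, and the hard-coded fallback is the only record of the expected identity in this file.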
@@ -572,6 +582,7 @@ jobs:
 env:
 HELPER_IMAGE_REPO: ghcr.io/balena-os/balena-yocto-scripts
 SHARED_BUILD_DIR: ${{ github.workspace }}/shared
+ YOCTO_SSH_PRIVATE_KEY_B64: ${{ secrets.YOCTO_SSH_PRIVATE_KEY_B64 }}
 run: |
 # When building for non-x86 device types, meson, after building binaries must try to run them via qemu if possible , maybe as some sanity check or test?
 # Therefore qemu must be used - and our runner mmap_min_addr is set to 4096 (default, set here: https://github.com/product-os/github-runner-kernel/blob/ef5a66951599dc64bf2920d896c36c6d9eda8df6/config/5.10/microvm-kernel-x86_64-5.10.config#L858
@@ -585,6 +596,9 @@ jobs:
 cat "${AUTO_CONF_FILE}"
+ >&2 eval "$(ssh-agent)"
+ echo "${{ secrets.YOCTO_SSH_PRIVATE_KEY_B64 }}" | base64 -d | ssh-add - >&2
+
 ./balena-yocto-scripts/build/balena-build.sh \
 -d "${MACHINE}" \
 -t "${{ secrets.BALENA_API_DEPLOY_KEY }}" \
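Review bot: The `YOCTO_SSH_PRIVATE_KEY_B64` env entry added in this hunk is never read: the ssh-add line in the following hunk uses `${{ secrets.YOCTO_SSH_PRIVATE_KEY_B64 }}` inline, which substitutes the secret into the script text before bash runs it, while the environment variable goes unused. Read it from the environment instead, `echo "${YOCTO_SSH_PRIVATE_KEY_B64}" | base64 -d | ssh-add - >&2`, so the value is only ever handed over as a process variable. The agent started with `eval "$(ssh-agent)"` is also never stopped; if this job runs on a self-hosted runner (the secret descriptions at the top of the file suggest it does), the agent process and the loaded key can outlive the job, so a `trap 'ssh-agent -k >/dev/null 2>&1' EXIT` right after the eval, or a cleanup step, bounds the key's lifetime to the build. The run block continues past the end of this hunk.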