balena-os · alexgg · Dec 23, 2024 · Dec 18, 2024 · Dec 23, 2024 · Dec 20, 2024
diff --git a/.github/workflows/yocto-build-deploy.yml b/.github/workflows/yocto-build-deploy.yml
@@ -38,6 +38,9 @@ on:
       YOCTO_CACHE_SECRET_KEY:
         description: "Self-hosted runner S3 secret key for the yocto-svcacct user."
         required: false
+      YOCTO_SSH_PRIVATE_KEY_B64:
+        description: "SSH key to access balena-os private repositories."
+        required: false
 
     inputs:
       build-runs-on:
@@ -455,14 +458,15 @@ jobs:
         env:
           SIGN_API: "${{ vars.SIGN_API_URL || 'https://sign.balena-cloud.com' }}"
           SIGN_API_KEY: "${{ secrets.SIGN_API_KEY }}"
-          SIGN_GRUB_KEY_ID: 2EB29B4CE0132F6337897F5FB8A88D1C62FCC729
+          SIGN_GRUB_KEY_ID: "${{ vars.SIGN_GRUB_KEY_ID || '2EB29B4CE0132F6337897F5FB8A88D1C62FCC729' }}"
           SIGN_KMOD_KEY_APPEND: "${{ secrets.SIGN_KMOD_KEY_APPEND }}"
+          SIGN_HAB_PKI_ID: "${{ vars.SIGN_HAB_PKI_ID || '6d74b15cbc5df27fdc8d470a7c71edb3' }}"
         run: |
           BARYS_ARGUMENTS_VAR="${BARYS_ARGUMENTS_VAR} -a SIGN_API=${SIGN_API}"
           BARYS_ARGUMENTS_VAR="${BARYS_ARGUMENTS_VAR} -a SIGN_API_KEY=${SIGN_API_KEY}"
           BARYS_ARGUMENTS_VAR="${BARYS_ARGUMENTS_VAR} -a SIGN_GRUB_KEY_ID=${SIGN_GRUB_KEY_ID}"
           BARYS_ARGUMENTS_VAR="${BARYS_ARGUMENTS_VAR} -a SIGN_KMOD_KEY_APPEND=${SIGN_KMOD_KEY_APPEND}"
-          BARYS_ARGUMENTS_VAR="${BARYS_ARGUMENTS_VAR} --bitbake-args --no-setscene"
+          BARYS_ARGUMENTS_VAR="${BARYS_ARGUMENTS_VAR} -a SIGN_HAB_PKI_ID=${SIGN_HAB_PKI_ID}"
           echo "BARYS_ARGUMENTS_VAR=${BARYS_ARGUMENTS_VAR}" >>"${GITHUB_ENV}"
 
       # FIXME: Remove this when we shut down the NFS server in early 2025
@@ -563,6 +567,12 @@ jobs:
           path: |
             ${{ github.workspace }}/shared/${{ inputs.machine }}/sstate
 
+      # Install openssh-client to use the ssh-agent
+      - name: Install openssh-client package
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y openssh-client
+
       # All preperation complete before this step
       # Start building balenaOS
       # We use the BALENA_API_DEPLOY_KEY secret to preload the supervisor image
@@ -572,6 +582,7 @@ jobs:
         env:
           HELPER_IMAGE_REPO: ghcr.io/balena-os/balena-yocto-scripts
           SHARED_BUILD_DIR: ${{ github.workspace }}/shared
+          YOCTO_SSH_PRIVATE_KEY_B64: ${{ secrets.YOCTO_SSH_PRIVATE_KEY_B64 }}
         run: |
           # When building for non-x86 device types, meson, after building binaries must try to run them via qemu if possible , maybe as some sanity check or test?
           # Therefore qemu must be used - and our runner mmap_min_addr is set to 4096 (default, set here: https://github.com/product-os/github-runner-kernel/blob/ef5a66951599dc64bf2920d896c36c6d9eda8df6/config/5.10/microvm-kernel-x86_64-5.10.config#L858
@@ -585,6 +596,9 @@ jobs:
 
           cat "${AUTO_CONF_FILE}"
 
+          >&2 eval "$(ssh-agent)"
+          echo "${{ secrets.YOCTO_SSH_PRIVATE_KEY_B64 }}" | base64 -d | ssh-add - >&2
+
           ./balena-yocto-scripts/build/balena-build.sh \
             -d "${MACHINE}" \
             -t "${{ secrets.BALENA_API_DEPLOY_KEY }}" \