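name: Build and Upload OS image (scheduled)

on:
  workflow_dispatch:
  schedule:
    - cron: "0 21 * * 2" # At 21:00 on Tuesday.
    - cron: "20 21 * * 2" # At 21:20 on Tuesday.
    - cron: "40 21 * * 2" # At 21:40 on Tuesday.
    - cron: "0 21 * * 4" # At 21:00 on Thursday.
    - cron: "20 21 * * 4" # At 21:20 on Thursday.
    - cron: "40 21 * * 4" # At 21:40 on Thursday.

# Least privilege for GITHUB_TOKEN: the only job that writes back to the
# repository (update-code) does so with the CI_COMMIT_PUSH_PR token, so the
# default token only needs to read the checkout. build-image widens this at
# job level for the reusable workflow (OIDC token, package reads).
permissions:
  contents: read

jobs:
  # Maps the triggering cron expression (or a manual dispatch) to the image
  # stream that the downstream jobs build.
  stream:
    runs-on: ubuntu-24.04
    outputs:
      stream: ${{ steps.stream.outputs.stream }}
    steps:
      - name: Determine stream
        id: stream
        # Event data is handed to the script via env instead of being
        # interpolated into the script text, so the shell never parses raw
        # expression output.
        env:
          EVENT_NAME: ${{ github.event_name }}
          SCHEDULE: ${{ github.event.schedule }}
        run: |
          if [[ "${EVENT_NAME}" == "workflow_dispatch" ]]; then
            echo "stream=nightly" | tee -a "$GITHUB_OUTPUT"
            exit 0
          fi
          case "${SCHEDULE}" in
            "0 21 * * 4" | "0 21 * * 2")
              echo "stream=debug" | tee -a "$GITHUB_OUTPUT"
              ;;
            "20 21 * * 4" | "20 21 * * 2")
              echo "stream=console" | tee -a "$GITHUB_OUTPUT"
              ;;
            "40 21 * * 4" | "40 21 * * 2")
              echo "stream=nightly" | tee -a "$GITHUB_OUTPUT"
              ;;
            *)
              echo "::error::Unknown stream for schedule '${SCHEDULE}'"
              exit 1
              ;;
          esac

  build-image:
    needs: stream
    uses: ./.github/workflows/build-os-image.yml
    permissions:
      id-token: write
      contents: read
      packages: read
    # Forwards every repository secret to the reusable workflow. It lives in
    # this repository, so this does not widen who can read them.
    secrets: inherit
    with:
      stream: ${{ needs.stream.outputs.stream }}
      # NOTE(review): github.head_ref is only populated for pull_request
      # events; on schedule/workflow_dispatch this passes an empty string.
      # Confirm the called workflow defaults to the triggering ref in that case.
      ref: ${{ github.head_ref }}

  # Opens a PR that bumps the hardcoded image version and measurements.
  update-code:
    # On nightly stream only.
    if: needs.stream.outputs.stream == 'nightly'
    needs: ["build-image", "stream"]
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          # Empty on schedule/workflow_dispatch (see build-image), which
          # actions/checkout treats as "the ref that triggered the run".
          ref: ${{ github.head_ref }}
          token: ${{ secrets.CI_COMMIT_PUSH_PR }}
      - name: Setup Go environment
        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
        with:
          go-version: "1.23.2"
          cache: false
      - name: Determine version
        id: version
        uses: ./.github/actions/pseudo_version
      - name: Update QEMU/MiniConstellation image version
        # Step outputs go through env rather than being pasted into the
        # script, so their content is never interpreted as shell syntax.
        env:
          BRANCH_NAME: ${{ steps.version.outputs.branchName }}
          IMAGE_VERSION: ${{ steps.version.outputs.version }}
        run: |
          defaultVersionReg='defaultImage = \"[^\"]*\"'
          # Ensure regexp matches (otherwise the file was changed or the workflow is broken).
          grep -E "${defaultVersionReg}" internal/config/image_enterprise.go
          # Update version. '|' is the sed delimiter so that the slashes in the
          # image ref (and any slash in the branch name) need no escaping.
          newVersion="ref/${BRANCH_NAME}/stream/nightly/${IMAGE_VERSION}"
          sed -i "s|${defaultVersionReg}|defaultImage = \"${newVersion}\"|" internal/config/image_enterprise.go
      - name: Build generateMeasurements tool
        working-directory: internal/attestation/measurements/measurement-generator
        run: go build -o generate .
      - name: Update hardcoded measurements
        working-directory: internal/attestation/measurements
        run: ./measurement-generator/generate
      - name: Cleanup
        # Remove the build artifact so it does not end up in the PR.
        run: rm -f internal/attestation/measurements/measurement-generator/generate
      - name: Create pull request
        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
        with:
          branch: "image/automated/update-measurements-${{ github.run_number }}"
          base: main
          title: "image: update measurements and image version"
          body: |
            :robot: *This is an automated PR.* :robot:
            The PR is triggered as part of the scheduled image build on main.
            It updates the hardcoded measurements and the image version (for QEMU/MiniConstellation).
          commit-message: "image: update measurements and image version"
          committer: edgelessci <[email protected]>
          author: edgelessci <[email protected]>
          labels: no changelog
          # We need to push changes using a token, otherwise triggers like on:push and on:pull_request won't work.
          # There is no pull_request payload on schedule/workflow_dispatch, so
          # the fork check is a no-op here and the expression resolves to the token.
          token: ${{ !github.event.pull_request.head.repo.fork && secrets.CI_COMMIT_PUSH_PR || '' }}

  notify-failure:
    if: failure()
    needs: ["stream", "build-image", "update-code"]
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ github.head_ref }}
      - name: Pick assignee
        id: pick-assignee
        continue-on-error: true
        uses: ./.github/actions/pick_assignee
      - name: Notify failure
        continue-on-error: true
        uses: ./.github/actions/notify_teams
        with:
          teamsWebhookURI: ${{ secrets.MS_TEAMS_WEBHOOK_URI }}
          title: "Constellation image build failed"
          assignee: ${{ steps.pick-assignee.outputs.assignee }}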