constellation/.github/workflows/build-os-image-scheduled.yml

name: Build and Upload OS image (scheduled)

on:
  workflow_dispatch:
  schedule:
    - cron: "0 21 * * 2" # At 21:00 on Tuesday.
    - cron: "20 21 * * 2" # At 21:20 on Tuesday.
    - cron: "40 21 * * 2" # At 21:40 on Tuesday.
    - cron: "0 21 * * 4" # At 21:00 on Thursday.
    - cron: "20 21 * * 4" # At 21:20 on Thursday.
    - cron: "40 21 * * 4" # At 21:40 on Thursday.

jobs:
  stream:
    runs-on: ubuntu-24.04
    outputs:
      stream: ${{ steps.stream.outputs.stream }}
    steps:
      - name: Determine stream
        id: stream
        run: |
          if [[ ${{ github.event_name }} == "workflow_dispatch" ]]; then
            echo "stream=nightly" | tee -a "$GITHUB_OUTPUT"
            exit 0
          fi

          case "${{ github.event.schedule }}" in
            "0 21 * * 4" | "0 21 * * 2")
              echo "stream=debug" | tee -a "$GITHUB_OUTPUT"
              ;;
            "20 21 * * 4" | "20 21 * * 2")
              echo "stream=console" | tee -a "$GITHUB_OUTPUT"
              ;;
            "40 21 * * 4" | "40 21 * * 2")
              echo "stream=nightly" | tee -a "$GITHUB_OUTPUT"
              ;;
            *)
              echo "::error::Unknown stream for schedule '${{ github.event.schedule }}'"
              exit 1
              ;;
          esac

  build-image:
    needs: stream
    uses: ./.github/workflows/build-os-image.yml
    permissions:
      id-token: write
      contents: read
      packages: read
    secrets: inherit
    with:
      stream: ${{ needs.stream.outputs.stream }}
      ref: ${{ github.head_ref }}

  update-code:
    # On nightly stream only.
    if: needs.stream.outputs.stream == 'nightly'
    needs: ["build-image", "stream"]
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ github.head_ref }}
          token: ${{ secrets.CI_COMMIT_PUSH_PR }}

      - name: Setup Go environment
        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
        with:
          go-version: "1.22.7"
          cache: false

      - name: Determine version
        id: version
        uses: ./.github/actions/pseudo_version

      - name: Update QEMU/MiniConstellation image version
        run: |
          defaultVersionReg='defaultImage = \"[^\"]*\"'

          # Ensure regexp matches (otherwise the file was changed or the workflow is broken).
          grep -E "${defaultVersionReg}" internal/config/image_enterprise.go

          # Update version.
          newVersion="ref\/${{ steps.version.outputs.branchName }}\/stream\/nightly\/${{ steps.version.outputs.version }}"
          sed -i "s/${defaultVersionReg}/defaultImage = \"${newVersion}\"/" internal/config/image_enterprise.go

      - name: Build generateMeasurements tool
        working-directory: internal/attestation/measurements/measurement-generator
        run: go build -o generate .

      - name: Update hardcoded measurements
        working-directory: internal/attestation/measurements
        run: ./measurement-generator/generate

      - name: Cleanup
        run: rm -f internal/attestation/measurements/measurement-generator/generate

      - name: Create pull request
        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
        with:
          branch: "image/automated/update-measurements-${{ github.run_number }}"
          base: main
          title: "image: update measurements and image version"
          body: |
            :robot: *This is an automated PR.* :robot:

            The PR is triggered as part of the scheduled image build on main.
            It updates the hardcoded measurements and the image version (for QEMU/MiniConstellation).
          commit-message: "image: update measurements and image version"
          committer: edgelessci <edgelessci@users.noreply.github.com>
          author: edgelessci <edgelessci@users.noreply.github.com>
          labels: no changelog
          # We need to push changes using a token, otherwise triggers like on:push and on:pull_request won't work.
          token: ${{ !github.event.pull_request.head.repo.fork && secrets.CI_COMMIT_PUSH_PR || '' }}

  notify-failure:
    if: failure()
    needs: [ "stream", "build-image", "update-code" ]
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ github.head_ref }}

      - name: Pick assignee
        id: pick-assignee
        continue-on-error: true
        uses: ./.github/actions/pick_assignee

      - name: Notify failure
        continue-on-error: true
        uses: ./.github/actions/notify_teams
        with:
          teamsWebhookURI: ${{ secrets.MS_TEAMS_WEBHOOK_URI }}
          title: "Constellation image build failed"
          assignee: ${{ steps.pick-assignee.outputs.assignee }}