ci: update measurements and image version

on scheduled build

Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>

.github/workflows/build-os-image-scheduled.yml

@@ -1,10 +1,14 @@
 name: Build and Upload OS image (scheduled)
 
 on:
+  workflow_dispatch:
   schedule:
-    - cron: "0 21 * * 5" # At 21:00 on Friday.
+    - cron: "0 21 * * 2" # At 21:00 on Tuesday.
-    - cron: "10 21 * * 5" # At 21:10 on Friday.
+    - cron: "10 21 * * 2" # At 21:10 on Tuesday.
-    - cron: "20 21 * * 5" # At 21:20 on Friday.
+    - cron: "20 21 * * 2" # At 21:20 on Tuesday.
+    - cron: "0 21 * * 4" # At 21:00 on Thursday.
+    - cron: "10 21 * * 4" # At 21:10 on Thursday.
+    - cron: "20 21 * * 4" # At 21:20 on Thursday.
 
 jobs:
   stream:
@@ -15,14 +19,19 @@ jobs:
       - name: Determine stream
         id: stream
         run: |
+          if [[ ${{ github.event_name }} == "workflow_dispatch" ]]; then
+            echo "stream=nightly" | tee -a "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
           case "${{ github.event.schedule }}" in
-            "0 21 * * 5")
+            "0 21 * * 5" | "0 21 * * 2")
               echo "stream=debug" | tee -a "$GITHUB_OUTPUT"
               ;;
-            "10 21 * * 5")
+            "10 21 * * 5" | "10 21 * * 2")
               echo "stream=console" | tee -a "$GITHUB_OUTPUT"
               ;;
-            "20 21 * * 5")
+            "20 21 * * 5" | "20 21 * * 2")
               echo "stream=nightly" | tee -a "$GITHUB_OUTPUT"
               ;;
             *)
@@ -41,4 +50,58 @@ jobs:
     secrets: inherit
     with:
       stream: ${{ needs.stream.outputs.stream }}
-      ref: main
+      ref: ${{ github.head_ref }}
+
+  update-code:
+    # On nightly stream only.
+    if: |
+      github.event_name == 'workflow_dispatch' ||
+      github.event.schedule == '20 21 * * 5' ||
+      github.event.schedule == '20 21 * * 2'
+    needs: build-image
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
+        with:
+          ref: ${{ github.head_ref }}
+
+      - name: Setup Go environment
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+        with:
+          go-version: "1.20.3"
+
+      - name: Determine version
+        id: version
+        uses: ./.github/actions/pseudo_version
+
+      - name: Update QEMU/MiniConstellation image version
+        run: sed -i "s/defaultImage = \"v[0-9]\+\.[0-9]\+\.[0-9]\+\"/defaultImage = \"ref\/${{ steps.version.outputs.branchName }}\/stream\/nightly\/${{ steps.version.outputs.version }}\"/" internal/config/image.go
+
+      - name: Build generateMeasurements tool
+        working-directory: internal/attestation/measurements/measurement-generator
+        run: go build -o generate .
+
+      - name: Update hardcoded measurements
+        working-directory: internal/attestation/measurements
+        run: ./measurement-generator/generate
+
+      - name: Cleanup
+        run: rm -f internal/attestation/measurements/measurement-generator/generate
+
+      - name: Create pull request
+        uses: peter-evans/create-pull-request@38e0b6e68b4c852a5500a94740f0e535e0d7ba54 # v4.2.4
+        with:
+          branch: "image/automated/update-measurements-${{ github.run_number }}"
+          base: main
+          title: "image: update measurements and image version"
+          body: |
+            :robot: *This is an automated PR.* :robot:
+
+            The PR is triggered as part of the scheduled image build on main.
+            It updates the hardcoded measurements and the image version (for QEMU/MiniConstellation).
+          commit-message: "image: update measurements and image version"
+          committer: edgelessci <edgelessci@users.noreply.github.com>
+          labels: no changelog
+          # We need to push changes using a token, otherwise triggers like on:push and on:pull_request won't work.
+          token: ${{ !github.event.pull_request.head.repo.fork && secrets.CI_COMMIT_PUSH_PR || '' }}

.github/workflows/build-os-image.yml

@@ -987,7 +987,7 @@ jobs:
       add_latest: true
 
   add-cli-version-to-versionsapi:
-    needs: [upload-artifacts, build-settings]
+    needs: [upload-artifacts, build-settings, add-image-version-to-versionsapi]
     name: "Add CLI version to versionsapi"
     if: needs.build-settings.outputs.ref != '-'
     permissions:

.github/workflows/release.yml

@@ -144,8 +144,8 @@ jobs:
 
       - name: Update enterprise image version
         run: |
-          sed -i "s/defaultImage = \"v[0-9]\+\.[0-9]\+\.[0-9]\+\"/defaultImage = \"${VERSION}\"/" internal/config/images_enterprise.go
+          sed -i "s/defaultImage = \"v[0-9]\+\.[0-9]\+\.[0-9]\+\"/defaultImage = \"${VERSION}\"/" internal/config/image.go
-          git add internal/config/images_enterprise.go
+          git add internal/config/image.go
 
       - name: Commit
         run: |

internal/config/BUILD.bazel

@@ -7,10 +7,7 @@ go_library(
         "attestation.go",
         "config.go",
         "config_doc.go",
-        # keep
+        "image.go",
-        "images_enterprise.go",
-        # keep
-        "images_oss.go",
         "validation.go",
     ],
     importpath = "github.com/edgelesssys/constellation/v2/internal/config",

internal/config/image.go

@@ -1,5 +1,3 @@
-//go:build enterprise
-
 /*
 Copyright (c) Edgeless Systems GmbH
 
@@ -9,6 +7,6 @@ SPDX-License-Identifier: AGPL-3.0-only
 package config
 
 const (
-	// defaultImage is the default image for the enterprise build.
+	// defaultImage is the default image to use.
 	defaultImage = "v2.6.0"
 )

internal/config/images_oss.go

@@ -1,14 +0,0 @@
-//go:build !enterprise
-
-/*
-Copyright (c) Edgeless Systems GmbH
-
-SPDX-License-Identifier: AGPL-3.0-only
-*/
-
-package config
-
-const (
-	// defaultImage is not set for OSS build.
-	defaultImage = ""
-)