name: Build and Upload OS image (scheduled) on: workflow_dispatch: schedule: - cron: "0 21 * * 2" # At 21:00 on Tuesday. - cron: "10 21 * * 2" # At 21:10 on Tuesday. - cron: "20 21 * * 2" # At 21:20 on Tuesday. - cron: "0 21 * * 4" # At 21:00 on Thursday. - cron: "10 21 * * 4" # At 21:10 on Thursday. - cron: "20 21 * * 4" # At 21:20 on Thursday. jobs: stream: runs-on: ubuntu-22.04 outputs: stream: ${{ steps.stream.outputs.stream }} steps: - name: Determine stream id: stream run: | if [[ ${{ github.event_name }} == "workflow_dispatch" ]]; then echo "stream=nightly" | tee -a "$GITHUB_OUTPUT" exit 0 fi case "${{ github.event.schedule }}" in "0 21 * * 4" | "0 21 * * 2") echo "stream=debug" | tee -a "$GITHUB_OUTPUT" ;; "10 21 * * 4" | "10 21 * * 2") echo "stream=console" | tee -a "$GITHUB_OUTPUT" ;; "20 21 * * 4" | "20 21 * * 2") echo "stream=nightly" | tee -a "$GITHUB_OUTPUT" ;; *) echo "::error::Unknown stream for schedule '${{ github.event.schedule }}'" exit 1 ;; esac build-image: needs: stream uses: ./.github/workflows/build-os-image.yml permissions: id-token: write contents: read packages: read secrets: inherit with: stream: ${{ needs.stream.outputs.stream }} ref: ${{ github.head_ref }} update-code: # On nightly stream only. if: | github.event_name == 'workflow_dispatch' || github.event.schedule == '20 21 * * 4' || github.event.schedule == '20 21 * * 2' needs: build-image runs-on: ubuntu-22.04 steps: - name: Checkout uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ github.head_ref }} - name: Setup Go environment uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: "1.21.5" cache: false - name: Determine version id: version uses: ./.github/actions/pseudo_version - name: Update QEMU/MiniConstellation image version run: | defaultVersionReg='defaultImage = \"[^\"]*\"' # Ensure regexp matches (otherwise the file was changed or the workflow is broken). grep -E "${defaultVersionReg}" internal/config/image_enterprise.go # Update version. newVersion="ref\/${{ steps.version.outputs.branchName }}\/stream\/nightly\/${{ steps.version.outputs.version }}" sed -i "s/${defaultVersionReg}/defaultImage = \"${newVersion}\"/" internal/config/image_enterprise.go - name: Build generateMeasurements tool working-directory: internal/attestation/measurements/measurement-generator run: go build -o generate . - name: Update hardcoded measurements working-directory: internal/attestation/measurements run: ./measurement-generator/generate - name: Cleanup run: rm -f internal/attestation/measurements/measurement-generator/generate - name: Create pull request uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2 with: branch: "image/automated/update-measurements-${{ github.run_number }}" base: main title: "image: update measurements and image version" body: | :robot: *This is an automated PR.* :robot: The PR is triggered as part of the scheduled image build on main. It updates the hardcoded measurements and the image version (for QEMU/MiniConstellation). commit-message: "image: update measurements and image version" committer: edgelessci labels: no changelog # We need to push changes using a token, otherwise triggers like on:push and on:pull_request won't work. token: ${{ !github.event.pull_request.head.repo.fork && secrets.CI_COMMIT_PUSH_PR || '' }} notify-failure: if: failure() needs: [ "stream", "build-image", "update-code" ] runs-on: ubuntu-22.04 steps: - name: Checkout uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ github.head_ref }} - name: Pick assignee id: pick-assignee continue-on-error: true uses: ./.github/actions/pick_assignee - name: Notify failure continue-on-error: true uses: ./.github/actions/notify_teams with: teamsWebhookURI: ${{ secrets.MS_TEAMS_WEBHOOK_URI }} title: "Constellation image build failed" assignee: ${{ steps.pick-assignee.outputs.assignee }}