name: Build and Upload OS image (scheduled) on: workflow_dispatch: schedule: - cron: "0 21 * * 2" # At 21:00 on Tuesday. - cron: "20 21 * * 2" # At 21:20 on Tuesday. - cron: "40 21 * * 2" # At 21:40 on Tuesday. - cron: "0 21 * * 4" # At 21:00 on Thursday. - cron: "20 21 * * 4" # At 21:20 on Thursday. - cron: "40 21 * * 4" # At 21:40 on Thursday. jobs: stream: runs-on: ubuntu-24.04 outputs: stream: ${{ steps.stream.outputs.stream }} steps: - name: Determine stream id: stream run: | if [[ ${{ github.event_name }} == "workflow_dispatch" ]]; then echo "stream=nightly" | tee -a "$GITHUB_OUTPUT" exit 0 fi case "${{ github.event.schedule }}" in "0 21 * * 4" | "0 21 * * 2") echo "stream=debug" | tee -a "$GITHUB_OUTPUT" ;; "20 21 * * 4" | "20 21 * * 2") echo "stream=console" | tee -a "$GITHUB_OUTPUT" ;; "40 21 * * 4" | "40 21 * * 2") echo "stream=nightly" | tee -a "$GITHUB_OUTPUT" ;; *) echo "::error::Unknown stream for schedule '${{ github.event.schedule }}'" exit 1 ;; esac build-image: needs: stream uses: ./.github/workflows/build-os-image.yml permissions: id-token: write contents: read packages: read secrets: inherit with: stream: ${{ needs.stream.outputs.stream }} ref: ${{ github.head_ref }} update-code: # On nightly stream only. if: needs.stream.outputs.stream == 'nightly' needs: ["build-image", "stream"] runs-on: ubuntu-24.04 steps: - name: Checkout uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: ref: ${{ github.head_ref }} token: ${{ secrets.CI_COMMIT_PUSH_PR }} - name: Setup Go environment uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version: "1.22.7" cache: false - name: Determine version id: version uses: ./.github/actions/pseudo_version - name: Update QEMU/MiniConstellation image version run: | defaultVersionReg='defaultImage = \"[^\"]*\"' # Ensure regexp matches (otherwise the file was changed or the workflow is broken). grep -E "${defaultVersionReg}" internal/config/image_enterprise.go # Update version. newVersion="ref\/${{ steps.version.outputs.branchName }}\/stream\/nightly\/${{ steps.version.outputs.version }}" sed -i "s/${defaultVersionReg}/defaultImage = \"${newVersion}\"/" internal/config/image_enterprise.go - name: Build generateMeasurements tool working-directory: internal/attestation/measurements/measurement-generator run: go build -o generate . - name: Update hardcoded measurements working-directory: internal/attestation/measurements run: ./measurement-generator/generate - name: Cleanup run: rm -f internal/attestation/measurements/measurement-generator/generate - name: Create pull request uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5 with: branch: "image/automated/update-measurements-${{ github.run_number }}" base: main title: "image: update measurements and image version" body: | :robot: *This is an automated PR.* :robot: The PR is triggered as part of the scheduled image build on main. It updates the hardcoded measurements and the image version (for QEMU/MiniConstellation). commit-message: "image: update measurements and image version" committer: edgelessci author: edgelessci labels: no changelog # We need to push changes using a token, otherwise triggers like on:push and on:pull_request won't work. token: ${{ !github.event.pull_request.head.repo.fork && secrets.CI_COMMIT_PUSH_PR || '' }} notify-failure: if: failure() needs: [ "stream", "build-image", "update-code" ] runs-on: ubuntu-24.04 steps: - name: Checkout uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: ref: ${{ github.head_ref }} - name: Pick assignee id: pick-assignee continue-on-error: true uses: ./.github/actions/pick_assignee - name: Notify failure continue-on-error: true uses: ./.github/actions/notify_teams with: teamsWebhookURI: ${{ secrets.MS_TEAMS_WEBHOOK_URI }} title: "Constellation image build failed" assignee: ${{ steps.pick-assignee.outputs.assignee }}