constellation/.github/workflows/build-os-image-scheduled.yml
Malte Poll 2a226fd8e9
deps: update Go toolchain to 1.22.2 (#3010)
* deps: update Go toolchain to 1.22.2
* deps: update vulnerable dependencies (govulncheck)
2024-04-05 12:14:48 +02:00

140 lines
4.8 KiB
YAML

name: Build and Upload OS image (scheduled)
on:
workflow_dispatch:
schedule:
- cron: "0 21 * * 2" # At 21:00 on Tuesday.
- cron: "10 21 * * 2" # At 21:10 on Tuesday.
- cron: "20 21 * * 2" # At 21:20 on Tuesday.
- cron: "0 21 * * 4" # At 21:00 on Thursday.
- cron: "10 21 * * 4" # At 21:10 on Thursday.
- cron: "20 21 * * 4" # At 21:20 on Thursday.
jobs:
stream:
runs-on: ubuntu-22.04
outputs:
stream: ${{ steps.stream.outputs.stream }}
steps:
- name: Determine stream
id: stream
run: |
if [[ ${{ github.event_name }} == "workflow_dispatch" ]]; then
echo "stream=nightly" | tee -a "$GITHUB_OUTPUT"
exit 0
fi
case "${{ github.event.schedule }}" in
"0 21 * * 4" | "0 21 * * 2")
echo "stream=debug" | tee -a "$GITHUB_OUTPUT"
;;
"10 21 * * 4" | "10 21 * * 2")
echo "stream=console" | tee -a "$GITHUB_OUTPUT"
;;
"20 21 * * 4" | "20 21 * * 2")
echo "stream=nightly" | tee -a "$GITHUB_OUTPUT"
;;
*)
echo "::error::Unknown stream for schedule '${{ github.event.schedule }}'"
exit 1
;;
esac
build-image:
needs: stream
uses: ./.github/workflows/build-os-image.yml
permissions:
id-token: write
contents: read
packages: read
secrets: inherit
with:
stream: ${{ needs.stream.outputs.stream }}
ref: ${{ github.head_ref }}
update-code:
# On nightly stream only.
if: |
github.event_name == 'workflow_dispatch' ||
github.event.schedule == '20 21 * * 4' ||
github.event.schedule == '20 21 * * 2'
needs: build-image
runs-on: ubuntu-22.04
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
ref: ${{ github.head_ref }}
- name: Setup Go environment
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: "1.22.2"
cache: false
- name: Determine version
id: version
uses: ./.github/actions/pseudo_version
- name: Update QEMU/MiniConstellation image version
run: |
defaultVersionReg='defaultImage = \"[^\"]*\"'
# Ensure regexp matches (otherwise the file was changed or the workflow is broken).
grep -E "${defaultVersionReg}" internal/config/image_enterprise.go
# Update version.
newVersion="ref\/${{ steps.version.outputs.branchName }}\/stream\/nightly\/${{ steps.version.outputs.version }}"
sed -i "s/${defaultVersionReg}/defaultImage = \"${newVersion}\"/" internal/config/image_enterprise.go
- name: Build generateMeasurements tool
working-directory: internal/attestation/measurements/measurement-generator
run: go build -o generate .
- name: Update hardcoded measurements
working-directory: internal/attestation/measurements
run: ./measurement-generator/generate
- name: Cleanup
run: rm -f internal/attestation/measurements/measurement-generator/generate
- name: Create pull request
uses: peter-evans/create-pull-request@b1ddad2c994a25fbc81a28b3ec0e368bb2021c50 # v6.0.0
with:
branch: "image/automated/update-measurements-${{ github.run_number }}"
base: main
title: "image: update measurements and image version"
body: |
:robot: *This is an automated PR.* :robot:
The PR is triggered as part of the scheduled image build on main.
It updates the hardcoded measurements and the image version (for QEMU/MiniConstellation).
commit-message: "image: update measurements and image version"
committer: edgelessci <edgelessci@users.noreply.github.com>
labels: no changelog
# We need to push changes using a token, otherwise triggers like on:push and on:pull_request won't work.
token: ${{ !github.event.pull_request.head.repo.fork && secrets.CI_COMMIT_PUSH_PR || '' }}
notify-failure:
if: failure()
needs: [ "stream", "build-image", "update-code" ]
runs-on: ubuntu-22.04
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
ref: ${{ github.head_ref }}
- name: Pick assignee
id: pick-assignee
continue-on-error: true
uses: ./.github/actions/pick_assignee
- name: Notify failure
continue-on-error: true
uses: ./.github/actions/notify_teams
with:
teamsWebhookURI: ${{ secrets.MS_TEAMS_WEBHOOK_URI }}
title: "Constellation image build failed"
assignee: ${{ steps.pick-assignee.outputs.assignee }}