Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Create jobs to separate AWS environments from build environments #481

Draft
wants to merge 6 commits into
base: master
Choose a base branch
from
Draft

Create jobs to separate AWS environments from build environments #481

wants to merge 6 commits into from

Conversation

klutchell
Copy link
Contributor

This allows more granular control over which environments are used for which steps, and avoids requiring a single environment to define how to build, sign, and publish.

Initially this workflow will still fallback to the existing monolith environments and the behaviour should be unchanged.

Change-type: minor

@klutchell klutchell temporarily deployed to balena-staging.com January 2, 2025 19:21 — with GitHub Actions Inactive
@klutchell klutchell temporarily deployed to balena-staging.com January 2, 2025 19:21 — with GitHub Actions Inactive
@klutchell klutchell temporarily deployed to balena-staging.com January 2, 2025 19:58 — with GitHub Actions Inactive
@klutchell klutchell temporarily deployed to balena-staging.com January 2, 2025 19:58 — with GitHub Actions Inactive
@klutchell klutchell temporarily deployed to balena-staging.com January 2, 2025 19:59 — with GitHub Actions Inactive
@klutchell klutchell temporarily deployed to balena-cloud.com January 2, 2025 20:31 — with GitHub Actions Inactive
@klutchell klutchell temporarily deployed to balena-cloud.com January 2, 2025 20:31 — with GitHub Actions Inactive
@klutchell klutchell temporarily deployed to balena-cloud.com January 2, 2025 20:31 — with GitHub Actions Inactive
@klutchell klutchell temporarily deployed to balena-cloud.com January 3, 2025 16:25 — with GitHub Actions Inactive
github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 3, 2025
View reviewed changes
.github/workflows/yocto-build-deploy.yml
os_version=$(git describe --abbrev=0)
echo "os_version=${os_version#v*}" >>"${GITHUB_OUTPUT}"

meta_balena_version="$(balena_lib_get_meta_balena_base_version)"

Check failure

Code scanning / octoscan

Write to "$GITHUB_OUTPUT" in a bash script. Error

Write to "$GITHUB_OUTPUT" in a bash script.
.github/workflows/yocto-build-deploy.yml

dt_arch="$(balena_lib_get_dt_arch "${MACHINE}")"
echo "dt_arch=${dt_arch}" >>"${GITHUB_OUTPUT}"

Check failure

Code scanning / octoscan

Use of "git checkout" in a bash script with a potentially dangerous reference. Error

Use of "git checkout" in a bash script with a potentially dangerous reference.
.github/workflows/yocto-build-deploy.yml
env:
# renovate: datasource=github-tags depName=aws/aws-cli
AWSCLI_VERSION: 2.22.10
with:

Check failure

Code scanning / octoscan

Write to "$GITHUB_OUTPUT" in a bash script. Error

Write to "$GITHUB_OUTPUT" in a bash script.
@klutchell klutchell temporarily deployed to balena-staging.com January 3, 2025 16:26 — with GitHub Actions Inactive
@klutchell klutchell temporarily deployed to balena-cloud.com January 3, 2025 16:26 — with GitHub Actions Inactive
@klutchell klutchell temporarily deployed to balena-cloud.com January 3, 2025 17:01 — with GitHub Actions Inactive
@klutchell klutchell temporarily deployed to balena-cloud.com January 3, 2025 17:01 — with GitHub Actions Inactive
@klutchell klutchell temporarily deployed to balena-cloud.com January 3, 2025 17:01 — with GitHub Actions Inactive
@klutchell klutchell temporarily deployed to balena-staging.com January 3, 2025 17:32 — with GitHub Actions Inactive
github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 3, 2025
View reviewed changes
.github/workflows/yocto-build-deploy.yml
# renovate: datasource=github-tags depName=aws/aws-cli
AWSCLI_VERSION: 2.22.10
with:
version: "${{ env.AWSCLI_VERSION }}"

Check failure

Code scanning / octoscan

Write to "$GITHUB_OUTPUT" in a bash script. Error

Write to "$GITHUB_OUTPUT" in a bash script.
@klutchell klutchell temporarily deployed to balena-staging.com January 3, 2025 17:33 — with GitHub Actions Inactive
@klutchell klutchell temporarily deployed to balena-staging.com January 3, 2025 17:33 — with GitHub Actions Inactive
@klutchell klutchell temporarily deployed to balena-cloud.com January 3, 2025 18:37 — with GitHub Actions Inactive
@klutchell klutchell temporarily deployed to balena-cloud.com January 3, 2025 18:37 — with GitHub Actions Inactive
@klutchell klutchell temporarily deployed to balena-cloud.com January 3, 2025 18:37 — with GitHub Actions Inactive
@klutchell
Separate build jobs by environments
2ced298 
This allows more granular control over which environments are used
for which steps, and avoids requiring a single environment to define
how to build, sign, and publish.

This is better for security as it allows each job to only have
the secrets it needs, and not all secrets for all steps.

We retain backwards compatibility by falling back to the original
monolith environment input for now.

Change-type: minor
Signed-off-by: Kyle Harding <[email protected]>
@klutchell
Force finalize for testing
7894975 
Signed-off-by: Kyle Harding <[email protected]>
@klutchell
Remove balena API key from yocto build step
a6399b6 
This key was only used to fetch the supervisor image name from the API,
but that endpoint does not need auth as the supervisor images are public.

Change-type: patch
Signed-off-by: Kyle Harding <[email protected]>
@klutchell klutchell temporarily deployed to balena-staging.com January 3, 2025 20:43 — with GitHub Actions Inactive
github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 3, 2025
View reviewed changes
.github/workflows/yocto-build-deploy.yml
script: |
const result = await fetch(`https://api.${process.env.API_ENV}/${process.env.TRANSLATION}/device_type?\$filter=slug%20eq%20%27${process.env.DEVICE_SLUG}%27&\$select=slug,is_private`, {
headers: {
'Content-type': 'application/json',

Check failure

Code scanning / octoscan

Write to "$GITHUB_OUTPUT" in a bash script. Error

Write to "$GITHUB_OUTPUT" in a bash script.
.github/workflows/yocto-build-deploy.yml
'Authorization': `Bearer ${{ secrets.BALENA_API_DEPLOY_KEY }}`
}
})
const data = await result.json()

Check failure

Code scanning / octoscan

Write to "$GITHUB_OUTPUT" in a bash script. Error

Write to "$GITHUB_OUTPUT" in a bash script.
.github/workflows/yocto-build-deploy.yml
const data = await result.json()
console.log(JSON.stringify(data, null, 2))
return data.d[0].is_private

Check failure

Code scanning / octoscan

Write to "$GITHUB_OUTPUT" in a bash script. Error

Write to "$GITHUB_OUTPUT" in a bash script.
@klutchell klutchell temporarily deployed to balena-staging.com January 3, 2025 20:44 — with GitHub Actions Inactive
@klutchell klutchell temporarily deployed to balena-staging.com January 3, 2025 20:44 — with GitHub Actions Inactive
@klutchell klutchell temporarily deployed to balena-cloud.com January 3, 2025 21:47 — with GitHub Actions Inactive
@klutchell klutchell temporarily deployed to balena-cloud.com January 3, 2025 21:47 — with GitHub Actions Inactive
@klutchell klutchell temporarily deployed to balena-cloud.com January 3, 2025 21:47 — with GitHub Actions Inactive
@klutchell klutchell temporarily deployed to balena-staging.com January 3, 2025 23:51 — with GitHub Actions Inactive
@klutchell klutchell temporarily deployed to balena-staging.com January 3, 2025 23:51 — with GitHub Actions Inactive
@klutchell klutchell temporarily deployed to balena-staging.com January 3, 2025 23:52 — with GitHub Actions Inactive
@klutchell klutchell temporarily deployed to balena-staging.com January 4, 2025 00:30 — with GitHub Actions Inactive
@klutchell klutchell temporarily deployed to balena-cloud.com January 4, 2025 00:30 — with GitHub Actions Inactive
@klutchell klutchell temporarily deployed to balena-cloud.com January 4, 2025 00:30 — with GitHub Actions Inactive
@klutchell klutchell temporarily deployed to balena-cloud.com January 4, 2025 00:30 — with GitHub Actions Inactive
@klutchell
Fixup DEPLOY_PATH again
f446d4e 
Signed-off-by: Kyle Harding <[email protected]>
@klutchell klutchell temporarily deployed to balena-staging.com January 4, 2025 01:11 — with GitHub Actions Inactive
@klutchell klutchell temporarily deployed to balena-staging.com January 4, 2025 01:12 — with GitHub Actions Inactive
@klutchell klutchell temporarily deployed to balena-staging.com January 4, 2025 01:12 — with GitHub Actions Inactive
@klutchell klutchell temporarily deployed to balena-cloud.com January 4, 2025 01:43 — with GitHub Actions Inactive
@klutchell klutchell temporarily deployed to balena-cloud.com January 4, 2025 01:43 — with GitHub Actions Inactive
@klutchell klutchell temporarily deployed to balena-cloud.com January 4, 2025 01:43 — with GitHub Actions Inactive
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@klutchell