Skip to content

Commit a527559

Browse files
committed
workflows: add workflow for raspberrypicm4-ioboard-sb
Change-type: patch Signed-off-by: Alex Gonzalez <alexg@balena.io>
1 parent acc239c commit a527559

1 file changed

Lines changed: 79 additions & 0 deletions

File tree

Lines changed: 79 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,79 @@
1+
name: Raspberry Pi CM4 IO Board secure boot variant
2+
3+
on:
4+
# https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#onpushbranchestagsbranches-ignoretags-ignore
5+
# https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet
6+
pull_request:
7+
branches:
8+
- main
9+
- master
10+
# ESR branches glob pattern
11+
- 20[0-9][0-9].[0-1]?[1470].x
12+
pull_request_target:
13+
branches:
14+
- main
15+
- master
16+
push:
17+
tags:
18+
# Semver tags glob pattern (includes ESR in format v20YY.MM.PATCH)
19+
- v[0-9]+.[0-9]+.[0-9]+\+?r?e?v?*
20+
# Allows you to run this workflow manually from the Actions tab
21+
workflow_dispatch:
22+
inputs:
23+
force-finalize:
24+
description: Force finalize of the build (implicitly enables hostapp and S3 deployments)
25+
required: false
26+
type: boolean
27+
default: false
28+
deploy-environment:
29+
description: Environment to use for build and deploy
30+
required: false
31+
type: string
32+
default: balena-staging.com
33+
signing-environment:
34+
description: The signing environment to use for the bitbake build - includes the related vars and secrets
35+
required: false
36+
type: string
37+
default: 'sign.balena-cloud.com'
38+
meta-balena-ref:
39+
description: meta-balena ref if not the currently pinned version
40+
required: false
41+
type: string
42+
default: ''
43+
44+
permissions:
45+
id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
46+
actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
47+
pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
48+
packages: read
49+
contents: read
50+
51+
jobs:
52+
yocto:
53+
name: Yocto
54+
uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@5e33bdd77f207ccf64016feb3a30f4af05e57e96
55+
# Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events.
56+
# Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork.
57+
# This condition will prevent the workflow from running twice for the same pull request while
58+
# still allowing it to run for all other event types.
59+
if: (github.event.pull_request.head.repo.full_name == github.repository) == (github.event_name == 'pull_request')
60+
secrets: inherit
61+
with:
62+
machine: raspberrypicm4-ioboard-sb
63+
# worker_type defaults to testbot
64+
# worker_fleets defaults to balena/testbot-rig,balena/testbot-rig-partners,balena/testbot-rig-x86,balena/testbot-rig-partners-x86
65+
test_matrix: >
66+
{
67+
"test_suite": ["os","cloud","hup"],
68+
"environment": ["balena-cloud.com"],
69+
"runs_on": [["ubuntu-latest"]],
70+
"secure_boot": ["sb"]
71+
}
72+
# Allow manual workflow runs to force finalize without checking previous test runs
73+
force-finalize: ${{ inputs.force-finalize || false }}
74+
# Default to balena-staging.com for workflow dispatch, but balena-cloud.com for other events
75+
deploy-environment: ${{ inputs.deploy-environment || 'balena-cloud.com' }}
76+
# Allow overriding the meta-balena ref for workflow dispatch events
77+
meta-balena-ref: ${{ inputs.meta-balena-ref || '' }}
78+
sign-image: true
79+
signing-environment: ${{ inputs.signing-environment || 'sign.balena-cloud.com' }}

0 commit comments

Comments
 (0)