Expose secure boot testing features via matrix input
Some device types (generic-armd64) need to run the test
suites twice for the same base image, once with secure boot
vars enabled in Leviathan, and once without.

Rather than run the suites in series, or require building the
image twice, we can allow the test matrix to define separate runs
for the two modes.

Change-type: minor
Signed-off-by: Kyle Harding <[email protected]>
klutchell committed Sep 30, 2024
1 parent 9646cf9 commit 6b12cb9
Showing 1 changed file with 9 additions and 14 deletions.
23 changes: 9 additions & 14 deletions .github/workflows/yocto-build-deploy.yml
Expand Up @@ -99,6 +99,7 @@ on:
# - worker_fleets: The testbot fleets for finding available Leviathan workers. Not used for QEMU workers. Can accept a list of apps separated by commas, no spaces in between
# - test_org: The organization to use for testing cloud functionality. This default org is `testbot`
# - runs_on: A JSON array of runner labels to use for the test job(s). For qemu workers use the labels `["self-hosted", "X64", "kvm"]`.
# - secure_boot: (truthy) Enable secure boot testing flags QEMU_SECUREBOOT=1 and FLASHER_SECUREBOOT=1. Default is false.
# To use specific settings for each test job, create an include array like this...
# {"include": [
# {
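Review bot: The new `secure_boot` comment line says "(truthy)" without saying which values count. In GitHub Actions expressions a non-empty string is truthy, so a matrix entry written as `"secure_boot": "false"` would still enable QEMU_SECUREBOOT=1 and FLASHER_SECUREBOOT=1. Suggest documenting that the value should be an unquoted JSON boolean (`true` or `false`), and adding a `secure_boot` entry to the include example that follows so the expected type is visible to whoever writes the matrix.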
Expand Down Expand Up @@ -1152,27 +1153,21 @@ jobs:
mkdir -p "${REPORTS}"
# Two variables are needed for secure boot tests. Check Makefile in Leviathan to trace their usage.
- name: Enable secure boot tests
# Evaluate as truthy
if: matrix.secure_boot
run: |
echo "QEMU_SECUREBOOT=1" >> "${GITHUB_ENV}"
echo "FLASHER_SECUREBOOT=1" >> "${GITHUB_ENV}"
# https://github.com/balena-os/leviathan/blob/master/action.yml
- name: BalenaOS Leviathan Tests
uses: balena-os/leviathan@17c522fabdce94d77a3ae1abb56dd232eccbea63 # v2.31.44
if: inputs.sign-image == false # Ensure we don't run this for non-signed images
env:
# BALENA_API_TEST_KEY is a secret that should be specific to the runtime environment
# It requires permissions to manage autokit workers, and create test fleets
BALENACLOUD_API_KEY: ${{ secrets.BALENA_API_TEST_KEY }}

# Only to run when images are signed, have to run secureboot tests
# Make sure it has all the same env variables as the job above
- name: "[Secureboot] BalenaOS Leviathan Tests"
if: inputs.sign-image == true
uses: balena-os/leviathan@17c522fabdce94d77a3ae1abb56dd232eccbea63 # v2.31.44
env:
# BALENA_API_TEST_KEY is a secret that should be specific to the runtime environment
# It requires permissions to manage autokit workers, and create test fleets
BALENACLOUD_API_KEY: ${{ secrets.BALENA_API_TEST_KEY }}
# Two variables are needed for secure boot tests. Check Makefile in Leviathan to trace their usage.
QEMU_SECUREBOOT: 1
FLASHER_SECUREBOOT: 1

# This job always runs and will fail if any of the builds or tests fail.
# This way we can mark this job as required for merging PRs.
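Review bot: `if: matrix.secure_boot` on the "Enable secure boot tests" step relies on expression truthiness, so any non-empty string coming from the matrix JSON, including `"false"` or `"0"`, writes both secure boot variables to `GITHUB_ENV`. An explicit comparison such as `if: matrix.secure_boot == true` would make the step's behaviour match the documented boolean. The visible lines also carry `inputs.sign-image` conditions on the Leviathan steps; if those conditions go away with this change, the comment above the step should say how `secure_boot` relates to `sign-image`, so a matrix entry cannot silently request secure boot tests against an image that was not signed, or skip them for one that was.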