From 83ec56df85ad5e038258261e3f250223a26b449a Mon Sep 17 00:00:00 2001
From: Kyle Harding <kyle@balena.io>
Date: Wed, 18 Sep 2024 10:36:37 -0400
Subject: [PATCH] Expose secure boot testing features via matrix input

Change-type: patch
Signed-off-by: Kyle Harding <kyle@balena.io>
---
 .github/workflows/yocto-build-deploy.yml | 23 +++++++++--------------
 1 file changed, 9 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/yocto-build-deploy.yml b/.github/workflows/yocto-build-deploy.yml
index 42e612cd6..78d76162c 100644
--- a/.github/workflows/yocto-build-deploy.yml
+++ b/.github/workflows/yocto-build-deploy.yml
@@ -99,6 +99,7 @@ on:
       # - worker_fleets: The testbot fleets for finding available Leviathan workers. Not used for QEMU workers. Can accept a list of apps separated by commas, no spaces in between
       # - test_org: The organization to use for testing cloud functionality. This default org is `testbot`
       # - runs_on: A JSON array of runner labels to use for the test job(s). For qemu workers use the labels `["self-hosted", "X64", "kvm"]`.
+      # - secure_boot: (truthy) Enable secure boot testing flags QEMU_SECUREBOOT=1 and FLASHER_SECUREBOOT=1. Default is false.
       # To use specific settings for each test job, create an include array like this...
       # {"include": [
       #   {
@@ -1145,27 +1146,21 @@ jobs:
 
           mkdir -p "${REPORTS}"
 
+      # Two variables are needed for secure boot tests. Check Makefile in Leviathan to trace their usage.
+      - name: Enable secure boot tests
+        # Evaluate as truthy
+        if: matrix.secure_boot
+        run: |
+          echo "QEMU_SECUREBOOT=1" >> "${GITHUB_ENV}"
+          echo "FLASHER_SECUREBOOT=1" >> "${GITHUB_ENV}"
+
       # https://github.com/balena-os/leviathan/blob/master/action.yml
       - name: BalenaOS Leviathan Tests
-        uses: balena-os/leviathan@384eab3c6ef896a8a54ce744fd445135e1cae703 # v2.31.43
-        if: inputs.sign-image == false # Ensure we don't run this for non-signed images
-        env:
-          # BALENA_API_TEST_KEY is a secret that should be specific to the runtime environment
-          # It requires permissions to manage autokit workers, and create test fleets
-          BALENACLOUD_API_KEY: ${{ secrets.BALENA_API_TEST_KEY }}
-
-      # Only to run when images are signed, have to run secureboot tests
-      # Make sure it has all the same env variables as the job above
-      - name: "[Secureboot] BalenaOS Leviathan Tests"
-        if: inputs.sign-image == true
         uses: balena-os/leviathan@384eab3c6ef896a8a54ce744fd445135e1cae703 # v2.31.43
         env:
           # BALENA_API_TEST_KEY is a secret that should be specific to the runtime environment
           # It requires permissions to manage autokit workers, and create test fleets
           BALENACLOUD_API_KEY: ${{ secrets.BALENA_API_TEST_KEY }}
-          # Two variables are needed for secure boot tests. Check Makefile in Leviathan to trace their usage.
-          QEMU_SECUREBOOT: 1
-          FLASHER_SECUREBOOT: 1
 
   # This job always runs and will fail if any of the builds or tests fail.
   # This way we can mark this job as required for merging PRs.