SECURITY.md: Add product security team details #258
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build Yocto | |
on: | |
workflow_call: | |
pull_request: | |
push: | |
branches: | |
- main | |
env: | |
CACHE_DIR: /srv/gh-runners/quic-yocto | |
KAS_REPO_REF_DIR: /srv/gh-runners/quic-yocto/kas-mirrors | |
jobs: | |
kas-lock: | |
if: github.repository == 'quic-yocto/meta-qcom-hwe' | |
runs-on: [self-hosted, x86] | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Run kas lock | |
run: | | |
kas dump --update --lock --inplace ci/base.yml | |
- uses: actions/upload-artifact@v4 | |
with: | |
name: kas-lock | |
path: ci/*.lock.yml | |
yocto-check-layer: | |
needs: kas-lock | |
if: github.repository == 'quic-yocto/meta-qcom-hwe' | |
runs-on: [self-hosted, x86] | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- uses: actions/download-artifact@v4 | |
with: | |
name: kas-lock | |
path: ci/ | |
- name: Run yocto-check-layer | |
run: | | |
ci/yocto-check-layer.sh | |
yocto-patchreview: | |
needs: kas-lock | |
if: github.repository == 'quic-yocto/meta-qcom-hwe' | |
runs-on: [self-hosted, x86] | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- uses: actions/download-artifact@v4 | |
with: | |
name: kas-lock | |
path: ci/ | |
- name: Run Yocto patchreview | |
run: | | |
ci/yocto-patchreview.sh | |
compile: | |
needs: kas-lock | |
if: github.repository == 'quic-yocto/meta-qcom-hwe' | |
strategy: | |
fail-fast: true | |
matrix: | |
machine: | |
- qcm6490-idp | |
- qcs6490-rb3gen2-core-kit | |
- sa8775p-ride-sx | |
runs-on: [self-hosted, x86] | |
name: ${{ matrix.machine }}/poky/systemd | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- uses: actions/download-artifact@v4 | |
with: | |
name: kas-lock | |
path: ci/ | |
- name: Kas build | |
run: | | |
export DL_DIR=${CACHE_DIR}/downloads | |
export SSTATE_DIR=${CACHE_DIR}/sstate-cache | |
export KAS_WORK_DIR=$PWD/../kas | |
mkdir $KAS_WORK_DIR | |
kas build ci/mirror.yml:ci/${{ matrix.machine }}.yml | |
- name: Publish image | |
run: | | |
build_dir=${CACHE_DIR}/builds/${GITHUB_RUN_ID} | |
mkdir -p $build_dir | |
img_dir=$build_dir/${{ matrix.machine }} | |
[ -d $img_dir ] && rm -rf $img_dir | |
mv ../kas/build/tmp/deploy/images/${{matrix.machine}} $img_dir | |
# Instruct our file server to make these files available for download | |
url="https://quic-yocto-fileserver-1029608027416.us-central1.run.app/${GITHUB_RUN_ID}/${{ matrix.machine }}/" | |
retries=3 | |
for ((i=0; i<retries; i++)); do | |
curl -X POST -i -w '%{http_code}' --fail-with-body ${url} && break | |
echo # new line break in case response doesn't have one | |
echo "Error: unable to publish artifacts, sleep and retry" | |
sleep 2 | |
done | |
(( retries == i )) && { echo 'Failed to publish artifacts'; exit 1; } | |
echo # new line break in case response doesn't have one | |
echo Image available at: ${url} | |
boot-test: | |
needs: compile | |
if: github.repository == 'quic-yocto/meta-qcom-hwe' && contains(fromJSON('["push", "schedule"]'), github.event_name) | |
strategy: | |
fail-fast: true | |
matrix: | |
machine: | |
- qcs6490-rb3gen2-core-kit | |
runs-on: [self-hosted, x86] | |
name: ${{ matrix.machine }}/lava | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Create test job definition | |
id: create_definition | |
run: | | |
export DEVICE_TYPE=${{ matrix.machine }} | |
export BUILD_FILE_NAME="core-image-base-${DEVICE_TYPE}.rootfs.qcomflash.tar.gz" | |
export BUILD_DOWNLOAD_URL="https://quic-yocto-fileserver-1029608027416.us-central1.run.app/${GITHUB_RUN_ID}/${{ matrix.machine }}/${BUILD_FILE_NAME}" | |
export JOB_FILE_NAME="${{ matrix.machine }}-${GITHUB_RUN_ID}.yml" | |
sed "s|{{GITHUB_RUN_ID}}|${GITHUB_RUN_ID}|g" ci/lava/${{ matrix.machine }}.yml > "${JOB_FILE_NAME}" | |
sed -i "s|{{GITHUB_SHA}}|${GITHUB_SHA}|g" "${JOB_FILE_NAME}" | |
sed -i "s|{{DEVICE_TYPE}}|${DEVICE_TYPE}|g" "${JOB_FILE_NAME}" | |
sed -i "s|{{BUILD_DOWNLOAD_URL}}|${BUILD_DOWNLOAD_URL}|g" "${JOB_FILE_NAME}" | |
sed -i "s|{{BUILD_FILE_NAME}}|${BUILD_FILE_NAME}|g" "${JOB_FILE_NAME}" | |
cat "${JOB_FILE_NAME}" | |
echo "job_file_name=${JOB_FILE_NAME}" >> "${GITHUB_OUTPUT}" | |
- uses: foundriesio/lava-action@v2 | |
with: | |
lava_token: ${{ secrets.LAVATOKEN }} | |
lava_url: 'lava.infra.foundries.io' | |
job_definition: ${{ steps.create_definition.outputs.job_file_name }} | |
wait_for_job: 'true' | |
fail_action_on_failure: 'true' |