Add the infrastructure for shim signing & aarch64 support #2626
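# PR pipeline: gate once on an environment approval, optionally rebuild the SDK
# container, then build the OS image through the reusable CI workflow.
name: "Run PR workflows"

on:
  pull_request:

# Only the pull-requests scope is granted to GITHUB_TOKEN; scopes not listed
# here are set to "none" for every job, including the reusable workflows.
permissions:
  pull-requests: write

# One active run per PR branch: a new push cancels the run still in progress.
concurrency:
  group: ${{ github.workflow }}-pr-${{ github.head_ref || github.ref_name }}
  cancel-in-progress: true

jobs:
  pre_check:
    name: "Check if we need to update the SDK"
    runs-on: ubuntu-latest
    # Setting the environment is the more important reason we need this job.
    # We use this job as a gate, so we can approve the PR workflow only once. If
    # we set this in the update_sdk job and in the build_image job, we would have
    # to approve the workflow for every job that kicks off. Given that the jobs
    # are sequenced, this is cumbersome. Use this job as a gate and make the rest
    # dependent on it.
    environment: development
    outputs:
      sdk_changes: ${{ steps.step1.outputs.sdk_changes }}
    steps:
      - name: Set outputs
        id: step1
        shell: bash
        # contains() is evaluated by the Actions expression engine, so only the
        # literal "true" or "false" reaches the shell. Keep it that way: the PR
        # body is author-controlled and must not be interpolated into the
        # script text itself.
        run: |
          echo "sdk_changes=${{ contains(github.event.pull_request.body, '/update-sdk') }}" >> "$GITHUB_OUTPUT"

  update_sdk:
    name: "Build an updated SDK container"
    needs: [ pre_check ]
    # The PR author opts in to this job by putting '/update-sdk' in the PR
    # body; the approval on pre_check is what stands between that text and a
    # job that receives secrets.
    if: needs.pre_check.outputs.sdk_changes == 'true'
    # SDK build needs access to bincache ssh secret
    # NOTE(review): `inherit` forwards every secret this workflow can see to
    # update-sdk.yaml. An explicit `secrets:` mapping that names only the
    # bincache secret would keep the called workflow to least privilege.
    secrets: inherit
    uses: ./.github/workflows/update-sdk.yaml

  build_image:
    # pre_check is listed explicitly: the `needs` context only exposes direct
    # dependencies, and the condition below has to read its result.
    needs: [ pre_check, update_sdk ]
    # The update-sdk job may be skipped, which is fine. We only care if it tried to
    # run, but failed.
    # always() also lifts the implicit "all upstream jobs succeeded" check. If
    # pre_check fails (including, presumably, a rejected environment review),
    # update_sdk is reported as skipped rather than failed, so the gate has to
    # be re-asserted here or the image build would still start.
    if: (always() && !cancelled()) && needs.pre_check.result == 'success' && needs.update_sdk.result != 'failure'
    name: "Build the OS image"
    uses: ./.github/workflows/ci.yaml
    with:
      # Empty when update_sdk was skipped.
      # NOTE(review): ci.yaml presumably falls back to its default SDK version
      # in that case; confirm.
      custom_sdk_version: ${{ needs.update_sdk.outputs.sdk_version }}
      image_formats: qemu_uefi pxe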