Separate hostapp artifacts from leviathan artifacts

klutchell · klutchell · commit 51fac7e96144 · 2025-05-22T15:42:05.000-04:00
Change-type: minor
Signed-off-by: Kyle Harding &lt;kyle@balena.io&gt;
diff --git a/.github/workflows/yocto-build-deploy.yml b/.github/workflows/yocto-build-deploy.yml
@@ -848,59 +848,107 @@ jobs:
           aws s3 sync --sse="${S3_SSE}" "${SHARED_DOWNLOADS_DIR}/" "${S3_URL}/" \
             --exclude "*/*" --exclude "*.tmp" --size-only --follow-symlinks --no-progress
 
+      # login required to pull private balena/balena-img image
+      # https://github.com/docker/login-action
+      - name: Login to Docker Hub
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        with:
+          registry: docker.io
+          username: ${{ secrets.DOCKERHUB_USER }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
       # TODO: Unroll balena_deploy_artifacts into the workflow shell directly
       # and only package up what is needed for s3 deploy, hostapp deploy, and leviathan tests.
-      # Note that the option to remove compressed files is set to true, as we want to avoid duplicate image files in the upload,
-      # and they can be uncompressed in the s3 deploy step.
-      - name: Prepare artifacts
+      # https://github.com/balena-os/balena-yocto-scripts/blob/fe5debadae75e2b9cda9bd40aa2d0aced777860a/automation/include/balena-deploy.inc#L23
+      - name: Prepare hostapp artifacts
         env:
           ARTIFACTS_TAR: "${{ runner.temp }}/artifacts.tar.zst"
+          # Note that this is the DEPLOY_PATH + the device slug and os version
+          DEPLOY_PATH: ${{ github.workspace }}/deploy/${{ needs.balena-lib.outputs.device_slug }}/${{ needs.balena-lib.outputs.os_version }}
         run: |
           if ! command -v zip; then
             sudo apt-get update
             sudo apt-get install -y zip
           fi
 
           source "${automation_dir}/include/balena-deploy.inc"
-          # https://github.com/balena-os/balena-yocto-scripts/blob/fe5debadae75e2b9cda9bd40aa2d0aced777860a/automation/include/balena-deploy.inc#L23
-          balena_deploy_artifacts "${SLUG}" "${DEPLOY_PATH}" true
+          balena_deploy_artifacts "${SLUG}" "${DEPLOY_PATH}" false
 
           cp -v "${WORKSPACE}/balena.yml" "${DEPLOY_PATH}/balena.yml"
 
           du -cksh "${DEPLOY_PATH}"
           find "${DEPLOY_PATH}" -type f -exec du -h {} \;
 
-          tar -I zstd -cf "${ARTIFACTS_TAR}" -C "${DEPLOY_PATH}" .
-          du -h "${ARTIFACTS_TAR}"
+      - name: Prepare deflate files
+        if: needs.balena-lib.outputs.deploy_artifact != 'docker-image'
+        env:
+          HELPER_IMAGE: balena/balena-img:6.20.26
+          # This should be the root of DEPLOY_PATH from prepare hostapp artifacts
+          DEPLOY_PATH: ${{ github.workspace }}/deploy
+        run: |
+          docker run --rm \
+            -e BASE_DIR=/host/images \
+            -v "${DEPLOY_PATH}:/host/images" \
+            "${HELPER_IMAGE}" /usr/src/app/node_modules/.bin/ts-node /usr/src/app/scripts/prepare.ts
+
+          du -cksh "${DEPLOY_PATH}"
+          find "${DEPLOY_PATH}" -exec ls -lh {} \;
 
-      # Encrypt artifacts and remove the original tarball so it doesn't get uploaded
-      - name: Encrypt artifacts
+      # Encrypt .img and .img.zip files and remove the originals
+      - name: Encrypt signed/private artifacts
         if: inputs.sign-image || needs.balena-lib.outputs.is_private == 'true'
         env:
-          ARTIFACTS_TAR: "${{ runner.temp }}/artifacts.tar.zst"
-          ARTIFACTS_ENC: "${{ runner.temp }}/artifacts.tar.zst.enc"
+          # This should be the root of DEPLOY_PATH from prepare hostapp artifacts
+          DEPLOY_PATH: ${{ github.workspace }}/deploy
           PBDKF2_PASSPHRASE: ${{ secrets.PBDKF2_PASSPHRASE }}
         run: |
-          openssl enc -v -e -aes-256-cbc -k "${PBDKF2_PASSPHRASE}" -pbkdf2 -iter 310000 -md sha256 -salt -in "${ARTIFACTS_TAR}" -out "${ARTIFACTS_ENC}"
-          rm "${ARTIFACTS_TAR}"
+          set -x
+          for file in "${DEPLOY_PATH}"/**/*.img "${DEPLOY_PATH}"/**/*.img.zip "${DEPLOY_PATH}"/**/*.docker "${DEPLOY_PATH}"/**/*.deflate; do
+            openssl enc -v -e -aes-256-cbc -k "${PBDKF2_PASSPHRASE}" -pbkdf2 -iter 310000 -md sha256 -salt -in "${file}" -out "${file}.enc"
+            rm "${file}"
+          done
 
-      # Upload either the encrypted or the unencrypted artifacts, whichever is present
       # https://github.com/actions/upload-artifact
-      - name: Upload artifacts
+      - name: Upload hostapp artifacts
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         env:
-          ARTIFACTS_TAR: "${{ runner.temp }}/artifacts.tar.zst"
-          ARTIFACTS_ENC: "${{ runner.temp }}/artifacts.tar.zst.enc"
+          # Note that this is the DEPLOY_PATH + the device slug and os version
+          DEPLOY_PATH: ${{ github.workspace }}/deploy/${{ needs.balena-lib.outputs.device_slug }}/${{ needs.balena-lib.outputs.os_version }}
         with:
-          name: build-artifacts
+          name: hostapp-artifacts
           if-no-files-found: error
           retention-days: 3
-          # Change compression-level to 0 since we already compressed with zstd and
-          # encrypted files cannot be compressed further.
+          # Use 0 compression to avoid corrupting the encrypted files
           compression-level: 0
           path: |
-            ${{ env.ARTIFACTS_TAR }}
-            ${{ env.ARTIFACTS_ENC }}
+            ${{ env.DEPLOY_PATH }}/image/*.img.zip
+            ${{ env.DEPLOY_PATH }}/image/*.img.zip.enc
+            ${{ env.DEPLOY_PATH }}/compressed*/*.deflate
+            ${{ env.DEPLOY_PATH }}/compressed*/*.deflate.enc
+            ${{ env.DEPLOY_PATH }}/*.yml
+            ${{ env.DEPLOY_PATH }}/*.json
+            ${{ env.DEPLOY_PATH }}/*.md
+            ${{ env.DEPLOY_PATH }}/VERSION*
+            ${{ env.DEPLOY_PATH }}/*.manifest
+            ${{ env.DEPLOY_PATH }}/*.tar.gz
+
+      # https://github.com/actions/upload-artifact
+      - name: Upload testing artifacts
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        env:
+          # Note that this is the DEPLOY_PATH + the device slug and os version
+          DEPLOY_PATH: ${{ github.workspace }}/deploy/${{ needs.balena-lib.outputs.device_slug }}/${{ needs.balena-lib.outputs.os_version }}
+        with:
+          name: testing-artifacts
+          if-no-files-found: error
+          retention-days: 3
+          # Use 0 compression to avoid corrupting the encrypted files
+          compression-level: 0
+          path: |
+            ${{ env.DEPLOY_PATH }}/image/*.img.zip
+            ${{ env.DEPLOY_PATH }}/image/*.img.zip.enc
+            ${{ env.DEPLOY_PATH }}/*.docker.enc
+            ${{ env.DEPLOY_PATH }}/*.tar.gz
 
   ##############################
   # hostapp Deploy
@@ -931,26 +979,26 @@ jobs:
     env:
       BALENARC_BALENA_URL: ${{ vars.BALENA_HOST || vars.BALENARC_BALENA_URL || 'balena-cloud.com' }}
       HOSTAPP_ORG: ${{ vars.HOSTAPP_ORG || 'balena_os' }}
-      DEPLOY_PATH: ${{ github.workspace }}/deploy/${{ needs.balena-lib.outputs.device_slug }}/${{ needs.balena-lib.outputs.os_version }}
-      # Same as DEPLOY_PATH but used by prepare.ts which expects the structure "/host/images/${device_slug}/${version}/..."
-      PREPARE_DEPLOY_PATH: ${{ github.workspace }}/deploy
+      DEPLOY_PATH: ${{ github.workspace }}/deploy
 
     steps:
 
       # Use gh to download the build artifacts from the build job
       # https://github.com/actions/download-artifact/issues/396#issuecomment-2796144940
       # https://cli.github.com/manual/gh_run_download
       # https://cli.github.com/manual/gh_help_environment
-      - name: Download build artifacts
+      - name: Download hostapp artifacts
         run: |
-          gh run download "${GITHUB_RUN_ID}" --dir "${{ runner.temp }}" --name build-artifacts
+          mkdir -p "${DEPLOY_PATH}"
+          gh run download "${GITHUB_RUN_ID}" --dir "${DEPLOY_PATH}" --name hostapp-artifacts
         env:
           GH_TOKEN: ${{ github.token }}
           GH_REPO: ${{ github.repository }}
           GH_DEBUG: "true"
           GH_PAGER: "cat"
           GH_PROMPT_DISABLED: "true"
           GH_SPINNER_DISABLED: "true"
+          DEPLOY_PATH: ${{ github.workspace }}/deploy
 
       # # https://github.com/actions/download-artifact
       # - name: Download build artifacts
@@ -962,24 +1010,20 @@ jobs:
       - name: Decrypt artifacts
         if: inputs.sign-image || needs.balena-lib.outputs.is_private == 'true'
         env:
-          ARTIFACTS_TAR: "${{ runner.temp }}/artifacts.tar.zst"
-          ARTIFACTS_ENC: "${{ runner.temp }}/artifacts.tar.zst.enc"
           PBDKF2_PASSPHRASE: ${{ secrets.PBDKF2_PASSPHRASE }}
+          DEPLOY_PATH: ${{ github.workspace }}/deploy
         run: |
-          openssl enc -v -d -aes-256-cbc -k "${PBDKF2_PASSPHRASE}" -pbkdf2 -iter 310000 -md sha256 -salt -in "${ARTIFACTS_ENC}" -out "${ARTIFACTS_TAR}"
+          set -x
+          for enc in "${DEPLOY_PATH}"/**/*.enc; do
+            openssl enc -v -d -aes-256-cbc -k "${PBDKF2_PASSPHRASE}" -pbkdf2 -iter 310000 -md sha256 -salt -in "${enc}" -out "${enc%.enc}"
+          done
 
-      # Decompress the entire the entire tarball for the S3 upload.
-      # Note that in this case DEPLOY_PATH includes <workspace>/deploy/${device_slug}/${version}/
-      # List the contents of the tar file to make sure we're decompressing the right files.
       # Unzip the raw image files that were zipped and removed before uploading.
       - name: Decompress artifacts
         env:
-          ARTIFACTS_TAR: "${{ runner.temp }}/artifacts.tar.zst"
+          DEPLOY_PATH: ${{ github.workspace }}/deploy
         run: |
           set -x
-          mkdir -p "${DEPLOY_PATH}"
-          tar -tf "${ARTIFACTS_TAR}"
-          tar -I zstd -xvf "${ARTIFACTS_TAR}" -C "${DEPLOY_PATH}"
 
           if ! command -v unzip; then
             sudo apt-get update
@@ -994,28 +1038,6 @@ jobs:
 
           cp -v "${DEPLOY_PATH}/balena.yml" "${WORKSPACE}/balena.yml"
 
-      # login required to pull private balena/balena-img image
-      # https://github.com/docker/login-action
-      - name: Login to Docker Hub
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          registry: docker.io
-          username: ${{ secrets.DOCKERHUB_USER }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Prepare deflate files
-        if: needs.balena-lib.outputs.deploy_artifact != 'docker-image'
-        env:
-          HELPER_IMAGE: balena/balena-img:6.20.26
-          PREPARE_DEPLOY_PATH: ${{ env.PREPARE_DEPLOY_PATH }}
-        run: |
-          docker run --rm \
-            -e BASE_DIR=/host/images \
-            -v "${PREPARE_DEPLOY_PATH}:/host/images" \
-            "${HELPER_IMAGE}" /usr/src/app/node_modules/.bin/ts-node /usr/src/app/scripts/prepare.ts
-
-          find "${PREPARE_DEPLOY_PATH}" -exec ls -lh {} \;
-
       - name: Setup balena CLI
         uses: balena-io-examples/setup-balena-action@41338eb4bb2b2e8b239d8ca5b8523d1a707333bf # v0.0.6
         env:
@@ -1295,16 +1317,18 @@ jobs:
       # https://github.com/actions/download-artifact/issues/396#issuecomment-2796144940
       # https://cli.github.com/manual/gh_run_download
       # https://cli.github.com/manual/gh_help_environment
-      - name: Download build artifacts
+      - name: Download hostapp artifacts
         run: |
-          gh run download "${GITHUB_RUN_ID}" --dir "${{ runner.temp }}" --name build-artifacts
+          mkdir -p "${DEPLOY_PATH}"
+          gh run download "${GITHUB_RUN_ID}" --dir "${DEPLOY_PATH}" --name hostapp-artifacts
         env:
           GH_TOKEN: ${{ github.token }}
           GH_REPO: ${{ github.repository }}
           GH_DEBUG: "true"
           GH_PAGER: "cat"
           GH_PROMPT_DISABLED: "true"
           GH_SPINNER_DISABLED: "true"
+          DEPLOY_PATH: ${{ github.workspace }}/deploy
 
       # # https://github.com/actions/download-artifact
       # - name: Download build artifacts
@@ -1316,24 +1340,20 @@ jobs:
       - name: Decrypt artifacts
         if: inputs.sign-image || needs.balena-lib.outputs.is_private == 'true'
         env:
-          ARTIFACTS_TAR: "${{ runner.temp }}/artifacts.tar.zst"
-          ARTIFACTS_ENC: "${{ runner.temp }}/artifacts.tar.zst.enc"
           PBDKF2_PASSPHRASE: ${{ secrets.PBDKF2_PASSPHRASE }}
+          DEPLOY_PATH: ${{ github.workspace }}/deploy
         run: |
-          openssl enc -v -d -aes-256-cbc -k "${PBDKF2_PASSPHRASE}" -pbkdf2 -iter 310000 -md sha256 -salt -in "${ARTIFACTS_ENC}" -out "${ARTIFACTS_TAR}"
+          set -x
+          for enc in "${DEPLOY_PATH}"/**/*.enc; do
+            openssl enc -v -d -aes-256-cbc -k "${PBDKF2_PASSPHRASE}" -pbkdf2 -iter 310000 -md sha256 -salt -in "${enc}" -out "${enc%.enc}"
+          done
 
-      # Decompress the entire the entire tarball for the S3 upload.
-      # Note that in this case DEPLOY_PATH includes <workspace>/deploy/${device_slug}/${version}/
-      # List the contents of the tar file to make sure we're decompressing the right files.
       # Unzip the raw image files that were zipped and removed before uploading.
       - name: Decompress artifacts
         env:
-          ARTIFACTS_TAR: "${{ runner.temp }}/artifacts.tar.zst"
+          DEPLOY_PATH: ${{ github.workspace }}/deploy
         run: |
           set -x
-          mkdir -p "${DEPLOY_PATH}"
-          tar -tf "${ARTIFACTS_TAR}"
-          tar -I zstd -xvf "${ARTIFACTS_TAR}" -C "${DEPLOY_PATH}"
 
           if ! command -v unzip; then
             sudo apt-get update
@@ -1478,16 +1498,18 @@ jobs:
       # https://github.com/actions/download-artifact/issues/396#issuecomment-2796144940
       # https://cli.github.com/manual/gh_run_download
       # https://cli.github.com/manual/gh_help_environment
-      - name: Download build artifacts
+      - name: Download hostapp artifacts
         run: |
-          gh run download "${GITHUB_RUN_ID}" --dir "${{ runner.temp }}" --name build-artifacts
+          mkdir -p "${DEPLOY_PATH}"
+          gh run download "${GITHUB_RUN_ID}" --dir "${DEPLOY_PATH}" --name hostapp-artifacts
         env:
           GH_TOKEN: ${{ github.token }}
           GH_REPO: ${{ github.repository }}
           GH_DEBUG: "true"
           GH_PAGER: "cat"
           GH_PROMPT_DISABLED: "true"
           GH_SPINNER_DISABLED: "true"
+          DEPLOY_PATH: ${{ github.workspace }}/deploy
 
       # # https://github.com/actions/download-artifact
       # - name: Download build artifacts
@@ -1499,28 +1521,31 @@ jobs:
       - name: Decrypt artifacts
         if: inputs.sign-image || needs.balena-lib.outputs.is_private == 'true'
         env:
-          ARTIFACTS_TAR: "${{ runner.temp }}/artifacts.tar.zst"
-          ARTIFACTS_ENC: "${{ runner.temp }}/artifacts.tar.zst.enc"
           PBDKF2_PASSPHRASE: ${{ secrets.PBDKF2_PASSPHRASE }}
+          DEPLOY_PATH: ${{ github.workspace }}/deploy
         run: |
-          openssl enc -v -d -aes-256-cbc -k "${PBDKF2_PASSPHRASE}" -pbkdf2 -iter 310000 -md sha256 -salt -in "${ARTIFACTS_ENC}" -out "${ARTIFACTS_TAR}"
+          set -x
+          for enc in "${DEPLOY_PATH}"/**/*.enc; do
+            openssl enc -v -d -aes-256-cbc -k "${PBDKF2_PASSPHRASE}" -pbkdf2 -iter 310000 -md sha256 -salt -in "${enc}" -out "${enc%.enc}"
+          done
 
-      # Only decompress the raw image file for the AMI creation
-      # List the contents of the tar file to make sure we're decompressing the right files
+      # Unzip the raw image files that were zipped and removed before uploading.
       - name: Decompress artifacts
         env:
-          ARTIFACTS_TAR: "${{ runner.temp }}/artifacts.tar.zst"
+          DEPLOY_PATH: ${{ github.workspace }}/deploy
         run: |
-          mkdir -p "${DEPLOY_PATH}"
-          tar -tf "${ARTIFACTS_TAR}"
-          tar -I zstd -xvf "${ARTIFACTS_TAR}" -C "${DEPLOY_PATH}" ./image/balena.img.zip
+          set -x
 
           if ! command -v unzip; then
             sudo apt-get update
             sudo apt-get install -y unzip
           fi
 
-          unzip "${DEPLOY_PATH}/image/balena.img.zip" -d "${DEPLOY_PATH}/image/"
+          find "${DEPLOY_PATH}/image" -type f -name "*.img.zip"
+
+          for zip in "${DEPLOY_PATH}"/image/*.img.zip; do
+            unzip "${zip}" -d "$(dirname "${zip}")"
+          done
 
       # https://github.com/unfor19/install-aws-cli-action
       # https://github.com/aws/aws-cli/tags
@@ -2083,16 +2108,18 @@ jobs:
       # https://github.com/actions/download-artifact/issues/396#issuecomment-2796144940
       # https://cli.github.com/manual/gh_run_download
       # https://cli.github.com/manual/gh_help_environment
-      - name: Download build artifacts
+      - name: Download testing artifacts
         run: |
-          gh run download "${GITHUB_RUN_ID}" --dir "${{ runner.temp }}" --name build-artifacts
+          mkdir -p "${DEPLOY_PATH}"
+          gh run download "${GITHUB_RUN_ID}" --dir "${DEPLOY_PATH}" --name testing-artifacts
         env:
           GH_TOKEN: ${{ github.token }}
           GH_REPO: ${{ github.repository }}
           GH_DEBUG: "true"
           GH_PAGER: "cat"
           GH_PROMPT_DISABLED: "true"
           GH_SPINNER_DISABLED: "true"
+          DEPLOY_PATH: ${{ github.workspace }}/deploy
 
       # # https://github.com/actions/download-artifact
       # - name: Download build artifacts
@@ -2104,26 +2131,28 @@ jobs:
       - name: Decrypt artifacts
         if: inputs.sign-image || needs.balena-lib.outputs.is_private == 'true'
         env:
-          ARTIFACTS_TAR: "${{ runner.temp }}/artifacts.tar.zst"
-          ARTIFACTS_ENC: "${{ runner.temp }}/artifacts.tar.zst.enc"
           PBDKF2_PASSPHRASE: ${{ secrets.PBDKF2_PASSPHRASE }}
+          DEPLOY_PATH: ${{ github.workspace }}/deploy
         run: |
-          openssl enc -v -d -aes-256-cbc -k "${PBDKF2_PASSPHRASE}" -pbkdf2 -iter 310000 -md sha256 -salt -in "${ARTIFACTS_ENC}" -out "${ARTIFACTS_TAR}"
+          set -x
+          for enc in "${DEPLOY_PATH}"/**/*.enc; do
+            openssl enc -v -d -aes-256-cbc -k "${PBDKF2_PASSPHRASE}" -pbkdf2 -iter 310000 -md sha256 -salt -in "${enc}" -out "${enc%.enc}"
+          done
 
-      # Only decompress the raw image file and the balena-image.docker file for the leviathan tests
-      # List the contents of the tar file to make sure we're decompressing the right files
+      # Unzip the raw image files that were zipped and removed before uploading.
       - name: Decompress artifacts
         env:
-          ARTIFACTS_TAR: "${{ runner.temp }}/artifacts.tar.zst"
+          DEPLOY_PATH: ${{ github.workspace }}/deploy
         run: |
-          mkdir -p "${DEPLOY_PATH}"
-          tar -tf "${ARTIFACTS_TAR}"
-          tar -I zstd -xvf "${ARTIFACTS_TAR}" -C "${DEPLOY_PATH}" "./image/${BALENA_OS_IMAGE}.zip" ./balena-image.docker ./kernel_modules_headers.tar.gz
+          set -x
+
           if ! command -v unzip; then
             sudo apt-get update
             sudo apt-get install -y unzip
           fi
 
+          find "${DEPLOY_PATH}/image" -type f -name "*.img.zip"
+
           unzip "${DEPLOY_PATH}/image/${BALENA_OS_IMAGE}.zip" -d "${DEPLOY_PATH}/image/"
 
       # Check out private contracts if this is a private device type - as these are required for the tests
