Create jobs to separate AWS environments from build environments

klutchell · klutchell · commit 763a1665d230 · 2025-01-02T14:18:36.000-05:00
This allows more granular control over which environments are used
for which steps, and avoids requiring a single environment to define
how to build, sign, and publish.

Initially this workflow will still fallback to the existing
monolith environments and the behaviour should be unchanged.

Change-type: minor
Signed-off-by: Kyle Harding &lt;kyle@balena.io&gt;
diff --git a/.github/workflows/yocto-build-deploy.yml b/.github/workflows/yocto-build-deploy.yml
@@ -73,10 +73,20 @@ on:
         required: true
         type: string
       deploy-environment:
-        description: The GitHub environment to deploy to - includes the balena Cloud environment and related vars
+        description: The balena environment to use for hostApp deployment - includes the related vars and secrets
         required: false
         type: string
         default: balena-cloud.com
+      source-mirror-environment:
+        description: The AWS environment to use for the S3 source mirror - includes related vars and OIDC role(s)
+        required: false
+        type: string
+        default: ''
+      aws-deploy-environment:
+        description: The AWS environment to use for the S3 and AMI deployment - includes related vars and OIDC role(s)
+        required: false
+        type: string
+        default: ''
       # This input exists because we want the option to not auto-finalise for some device types, even if they have tests and those tests pass - for example some custom device types, the customer doesn't want new releases published until they green light it
       finalize-on-push-if-tests-passed:
         description: Whether to finalize a hostApp container image to a balena environment, if tests pass.
@@ -177,10 +187,99 @@ env:
 permissions: {}
 
 jobs:
+  # This job is used to centralize AWS configuration for S3 source mirror.
+  # It is used to separate the AWS configuration from the build environment.
+  source-mirror-config:
+    name: Configure source mirror
+    runs-on: ubuntu-24.04
+
+    # This environment should contain the following variables:
+    # - AWS_IAM_ROLE: AWS IAM role to assume
+    # - SOURCE_MIRROR_S3_SSE_ALGORITHM: AWS S3 server-side encryption algorithm
+    # - SOURCE_MIRROR_S3_URL: AWS S3 URL of the source mirror
+    # - SOURCE_MIRROR_URL: HTTPS URL of the source mirror
+    # - SOURCE_MIRROR_REGION: AWS region of the source mirror
+    environment: ${{ inputs.source-mirror-environment || inputs.deploy-environment }}
+
+    outputs:
+      # Include a number of similar variable keys to allow for flexibility in the environment and backwards compatibility
+      aws-iam-role: ${{ vars.AWS_IAM_ROLE }}
+      aws-region: ${{ vars.SOURCE_MIRROR_REGION || vars.AWS_REGION || vars.AWS_S3_REGION || vars.S3_REGION || 'us-east-1' }}
+      s3-url: ${{ vars.SOURCE_MIRROR_S3_URL || vars.AWS_S3_URL || vars.S3_URL || 's3://yocto-72c1c258-81bb-11ef-b722-0efcede062c9/shared-downloads' }}
+      https-url: ${{ vars.SOURCE_MIRROR_URL || vars.AWS_S3_HTTPS_URL || vars.S3_HTTPS_URL || 'https://yocto-72c1c258-81bb-11ef-b722-0efcede062c9.s3.us-east-1.amazonaws.com/shared-downloads/' }}
+      aws-s3-sse-algorithm: ${{ vars.SOURCE_MIRROR_S3_SSE_ALGORITHM || vars.AWS_S3_SSE_ALGORITHM || vars.S3_SSE_ALGORITHM || vars.SSE_ALGORITHM || vars.SSE || 'AES256' }}
+
+    # https://docs.github.com/en/actions/security-guides/automatic-token-authentication
+    # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+    # https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
+    permissions:
+      id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+
+    steps:
+      # We don't use this session, it's just to check if the credentials are valid
+      # https://github.com/aws-actions/configure-aws-credentials
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        continue-on-error: true # Don't fail at this point as there is still value in running builds and tests
+        with:
+          role-to-assume: ${{ vars.AWS_IAM_ROLE }}
+          role-session-name: github-${{ github.job }}-${{ github.run_id }}-${{ github.run_attempt }}
+          aws-region: ${{ vars.SOURCE_MIRROR_REGION || vars.AWS_REGION || vars.AWS_S3_REGION || vars.S3_REGION || 'us-east-1' }}
+          # https://github.com/orgs/community/discussions/26636#discussioncomment-3252664
+          mask-aws-account-id: false
+
+  # This job is used to centralize AWS configuration for S3 and AMI deployment.
+  # It is used to separate the AWS configuration from the build environment.
+  aws-deploy-config:
+    name: Configure AWS
+    runs-on: ubuntu-24.04
+
+    # This environment should contain the following variables:
+    # - AWS_SECURITY_GROUP: AWS security group to use for AMI testing
+    # - AWS_SUBNET: AWS subnet for AMI testing
+    # - AWS_KMS_KEY_ID: AWS KMS key ID make AMIs public
+    # - AWS_REGION: AWS region for S3 image deployment
+    # - AWS_IAM_ROLE: AWS IAM role to assume for S3 image deployment, AMI deployment
+    # - AWS_S3_BUCKET: AWS S3 bucket for image deployment, and AMI deployment
+    # - AWS_S3_SSE_ALGORITHM: AWS S3 server-side encryption algorithm
+    environment: ${{ inputs.aws-deploy-environment || inputs.deploy-environment }}
+
+    outputs:  
+      # Include a number of similar variable keys to allow for flexibility in the environment and backwards compatibility
+      aws-iam-role: ${{ vars.AWS_IAM_ROLE }}
+      aws-region: ${{ vars.AWS_REGION || vars.AWS_S3_REGION || vars.S3_REGION || 'us-east-1' }}
+      aws-security-group: ${{ vars.AWS_SECURITY_GROUP }}
+      aws-subnet: ${{ vars.AWS_SUBNET }}
+      aws-kms-key-id: ${{ vars.AWS_KMS_KEY_ID }}
+      aws-s3-bucket: ${{ vars.AWS_S3_BUCKET || vars.S3_BUCKET }}
+      aws-s3-sse-algorithm: ${{ vars.AWS_S3_SSE_ALGORITHM || 'AES256' }}
+
+    # https://docs.github.com/en/actions/security-guides/automatic-token-authentication
+    # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+    # https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
+    permissions:
+      id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+
+    steps:
+      # We don't use this session, it's just to check if the credentials are valid
+      # https://github.com/aws-actions/configure-aws-credentials
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        continue-on-error: true # Don't fail at this point as there is still value in running builds and tests
+        with:
+          role-to-assume: ${{ vars.AWS_IAM_ROLE }}
+          role-session-name: github-${{ github.job }}-${{ github.run_id }}-${{ github.run_attempt }}
+          aws-region: ${{ vars.AWS_REGION || 'us-east-1' }}
+          # https://github.com/orgs/community/discussions/26636#discussioncomment-3252664
+          mask-aws-account-id: false
+
   build:
     name: Build
     runs-on: ${{ fromJSON(inputs.build-runs-on) }}
     environment: ${{ inputs.deploy-environment }}
+    needs:
+      - aws-deploy-config
+      - source-mirror-config
 
     # https://docs.github.com/en/actions/security-guides/automatic-token-authentication
     # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
@@ -200,9 +299,6 @@ jobs:
       # https://docs.yoctoproject.org/3.1.21/overview-manual/overview-manual-concepts.html#user-configuration
       # Create an autobuilder configuration file that is loaded before local.conf
       AUTO_CONF_FILE: "${{ github.workspace }}/build/conf/auto.conf"
-      SOURCE_MIRROR_REGION: ${{ vars.SOURCE_MIRROR_REGION || vars.AWS_REGION || 'us-east-1' }}
-      SOURCE_MIRROR_S3_URL: ${{ vars.SOURCE_MIRROR_S3_URL || 's3://yocto-72c1c258-81bb-11ef-b722-0efcede062c9/shared-downloads' }}
-      SOURCE_MIRROR_URL: ${{ vars.SOURCE_MIRROR_URL || 'https://yocto-72c1c258-81bb-11ef-b722-0efcede062c9.s3.us-east-1.amazonaws.com/shared-downloads/' }}
 
     outputs:
       os_version: ${{ steps.balena-lib.outputs.os_version }}
@@ -515,9 +611,9 @@ jobs:
       # The own-mirrors class makes it easier to set up your own PREMIRRORS from which to first fetch source before
       # attempting to fetch it from the upstream specified in SRC_URI within each recipe.
       - name: Add S3 shared-downloads to MIRRORS
-        if: env.SOURCE_MIRROR_URL
+        if: needs.source-mirror-config.outputs.s3-url
         env:
-          SOURCE_MIRROR_URL: ${{ env.SOURCE_MIRROR_URL }}
+          SOURCE_MIRROR_URL: ${{ needs.source-mirror-config.outputs.s3-url }}
         run: |
           mkdir -p "$(dirname "${AUTO_CONF_FILE}")"
           cat <<EOF >> "${AUTO_CONF_FILE}"
@@ -638,9 +734,9 @@ jobs:
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
         with:
-          role-to-assume: ${{ vars.AWS_IAM_ROLE }}
+          role-to-assume: ${{ needs.source-mirror-config.outputs.aws-iam-role }}
           role-session-name: github-${{ github.job }}-${{ github.run_id }}-${{ github.run_attempt }}
-          aws-region: ${{ vars.AWS_REGION || 'us-east-1' }}
+          aws-region: ${{ needs.source-mirror-config.outputs.aws-region }}
           # https://github.com/orgs/community/discussions/26636#discussioncomment-3252664
           mask-aws-account-id: false
 
@@ -650,14 +746,14 @@ jobs:
       - name: Sync shared downloads to S3
         # Do not publish shared downloads for pull_request_target events to prevent cache poisoning
         # Do not publish shared downloads for private device-types as the mirror is public-read
-        if: github.event_name != 'pull_request_target' && steps.balena-lib.outputs.is_private == 'false' && env.SOURCE_MIRROR_S3_URL
+        if: github.event_name != 'pull_request_target' && steps.balena-lib.outputs.is_private == 'false' && needs.source-mirror-config.outputs.s3-url
         # Ignore errors for now, as we may have upload conflicts with other jobs
         continue-on-error: true
         env:
           SHARED_DOWNLOADS_DIR: ${{ github.workspace }}/shared/shared-downloads
-          S3_SSE: AES256
-          S3_URL: ${{ env.SOURCE_MIRROR_S3_URL }}
-          S3_REGION: ${{ env.SOURCE_MIRROR_REGION }}
+          S3_SSE: ${{ needs.source-mirror-config.outputs.aws-s3-sse-algorithm }}
+          S3_URL: ${{ needs.source-mirror-config.outputs.s3-url }}
+          S3_REGION: ${{ needs.source-mirror-config.outputs.aws-region }}
         # Create a symlink to the from the relative container path to the workspace in order to resolve symlinks
         # created in the build container runtime.
         run: |
@@ -805,9 +901,9 @@ jobs:
         if: steps.should-deploy.outputs.deploy && steps.balena-lib.outputs.deploy_artifact != 'docker-image'
         env:
           S3_ACL: ${{ steps.s3-acl-private.outputs.string || 'public-read' }}
-          S3_SSE: AES256
-          S3_URL: "s3://${{ vars.AWS_S3_BUCKET || vars.S3_BUCKET }}/${{ steps.s3-esr-images-dir.outputs.string || 'images' }}"
-          S3_REGION: ${{ vars.AWS_REGION || 'us-east-1' }}
+          S3_SSE: ${{ needs.aws-deploy-config.outputs.aws-s3-sse-algorithm }}
+          S3_URL: "s3://${{ needs.aws-deploy-config.outputs.aws-s3-bucket }}/${{ steps.s3-esr-images-dir.outputs.string || 'images' }}"
+          S3_REGION: ${{ needs.aws-deploy-config.outputs.aws-region }}
           SLUG: ${{ steps.balena-lib.outputs.device_slug }}
           VERSION: ${{ steps.balena-lib.outputs.os_version }}
           SOURCE_DIR: ${{ runner.temp }}/deploy
@@ -1151,10 +1247,11 @@ jobs:
         id: ami-ebs-snapshot
         env:
             IMAGE: ${{ env.DEPLOY_PATH }}/image/balena.img
-            AWS_DEFAULT_REGION: "${{ vars.AWS_REGION || 'us-east-1' }}"
-            S3_BUCKET: "${{ vars.AWS_S3_BUCKET || vars.S3_BUCKET }}"
+            AWS_DEFAULT_REGION: "${{ needs.aws-deploy-config.outputs.aws-region }}"
+            S3_BUCKET: "${{ needs.aws-deploy-config.outputs.aws-s3-bucket }}"
             IMPORT_SNAPSHOT_TIMEOUT_MINS: 30
-            AWS_KMS_KEY_ID: ${{ vars.AWS_KMS_KEY_ID }}
+            AWS_KMS_KEY_ID: ${{ needs.aws-deploy-config.outputs.aws-kms-key-id }}
+            AWS_S3_SSE_ALGORITHM: ${{ needs.aws-deploy-config.outputs.aws-s3-sse-algorithm }}
         run: |
           # https://github.com/koalaman/shellcheck/wiki/SC2155#correct-code-1
           # Randomize to lower the chance of parallel builds colliding.
@@ -1164,7 +1261,7 @@ jobs:
           echo "* Pushing ${IMAGE} to s3://${S3_BUCKET}"
           s3_url="s3://${S3_BUCKET}/preloaded-images/${s3_key}"
           echo "s3_url=${s3_url}" >>"${GITHUB_OUTPUT}"
-          aws s3 cp --no-progress --sse AES256 "${IMAGE}" "${s3_url}"
+          aws s3 cp --no-progress --sse "${AWS_S3_SSE_ALGORITHM}" "${IMAGE}" "${s3_url}"
 
           import_task_id=$(aws ec2 import-snapshot \
             --description "snapshot-${AMI_NAME}" \
@@ -1203,9 +1300,9 @@ jobs:
         id: ami-create
         env:
           IMAGE: ${{ env.DEPLOY_PATH }}/image/balena.img
-          AWS_DEFAULT_REGION: "${{ vars.AWS_REGION || 'us-east-1' }}"
-          S3_BUCKET: "${{ vars.AWS_S3_BUCKET || vars.S3_BUCKET }}"
-          AWS_KMS_KEY_ID: ${{ vars.AWS_KMS_KEY_ID }}
+          AWS_DEFAULT_REGION: "${{ needs.aws-deploy-config.outputs.aws-region }}"
+          S3_BUCKET: "${{ needs.aws-deploy-config.outputs.aws-s3-bucket }}"
+          AWS_KMS_KEY_ID: ${{ needs.aws-deploy-config.outputs.aws-kms-key-id }}
           AMI_ARCHITECTURE: "${{ steps.ami-arch.outputs.string }}"
           AMI_SNAPSHOT_ID: "${{ steps.ami-ebs-snapshot.outputs.snapshot_id }}"
           AMI_ROOT_DEVICE_NAME: /dev/sda1
@@ -1396,7 +1493,7 @@ jobs:
       #     AWS_AMI_PUBLIC_QUOTA: 5
       #     AMI_ARCHITECTURE: "${{ steps.ami-arch.outputs.string }}"
       #     AMI_IMAGE_ID: "${{ steps.ami-test.outputs.ami_image_id }}"
-      #     AWS_DEFAULT_REGION: "${{ vars.AWS_REGION || 'us-east-1' }}"
+      #     AWS_DEFAULT_REGION: "${{ needs.aws-deploy-config.outputs.aws-region }}"
       #   run: |  
       #     # We have x86_64 and aarch64, and want one slot free for customers requests
       #     AWS_AMI_PUBLIC_ARCH_QUOTA=$(((AWS_AMI_PUBLIC_QUOTA - 1)/2))
