Fix and simplify the whole lot

balena-os · Sep 16, 2024 · 5e52b6e · 5e52b6e
1 parent 7f986b0
commit 5e52b6e
Showing 1 changed file with 15 additions and 19 deletions.
diff --git a/.github/workflows/yocto-build-deploy.yml b/.github/workflows/yocto-build-deploy.yml
@@ -433,7 +433,7 @@ jobs:
       #     BARYS_ARGUMENTS_VAR="${BARYS_ARGUMENTS_VAR} -a BB_PRESSURE_MAX_CPU=${BB_PRESSURE_MAX_CPU}"
       #     BARYS_ARGUMENTS_VAR="${BARYS_ARGUMENTS_VAR} -a BB_PRESSURE_MAX_IO=${BB_PRESSURE_MAX_IO}"
       #     BARYS_ARGUMENTS_VAR="${BARYS_ARGUMENTS_VAR} -a BB_PRESSURE_MAX_MEMORY=${BB_PRESSURE_MAX_MEMORY}"
-      #     echo "BARYS_ARGUMENTS_VAR=${BARYS_ARGUMENTS_VAR}" >>"${GITHUB_OUTPUT}"
+      #     echo "BARYS_ARGUMENTS_VAR=${BARYS_ARGUMENTS_VAR}" >>"${GITHUB_ENV}"
 
       - name: Enable signed images
         if: inputs.sign-image == true
@@ -448,7 +448,7 @@ jobs:
           BARYS_ARGUMENTS_VAR="${BARYS_ARGUMENTS_VAR} -a SIGN_GRUB_KEY_ID=${SIGN_GRUB_KEY_ID}"
           BARYS_ARGUMENTS_VAR="${BARYS_ARGUMENTS_VAR} -a SIGN_KMOD_KEY_APPEND=${SIGN_KMOD_KEY_APPEND}"
           BARYS_ARGUMENTS_VAR="${BARYS_ARGUMENTS_VAR} --bitbake-args --no-setscene"
-          echo "BARYS_ARGUMENTS_VAR=${BARYS_ARGUMENTS_VAR}" >>"${GITHUB_OUTPUT}"
+          echo "BARYS_ARGUMENTS_VAR=${BARYS_ARGUMENTS_VAR}" >>"${GITHUB_ENV}"
 
       # the directory is required even if we don't mount the NFS share
       - name: Create shared cache mount point
@@ -502,7 +502,7 @@ jobs:
           DEVICE_TYPE_SLUG: ${{ steps.balena-lib.outputs.device_slug }}
           VERSION: ${{ steps.balena-lib.outputs.os_version }}
         run: |
-          echo "DEPLOY_PATH=${{ runner.temp }}/deploy/${DEVICE_TYPE_SLUG}/${VERSION}" >>"${GITHUB_OUTPUT}"
+          echo "DEPLOY_PATH=${{ runner.temp }}/deploy/${DEVICE_TYPE_SLUG}/${VERSION}" >>"${GITHUB_ENV}"
 
       # TODO: prepare artifacts manually to replace balena_deploy_artifacts
       - name: Prepare artifacts
@@ -521,15 +521,17 @@ jobs:
         env:
           BUILD_ARTIFACTS: '${{ env.DEPLOY_PATH }}/image/balena.img ${{ env.DEPLOY_PATH }}/balena-image.docker'
         run: |
-          result="$(openssl enc -aes-256-cbc -k '${{ secrets.PBDKF2_PASSPHRASE }}' -P -pbkdf2)"
-          salt="$(echo "${result}" | sed 's/iv =/iv=/g' | tr ' ' '\n' | awk -F'=' '{print $2}' | head -n1)"
-          iv="$(echo "${result}" | sed 's/iv =/iv=/g' | tr ' ' '\n' | awk -F'=' '{print $2}' | tail -n1)"
-          key="$(echo "${result}" | sed 's/iv =/iv=/g' | tr ' ' '\n' | awk -F'=' '{print $2}' | head -n2 | tail -n1)"
-
           for artifact in ${BUILD_ARTIFACTS}; do
-              cat <"${artifact}" | openssl enc -e -aes-256-cbc -in - -out - -K "${key}" -iv "${iv}" -S "${salt}" >"${artifact}.enc"
+              cat <"${artifact}" | openssl enc -e -aes-256-cbc -k '${{ secrets.PBDKF2_PASSPHRASE }}' -pbkdf2 -iter 310000 -md sha256 -salt -in - -out - >"${artifact}.enc"
           done
-          echo "artifacts='${{ env.DEPLOY_PATH }}/image/balena.img.enc ${{ env.DEPLOY_PATH }}/balena-image.docker.enc'" >>"${GITHUB_OUTPUT}"
+
+          EOF="$(openssl rand -hex 16)"
+          {
+            echo "artifacts <<${EOF}" ;
+            echo '${{ env.DEPLOY_PATH }}/image/balena.img.enc' ;
+            echo '${{ env.DEPLOY_PATH }}/balena-image.docker.enc' ;
+            echo "${EOF}" ;
+          } >>"${GITHUB_OUTPUT}"
 
       # https://github.com/actions/upload-artifact
       # We upload only `balena.img` for use with the leviathan tests - this is the artifact that is presented to users
@@ -1138,16 +1140,10 @@ jobs:
       - name: Decrypt artifacts
         working-directory: ${{ env.WORKSPACE }}
         run: |
-          result="$(openssl enc -aes-256-cbc -k '${{ secrets.PBDKF2_PASSPHRASE }}' -P -pbkdf2)"
-          salt="$(echo "${result}" | sed 's/iv =/iv=/g' | tr ' ' '\n' | awk -F'=' '{print $2}' | head -n1)"
-          iv="$(echo "${result}" | sed 's/iv =/iv=/g' | tr ' ' '\n' | awk -F'=' '{print $2}' | tail -n1)"
-          key="$(echo "${result}" | sed 's/iv =/iv=/g' | tr ' ' '\n' | awk -F'=' '{print $2}' | head -n2 | tail -n1)"
-
           # shellcheck disable=SC2038
-          find . -type f -print0 -name '*.enc' \
-            | xargs -I{} echo {} \
-            | sed 's/\.enc//g' \
-            | xargs -I{} openssl enc -d -aes-256-cbc -in {}.enc -out {} -K "${key}" -iv "${iv}" -S "${salt}"
+          find . -type f -name '*.enc' \
+            | xargs -I{} echo {} | sed 's/\.enc//g' \
+            | xargs -I{} openssl enc -d -aes-256-cbc -k '${{ secrets.PBDKF2_PASSPHRASE }}' -pbkdf2 -iter 310000 -md sha256 -salt -in {}.enc -out {}
 
       - name: Install gzip
         run: |