balena.yml

---
name: deploy openBalena

on:
  pull_request:
    types: [opened, synchronize, closed]
    branches: [main, master]
  pull_request_target:
    types: [opened, synchronize, closed]
    branches: [main, master]

# https://docs.github.com/en/actions/security-guides/automatic-token-authentication
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
permissions:
  actions: read
  checks: read
  contents: read
  deployments: read
  id-token: write # AWS GitHub OIDC required: write
  issues: read
  discussions: read
  packages: read
  pages: read
  pull-requests: read
  repository-projects: read
  security-events: read
  statuses: read

env:
  # nested virtualisation not supported on AWS/EC2 instance types|classes other than X.metal
  AWS_EC2_INSTANCE_TYPE: c6a.2xlarge
  AWS_EC2_LAUNCH_TEMPLATE: lt-02e10a4f66261319d
  AWS_EC2_LT_VERSION: 6
  AWS_IAM_USERNAME: balena-tests-iam-User-1GXO3XP12N6LL
  AWS_VPC_SECURITY_GROUP_IDS: sg-057937f4d89d9d51c
  AWS_VPC_SUBNET_ID: 'subnet-02d18a08ea4058574 subnet-0a026eae1df907a09'
  # https://github.com/balena-io/balena-cli/issues/2447
  DEBUG: 0
  DEVICE_PROXY_TLD: balena-devices.com
  DEVICE_TYPE: generic-amd64
  # https://dash.cloudflare.com/001b3ed2352612aaa068aca1b0022736/balena-devices.com/dns
  # https://github.com/balena-io/autohat/blob/master/resources/qemu.robot#L23
  # https://github.com/balena-io-playground/balena-nested/blob/ab77/open-balena/guests.yml#L29-L32
  DNS_TLD: auto.balena-devices.com
  ENVIRONMENT: balena-cloud.com
  FLEET: balena/open-balena
  OPENBALENA_TESTS_SERVICE: balena-tests
  # spot, on-demand
  MARKET_TYPES: spot
  RELEASES: 50
  RETRY: 3
  SOCAT_VERSION: 1.7.4.4
  VARIANT: prod
  VERBOSE: 'true'

jobs:
  build-test-deploy:
    runs-on: [self-hosted, linux, X64]
    if: |
      (
        github.event.pull_request.head.repo.full_name == github.repository &&
        github.event_name == 'pull_request'
      ) || (
        github.event.pull_request.head.repo.full_name != github.repository &&
        github.event_name == 'pull_request_target'
      )
    timeout-minutes: 120
    strategy:
      fail-fast: true

    steps:
    - uses: actions/checkout@v2
      with:
        # FIXME: remove once balenaBlocks/balenaVirt is a thing
        submodules: true

    - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
      id: ephemeral
      with:
        app_id: ${{ vars.APP_ID || '291899' }}
        installation_retrieval_mode: id
        installation_retrieval_payload: ${{ vars.INSTALLATION_ID || '34046749' }}
        permissions: >-
          {
            "actions": "read",
            "contents": "read",
            "metadata": "read",
            "pull_requests": "write"
          }
        private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}

    - uses: aws-actions/configure-aws-credentials@v2
      with:
        aws-region: ${{ vars.AWS_REGION || 'us-east-1' }}
        role-session-name: github-${{ github.job }}-${{ github.run_id }}-${{ github.run_attempt }}
        # balena-io/environments-bases: aws/balenacloud/ephemeral-tests/balena-tests-iam.yml
        role-to-assume: ${{ vars.AWS_IAM_ROLE }}

    # https://github.com/pdcastro/ssh-uuid#why
    # https://github.com/pdcastro/ssh-uuid#linux-debian-ubuntu-others
    - name: install additional dependencies
      id: extra-dependencies
      shell: bash
      run: |
        set -ue
        echo '::notice::install additional dependencies'

        [[ '${{ vars.VERBOSE || 'false' }}' =~ on|On|Yes|yes|true|True ]] && set -x

        source functions

        mkdir -p "${RUNNER_TEMP}/ssh-uuid"

        wget -q -O "${RUNNER_TEMP}/ssh-uuid/ssh-uuid" https://raw.githubusercontent.com/pdcastro/ssh-uuid/master/ssh-uuid.sh \
          && chmod +x "${RUNNER_TEMP}/ssh-uuid/ssh-uuid" \
          && ln -s "${RUNNER_TEMP}/ssh-uuid/ssh-uuid" "${RUNNER_TEMP}/ssh-uuid/scp-uuid"

        with_backoff balena login --token '${{ secrets.BALENA_API_KEY }}'

        balena version

        "${RUNNER_TEMP}/ssh-uuid/scp-uuid" --help

        grep -q "${RUNNER_TEMP}/ssh-uuid" "${GITHUB_PATH}" \
          || echo "${RUNNER_TEMP}/ssh-uuid" >> "${GITHUB_PATH}"

    - name: push draft or finalise release
      timeout-minutes: 60
      id: push-release
      uses: balena-io/deploy-to-balena-action@master
      with:
        balena_token: ${{ secrets.BALENA_API_KEY }}
        cache: false
        environment: ${{ env.ENVIRONMENT }}
        fleet: ${{ env.FLEET }}
        github_token: ${{ secrets.GITHUB_TOKEN }}
        # FIXME: remove once balenaBlocks/balenaVirt is a thing
        versionbot: false
        registry_secrets: |
          {
            "ghcr.io": {
              "username": "${{ github.actor }}",
              "password": "${{ steps.ephemeral.outputs.token }}"
            },
            "docker.io": {
              "username": "${{ secrets.DOCKERHUB_USER }}",
              "password": "${{ secrets.DOCKERHUB_TOKEN }}"
            }
          }

    - name: (pre)register test device
      id: register-test-device
      if: ${{ github.event_name == 'pull_request' && github.event.action != 'closed'}}
      run: |
        set -ue

        [[ '${{ env.VERBOSE }}' =~ on|On|Yes|yes|true|True ]] && set -x

        balena login --token '${{ secrets.BALENA_API_KEY }}'

        balena_device_uuid="$(openssl rand -hex 16)"

        # https://www.balena.io/docs/learn/more/masterclasses/advanced-cli/#52-preregistering-a-device
        balena device register '${{ env.FLEET }}' --uuid "${balena_device_uuid}"

        device_id="$(balena device "${balena_device_uuid}" | grep ^ID: | cut -c20-)"

        # the actual version deployed depends on the AWS EC2/AMI, defined in AWS_EC2_LAUNCH_TEMPLATE
        os_version="$(balena os versions ${{ env.DEVICE_TYPE }} \
          | grep '${{ env.VARIANT }}' | head -n 1 | sed 's/.${{ env.VARIANT }}//g')"

        balena config generate \
          --version "${os_version}" \
          --device "${balena_device_uuid}" \
          --network ethernet \
          --appUpdatePollInterval 10 \
          --output config.json

        balena tag set balena ephemeral-test-device --device "${balena_device_uuid}"

        github_vars=(GITHUB_ACTOR GITHUB_BASE_REF GITHUB_HEAD_REF GITHUB_JOB \
          GITHUB_REF GITHUB_REF_NAME GITHUB_REF_TYPE GITHUB_REPOSITORY \
          GITHUB_REPOSITORY_OWNER GITHUB_RUN_ATTEMPT GITHUB_RUN_ID GITHUB_RUN_NUMBER \
          GITHUB_SHA GITHUB_WORKFLOW RUNNER_ARCH RUNNER_NAME RUNNER_OS)

        for github_var in "${github_vars[@]}"; do
            balena tag set ${github_var} "${!github_var}" --device "${balena_device_uuid}"
        done

        echo "balena_device_uuid=${balena_device_uuid}" >> "${GITHUB_OUTPUT}"
        echo "balena_device_id=${device_id}" >> "${GITHUB_OUTPUT}"

   # https://github.com/balena-io/balena-cli/issues/1543
    - name: pin device to draft release
      id: pin-device
      if: ${{ github.event_name == 'pull_request' && github.event.action != 'closed'}}
      run: |
        set -uae

        [[ '${{ env.VERBOSE }}' =~ on|On|Yes|yes|true|True ]] && set -x

        balena login --token '${{ secrets.BALENA_API_KEY }}'

        balena_releases="$(mktemp)"
        balena releases '${{ env.FLEET }}' | tail -n +2 | head -n ${{ env.RELEASES }} > "${balena_releases}"

        # convert to JSON to find the correct draft release id and commit
        release_id="$(while IFS=' ' read -r id commit created_at status semver is_final
        do
          printf '{"id":%s,"commit":"%s","created_at":"%s","status":"%s","semver":"%s","is_final":%s}\n' \
            "${id}" "${commit}" "${created_at}" "${status}" "${semver}" "${is_final}"
        done < "${balena_releases}" | jq -s | jq -r '.[] | select((.id==${{ steps.push-release.outputs.release_id }}) and (.is_final==false) and (.status=="success")).id')"

        commit="$(while IFS=' ' read -r id commit created_at status semver is_final
        do
          printf '{"id":%s,"commit":"%s","created_at":"%s","status":"%s","semver":"%s","is_final":%s}\n' \
            "${id}" "${commit}" "${created_at}" "${status}" "${semver}" "${is_final}"
        done < "${balena_releases}" | jq -s | jq -r '.[] | select(.id==${{ steps.push-release.outputs.release_id }}).commit')"

        if ! [ '${{ steps.register-test-device.outputs.balena_device_id }}' = '' ] \
          && ! [ "${release_id}" = '' ] \
          && ! [ "${commit}" = '' ]; then
            # pin DUT to draft release
            curl -X PATCH --silent --retry ${{ env.RETRY }} --fail -o /dev/null \
              'https://api.${{ env.ENVIRONMENT }}/v6/device?$filter=id%20in%20(${{ steps.register-test-device.outputs.balena_device_id }})' \
              -H 'authorization: Bearer ${{ secrets.BALENA_API_KEY }}' \
              -H 'content-type: application/json' \
              --data-raw "{\"should_be_running__release\":${release_id}}" \
              --compressed
        fi

        balena device ${{ steps.register-test-device.outputs.balena_device_uuid }}

        app_id="$(balena fleet ${{ env.FLEET }} | grep ^ID: | cut -c14-)"

        echo "balena_app_id=${app_id}" >> "${GITHUB_OUTPUT}"

    - name: configure test device environment
      id: configure-test-env
      if: ${{ github.event_name == 'pull_request' && github.event.action != 'closed'}}
      run: |
        set -ue

        [[ '${{ env.VERBOSE }}' =~ on|On|Yes|yes|true|True ]] && set -x

        balena login --token '${{ secrets.BALENA_API_KEY }}'

        balena env add VERBOSE '${{ env.VERBOSE }}' \
          --device '${{ steps.register-test-device.outputs.balena_device_uuid }}'

        balena env add DNS_TLD '${{ env.DNS_TLD }}' \
          --device '${{ steps.register-test-device.outputs.balena_device_uuid }}'

        balena env add MDNS_TLD '' \
          --service mdns \
          --device '${{ steps.register-test-device.outputs.balena_device_uuid }}'

        balena env add DB_HOST db \
          --service api \
          --device '${{ steps.register-test-device.outputs.balena_device_uuid }}'

        balena env add REDIS_HOST redis:6379 \
          --service api \
          --device '${{ steps.register-test-device.outputs.balena_device_uuid }}'


        # to allow devices running locally to communicate to the local API, we can route
        # to the local Docker network aliases instead of public DNS, since (a) DNS_TLD is
        # guestfwd(ed) in QEMU to a special internal IP 10.0.2.100; (b) is proxied to
        # haproxy network alias on device; and (c) made public with a wildcard DNS record
        # (e.g.)
        #
        # $ dig +short api.auto.balena-devices.com
        # 10.0.2.100
        #

        balena env add API_HOST 'api.${{ env.DNS_TLD }}' \
          --device '${{ steps.register-test-device.outputs.balena_device_uuid }}'

        # not used but required for config.json to be valid
        balena env add DELTA_HOST 'delta.${{ env.DNS_TLD }}' \
          --device '${{ steps.register-test-device.outputs.balena_device_uuid }}'

        balena env add REGISTRY2_HOST 'registry.${{ env.DNS_TLD }}' \
          --device '${{ steps.register-test-device.outputs.balena_device_uuid }}'

        balena env add VPN_HOST 'vpn.${{ env.DNS_TLD }}' \
          --device '${{ steps.register-test-device.outputs.balena_device_uuid }}'

        balena env add HOST 'api.${{ env.DNS_TLD }}' \
          --service api \
          --device '${{ steps.register-test-device.outputs.balena_device_uuid }}'

        balena env add TOKEN_AUTH_CERT_ISSUER 'api.${{ env.DNS_TLD }}' \
          --service api \
          --device '${{ steps.register-test-device.outputs.balena_device_uuid }}'

        balena env add REGISTRY2_TOKEN_AUTH_ISSUER 'api.${{ env.DNS_TLD }}' \
          --service registry \
          --device '${{ steps.register-test-device.outputs.balena_device_uuid }}'

        balena env add REGISTRY2_TOKEN_AUTH_REALM 'https://api.${{ env.DNS_TLD }}/auth/v1/token' \
          --service registry \
          --device '${{ steps.register-test-device.outputs.balena_device_uuid }}'

        balena env add REGISTRY2_S3_REGION_ENDPOINT 's3.${{ env.DNS_TLD }}' \
          --device '${{ steps.register-test-device.outputs.balena_device_uuid }}'

        balena env add PRODUCTION_MODE false \
          --device '${{ steps.register-test-device.outputs.balena_device_uuid }}'

        balena env add COMMON_REGION '${{ env.AWS_REGION }}' \
          --device '${{ steps.register-test-device.outputs.balena_device_uuid }}'

        balena env add SUPERUSER_EMAIL 'admin@${{ env.DNS_TLD }}' \
          --device '${{ steps.register-test-device.outputs.balena_device_uuid }}'

        balena env add ORG_UNIT openBalena \
          --device '${{ steps.register-test-device.outputs.balena_device_uuid }}'

    - name: configure test device secrets
      id: configure-test-secrets
      if: ${{ github.event_name == 'pull_request' && github.event.action != 'closed'}}
      run: |
        set -ue

        [[ '${{ env.VERBOSE }}' =~ on|On|Yes|yes|true|True ]] && set -x

        balena login --token '${{ secrets.BALENA_API_KEY }}'

        # cert-manager requires it to get whoami information for the user
        balena env add API_TOKEN '${{ secrets.BALENA_API_KEY }}' \
          --service cert-manager \
          --device '${{ steps.register-test-device.outputs.balena_device_uuid }}'

        # cert-manager requires is to request wildcard SSL certificate from LetsEncrypt
        balena env add CLOUDFLARE_API_TOKEN '${{ secrets.CLOUDFLARE_API_TOKEN }}' \
          --service cert-manager \
          --device '${{ steps.register-test-device.outputs.balena_device_uuid }}'

        # AWS credentials to backup/restore PKI assets
        with_backoff balena env add AWS_ACCESS_KEY_ID '${{ env.AWS_ACCESS_KEY_ID }}' \
          --service cert-manager \
          --device '${{ steps.register-test-device.outputs.balena_device_uuid }}'

        with_backoff balena env add AWS_SECRET_ACCESS_KEY '${{ env.AWS_SECRET_ACCESS_KEY }}' \
          --service cert-manager \
          --device '${{ steps.register-test-device.outputs.balena_device_uuid }}'

    - name: provision ephemeral test device
      id: provision-test-device
      if: ${{ github.event_name == 'pull_request' && github.event.action != 'closed'}}
      run: |
        set -ue

        [[ '${{ env.VERBOSE }}' =~ on|On|Yes|yes|true|True ]] && set -x

        for subnet_id in ${{ env.AWS_VPC_SUBNET_IDS }}; do
            for market_type in ${{ env.MARKET_TYPES }}; do
                # https://docs.aws.amazon.com/cli/latest/reference/ec2/run-instances.html
                response="$(aws ec2 run-instances \
                  --launch-template 'LaunchTemplateId=${{ env.AWS_EC2_LAUNCH_TEMPLATE }},Version=${{ env.AWS_EC2_LT_VERSION }}' \
                  --instance-type '${{ env.AWS_EC2_INSTANCE_TYPE }}' \
                  $([[ $market_type =~ spot ]] && echo '--instance-market-options MarketType=spot') \
                  --security-group-ids '${{ env.AWS_VPC_SECURITY_GROUP_IDS }}' \
                  --subnet-id "${subnet_id}" \
                  --associate-public-ip-address \
                  --user-data file://config.json \
                  --tag-specifications "ResourceType=instance,Tags=[{Key=Name,Value=balena-tests},{Key=MarketType,Value=${market_type}},{Key=Owner,Value=${{ env.AWS_IAM_USERNAME }}},{Key=GITHUB_SHA,Value=${GITHUB_SHA}-tests}]" || true)"

                [[ -n $response ]] && break
            done
            [[ -n $response ]] && break
        done

        [[ -z $response ]] && exit 1

        instance_id="$(echo "${response}" | jq -r '.Instances[].InstanceId')"

        aws ec2 wait instance-running --instance-ids "${instance_id}"

        aws ec2 wait instance-status-ok --instance-ids "${instance_id}"

        echo "instance_id=${instance_id}" >> "${GITHUB_OUTPUT}"

      env:
        AWS_ACCESS_KEY_ID: ${{ env.AWS_ACCESS_KEY_ID }}
        AWS_SECRET_ACCESS_KEY: ${{ env.AWS_SECRET_ACCESS_KEY }}
        AWS_DEFAULT_REGION: ${{ env.AWS_REGION }}

    - name: provision SSH key
      id: provision-ssh-key
      # wait for cloud-config
      # https://github.com/balena-os/cloud-config
      timeout-minutes: 10
      if: ${{ github.event_name == 'pull_request' && github.event.action != 'closed'}}
      run: |
        set -ue

        [[ '${{ env.VERBOSE }}' =~ on|On|Yes|yes|true|True ]] && set -x

        balena login --token '${{ secrets.BALENA_API_KEY }}'

        if ! [[ -e "${HOME}/.ssh/id_rsa" ]]; then
            ssh-keygen -N '' \
              -C "$(balena whoami | grep EMAIL | cut -c11-)" \
              -f "${HOME}/.ssh/id_rsa"
        fi

        match=''
        for key in $(balena keys | grep -v ID | awk '{print $1}'); do
            fp=$(balena key ${key} | tail -n 1 | ssh-keygen -E md5 -lf /dev/stdin | awk '{print $2}')
            if [[ $fp =~ $(ssh-keygen -E md5 -lf "${HOME}/.ssh/id_rsa" | awk '{print $2}') ]]; then
                match="${key}"
                break
            fi
        done

        if [[ -z $match ]]; then
            balena key add "${GITHUB_SHA}" "${HOME}/.ssh/id_rsa.pub"
        else
            balena keys
        fi

        pgrep ssh-agent || ssh-agent -a "${SSH_AUTH_SOCK}"

        ssh-add "${HOME}/.ssh/id_rsa"

        while ! [[ "$(ssh-uuid -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
          ${{ steps.register-test-device.outputs.balena_device_uuid }}.balena \
          cat /mnt/boot/config.json | jq -r .uuid)" =~ ${{ steps.register-test-device.outputs.balena_device_uuid }} ]]; do

            echo "::warning::Still working..."
            sleep "$(( (RANDOM % 5) + 5 ))s"
        done

        echo "key_id=${GITHUB_SHA}" >> "${GITHUB_OUTPUT}"

      env:
        SSH_AUTH_SOCK: /tmp/ssh_agent.sock

    # fall-back to QEMU software emulation when nested virtualisation is not available
    - name: create dummy kvm device
      id: nested-virtualisation-bypass
      timeout-minutes: 10
      if: ${{ github.event_name == 'pull_request' && github.event.action != 'closed'}}
      run: |
        set -ue

        [[ '${{ env.VERBOSE }}' =~ on|On|Yes|yes|true|True ]] && set -x

        source functions

        balena login --token '${{ secrets.BALENA_API_KEY }}'

        balena whoami && ssh-add -l

        with_backoff ssh-uuid -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
          ${{ steps.register-test-device.outputs.balena_device_uuid }}.balena \
          '[[ -e /dev/kvm ]] || mknod /dev/kvm b 1 1'

      env:
        SSH_AUTH_SOCK: /tmp/ssh_agent.sock

    - name: wait for application
      id: wait-application
      timeout-minutes: 30
      if: ${{ github.event_name == 'pull_request' && github.event.action != 'closed'}}
      run: |
        set -ue

        [[ '${{ env.VERBOSE }}' =~ on|On|Yes|yes|true|True ]] && set -x

        source functions

        balena login --token '${{ secrets.BALENA_API_KEY }}'

        balena whoami && ssh-add -l

        while [[ "$(curl -X POST --silent --retry ${{ env.RETRY }} --fail \
          'https://api.${{ env.ENVIRONMENT }}/supervisor/v1/device' \
          --header 'authorization: Bearer ${{ secrets.BALENA_API_KEY }}' \
          --header 'Content-Type:application/json' \
          --data '{"uuid": "${{ steps.register-test-device.outputs.balena_device_uuid }}", "method": "GET"}' \
          --compressed | jq -r '.update_pending')" =~ ^true$ ]]; do

            sleep "$(( ( RANDOM % ${{ env.RETRY }} ) + ${{ env.RETRY }} ))s"
        done

        # wait for services to start running
        while with_backoff ssh-uuid -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
          ${{ steps.register-test-device.outputs.balena_device_uuid }}.balena \
          'balena ps -q | xargs balena inspect | jq -r .[].State.Status' \
          | grep -E 'created|restarting|removing|paused|exited|dead'; do

            echo "::warning::Still working..."
            sleep "$(( (RANDOM % 30) + 30 ))s"
        done

        # wait for Docker healthchecks
        while with_backoff ssh-uuid -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
          ${{ steps.register-test-device.outputs.balena_device_uuid }}.balena \
          'balena ps -q | xargs balena inspect \
          | jq -r ".[] | select(.State.Health.Status!=null).Name + \":\" + .State.Health.Status"' \
          | grep -E ':starting|:unhealthy'; do

            echo "::warning::Still working..."
            sleep "$(( (RANDOM % 30) + 30 ))s"
        done

      env:
        SSH_AUTH_SOCK: /tmp/ssh_agent.sock

    # (TBC) https://www.balena.io/docs/reference/supervisor/docker-compose/
    # due to lack of long form depends_on support in compositions, restart to ensure all
    # components are running with the latest configuration; preferred over restart via
    # Supervisor API restart due to potential HTTP [timeouts](https://github.com/balena-os/balena-supervisor/issues/1157)
    - name: restart components
      id: restart-application
      timeout-minutes: 15
      if: ${{ github.event_name == 'pull_request' && github.event.action != 'closed'}}
      run: |
        set -ue

        [[ '${{ env.VERBOSE }}' =~ on|On|Yes|yes|true|True ]] && set -x

        source functions

        balena login --token '${{ secrets.BALENA_API_KEY }}'

        balena whoami && ssh-add -l

        with_backoff ssh-uuid -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
          ${{ steps.register-test-device.outputs.balena_device_uuid }}.balena \
          'balena ps -q | xargs balena restart || true'

        #balena device restart ${{ steps.register-test-device.outputs.balena_device_uuid }}

        # wait for Docker healthchecks
        while with_backoff ssh-uuid -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
          ${{ steps.register-test-device.outputs.balena_device_uuid }}.balena \
          'balena ps -q | xargs balena inspect \
          | jq -r ".[] | select(.State.Health.Status!=null).Name + \":\" + .State.Health.Status"' \
          | grep -vE 'resin_supervisor|balena_supervisor' \
          | grep -E ':starting|:unhealthy'; do

            echo "::warning::Still working..."
            sleep "$(( (RANDOM % 30) + 30 ))s"
        done

      env:
        SSH_AUTH_SOCK: /tmp/ssh_agent.sock

    - name: device tests
      id: device-tests
      if: ${{ github.event_name == 'pull_request' && github.event.action != 'closed'}}
      # https://giters.com/gfx/example-github-actions-with-tty
      # https://github.com/actions/runner/issues/241#issuecomment-924327172
      shell: 'script -q -e -c "bash {0}"'
      run: |
        set -ue

        [[ '${{ env.VERBOSE }}' =~ on|On|Yes|yes|true|True ]] && set -x

        source functions

        balena login --token '${{ secrets.BALENA_API_KEY }}'

        balena whoami && ssh-add -l

        while ! [[ $(curl -X POST --silent --retry ${{ env.RETRY }} --fail \
          'https://api.${{ env.ENVIRONMENT }}/supervisor/v2/applications/state' \
          --header 'authorization: Bearer ${{ secrets.BALENA_API_KEY }}' \
          --header 'Content-Type:application/json' \
          --data '{"uuid": "${{ steps.register-test-device.outputs.balena_device_uuid }}", "method": "GET"}' \
          --compressed | jq -r '.[].services."${{ env.OPENBALENA_TESTS_SERVICE }}".status') =~ Run|run ]]; do

            echo "::warning::Still working..."
            sleep "$(( ( RANDOM % ${{ env.RETRY }} ) + ${{ env.RETRY }} ))s"
        done

        # (TBC) placeholder for a complete end-to-end test suite
        with_backoff ssh-uuid -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
          --service ${{ env.OPENBALENA_TESTS_SERVICE }} \
          ${{ steps.register-test-device.outputs.balena_device_uuid }}.balena \
          '/root/run-tests.sh'

      env:
        SSH_AUTH_SOCK: /tmp/ssh_agent.sock
        ATTEMPTS: 2

    - name: remove SSH key
      if: always()
      id: remove-ssh-key
      run: |
        set -ue

        [[ '${{ env.VERBOSE }}' =~ on|On|Yes|yes|true|True ]] && set -x

        balena login --token '${{ secrets.BALENA_API_KEY }}'

        balena keys | grep ${{ steps.provision-ssh-key.outputs.key_id }} \
          | awk '{print $1}' | xargs balena key rm --yes || true

        pgrep ssh-agent && (pgrep ssh-agent | xargs kill)

        rm -f /tmp/ssh_agent.sock

    - name: destroy ephemeral test device
      if: always()
      id: destroy-test-device
      run: |
        set -ue

        [[ '${{ env.VERBOSE }}' =~ on|On|Yes|yes|true|True ]] && set -x

        balena login --token '${{ secrets.BALENA_API_KEY }}'

        aws ec2 terminate-instances \
          --instance-ids ${{ steps.provision-test-device.outputs.instance_id }} || true

        balena device rm ${{ steps.register-test-device.outputs.balena_device_uuid }} --yes || true

      env:
        AWS_ACCESS_KEY_ID: ${{ env.AWS_ACCESS_KEY_ID }}
        AWS_SECRET_ACCESS_KEY: ${{ env.AWS_SECRET_ACCESS_KEY }}
        AWS_DEFAULT_REGION: ${{ env.AWS_REGION }}

    # remove orphaned ACME DNS-01 validation records
    # https://letsencrypt.org/docs/challenge-types/#dns-01-challenge
    # FIXME: clean up older _acme-challenge.auto TXT records
    - name: cleanup-dns-records
      if: always()
      id: cloudflare-dns-cleanup
      run: |
        set -ue

        [[ '${{ env.VERBOSE }}' =~ on|On|Yes|yes|true|True ]] && set -x

        subdomain="$(echo "${DNS_TLD}" | sed "s/.${DEVICE_PROXY_TLD}//g")"
        match="${{ steps.register-test-device.outputs.balena_device_uuid }}.${subdomain}"

        zone_id="$(curl --silent --retry ${{ env.RETRY }} \
          "https://api.cloudflare.com/client/v4/zones?name=${DEVICE_PROXY_TLD}" \
          -H 'Authorization: Bearer ${{ secrets.CLOUDFLARE_API_TOKEN }}' | jq -r '.result[].id')"

        for record in "$(curl --silent --retry ${{ env.RETRY }} \
          "https://api.cloudflare.com/client/v4/zones/${zone_id}/dns_records" \
          -H 'Authorization: Bearer ${{ secrets.CLOUDFLARE_API_TOKEN }}' \
          | jq -r --arg match "${match}" '.result[] | select(((.type=="TXT") and (.name | contains($match))))' \
          | base64)"; do

            json="$(echo "${record}" | base64 -d | jq -r)"
            id="$(echo "${json}" | jq -r .id)"
            name="$(echo "${json}" | jq -r .name)"

            if [[ -n $id ]] && [[ -n $name ]]; then
                echo "::warning::Orphaned DNS record ${name} (${id})..."

                if [[ -z $DRY_RUN ]]; then
                    curl -X DELETE --silent --retry ${{ env.RETRY }} \
                      "https://api.cloudflare.com/client/v4/zones/${zone_id}/dns_records/${id}" \
                      -H 'Authorization: Bearer ${{ secrets.CLOUDFLARE_API_TOKEN }}'
                fi
            fi
        done

      env:
        DRY_RUN: true

    - name: remove registry secrets
      if: always()
      id: remove-registry-secrets
      run: |
        set -ue

        [[ '${{ env.VERBOSE }}' =~ on|On|Yes|yes|true|True ]] && set -x

        rm -f "${HOME}/.balena/secrets.json"