au-ts · midnightveil · Apr 16, 2026 · Apr 16, 2026 · Apr 16, 2026 · Ivan-Velickovic
diff --git a/.github/setup_ssh_key.sh b/.github/setup_ssh_key.sh
@@ -0,0 +1,37 @@
+#!/bin/bash
+# Copyright 2025, UNSW
+# SPDX-License-Identifier: BSD-2-Clause
+
+set -e
+
+mkdir -p ~/.ssh
+
+cat >> ~/.ssh/known_hosts <<\EOF
+login.trustworthy.systems ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBD111xPT6mKt1s+wJvXIGwUXaebbM/B1GE7ztMUgKBqySbO/5AXXFUr/xflvSluH3lYG5tTpGwPYbJyHOmnJGLY=
+login.trustworthy.systems ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCYZpsSbQVXO1FUK/OLYsHZm8nceROnrb/pOPoZOJjeOesE5JtL0g2c8AXWp8mEJ/8eWCUXD/iVDQs2FN9MGanh1ZgzmU6OyyE050W31owcMEX8pK8PVsHKZCal2YFKBzh5gbTKmFw7cNweXRdu49V9M8K8rc5We3TGU8NVx6c6UTOtZ/jg47t0GNukt7EKeMKlJKjxnaE32ECYhSYAmJ0u1tZQFIYP4Cz8vXcBdujdo2+7OMs5tBDhGFufITg6OQDgBFLEgRmKZCLV+17Qxop/Cp4S/BmGPpid4PfRDpTW9ccYdiuymjmoJpXY6QB+bH++gnQhxOpdfM8vKjJDxsOyUNqh0H20uIn/er6gGIdbLqS1nI/DtmGmbSfRVXBuNKxQMxcBh45MEYxrQp51p9kW/eN5/2YdFYDNSw7/fagfiwmjcKUvsiySeRXZzGu5fRHqZktKXGCFeuA6O4uXx/kqshLdGJ6X0d1Kl4v02S7Jh0pcA8i146/1he1+D4FLpb8=
+login.trustworthy.systems ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINn1vg1dwyMuDFVWdUqoIRmOHv9FdbCZ4q+0zDY/xTJN
+login.trustworthy.systems ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDSzWm9H9EKxcinJs8qwBP3U89DBAB+aO+0zb30gynjdnTKpoCMh58LFxzWWs3bM6liNQKj2FJ7Bpog1N7qExxB3dwo34xQ1Nt4YYSE8TIgfjHGmcvo81F8mElNJYH8d7r1iFsVQcjrnhUzapMyeSIL5UtAVHcJmxKNLjgUOeP6YrAE8q6e0Ods1dLS0p3K4IA1LMz57gTdeZfld3GJ/LPg/6D7LEcxkPX+KG15Y7J/zc1uE0GuPFfLYY16rCcbY0ezhqqqgCig/PIQPqc12g6m+n2WkSjMDv6XycyedoCORKySfOCCBkmI8BkTmoO7Nlm/tQ8UbGDH+6o5CiP5WjEDvbf6Gm9gBANemfxP6Nkyhf+0HrBTXSKjSYVXe99q6YZOG2TvUiDsR8Y7cdWDukbge2AdSy7aRRGPnKPWk2HkFBXahpHQm/wFft/1DZaurX/Vee2GlsFXCGkog0vWi2COvWcGFTIMPwcSyuoLTc5exoy5zF3tcDsPWagkLSxBxbU=
+login.trustworthy.systems ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCRA/W8LVxLFjzPvijygdSw+rPW/EQEG8WoUVcTm5dYXDIhCc0Zxibd19zPb1LQpE2/Ohe+I16iC5glpmFyDfrs=
+login.trustworthy.systems ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPYp/3vDMDnHnjtqt5Oqievgz04g/LJ4yEKOlXCu9Yux
+tftp.keg.cse.unsw.edu.au ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEj7X6doSoop91gTvBD7L4O7VGwCO5pLNsu5YAGS1L64MJqo+3wTYgFRdMWTM0hL3YN+1sSabJPICJzKk0EJxkg=
+EOF
+
+cat >> ~/.ssh/config <<EOF
+Host *
+  ServerAliveInterval 30
+  ControlMaster auto
+  ControlPath ~/.ssh/%r@%h:%p-${GITHUB_RUN_ID}-${GITHUB_JOB}-${INPUT_INDEX}
+  ControlPersist 15
+
+Host ts
+  Hostname login.trustworthy.systems
+  User ts_ci
+
+Host tftp.keg.cse.unsw.edu.au
+  User ts_ci
+  ProxyJump ts
+
+EOF
+
+echo "${MACHINE_QUEUE_KEY}" > ~/.ssh/id_ed25519
+chmod 600 ~/.ssh/id_ed25519
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -6,8 +6,16 @@ name: CI
 
 on:
   pull_request:
+    types: [synchronize, labeled]
   push:
     branches: [ "main" ]
+  schedule:
+    # 19.37 AEST on a Friday weekly
+    # i.e. 07.37 UTC on Friday weekly.
+    # This is a random time as GitHub suggests non-hour-aligned times as their
+    # runners are busier at that time, and it has been scheduled to avoid
+    # conflicts with humans trying to use the boards.
+    - cron: '37 7 * * 4'
 
 env:
   MICROKIT_VERSION: 2.2.0
@@ -21,15 +29,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
       - name: Install Nix
         uses: cachix/install-nix-action@v31
       - name: Create nix-shell and build PDF
         run: |
           cd docs
           nix develop .#docs --ignore-environment -c bash -c 'pandoc MANUAL.md -o MANUAL.pdf'
       - name: Upload manual PDF
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: MANUAL
           path: docs/MANUAL.pdf
@@ -38,7 +46,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           submodules: 'true'
       - name: Download Microkit SDK
@@ -71,7 +79,7 @@ jobs:
     runs-on: macos-14
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           submodules: 'true'
       - name: Download Microkit SDK
@@ -104,7 +112,7 @@ jobs:
     runs-on: [self-hosted, Linux, X64]
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           submodules: 'true'
       - name: Setup systems-ci
@@ -134,7 +142,7 @@ jobs:
     needs: build_linux_x86_64_nix
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           submodules: true
       - name: Install dependencies (via apt)
@@ -144,7 +152,7 @@ jobs:
       - name: Setup systems-ci
         uses: au-ts/systems-ci@main
       - name: Download images
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v8
         with:
           name: loader-images
           path: ci_build
@@ -154,8 +162,59 @@ jobs:
           exec ./ci/run.py --only-qemu
       - name: Archive logs
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: ci-logs-qemu
           path: ci_logs
           if-no-files-found: error
+
+  run_hardware:
+    name: Run (hardware)
+    runs-on: ubuntu-latest
+    if: ${{ github.repository_owner == 'au-ts' &&
+              (
+                (github.event_name == 'schedule') ||
+                (github.event_name == 'pull_request' &&
+                  (
+                    (github.event.action != 'labeled' && contains(github.event.pull_request.labels.*.name, 'hardware-test')) ||
+                    (github.event.action == 'labeled' && github.event.label.name == 'hardware-test')
+                  )
+                )
+              )
+         }}
+    needs: build_linux_x86_64_nix
+    concurrency:
+      group: ${{ github.workflow }}-sddf-hardware-tests-${{ github.event.number }}-${{ strategy.job-index }}
+      cancel-in-progress: true
+    steps:
+      - name: Checkout sDDF repository
+        uses: actions/checkout@v6
+      - name: Get machine queue
+        uses: actions/checkout@v6
+        with:
+          repository: seL4/machine_queue
+          path: machine_queue
+      - name: Download images
+        uses: actions/download-artifact@v8
+        with:
+          name: loader-images
+          path: ci_build
+      - name: Setup systems-ci
+        uses: au-ts/systems-ci@main
+      - name: Setup machine queue SSH key
+        run: .github/setup_ssh_key.sh
+        env:
+          MACHINE_QUEUE_KEY: ${{ secrets.MACHINE_QUEUE_KEY }}
+      - name: Run tests
+        run: |
+          export PATH="$(pwd)/machine_queue":$PATH
+          # GitHub Actions is broken
+          # https://github.com/ringerc/github-actions-signal-handling-demo#why-child-process-tasks-dont-get-a-chance-to-clean-up-on-job-cancel
+          exec ./ci/run.py --no-only-qemu
+      - name: Archive logs
+        if: always()
+        uses: actions/upload-artifact@v7
+        with:
+          name: ci-logs-hardware
+          path: ci_logs
+          if-no-files-found: error