From 0ee1df9bc07689bb57c766a2488e371fa1d8b1e1 Mon Sep 17 00:00:00 2001
From: Malte Poll <1780588+malt3@users.noreply.github.com>
Date: Tue, 17 Oct 2023 13:26:07 +0200
Subject: [PATCH] image: use systemd-dissect from the host when calculating measurements (#2473)

* image: use systemd-dissect from the host when calculating measurements
* ci: setup bazel and nix toolchains before merging os image measurements
---
 .github/workflows/build-os-image.yml | 4 ++++
 image/measured-boot/cmd/BUILD.bazel | 11 ++++++++---
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/build-os-image.yml b/.github/workflows/build-os-image.yml
index 5f9dcb1616..8bbdeafe63 100644
--- a/.github/workflows/build-os-image.yml
+++ b/.github/workflows/build-os-image.yml
@@ -545,6 +545,10 @@ jobs:
 with:
 ref: ${{ inputs.ref || github.head_ref }}

+ - uses: ./.github/actions/setup_bazel_nix
+ with:
+ useCache: "false"
+
 - name: Download measurements
 uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
 with:
diff --git a/image/measured-boot/cmd/BUILD.bazel b/image/measured-boot/cmd/BUILD.bazel
index f2245c0258..0afb9de86f 100644
--- a/image/measured-boot/cmd/BUILD.bazel
+++ b/image/measured-boot/cmd/BUILD.bazel
@@ -21,8 +21,13 @@ go_binary(
 ],
 embed = [":cmd_lib"],
 # keep
- env = {
- "DISSECT_TOOLCHAIN": "$(rootpath @systemd//:bin/systemd-dissect)",
- },
+ # TODO(malt3): The commented out env variable
+ # means we are using `systemd-dissect` from the host.
+ # `systemd-dissect` from nixpkgs breaks GitHub actions runners
+ # for unknown reasons.
+ # Fix this.
+ # env = {
+ # "DISSECT_TOOLCHAIN": "$(rootpath @systemd//:bin/systemd-dissect)",
+ # },
 visibility = ["//visibility:public"],
 )
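Review bot: The added `./.github/actions/setup_bazel_nix` step is a local action, so it runs whatever version of that action the checkout just above produced with `ref: ${{ inputs.ref || github.head_ref }}`. The neighbouring `actions/download-artifact`, by contrast, is pinned to a commit SHA. Whether this job holds write permissions or signing material is not visible in the hunk; if it does, the toolchain setup is only as trusted as the ref being built, which is worth confirming for manually dispatched runs. Neither the reason for the step nor for `useCache: "false"` is stated in the file, so I would add a comment such as `# bazel/nix toolchains are required by the measurement merge below; cache intentionally disabled`. The job definition starts and continues outside the hunk.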
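Review bot: With `DISSECT_TOOLCHAIN` commented out in `go_binary(`, the expected measured-boot values are computed with whatever `systemd-dissect` the build host provides, so the tool that feeds the attestation reference values is no longer pinned by the build. The fallback itself is outside this hunk (presumably a PATH lookup in the Go command), so a missing or different-version host binary could change or break the measurements with no visible signal. The TODO should name a tracking issue and state the consequence, for example `# SECURITY: measurements depend on the unpinned host systemd-dissect; see <tracking-issue>`. The measurement job should also log the resolved binary path and the output of `systemd-dissect --version`, so drift between runners is detectable. The rule starts before the hunk, so whether `@systemd//:bin/systemd-dissect` is still listed as a data dependency cannot be checked here.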