[skip-changelog] Updated translation files (#2757) #94
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Source: https://github.com/arduino/tooling-project-assets/blob/main/workflow-templates/release-go-task.md | |
| name: Release | |
| env: | |
| # As defined by the Taskfile's PROJECT_NAME variable | |
| PROJECT_NAME: arduino-cli | |
| # As defined by the Taskfile's DIST_DIR variable | |
| DIST_DIR: dist | |
| # The project's folder on Arduino's download server for uploading builds | |
| AWS_PLUGIN_TARGET: /arduino-cli/ | |
| AWS_REGION: "us-east-1" | |
| ARTIFACT_NAME: dist | |
| on: | |
| push: | |
| tags: | |
| - "v[0-9]+.[0-9]+.[0-9]+*" | |
| jobs: | |
| create-release-artifacts: | |
| outputs: | |
| version: ${{ steps.get-version.outputs.version }} | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| os: | |
| - Windows_32bit | |
| - Windows_64bit | |
| - Linux_32bit | |
| - Linux_64bit | |
| - Linux_ARMv6 | |
| - Linux_ARMv7 | |
| - Linux_ARM64 | |
| - macOS_64bit | |
| - macOS_ARM64 | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Create changelog | |
| # Avoid creating the same changelog for each os | |
| if: matrix.os == 'Windows_32bit' | |
| uses: arduino/create-changelog@v1 | |
| with: | |
| tag-regex: '^v[0-9]+\.[0-9]+\.[0-9]+.*$' | |
| filter-regex: '^\[(skip|changelog)[ ,-](skip|changelog)\].*' | |
| case-insensitive-regex: true | |
| changelog-file-path: "${{ env.DIST_DIR }}/CHANGELOG.md" | |
| - name: Install Task | |
| uses: arduino/setup-task@v2 | |
| with: | |
| repo-token: ${{ secrets.GITHUB_TOKEN }} | |
| version: 3.x | |
| - name: Build | |
| run: task dist:${{ matrix.os }} | |
| - name: Output Version | |
| id: get-version | |
| run: echo "version=$(task general:get-version)" >> $GITHUB_OUTPUT | |
| - name: Upload artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| if-no-files-found: error | |
| name: ${{ env.ARTIFACT_NAME }}-${{ matrix.os }} | |
| path: ${{ env.DIST_DIR }} | |
| notarize-macos: | |
| name: Notarize ${{ matrix.artifact.name }} | |
| runs-on: macos-latest | |
| needs: create-release-artifacts | |
| env: | |
| GON_CONFIG_PATH: gon.config.hcl | |
| strategy: | |
| matrix: | |
| artifact: | |
| - artifact-suffix: macOS_64bit | |
| name: darwin_amd64 | |
| path: "macOS_64bit.tar.gz" | |
| - artifact-suffix: macOS_ARM64 | |
| name: darwin_arm64 | |
| path: "macOS_ARM64.tar.gz" | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Download artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: ${{ env.ARTIFACT_NAME }}-${{ matrix.artifact.artifact-suffix }} | |
| path: ${{ env.DIST_DIR }} | |
| - name: Remove non-notarized artifact | |
| uses: geekyeggo/delete-artifact@v5 | |
| with: | |
| name: ${{ env.ARTIFACT_NAME }}-${{ matrix.artifact.artifact-suffix }} | |
| - name: Import Code-Signing Certificates | |
| env: | |
| KEYCHAIN: "sign.keychain" | |
| INSTALLER_CERT_MAC_PATH: "/tmp/ArduinoCerts2020.p12" | |
| KEYCHAIN_PASSWORD: keychainpassword # Arbitrary password for a keychain that exists only for the duration of the job, so not secret | |
| run: | | |
| echo "${{ secrets.INSTALLER_CERT_MAC_P12 }}" | base64 --decode > "${{ env.INSTALLER_CERT_MAC_PATH }}" | |
| security create-keychain -p "${{ env.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}" | |
| security default-keychain -s "${{ env.KEYCHAIN }}" | |
| security unlock-keychain -p "${{ env.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}" | |
| security import \ | |
| "${{ env.INSTALLER_CERT_MAC_PATH }}" \ | |
| -k "${{ env.KEYCHAIN }}" \ | |
| -f pkcs12 \ | |
| -A \ | |
| -T "/usr/bin/codesign" \ | |
| -P "${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}" | |
| security set-key-partition-list \ | |
| -S apple-tool:,apple: \ | |
| -s \ | |
| -k "${{ env.KEYCHAIN_PASSWORD }}" \ | |
| "${{ env.KEYCHAIN }}" | |
| - name: Install gon for code signing and app notarization | |
| run: | | |
| wget -q https://github.com/Bearer/gon/releases/download/v0.0.27/gon_macos.zip | |
| unzip gon_macos.zip -d /usr/local/bin | |
| - name: Write gon config to file | |
| # gon does not allow env variables in config file (https://github.com/mitchellh/gon/issues/20) | |
| run: | | |
| cat > "${{ env.GON_CONFIG_PATH }}" <<EOF | |
| # See: https://github.com/Bearer/gon#configuration-file | |
| source = ["dist/arduino-cli_osx_${{ matrix.artifact.name }}/arduino-cli"] | |
| bundle_id = "cc.arduino.arduino-cli" | |
| sign { | |
| application_identity = "Developer ID Application: ARDUINO SA (7KT7ZWMCJT)" | |
| } | |
| # Ask Gon for zip output to force notarization process to take place. | |
| # The CI will ignore the zip output, using the signed binary only. | |
| zip { | |
| output_path = "unused.zip" | |
| } | |
| EOF | |
| - name: Sign and notarize binary | |
| env: | |
| AC_USERNAME: ${{ secrets.AC_USERNAME }} | |
| AC_PASSWORD: ${{ secrets.AC_PASSWORD }} | |
| AC_PROVIDER: ${{ secrets.AC_PROVIDER }} | |
| run: | | |
| gon "${{ env.GON_CONFIG_PATH }}" | |
| - name: Re-package binary | |
| working-directory: ${{ env.DIST_DIR }} | |
| # Repackage the signed binary replaced in place by Gon (ignoring the output zip file) | |
| run: | | |
| # GitHub's upload/download-artifact actions don't preserve file permissions, | |
| # so we need to add execution permission back until the action is made to do this. | |
| chmod +x "${{ env.PROJECT_NAME }}_osx_${{ matrix.artifact.name }}/${{ env.PROJECT_NAME }}" | |
| TAG=${{ needs.create-release-artifacts.outputs.version }} | |
| PACKAGE_FILENAME="${{ env.PROJECT_NAME }}_${TAG}_${{ matrix.artifact.path }}" | |
| tar -czvf "$PACKAGE_FILENAME" \ | |
| -C "${{ env.PROJECT_NAME }}_osx_${{ matrix.artifact.name }}/" "${{ env.PROJECT_NAME }}" \ | |
| -C ../../ LICENSE.txt | |
| echo "PACKAGE_FILENAME=$PACKAGE_FILENAME" >> $GITHUB_ENV | |
| - name: Upload notarized artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| if-no-files-found: error | |
| name: ${{ env.ARTIFACT_NAME }}-${{ matrix.artifact.artifact-suffix }} | |
| path: ${{ env.DIST_DIR }}/${{ env.PACKAGE_FILENAME }} | |
| create-windows-installer: | |
| runs-on: windows-sign-pc | |
| needs: create-release-artifacts | |
| defaults: | |
| run: | |
| shell: bash | |
| env: | |
| INSTALLER_CERT_WINDOWS_CER: "/tmp/cert.cer" | |
| # We are hardcoding the path for signtool because is not present on the windows PATH env var by default. | |
| # Keep in mind that this path could change when upgrading to a new runner version | |
| SIGNTOOL_PATH: "C:/Program Files (x86)/Windows Kits/10/bin/10.0.19041.0/x86/signtool.exe" | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Download artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: ${{ env.ARTIFACT_NAME }}-Windows_64bit | |
| path: ${{ env.DIST_DIR }} | |
| - name: Prepare PATH | |
| uses: microsoft/setup-msbuild@v2 | |
| - name: Build MSI | |
| id: buildmsi | |
| run: | | |
| TAG=${{ needs.create-release-artifacts.outputs.version }} | |
| WIX_TAG="${TAG%%-*}" # removes "-rc*" since wix is not happy with it, this only affects RCs builds (error CNDL0108) | |
| PACKAGE_FILENAME="${{ env.PROJECT_NAME }}_${TAG}_Windows_64bit" | |
| SOURCE_DIR="${GITHUB_WORKSPACE}/${{ env.DIST_DIR }}/${{ env.PROJECT_NAME }}_windows_amd64/" | |
| MSBuild.exe ./installer/cli.wixproj -p:SourceDir="$SOURCE_DIR" -p:OutputPath="${GITHUB_WORKSPACE}/${{ env.DIST_DIR }}" -p:OutputName="$PACKAGE_FILENAME" -p:ProductVersion="$WIX_TAG" | |
| - name: Save Win signing certificate to file | |
| run: echo "${{ secrets.INSTALLER_CERT_WINDOWS_CER }}" | base64 --decode > ${{ env.INSTALLER_CERT_WINDOWS_CER}} | |
| - name: Sign MSI | |
| env: | |
| MSI_FILE: ${{ steps.buildmsi.outputs.msi }} # this comes from .installer/cli.wixproj | |
| CERT_PASSWORD: ${{ secrets.INSTALLER_CERT_WINDOWS_PASSWORD }} | |
| CONTAINER_NAME: ${{ secrets.INSTALLER_CERT_WINDOWS_CONTAINER }} | |
| # https://stackoverflow.com/questions/17927895/automate-extended-validation-ev-code-signing-with-safenet-etoken | |
| run: | | |
| "${{ env.SIGNTOOL_PATH }}" sign -d "Arduino CLI" -f ${{ env.INSTALLER_CERT_WINDOWS_CER}} -csp "eToken Base Cryptographic Provider" -k "[{{${{ env.CERT_PASSWORD }}}}]=${{ env.CONTAINER_NAME }}" -fd sha256 -tr http://timestamp.digicert.com -td SHA256 -v "${{ env.MSI_FILE }}" | |
| - name: Upload artifacts | |
| uses: actions/upload-artifact@v4 | |
| env: | |
| MSI_FILE: ${{ steps.buildmsi.outputs.msi }} | |
| with: | |
| if-no-files-found: error | |
| name: ${{ env.ARTIFACT_NAME }}-windows-installer | |
| path: ${{ env.MSI_FILE }} | |
| create-release: | |
| runs-on: ubuntu-latest | |
| environment: production | |
| needs: | |
| - create-release-artifacts | |
| - notarize-macos | |
| - create-windows-installer | |
| permissions: | |
| contents: write | |
| id-token: write # This is required for requesting the JWT | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Download artifact | |
| uses: actions/download-artifact@v4 | |
| with: | |
| pattern: ${{ env.ARTIFACT_NAME }}-* | |
| merge-multiple: true | |
| path: ${{ env.DIST_DIR }} | |
| - name: Install Task | |
| uses: arduino/setup-task@v2 | |
| with: | |
| repo-token: ${{ secrets.GITHUB_TOKEN }} | |
| version: 3.x | |
| - name: Install buf | |
| uses: bufbuild/buf-action@v1 | |
| with: | |
| setup_only: true | |
| - name: Collect proto files | |
| run: task protoc:collect | |
| - name: Add configuration JSON schema | |
| run: task dist:jsonschema | |
| - name: Create checksum file | |
| working-directory: ${{ env.DIST_DIR }} | |
| run: | | |
| TAG=${{ needs.create-release-artifacts.outputs.version }} | |
| sha256sum ${{ env.PROJECT_NAME }}_${TAG}* > ${TAG}-checksums.txt | |
| - name: Identify Prerelease | |
| # This is a workaround while waiting for create-release action | |
| # to implement auto pre-release based on tag | |
| id: prerelease | |
| run: | | |
| wget -q -P /tmp https://github.com/fsaintjacques/semver-tool/archive/3.0.0.zip | |
| unzip -p /tmp/3.0.0.zip semver-tool-3.0.0/src/semver >/tmp/semver && chmod +x /tmp/semver | |
| if [[ "$(/tmp/semver get prerel ${{ needs.create-release-artifacts.outputs.version }} )" ]]; then echo "IS_PRE=true" >> $GITHUB_OUTPUT; fi | |
| - name: Create Github Release and upload artifacts | |
| uses: ncipollo/release-action@v1 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| bodyFile: ${{ env.DIST_DIR }}/CHANGELOG.md | |
| draft: false | |
| prerelease: ${{ steps.prerelease.outputs.IS_PRE }} | |
| # NOTE: "Artifact is a directory" warnings are expected and don't indicate a problem | |
| # (all the files we need are in the DIST_DIR root) | |
| artifacts: ${{ env.DIST_DIR }}/* | |
| - name: configure aws credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }} | |
| role-session-name: "github_${{ env.PROJECT_NAME }}" | |
| aws-region: ${{ env.AWS_REGION }} | |
| - name: Upload release files on Arduino downloads servers | |
| run: aws s3 sync ${{ env.DIST_DIR }} s3://${{ secrets.DOWNLOADS_BUCKET }}${{ env.AWS_PLUGIN_TARGET }} |