diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml deleted file mode 100644 index ce0daaf9f77..00000000000 --- a/.github/workflows/nightly.yaml +++ /dev/null 
@@ -1,132 +0,0 @@ -name: nightly - -on: - schedule: - # run every day at 1AM - - cron: "0 1 * * *" - -jobs: - create-nightly-artifacts: - # This workflow is only of value to the arduino/arduino-cli repository and - # would always fail in forks - if: github.repository == 'arduino/arduino-cli' - runs-on: ubuntu-latest - - steps: - - name: checkout - uses: actions/checkout@v1 - with: - fetch-depth: 0 - - - name: Install Taskfile - uses: arduino/setup-task@v1 - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - version: 3.x - - - name: Build - env: - NIGHTLY: true - run: task dist:all - - - name: Upload artifacts - uses: actions/upload-artifact@v2 - with: - name: dist - path: dist - - notarize-macos: - runs-on: macos-latest - needs: create-nightly-artifacts - - steps: - - name: Checkout - uses: actions/checkout@v2 - - - name: Download artifacts - uses: actions/download-artifact@v2 - with: - name: dist - # to ensure compatibility with v1 - path: dist - - - name: Import Code-Signing Certificates - env: - KEYCHAIN: "sign.keychain" - INSTALLER_CERT_MAC_PATH: "/tmp/ArduinoCerts2020.p12" - run: | - echo "${{ secrets.INSTALLER_CERT_MAC_P12 }}" | base64 --decode > "${{ env.INSTALLER_CERT_MAC_PATH }}" - security create-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}" - security default-keychain -s "${{ env.KEYCHAIN }}" - security unlock-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}" - security import "${{ env.INSTALLER_CERT_MAC_PATH }}" -k "${{ env.KEYCHAIN }}" -f pkcs12 -A -T /usr/bin/codesign -P "${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}" - security set-key-partition-list -S apple-tool:,apple: -s -k "${{ secrets.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}" - - - name: Install gon for code signing and app notarization - run: | - wget -q https://github.com/mitchellh/gon/releases/download/v0.2.3/gon_macos.zip - unzip gon_macos.zip -d /usr/local/bin - - - name: Sign and notarize binary - env: - AC_USERNAME: ${{ secrets.AC_USERNAME }} - 
AC_PASSWORD: ${{ secrets.AC_PASSWORD }} - run: | - gon gon.config.hcl - - - name: Re-package binary and update checksum - # This step performs the following: - # 1. Repackage the signed binary replaced in place by Gon (ignoring the output zip file) - # 2. Recalculate package checksum and replace it in the nnnnnn-checksums.txt file - run: | - # GitHub's upload/download-artifact@v1 actions don't preserve file permissions, - # so we need to add execution permission back until @v2 actions are released. - chmod +x dist/arduino-cli_osx_darwin_amd64/arduino-cli - PACKAGE_FILENAME="$(basename dist/arduino-cli_${{ github.workflow }}-*_macOS_64bit.tar.gz)" - tar -czvf "dist/$PACKAGE_FILENAME" \ - -C dist/arduino-cli_osx_darwin_amd64/ arduino-cli \ - -C ../../ LICENSE.txt - CLI_CHECKSUM="$(shasum -a 256 "dist/$PACKAGE_FILENAME" | cut -d " " -f 1)" - perl -pi -w -e "s/.*${PACKAGE_FILENAME}/${CLI_CHECKSUM} ${PACKAGE_FILENAME}/g;" dist/*-checksums.txt - - - name: Upload artifacts - uses: actions/upload-artifact@v2 - with: - name: dist - path: dist - - publish-nightly: - runs-on: ubuntu-latest - needs: notarize-macos - - steps: - - name: Download artifact - uses: actions/download-artifact@v2 - with: - name: dist - # to ensure compatibility with v1 - path: dist - - - name: upload - uses: docker://plugins/s3 - env: - PLUGIN_SOURCE: "dist/*" - PLUGIN_TARGET: "/arduino-cli/nightly" - PLUGIN_STRIP_PREFIX: "dist/" - PLUGIN_BUCKET: ${{ secrets.DOWNLOADS_BUCKET }} - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - - - name: Report failure - if: failure() - uses: masci/datadog@v1 - with: - api-key: ${{ secrets.DD_API_KEY }} - events: | - - title: "Arduino CLI nighly build failed" - text: "Nightly build worfklow has failed" - alert_type: "error" - host: ${{ github.repository }} - tags: - - "project:arduino-cli" - - "workflow:${{ github.workflow }}" 
diff --git a/.github/workflows/publish-go-nightly-task.yml b/.github/workflows/publish-go-nightly-task.yml new file mode 100644 index 00000000000..075654ceedd --- /dev/null +++ b/.github/workflows/publish-go-nightly-task.yml 
@@ -0,0 +1,156 @@ +# Source: https://github.com/arduino/tooling-project-assets/blob/main/workflow-templates/publish-go-nightly-task.md +name: Publish Nightly Build + +env: + # As defined by the Taskfile's PROJECT_NAME variable + PROJECT_NAME: arduino-cli + # As defined by the Taskfile's DIST_DIR variable + DIST_DIR: dist + # The project's folder on Arduino's download server for uploading builds + AWS_PLUGIN_TARGET: /arduino-cli/ + ARTIFACT_NAME: dist + +# See: https://docs.github.com/en/actions/reference/events-that-trigger-workflows +on: + schedule: + # run every day at 1AM + - cron: "0 1 * * *" + workflow_dispatch: + repository_dispatch: + +jobs: + create-nightly-artifacts: + runs-on: ubuntu-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v2 + + - name: Install Task + uses: arduino/setup-task@v1 + with: + repo-token: ${{ secrets.GITHUB_TOKEN }} + version: 3.x + + - name: Build + env: + NIGHTLY: true + run: task dist:all + + - name: Upload artifacts + uses: actions/upload-artifact@v2 + with: + if-no-files-found: error + name: ${{ env.ARTIFACT_NAME }} + path: ${{ env.DIST_DIR }} + + notarize-macos: + runs-on: macos-latest + needs: create-nightly-artifacts + + steps: + - name: Checkout repository + uses: actions/checkout@v2 + + - name: Download artifacts + uses: actions/download-artifact@v2 + with: + name: ${{ env.ARTIFACT_NAME }} + path: ${{ env.DIST_DIR }} + + - name: Import Code-Signing Certificates + env: + KEYCHAIN: "sign.keychain" + INSTALLER_CERT_MAC_PATH: "/tmp/ArduinoCerts2020.p12" + KEYCHAIN_PASSWORD: keychainpassword # Arbitrary password for a keychain that exists only for the duration of the job, so not secret + run: | + echo "${{ secrets.INSTALLER_CERT_MAC_P12 }}" | base64 --decode > "${{ env.INSTALLER_CERT_MAC_PATH }}" + security create-keychain -p "${{ env.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}" + security default-keychain -s "${{ env.KEYCHAIN }}" + security unlock-keychain -p "${{ env.KEYCHAIN_PASSWORD }}" "${{ 
env.KEYCHAIN }}" + security import \ + "${{ env.INSTALLER_CERT_MAC_PATH }}" \ + -k "${{ env.KEYCHAIN }}" \ + -f pkcs12 \ + -A \ + -T /usr/bin/codesign \ + -P "${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}" + security set-key-partition-list \ + -S apple-tool:,apple: \ + -s \ + -k "${{ env.KEYCHAIN_PASSWORD }}" \ + "${{ env.KEYCHAIN }}" + + - name: Install gon for code signing and app notarization + run: | + wget -q https://github.com/mitchellh/gon/releases/download/v0.2.3/gon_macos.zip + unzip gon_macos.zip -d /usr/local/bin + + - name: Sign and notarize binary + env: + AC_USERNAME: ${{ secrets.AC_USERNAME }} + AC_PASSWORD: ${{ secrets.AC_PASSWORD }} + run: | + gon gon.config.hcl + + - name: Re-package binary and update checksum + # This step performs the following: + # 1. Repackage the signed binary replaced in place by Gon (ignoring the output zip file) + # 2. Recalculate package checksum and replace it in the nnnnnn-checksums.txt file + run: | + # GitHub's upload/download-artifact@v2 actions don't preserve file permissions, + # so we need to add execution permission back until the action is made to do this. 
+ chmod +x "${{ env.DIST_DIR }}/${{ env.PROJECT_NAME }}_osx_darwin_amd64/${{ env.PROJECT_NAME }}" + PACKAGE_FILENAME="$(basename ${{ env.DIST_DIR }}/${{ env.PROJECT_NAME }}_nightly-*_macOS_64bit.tar.gz)" + tar -czvf "${{ env.DIST_DIR }}/$PACKAGE_FILENAME" \ + -C "${{ env.DIST_DIR }}/${{ env.PROJECT_NAME }}_osx_darwin_amd64/" "${{ env.PROJECT_NAME }}" \ + -C ../../ LICENSE.txt + CHECKSUM="$(shasum -a 256 ${{ env.DIST_DIR }}/$PACKAGE_FILENAME | cut -d " " -f 1)" + perl -pi -w -e "s/.*${PACKAGE_FILENAME}/${CHECKSUM} ${PACKAGE_FILENAME}/g;" ${{ env.DIST_DIR }}/*-checksums.txt + + - name: Upload artifacts + uses: actions/upload-artifact@v2 + with: + if-no-files-found: error + name: ${{ env.ARTIFACT_NAME }} + path: ${{ env.DIST_DIR }} + + publish-nightly: + runs-on: ubuntu-latest + needs: notarize-macos + + steps: + - name: Download artifact + uses: actions/download-artifact@v2 + with: + name: ${{ env.ARTIFACT_NAME }} + path: ${{ env.DIST_DIR }} + + - name: Upload release files on Arduino downloads servers + uses: docker://plugins/s3 + env: + PLUGIN_SOURCE: "${{ env.DIST_DIR }}/*" + PLUGIN_TARGET: "${{ env.AWS_PLUGIN_TARGET }}nightly" + PLUGIN_STRIP_PREFIX: "${{ env.DIST_DIR }}/" + PLUGIN_BUCKET: ${{ secrets.DOWNLOADS_BUCKET }} + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + + report: + runs-on: ubuntu-latest + needs: publish-nightly + if: failure() # Run if publish-nightly or any of its job dependencies failed + + steps: + - name: Report failure + uses: masci/datadog@v1 + with: + api-key: ${{ secrets.DD_API_KEY }} + events: | + - title: "${{ env.PROJECT_NAME }} nightly build failed" + text: "Nightly build workflow has failed" + alert_type: "error" + host: ${{ github.repository }} + tags: + - "project:${{ env.PROJECT_NAME }}" + - "workflow:${{ github.workflow }}" diff --git a/README.md b/README.md index c946de77875..bbc15c73e5a 100644 --- a/README.md +++ b/README.md 
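Review bot: The `Install gon for code signing and app notarization` step in `notarize-macos` unpacks `gon_macos.zip` into `/usr/local/bin` without checking its digest. The next step then runs that binary with `AC_USERNAME`/`AC_PASSWORD` in its environment, on a runner whose keychain already holds the signing certificate (imported with `-A`, which lets any application use the key). Pin the archive's SHA-256 and fail the job on mismatch by adding `echo "<SHA256_OF_GON_V0.2.3_ZIP>  gon_macos.zip" | shasum -a 256 -c` between the `wget` and `unzip` lines. The same concern applies to `uses: docker://plugins/s3` in `publish-nightly`, which carries no tag or digest yet receives `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`; reference it by an explicit tag plus `@sha256:` digest. Separately, `Import Code-Signing Certificates` expands `${{ secrets.* }}` straight into the script text; mapping the secrets in the step's `env:` and using `"$INSTALLER_CERT_MAC_PASSWORD"` in the command stops shell metacharacters in a secret from altering it.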
@@ -7,7 +7,7 @@ and many other tools needed to use any Arduino compatible board and platform. [![Test Go status](https://github.com/arduino/arduino-cli/actions/workflows/test-go-task.yml/badge.svg)](https://github.com/arduino/arduino-cli/actions/workflows/test-go-task.yml) [![Test Integration status](https://github.com/arduino/arduino-cli/actions/workflows/test-go-integration-task.yml/badge.svg)](https://github.com/arduino/arduino-cli/actions/workflows/test-go-integration-task.yml) -[![nightly-badge]](https://github.com/Arduino/arduino-cli/actions?workflow=nightly) +[![Publish Nightly Build status](https://github.com/arduino/arduino-cli/actions/workflows/publish-go-nightly-task.yml/badge.svg)](https://github.com/arduino/arduino-cli/actions/workflows/publish-go-nightly-task.yml) [![Deploy Website status](https://github.com/arduino/arduino-cli/actions/workflows/deploy-cobra-mkdocs-versioned-poetry.yml/badge.svg)](https://github.com/arduino/arduino-cli/actions/workflows/deploy-cobra-mkdocs-versioned-poetry.yml) [![Codecov](https://codecov.io/gh/arduino/arduino-cli/branch/main/graph/badge.svg)](https://codecov.io/gh/arduino/arduino-cli) @@ -45,10 +45,6 @@ policy] and report the bug to our Security Team 🛡️ Thank you! e-mail contact: security@arduino.cc -[tests-badge]: https://github.com/Arduino/arduino-cli/workflows/test/badge.svg -[nightly-badge]: https://github.com/Arduino/arduino-cli/workflows/nightly/badge.svg -[docs-badge]: https://github.com/Arduino/arduino-cli/workflows/publish-docs/badge.svg -[codecov-badge]: https://codecov.io/gh/arduino/arduino-cli/branch/master/graph/badge.svg [install]: https://arduino.github.io/arduino-cli/latest/installation [user documentation]: https://arduino.github.io/arduino-cli/latest/ [getting started]: https://arduino.github.io/arduino-cli/latest/getting-started/ diff --git a/gon.config.hcl b/gon.config.hcl index a73110a3d13..b2370ee5834 100644 --- a/gon.config.hcl +++ b/gon.config.hcl 
@@ -1,3 +1,5 @@ +# Source: https://github.com/arduino/tooling-project-assets/blob/main/workflow-templates/assets/general/gon.config.hcl +# See: https://github.com/mitchellh/gon#configuration-file source = ["dist/arduino-cli_osx_darwin_amd64/arduino-cli"] bundle_id = "cc.arduino.arduino-cli" @@ -8,5 +10,5 @@ sign { # Ask Gon for zip output to force notarization process to take place. # The CI will ignore the zip output, using the signed binary only. zip { - output_path = "arduino-cli.zip" + output_path = "unused.zip" }