From cb2d6feb89fd7941b8b377cca4cdd6bbf1aceb16 Mon Sep 17 00:00:00 2001
From: per1234 <accounts@perglass.com>
Date: Mon, 14 Oct 2024 08:06:49 -0700
Subject: [PATCH] Fix collision between macOS workflow artifacts in release
 workflows

GitHub Workflows are used to automatically generate and publish production and nightly releases of the project. This is
done for a range of host architectures, including macOS. The macOS builds are then put through a notarization process in
a dedicated workflow job.

GitHub Actions workflow artifacts are used to transfer the generated files between sequential jobs in the workflow. The
"actions/upload-artifact" and "actions/download-artifact" actions are used for this purpose.

The workflow artifact handling had to be reworked recently in order to handle a breaking change in the 4.0.0 release of
the "actions/upload-artifact". Previously, a single artifact was used for the transfer of the builds for all hosts.
However, support for uploading multiple times to a single artifact was dropped in version 4.0.0 of the
"actions/upload-artifact" action. So it is now necessary to use a dedicated artifact for each of the builds. These are
downloaded in aggregate in a subsequent job by using the artifact name globbing and merging features which were
introduced in version 4.1.0 of the "actions/download-artifact" action.

A regression was introduced at that time. The chosen approach was to use a separate set of artifacts for the
non-notarized and notarized files. An overview of the sequence (the prefixes are the workflow job names):

1. create-release-artifacts/create-nightly-artifacts: Generate builds.
2. create-release-artifacts/create-nightly-artifacts: Upload builds to workflow artifacts
3. notarize-macos: Download workflow artifacts.
4. notarize-macos: Notarize macOS build from downloaded artifact.
5. notarize-macos: Upload notarized build to workflow artifact with a different name than the source artifact.
6. create-release/publish-nightly: Download workflow artifacts.
7. create-release/publish-nightly: Publish builds.

The problem with this is that the artifacts for the non-notarized (uploaded by the
create-release-artifacts/create-nightly-artifacts job) and notarized (created by the notarize-macos job) files are then
downloaded and merged by the create-release/publish-nightly job. Since each artifact contains a file with the same path
in the merged output, the contents of the last downloaded artifact overwrite the contents of the first. It happens that
the non-notarized artifact is downloaded after the notarized artifact, so this file path collision results in
non-notarized macOS builds being published instead of the notarized builds as intended, and as done by the workflow
prior to the regression:

```
% wget https://downloads.arduino.cc/arduino-cli/nightly/arduino-cli_nightly-latest_macOS_ARM64.tar.gz

[...]

% tar -xf arduino-cli_nightly-latest_macOS_ARM64.tar.gz

% spctl -a -vvv -t install arduino-cli
arduino-cli: rejected
```

```
% wget https://downloads.arduino.cc/arduino-cli/arduino-cli_latest_macOS_ARM64.tar.gz

[..]

% tar -xf arduino-cli_latest_macOS_ARM64.tar.gz

% spctl -a -vvv -t install arduino-cli
arduino-cli: rejected
```

The chosen solution is to delete the non-notarized artifacts after downloading each in the notarize-macos jobs. An
overview of the new sequence (the prefixes are the workflow job names):

1. create-release-artifacts/create-nightly-artifacts: Generate builds.
2. create-release-artifacts/create-nightly-artifacts: Upload builds to workflow artifacts
3. notarize-macos: Download macOS x86 or Apple Silicon workflow artifact.
4. notarize-macos: Delete macOS x86 or Apple Silicon workflow artifact.
5. notarize-macos: Notarize macOS build from downloaded artifact.
6. notarize-macos: Upload notarized build to workflow artifact.
7. create-release/publish-nightly: Download workflow artifacts.
8. create-release/publish-nightly: Publish builds.

The result is that there is no file path collision when the create-release/publish-nightly job downloads and merges the
artifacts.
---
 .github/workflows/publish-go-nightly-task.yml | 18 ++++++++++++------
 .github/workflows/release-go-task.yml         | 18 ++++++++++++------
 2 files changed, 24 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/publish-go-nightly-task.yml b/.github/workflows/publish-go-nightly-task.yml
index ff45fd27fcf..66e6195f1d2 100644
--- a/.github/workflows/publish-go-nightly-task.yml
+++ b/.github/workflows/publish-go-nightly-task.yml
@@ -82,9 +82,11 @@ jobs:
     strategy:
       matrix:
         artifact:
-          - name: darwin_amd64
+          - artifact-suffix: macOS_64bit
+            name: darwin_amd64
             path: "macOS_64bit.tar.gz"
-          - name: darwin_arm64
+          - artifact-suffix: macOS_ARM64
+            name: darwin_arm64
             path: "macOS_ARM64.tar.gz"
 
     steps:
@@ -94,10 +96,14 @@ jobs:
       - name: Download artifacts
         uses: actions/download-artifact@v4
         with:
-          pattern: ${{ env.ARTIFACT_NAME }}-*
-          merge-multiple: true
+          name: ${{ env.ARTIFACT_NAME }}-${{ matrix.artifact.artifact-suffix }}
           path: ${{ env.DIST_DIR }}
 
+      - name: Remove non-notarized artifact
+        uses: geekyeggo/delete-artifact@v5
+        with:
+          name: ${{ env.ARTIFACT_NAME }}-${{ matrix.artifact.artifact-suffix }}
+
       - name: Import Code-Signing Certificates
         env:
           KEYCHAIN: "sign.keychain"
@@ -167,11 +173,11 @@ jobs:
           -C ../../ LICENSE.txt
           echo "PACKAGE_FILENAME=$PACKAGE_FILENAME" >> $GITHUB_ENV
 
-      - name: Upload artifact
+      - name: Upload notarized artifact
         uses: actions/upload-artifact@v4
         with:
           if-no-files-found: error
-          name: ${{ env.ARTIFACT_NAME }}-notarized-${{ matrix.artifact.name }}
+          name: ${{ env.ARTIFACT_NAME }}-${{ matrix.artifact.artifact-suffix }}
           path: ${{ env.DIST_DIR }}/${{ env.PACKAGE_FILENAME }}
 
   create-windows-installer:
diff --git a/.github/workflows/release-go-task.yml b/.github/workflows/release-go-task.yml
index d536c21cbc2..44fb3102d7a 100644
--- a/.github/workflows/release-go-task.yml
+++ b/.github/workflows/release-go-task.yml
@@ -82,9 +82,11 @@ jobs:
     strategy:
       matrix:
         artifact:
-          - name: darwin_amd64
+          - artifact-suffix: macOS_64bit
+            name: darwin_amd64
             path: "macOS_64bit.tar.gz"
-          - name: darwin_arm64
+          - artifact-suffix: macOS_ARM64
+            name: darwin_arm64
             path: "macOS_ARM64.tar.gz"
 
     steps:
@@ -94,10 +96,14 @@ jobs:
       - name: Download artifacts
         uses: actions/download-artifact@v4
         with:
-          pattern: ${{ env.ARTIFACT_NAME }}-*
-          merge-multiple: true
+          name: ${{ env.ARTIFACT_NAME }}-${{ matrix.artifact.artifact-suffix }}
           path: ${{ env.DIST_DIR }}
 
+      - name: Remove non-notarized artifact
+        uses: geekyeggo/delete-artifact@v5
+        with:
+          name: ${{ env.ARTIFACT_NAME }}-${{ matrix.artifact.artifact-suffix }}
+
       - name: Import Code-Signing Certificates
         env:
           KEYCHAIN: "sign.keychain"
@@ -167,11 +173,11 @@ jobs:
           -C ../../ LICENSE.txt
           echo "PACKAGE_FILENAME=$PACKAGE_FILENAME" >> $GITHUB_ENV
 
-      - name: Upload artifact
+      - name: Upload notarized artifact
         uses: actions/upload-artifact@v4
         with:
           if-no-files-found: error
-          name: ${{ env.ARTIFACT_NAME }}-notarized-${{ matrix.artifact.name }}
+          name: ${{ env.ARTIFACT_NAME }}-${{ matrix.artifact.artifact-suffix }}
           path: ${{ env.DIST_DIR }}/${{ env.PACKAGE_FILENAME }}
 
   create-windows-installer: