|
| 1 | +# Source: https://github.com/arduino/tooling-project-assets/blob/main/workflow-templates/release-go-task.md |
| 2 | +name: Release |
| 3 | + |
| 4 | +env: |
| 5 | + # As defined by the Taskfile's PROJECT_NAME variable |
| 6 | + PROJECT_NAME: arduino-cloud-cli |
| 7 | + # As defined by the Taskfile's DIST_DIR variable |
| 8 | + DIST_DIR: dist |
| 9 | + # The project's folder on Arduino's download server for uploading builds |
| 10 | + AWS_PLUGIN_TARGET: TODO |
| 11 | + ARTIFACT_NAME: dist |
| 12 | + |
| 13 | +on: |
| 14 | + push: |
| 15 | + tags: |
| 16 | + - "[0-9]+.[0-9]+.[0-9]+*" |
| 17 | + |
| 18 | +jobs: |
| 19 | + create-release-artifacts: |
| 20 | + runs-on: ubuntu-latest |
| 21 | + |
| 22 | + steps: |
| 23 | + - name: Checkout repository |
| 24 | + uses: actions/checkout@v2 |
| 25 | + with: |
| 26 | + fetch-depth: 0 |
| 27 | + |
| 28 | + - name: Create changelog |
| 29 | + uses: arduino/create-changelog@v1 |
| 30 | + with: |
| 31 | + tag-regex: '^[0-9]+\.[0-9]+\.[0-9]+.*$' |
| 32 | + filter-regex: '^\[(skip|changelog)[ ,-](skip|changelog)\].*' |
| 33 | + case-insensitive-regex: true |
| 34 | + changelog-file-path: "${{ env.DIST_DIR }}/CHANGELOG.md" |
| 35 | + |
| 36 | + - name: Install Task |
| 37 | + uses: arduino/setup-task@v1 |
| 38 | + with: |
| 39 | + repo-token: ${{ secrets.GITHUB_TOKEN }} |
| 40 | + version: 3.x |
| 41 | + |
| 42 | + - name: Build |
| 43 | + run: task dist:all |
| 44 | + |
| 45 | + - name: Upload artifacts |
| 46 | + uses: actions/upload-artifact@v2 |
| 47 | + with: |
| 48 | + if-no-files-found: error |
| 49 | + name: ${{ env.ARTIFACT_NAME }} |
| 50 | + path: ${{ env.DIST_DIR }} |
| 51 | + |
| 52 | + notarize-macos: |
| 53 | + runs-on: macos-latest |
| 54 | + needs: create-release-artifacts |
| 55 | + |
| 56 | + steps: |
| 57 | + - name: Checkout repository |
| 58 | + uses: actions/checkout@v2 |
| 59 | + |
| 60 | + - name: Download artifacts |
| 61 | + uses: actions/download-artifact@v2 |
| 62 | + with: |
| 63 | + name: ${{ env.ARTIFACT_NAME }} |
| 64 | + path: ${{ env.DIST_DIR }} |
| 65 | + |
| 66 | + - name: Import Code-Signing Certificates |
| 67 | + env: |
| 68 | + KEYCHAIN: "sign.keychain" |
| 69 | + INSTALLER_CERT_MAC_PATH: "/tmp/ArduinoCerts2020.p12" |
| 70 | + KEYCHAIN_PASSWORD: keychainpassword # Arbitrary password for a keychain that exists only for the duration of the job, so not secret |
| 71 | + run: | |
| 72 | + echo "${{ secrets.INSTALLER_CERT_MAC_P12 }}" | base64 --decode > "${{ env.INSTALLER_CERT_MAC_PATH }}" |
| 73 | + security create-keychain -p "${{ env.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}" |
| 74 | + security default-keychain -s "${{ env.KEYCHAIN }}" |
| 75 | + security unlock-keychain -p "${{ env.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}" |
| 76 | + security import \ |
| 77 | + "${{ env.INSTALLER_CERT_MAC_PATH }}" \ |
| 78 | + -k "${{ env.KEYCHAIN }}" \ |
| 79 | + -f pkcs12 \ |
| 80 | + -A \ |
| 81 | + -T "/usr/bin/codesign" \ |
| 82 | + -P "${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}" |
| 83 | + security set-key-partition-list \ |
| 84 | + -S apple-tool:,apple: \ |
| 85 | + -s \ |
| 86 | + -k "${{ env.KEYCHAIN_PASSWORD }}" \ |
| 87 | + "${{ env.KEYCHAIN }}" |
| 88 | +
|
| 89 | + - name: Install gon for code signing and app notarization |
| 90 | + run: | |
| 91 | + wget -q https://github.com/mitchellh/gon/releases/download/v0.2.3/gon_macos.zip |
| 92 | + unzip gon_macos.zip -d /usr/local/bin |
| 93 | +
|
| 94 | + - name: Sign and notarize binary |
| 95 | + env: |
| 96 | + AC_USERNAME: ${{ secrets.AC_USERNAME }} |
| 97 | + AC_PASSWORD: ${{ secrets.AC_PASSWORD }} |
| 98 | + run: | |
| 99 | + gon gon.config.hcl |
| 100 | +
|
| 101 | + - name: Re-package binary and update checksum |
| 102 | + # This step performs the following: |
| 103 | + # 1. Repackage the signed binary replaced in place by Gon (ignoring the output zip file) |
| 104 | + # 2. Recalculate package checksum and replace it in the nnnnnn-checksums.txt file |
| 105 | + run: | |
| 106 | + # GitHub's upload/download-artifact@v2 actions don't preserve file permissions, |
| 107 | + # so we need to add execution permission back until the action is made to do this. |
| 108 | + chmod +x ${{ env.DIST_DIR }}/${{ env.PROJECT_NAME }}_osx_darwin_amd64/${{ env.PROJECT_NAME }} |
| 109 | + TAG="${GITHUB_REF/refs\/tags\//}" |
| 110 | + tar -czvf "${{ env.DIST_DIR }}/${{ env.PROJECT_NAME }}_${TAG}_macOS_64bit.tar.gz" \ |
| 111 | + -C ${{ env.DIST_DIR }}/${{ env.PROJECT_NAME }}_osx_darwin_amd64/ ${{ env.PROJECT_NAME }} \ |
| 112 | + -C ../../ LICENSE.txt |
| 113 | + CHECKSUM="$(shasum -a 256 ${{ env.DIST_DIR }}/${{ env.PROJECT_NAME }}_${TAG}_macOS_64bit.tar.gz | cut -d " " -f 1)" |
| 114 | + perl \ |
| 115 | + -pi \ |
| 116 | + -w \ |
| 117 | + -e "s/.*${{ env.PROJECT_NAME }}_${TAG}_macOS_64bit.tar.gz/${CHECKSUM} ${{ env.PROJECT_NAME }}_${TAG}_macOS_64bit.tar.gz/g;" \ |
| 118 | + ${{ env.DIST_DIR }}/*-checksums.txt |
| 119 | +
|
| 120 | + - name: Upload artifacts |
| 121 | + uses: actions/upload-artifact@v2 |
| 122 | + with: |
| 123 | + if-no-files-found: error |
| 124 | + name: ${{ env.ARTIFACT_NAME }} |
| 125 | + path: ${{ env.DIST_DIR }} |
| 126 | + |
| 127 | + create-release: |
| 128 | + runs-on: ubuntu-latest |
| 129 | + needs: notarize-macos |
| 130 | + |
| 131 | + steps: |
| 132 | + - name: Download artifact |
| 133 | + uses: actions/download-artifact@v2 |
| 134 | + with: |
| 135 | + name: ${{ env.ARTIFACT_NAME }} |
| 136 | + path: ${{ env.DIST_DIR }} |
| 137 | + |
| 138 | + - name: Identify Prerelease |
| 139 | + # This is a workaround while waiting for create-release action |
| 140 | + # to implement auto pre-release based on tag |
| 141 | + id: prerelease |
| 142 | + run: | |
| 143 | + wget -q -P /tmp https://github.com/fsaintjacques/semver-tool/archive/3.0.0.zip |
| 144 | + unzip -p /tmp/3.0.0.zip semver-tool-3.0.0/src/semver >/tmp/semver && chmod +x /tmp/semver |
| 145 | + if [[ "$(/tmp/semver get prerel "${GITHUB_REF/refs\/tags\//}")" ]]; then echo "::set-output name=IS_PRE::true"; fi |
| 146 | +
|
| 147 | + - name: Create Github Release and upload artifacts |
| 148 | + uses: ncipollo/release-action@v1 |
| 149 | + with: |
| 150 | + token: ${{ secrets.GITHUB_TOKEN }} |
| 151 | + bodyFile: ${{ env.DIST_DIR }}/CHANGELOG.md |
| 152 | + draft: false |
| 153 | + prerelease: ${{ steps.prerelease.outputs.IS_PRE }} |
| 154 | + # NOTE: "Artifact is a directory" warnings are expected and don't indicate a problem |
| 155 | + # (all the files we need are in the DIST_DIR root) |
| 156 | + artifacts: ${{ env.DIST_DIR }}/* |
| 157 | + |
| 158 | + - name: Upload release files on Arduino downloads servers |
| 159 | + uses: docker://plugins/s3 |
| 160 | + env: |
| 161 | + PLUGIN_SOURCE: "${{ env.DIST_DIR }}/*" |
| 162 | + PLUGIN_TARGET: ${{ env.AWS_PLUGIN_TARGET }} |
| 163 | + PLUGIN_STRIP_PREFIX: "${{ env.DIST_DIR }}/" |
| 164 | + PLUGIN_BUCKET: ${{ secrets.DOWNLOADS_BUCKET }} |
| 165 | + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} |
| 166 | + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} |
0 commit comments