diff --git a/.github/workflows/check-certificates.yml b/.github/workflows/check-certificates.yml index 92dec0148..28e8297c1 100644 --- a/.github/workflows/check-certificates.yml +++ b/.github/workflows/check-certificates.yml @@ -26,7 +26,7 @@ jobs: if: > (github.event_name != 'pull_request' && github.repository == 'arduino/arduino-create-agent') || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'arduino/arduino-create-agent') - runs-on: ubuntu-18.04 + runs-on: ubuntu-20.04 strategy: fail-fast: false @@ -109,7 +109,7 @@ jobs: echo "Certificate expiration date: $EXPIRATION_DATE" echo "Days remaining before expiration: $DAYS_BEFORE_EXPIRATION" - echo "::set-output name=days::$DAYS_BEFORE_EXPIRATION" + echo "days=$DAYS_BEFORE_EXPIRATION" >> $GITHUB_OUTPUT - name: Check if expiration notification period has been reached id: check-expiration diff --git a/.github/workflows/check-go-dependencies-task.yml b/.github/workflows/check-go-dependencies-task.yml index 75c8fc22b..2c792b607 100644 --- a/.github/workflows/check-go-dependencies-task.yml +++ b/.github/workflows/check-go-dependencies-task.yml @@ -56,7 +56,7 @@ jobs: RESULT="false" fi - echo "::set-output name=result::$RESULT" + echo "result=$RESULT" >> $GITHUB_OUTPUT check-cache: needs: run-determination diff --git a/.github/workflows/check-license.yml b/.github/workflows/check-license.yml index 79baf0ca3..ee9362b77 100644 --- a/.github/workflows/check-license.yml +++ b/.github/workflows/check-license.yml @@ -54,7 +54,7 @@ jobs: RESULT="false" fi - echo "::set-output name=result::$RESULT" + echo "result=$RESULT" >> $GITHUB_OUTPUT check-license: needs: run-determination diff --git a/.github/workflows/publish-go-tester-task.yml b/.github/workflows/publish-go-tester-task.yml index fc3d24217..8b3ef4a69 100644 --- a/.github/workflows/publish-go-tester-task.yml +++ b/.github/workflows/publish-go-tester-task.yml 
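Review bot: `$GITHUB_OUTPUT` is expanded unquoted in the new `echo "days=$DAYS_BEFORE_EXPIRATION" >> $GITHUB_OUTPUT` line of check-certificates.yml, so the redirect only works while the runner's path contains no whitespace or glob characters. Quoting it, `echo "days=$DAYS_BEFORE_EXPIRATION" >> "$GITHUB_OUTPUT"`, matches the form used in GitHub's documentation and satisfies ShellCheck SC2086. The same applies to the `result=$RESULT` lines in check-go-dependencies-task.yml, check-license.yml, publish-go-tester-task.yml, test-go-integration-task.yml and test-go-task.yml, the `IS_PRE=true` lines in release.yml and the `flag=--dry-run` line in sync-labels.yml. The enclosing `run:` blocks start outside these hunks.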
@@ -54,7 +54,7 @@ jobs: RESULT="false" fi - echo "::set-output name=result::$RESULT" + echo "result=$RESULT" >> $GITHUB_OUTPUT #this job is heavily customized because the build is quite a bit different from other tooling team projects build: @@ -64,7 +64,7 @@ jobs: #use the strategy instead because we still use the native build strategy: matrix: - os: [ubuntu-18.04, windows-2019, macos-11] + os: [ubuntu-20.04, windows-2019, macos-12] arch: [-amd64] include: - os: windows-2019 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7900ec24c..67e89094c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,4 +1,4 @@ -name: release +name: Release on: push: @@ -6,6 +6,8 @@ on: - "[0-9]+.[0-9]+.[0-9]+*" env: + # As defined by the Taskfile's PROJECT_NAME variable + PROJECT_NAME: arduino-create-agent TARGET: "/CreateAgent/Stable" OLD_TARGET: "/CreateBridge/" # compatibility with older releases (we can't change config.ini) VERSION_TARGET: "arduino-create-static/agent-metadata/" @@ -13,6 +15,8 @@ env: AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} AWS_REGION: "us-east-1" # or https://github.com/aws/aws-cli/issues/5623 KEYCHAIN: "sign.keychain" + KEYCHAIN_PASSWORD: keychainpassword # Arbitrary password for a keychain that exists only for the duration of the job, so not secret + GON_CONFIG_PATH: gon.config.hcl INSTALLER_CERT_MAC_PATH: "/tmp/ArduinoCerts2020.p12" AC_USERNAME: ${{ secrets.AC_USERNAME }} # used by gon AC_PASSWORD: ${{ secrets.AC_PASSWORD }} # used by gon @@ -22,7 +26,7 @@ jobs: build: strategy: matrix: - os: [ubuntu-18.04, windows-2019, macos-11] + os: [ubuntu-20.04, windows-2019, macos-12] arch: [-amd64] include: - os: windows-2019 
@@ -49,7 +53,7 @@ jobs: run: | curl -L -s https://github.com/fsaintjacques/semver-tool/archive/3.1.0.zip -o /tmp/3.1.0.zip unzip -p /tmp/3.1.0.zip semver-tool-3.1.0/src/semver >/tmp/semver && chmod +x /tmp/semver - if [[ $(/tmp/semver get prerel ${GITHUB_REF/refs\/tags\//}) ]]; then echo "::set-output name=IS_PRE::true"; fi + if [[ $(/tmp/semver get prerel ${GITHUB_REF/refs\/tags\//}) ]]; then echo "IS_PRE=true" >> $GITHUB_OUTPUT; fi - name: Disable EOL conversions run: git config --global core.autocrlf false @@ -65,7 +69,7 @@ jobs: # dependencies used for compiling the GUI - name: Install Dependencies (Linux) run: sudo apt update && sudo apt install -y --no-install-recommends build-essential libgtk-3-dev libwebkit2gtk-4.0-dev libappindicator3-dev - if: matrix.os == 'ubuntu-18.04' + if: matrix.os == 'ubuntu-20.04' - name: Install Go deps # Since 10/23/2019 pwsh is the default shell @@ -87,12 +91,12 @@ jobs: - name: Build the Agent for linux run: task go:build - if: matrix.os == 'ubuntu-18.04' + if: matrix.os == 'ubuntu-20.04' # build the agent without GUI support (no tray icon) - name: Build the Agent-cli run: task go:build-cli - if: matrix.os == 'ubuntu-18.04' + if: matrix.os == 'ubuntu-20.04' # the manifest is required by windows GUI apps, otherwise the binary will crash with: "Unable to create main window: TTM_ADDTOOL failed" (for reference https://github.com/lxn/walk/issues/28) # rsrc will produce a *.syso file that should get automatically recognized by go build command and linked into an executable. 
@@ -118,15 +122,15 @@ jobs: CGO_CFLAGS: -mmacosx-version-min=10.11 CGO_LDFLAGS: -mmacosx-version-min=10.11 run: task go:build - if: matrix.os == 'macos-11' + if: matrix.os == 'macos-12' # this will create `public/` dir with compressed full bin (/-.gz) and a json file - name: Create autoupdate files - run: go-selfupdate arduino-create-agent${{ matrix.ext }} ${TAG_VERSION} + run: go-selfupdate ${{ env.PROJECT_NAME }}${{ matrix.ext }} ${TAG_VERSION} if: matrix.arch != '-386' && steps.prerelease.outputs.IS_PRE != 'true' - name: Create autoupdate files for win32 - run: go-selfupdate -platform windows${{ matrix.arch }} arduino-create-agent${{ matrix.ext }} ${TAG_VERSION} + run: go-selfupdate -platform windows${{ matrix.arch }} ${{ env.PROJECT_NAME }}${{ matrix.ext }} ${TAG_VERSION} if: matrix.arch == '-386' && matrix.os == 'windows-2019' && steps.prerelease.outputs.IS_PRE != 'true' - name: Upload autoupdate files to Arduino downloads servers 
@@ -139,79 +143,165 @@ jobs: - name: Upload artifacts uses: actions/upload-artifact@v3 with: - name: arduino-create-agent-${{ matrix.os }}${{ matrix.arch }} + name: ${{ env.PROJECT_NAME }}-${{ matrix.os }}${{ matrix.arch }} path: | - arduino-create-agent* + ${{ env.PROJECT_NAME }}* config.ini if-no-files-found: error - # The code-sign-mac-executable job will download the macos artifact from the previous job, sign e notarize the binary and re-upload it. - code-sign-mac-executable: + create-macos-bundle: needs: build - strategy: - matrix: # to allow support for future architectures - os: [macos-11] - arch: [-amd64] - runs-on: ${{ matrix.os }} + runs-on: macos-12 + env: + EXE_PATH: "skel/ArduinoCreateAgent.app/Contents/MacOS/" steps: + - name: Checkout + uses: actions/checkout@v3 + with: + repository: 'bcmi-labs/arduino-create-agent-installer' # the repo which contains the bundle structure and icons + token: ${{ secrets.ARDUINO_CREATE_AGENT_CI_PAT }} + - name: Download artifact uses: actions/download-artifact@v3 with: - name: arduino-create-agent-${{ matrix.os }}${{ matrix.arch }} - path: arduino-create-agent + name: ${{ env.PROJECT_NAME }}-macos-12-amd64 + path: ${{ env.EXE_PATH }} + + - name: Remove placeholder file + run: rm -rf ${{ env.EXE_PATH }}.empty + + - name: Move config.ini to the Resources dir + working-directory: ${{ env.EXE_PATH }} + run: mv config.ini ../Resources/ + + # zip artifacts do not mantain executable permission + - name: Make executable + run: chmod -v +x ${{ env.EXE_PATH }}${{ env.PROJECT_NAME }} + + - name: Rename executable to Arduino_Create_Agent + run: mv -v ${{ env.EXE_PATH }}${{ env.PROJECT_NAME }} ${{ env.EXE_PATH }}Arduino_Create_Agent + + - name: get year + run: echo "YEAR=$(date "+%Y")" >> $GITHUB_ENV + + - name: Generate Info.plist for MacOS + run: | + cat > skel/ArduinoCreateAgent.app/Contents/Info.plist <CFBundlePackageTypeAPPLCFBundleInfoDictionaryVersion6.0 + + CFBundleIconFile AppIcon.icns + + CFBundleName Arduino Create Agent 
+ CFBundleExecutable Arduino_Create_Agent + CFBundleIdentifier create.arduino.cc + + CFBundleVersion ${GITHUB_REF##*/} + NSHumanReadableCopyright © Copyright ${{ env.YEAR }} Arduino LLC + CFBundleShortVersionString ${GITHUB_REF##*/} + LSUIElement + + NSPrincipalClassNSApplication + NSMainNibFileMainMenu + + + EOF + + - name: Tar bundle to keep permissions + run: tar -cvf ArduinoCreateAgent.app.tar -C skel/ . + + - name: Upload artifacts + uses: actions/upload-artifact@v3 + with: + if-no-files-found: error + name: ArduinoCreateAgent.app + path: ArduinoCreateAgent.app.tar + + # The notarize-macos job will download the macos bundle from the previous job, sign, notarize and re-upload it. + notarize-macos: + name: Notarize bundle + runs-on: macos-12 + env: + GON_PATH: ${{ github.workspace }}/gon + needs: create-macos-bundle + + steps: + - name: Download artifact + uses: actions/download-artifact@v3 + with: + name: ArduinoCreateAgent.app + + - name: un-Tar bundle + run: tar -xvf ArduinoCreateAgent.app.tar - name: Import Code-Signing Certificates run: | - echo "${{ secrets.INSTALLER_CERT_MAC_P12 }}" | base64 --decode > ${{ env.INSTALLER_CERT_MAC_PATH }} - security create-keychain -p ${{ secrets.KEYCHAIN_PASSWORD }} ${{ env.KEYCHAIN }} - security default-keychain -s ${{ env.KEYCHAIN }} - security unlock-keychain -p ${{ secrets.KEYCHAIN_PASSWORD }} ${{ env.KEYCHAIN }} - security import ${{ env.INSTALLER_CERT_MAC_PATH }} -k ${{ env.KEYCHAIN }} -f pkcs12 -A -T /usr/bin/codesign -P ${{ secrets.INSTALLER_CERT_MAC_PASSWORD }} - security set-key-partition-list -S apple-tool:,apple: -s -k ${{ secrets.KEYCHAIN_PASSWORD }} ${{ env.KEYCHAIN }} + echo "${{ secrets.INSTALLER_CERT_MAC_P12 }}" | base64 --decode > "${{ env.INSTALLER_CERT_MAC_PATH }}" + security create-keychain -p "${{ env.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}" + security default-keychain -s "${{ env.KEYCHAIN }}" + security unlock-keychain -p "${{ env.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}" + security import \ + 
"${{ env.INSTALLER_CERT_MAC_PATH }}" \ + -k "${{ env.KEYCHAIN }}" \ + -f pkcs12 \ + -A \ + -T "/usr/bin/codesign" \ + -P "${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}" + security set-key-partition-list \ + -S apple-tool:,apple: \ + -s \ + -k "${{ env.KEYCHAIN_PASSWORD }}" \ + "${{ env.KEYCHAIN }}" - name: Install gon for code signing and app notarization + uses: actions/checkout@v3 + with: + repository: darkvertex/gon #this fork has support for --deep notarization + path: ${{ env.GON_PATH }} + ref: deep_sign_support + + - name: Build gon + working-directory: ${{ env.GON_PATH }}/cmd/gon/ run: | - wget -q https://github.com/mitchellh/gon/releases/download/v0.2.3/gon_macos.zip - unzip gon_macos.zip -d /usr/local/bin + ls -lah + go build + mv gon /usr/local/bin - name: Write gon config to file # gon does not allow env variables in config file (https://github.com/mitchellh/gon/issues/20) run: | - cat > gon.config.hcl < "${{ env.GON_CONFIG_PATH }}" <> $GITHUB_ENV - if: matrix.os == 'macos-11' - - - name: Generate Info.plist for MacOS - run: | - cat > skel/ArduinoCreateAgent.app/Contents/Info.plist <CFBundlePackageTypeAPPLCFBundleInfoDictionaryVersion6.0 - - CFBundleIconFile AppIcon.icns - - CFBundleName Arduino Create Agent - CFBundleExecutable Arduino_Create_Agent - CFBundleIdentifier create.arduino.cc - - CFBundleVersion ${GITHUB_REF##*/} - NSHumanReadableCopyright © Copyright ${{ env.YEAR }} Arduino LLC - CFBundleShortVersionString ${GITHUB_REF##*/} - LSUIElement - - NSPrincipalClassNSApplication - NSMainNibFileMainMenu - - - EOF - if: matrix.os == 'macos-11' + run: mv -v ${{ matrix.executable-path }}${{ env.PROJECT_NAME }}_cli${{ matrix.extension }} ${{ matrix.executable-path }}Arduino_Create_Agent_cli${{ matrix.extension }} + if: matrix.os == 'ubuntu-20.04' - name: Save InstallBuilder license to file run: echo "${{ secrets.INSTALLER_LICENSE }}" > /tmp/license.xml 
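Review bot: The new "Install gon for code signing and app notarization" step in notarize-macos checks out `darkvertex/gon` at the branch name `deep_sign_support`, and the next step builds that code and moves it into /usr/local/bin in the job that has just imported the signing certificate and that inherits the workflow-level `AC_USERNAME`/`AC_PASSWORD`. A branch ref is mutable, so whatever is pushed to that fork next gets compiled and run with those credentials on the following release; pin it to a reviewed commit, `ref: <FULL_COMMIT_SHA_PLACEHOLDER> # deep_sign_support`. In create-macos-bundle, the checkout that uses `secrets.ARDUINO_CREATE_AGENT_CI_PAT` would also be tighter with `persist-credentials: false`, since no later step in that job visibly needs git access. The heredoc bodies in this hunk are missing from the page, so the gon configuration itself could not be reviewed.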
@@ -320,7 +396,7 @@ jobs: - name: Save macos signing certificate to file run: echo "${{ secrets.INSTALLER_CERT_MAC_P12 }}" | base64 --decode > ${{ env.INSTALLER_CERT_MAC_P12 }} - if: matrix.os == 'macos-11' + if: matrix.os == 'macos-12' # win(edge),mac(safari) -> CERT_INSTALL and win,mac:(ff,chrome) -> CHOICE_CERT_INSTALL # installbuilder reads the env vars with certs paths and use it to sign the installer. @@ -332,7 +408,7 @@ jobs: cp -vr ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.install-builder-name }}-installer-CC${{matrix.installer-extension}} ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.install-builder-name }}${{ matrix.arch }}-installer-chrome${{matrix.installer-extension}} mv -v ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.install-builder-name }}-installer-CC${{matrix.installer-extension}} ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.install-builder-name }}${{ matrix.arch }}-installer-firefox${{matrix.installer-extension}} rm -r ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.install-builder-name }}-installer-C* - if: matrix.os == 'windows-2019' || matrix.os == 'macos-11' + if: matrix.os == 'windows-2019' || matrix.os == 'macos-12' # linux - name: Launch Bitrock installbuilder-20 with NO_CERT_INSTALL @@ -342,7 +418,7 @@ jobs: mv -v ArduinoCreateAgent-${GITHUB_REF##*/}-linux-x64-installer-CS.run ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.install-builder-name }}${{ matrix.arch }}-installer-firefox.run cp -v ArduinoCreateAgent-${GITHUB_REF##*/}-linux-x64-installer-CS.tar.gz ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.install-builder-name }}${{ matrix.arch }}-installer-chrome.tar.gz mv -v ArduinoCreateAgent-${GITHUB_REF##*/}-linux-x64-installer-CS.tar.gz ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.install-builder-name }}${{ matrix.arch }}-installer-firefox.tar.gz - if: matrix.os == 'ubuntu-18.04' + if: matrix.os == 'ubuntu-20.04' - name: Upload artifacts uses: actions/upload-artifact@v3 
@@ -359,7 +435,7 @@ jobs: browser: [safari, firefox, chrome] arch: [-amd64] - runs-on: macos-11 + runs-on: macos-12 steps: - name: Download artifact uses: actions/download-artifact@v3 @@ -373,16 +449,26 @@ jobs: - name: Import Code-Signing Certificates run: | - echo "${{ secrets.INSTALLER_CERT_MAC_P12 }}" | base64 --decode > ${{ env.INSTALLER_CERT_MAC_PATH }} - security create-keychain -p ${{ secrets.KEYCHAIN_PASSWORD }} ${{ env.KEYCHAIN }} - security default-keychain -s ${{ env.KEYCHAIN }} - security unlock-keychain -p ${{ secrets.KEYCHAIN_PASSWORD }} ${{ env.KEYCHAIN }} - security import ${{ env.INSTALLER_CERT_MAC_PATH }} -k ${{ env.KEYCHAIN }} -f pkcs12 -A -T /usr/bin/codesign -P ${{ secrets.INSTALLER_CERT_MAC_PASSWORD }} - security set-key-partition-list -S apple-tool:,apple: -s -k ${{ secrets.KEYCHAIN_PASSWORD }} ${{ env.KEYCHAIN }} + echo "${{ secrets.INSTALLER_CERT_MAC_P12 }}" | base64 --decode > "${{ env.INSTALLER_CERT_MAC_PATH }}" + security create-keychain -p "${{ env.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}" + security default-keychain -s "${{ env.KEYCHAIN }}" + security unlock-keychain -p "${{ env.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}" + security import \ + "${{ env.INSTALLER_CERT_MAC_PATH }}" \ + -k "${{ env.KEYCHAIN }}" \ + -f pkcs12 \ + -A \ + -T "/usr/bin/codesign" \ + -P "${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}" + security set-key-partition-list \ + -S apple-tool:,apple: \ + -s \ + -k "${{ env.KEYCHAIN_PASSWORD }}" \ + "${{ env.KEYCHAIN }}" - name: Install gon for code signing and app notarization run: | - wget -q https://github.com/mitchellh/gon/releases/download/v0.2.3/gon_macos.zip + wget -q https://github.com/mitchellh/gon/releases/download/v0.2.5/gon_macos.zip unzip gon_macos.zip -d /usr/local/bin - name: Write gon config to file 
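Review bot: The bumped `wget -q https://github.com/mitchellh/gon/releases/download/v0.2.5/gon_macos.zip` line still unpacks the archive straight into /usr/local/bin with no integrity check, in the same job that imports the code-signing certificate a few lines earlier. Record the expected digest in the workflow and verify it before the unzip, e.g. `echo "<EXPECTED_SHA256_PLACEHOLDER>  gon_macos.zip" | shasum -a 256 -c -`, so a replaced release asset fails the job instead of running with the signing identity. Separately, the reformatted `security import` keeps `-A` next to `-T "/usr/bin/codesign"`; `-A` lets any application use the imported key, which makes the `-T` restriction moot, so dropping `-A` is worth trying if codesign and gon still work without it.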
@@ -390,7 +476,7 @@ jobs: run: | cat > gon.config_installer.hcl </tmp/semver && chmod +x /tmp/semver - if [[ $(/tmp/semver get prerel ${GITHUB_REF/refs\/tags\//}) ]]; then echo "::set-output name=IS_PRE::true"; fi + if [[ $(/tmp/semver get prerel ${GITHUB_REF/refs\/tags\//}) ]]; then echo "IS_PRE=true" >> $GITHUB_OUTPUT; fi # mandatory step because upload-release-action does not support multiple folders - name: prepare artifacts for the release @@ -458,8 +544,8 @@ jobs: update_release_body: false # `true` won't work because trigger type is not release files: | release/*.exe - arduino-create-agent-windows-2019-386/arduino-create-agent.exe - arduino-create-agent-windows-2019-amd64/arduino-create-agent.exe + ${{ env.PROJECT_NAME }}-windows-2019-386/${{ env.PROJECT_NAME }}.exe + ${{ env.PROJECT_NAME }}-windows-2019-amd64/${{ env.PROJECT_NAME }}.exe - name: Create changelog uses: arduino/create-changelog@v1 @@ -472,17 +558,14 @@ jobs: - name: Organize release body message #use sed to clean and format the output markdown style id: release_body run: | - body=$(cat CHANGELOG.md) - body="${body//'%'/'%25'}" - body="${body//$'\n'/'%0A'}" - body="${body//$'\r'/'%0D'}" - vt_title_pre="
\nVirusTotal analysis 🛡\n\n" - vt_links="$(echo ${{ steps.virustotal_step.outputs.analysis}} | sed 's/release\///g' | sed 's/,/\n/g' | sed 's/^/- [/' | sed 's/=/](/' | sed 's/$/)/')" - vt_title_post="\n
" - vt_title_pre="${vt_title_pre//'\n'/'%0A'}" - vt_links="${vt_links//$'\n'/'%0A'}" # replace \n with a special character -> generates a single lines, \n will be reintroduced later - vt_title_post="${vt_title_post//'\n'/'%0A'}" - echo "::set-output name=RBODY::$body'%0A'$vt_title_pre$vt_links$vt_title_post" + echo "RBODY<> $GITHUB_OUTPUT + echo "$(cat CHANGELOG.md)" >> $GITHUB_OUTPUT + echo "
" >> $GITHUB_OUTPUT + echo "VirusTotal analysis 🛡" >> $GITHUB_OUTPUT + echo "" >> $GITHUB_OUTPUT + echo "$(echo ${{ steps.virustotal_step.outputs.analysis}} | sed 's/release\///g' | sed 's/,/\n/g' | sed 's/^/- [/' | sed 's/=/](/' | sed 's/$/)/')" >> $GITHUB_OUTPUT + echo "
" >> $GITHUB_OUTPUT + echo "EOF" >> $GITHUB_OUTPUT - name: Create Github Release uses: actions/create-release@v1 diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index 70085bdef..6f9c91a91 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -103,7 +103,7 @@ jobs: run: | # Use of this flag in the github-label-sync command will cause it to only check the validity of the # configuration. - echo "::set-output name=flag::--dry-run" + echo "flag=--dry-run" >> $GITHUB_OUTPUT - name: Checkout repository uses: actions/checkout@v3 diff --git a/.github/workflows/test-go-integration-task.yml b/.github/workflows/test-go-integration-task.yml index 3071569ab..36f2b2622 100644 --- a/.github/workflows/test-go-integration-task.yml +++ b/.github/workflows/test-go-integration-task.yml @@ -55,7 +55,7 @@ jobs: RESULT="false" fi - echo "::set-output name=result::$RESULT" + echo "result=$RESULT" >> $GITHUB_OUTPUT test: needs: run-determination diff --git a/.github/workflows/test-go-task.yml b/.github/workflows/test-go-task.yml index eec30beaa..fe20d9af5 100644 --- a/.github/workflows/test-go-task.yml +++ b/.github/workflows/test-go-task.yml @@ -51,7 +51,7 @@ jobs: RESULT="false" fi - echo "::set-output name=result::$RESULT" + echo "result=$RESULT" >> $GITHUB_OUTPUT test: name: test (${{ matrix.module.path }} - ${{ matrix.operating-system }})
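Review bot: The multi-line `RBODY` output in "Organize release body message" is closed with the fixed delimiter `echo "EOF" >> $GITHUB_OUTPUT`, while the body is built from CHANGELOG.md and the VirusTotal step's output; a line consisting only of `EOF` in either would end the value early, and whatever follows would be parsed as further output entries. GitHub's guidance for multi-line values is a delimiter that cannot occur in the data, e.g. `delimiter="$(openssl rand -hex 8)"`, then `echo "RBODY<<$delimiter"` to open and `echo "$delimiter"` to close. `${{ steps.virustotal_step.outputs.analysis}}` is also expanded into the script text before the shell runs; passing it through an `env:` entry and referencing the variable would keep its content out of the command line. The opening line of the heredoc is damaged on this page, so this is read from the closing line.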