Disable code signing when workflows run from forks #208
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Skip Mac/Win code signing and Apple notarization only if PR comes from a fork - Disable workflows entirely if the user enabled Github Actions in their fork repo - Add steps to help Mac users to test their forked code in BUILDING.md
kittaakos
suggested changes
Mar 12, 2021
| @@ -21,4 +25,4 @@ exports.default = async function notarizing(context) { | |||
| appleId: process.env.AC_USERNAME, | |||
| appleIdPassword: process.env.AC_PASSWORD, | |||
| }); | |||
| }; | |||
| }; | |||
There was a problem hiding this comment.
Please revert. The project uses trailing empty lines.
| @@ -73,6 +73,22 @@ This project is built on [GitHub Actions](https://github.com/arduino/arduino-ide | |||
| git push origin 1.2.3 | |||
| ``` | |||
|
|
|||
| ## Notes for macOS contributors | |||
| Beginning in macOS 10.14.5, software [must be notarized to run](https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution). The signing and notarization processes for the Arduino IDE are managed by our Continuous Integration (CI) workflows, implemented with GitHub Actions. On every push and pull request, the Arduino IDE is built and saved to a workflow artifact. These artifacts can be used by contributors and beta testers who don't want to set up a build system locally. | |||
There was a problem hiding this comment.
software -> the software
| @@ -73,6 +73,22 @@ This project is built on [GitHub Actions](https://github.com/arduino/arduino-ide | |||
| git push origin 1.2.3 | |||
| ``` | |||
|
|
|||
| ## Notes for macOS contributors | |||
| Beginning in macOS 10.14.5, software [must be notarized to run](https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution). The signing and notarization processes for the Arduino IDE are managed by our Continuous Integration (CI) workflows, implemented with GitHub Actions. On every push and pull request, the Arduino IDE is built and saved to a workflow artifact. These artifacts can be used by contributors and beta testers who don't want to set up a build system locally. | |||
| For security reasons, signing and notarization is disabled for workflow runs for pull requests from forks of this repository. This means that macOS will block you from running those artifacts. | |||
There was a problem hiding this comment.
signing and notarization is -> signing and notarization are
| @@ -119,4 +124,4 @@ jobs: | |||
| WARNING: ${{ github.repository }} ${{ matrix.certificate.identifier }} will expire in ${{ steps.get-days-before-expiration.outputs.days }} days!!! | |||
| :warning::warning::warning::warning: | |||
| SLACK_COLOR: danger | |||
| MSG_MINIMAL: true | |||
| MSG_MINIMAL: true | |||
There was a problem hiding this comment.
We use empty trailing lines.
Hint: if you edit the code in VS Code, Code will insert the empty line for you one save. Please use Code.
arduino-ide/.vscode/settings.json
Line 19 in eadc993
| @@ -173,4 +179,4 @@ jobs: | |||
| PLUGIN_TARGET: "/arduino-ide" | |||
| PLUGIN_BUCKET: ${{ secrets.DOWNLOADS_BUCKET }} | |||
| AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |||
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |||
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |||
| @@ -16,6 +16,7 @@ on: | |||
| jobs: | |||
|
|
|||
| build: | |||
| if: github.repository == 'arduino/arduino-ide' | |||
There was a problem hiding this comment.
I am not sure if I understand this condition. Can you please explain?
|
@kittaakos I'll open a new PR from a fork, so we can test the workflow mods I prepared as you requested. |
👍 Thank you! |
|
Superseded by #213 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR refactors the CI workflows to be more "fork friendly".
If workflows are run on a PR generated by a fork, where secrets are not available, the CI will run skipping the signing steps, providing unsigned artifacts.
What this PR does:
their fork repo