Skip to content

ATL-1119 Disable code signing when workflows run from forks #213

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Mar 15, 2021
Merged

ATL-1119 Disable code signing when workflows run from forks #213

merged 1 commit into from
Mar 15, 2021

Conversation

rsora
Copy link
Contributor

@rsora rsora commented Mar 12, 2021

This PR supersedes #208 and comes from a fork of this repo in order to test the workflow update it contains.

The purpose of this PR is to refactor the CI workflows to be more "fork friendly".
If workflows are run on a PR generated by a fork, where secrets are not available, the CI will run skipping the signing steps, providing unsigned artifacts.

What this PR does:

  • Skip Mac/Win code signing and Apple notarization only if PR comes from a fork
  • Disable workflows entirely if the user enabled Github Actions in
    their fork repo
  • Add steps to help Mac users to test their forked code in BUILDING.md

Disable code signing when workflows run from forks
056d76b 
- Skip Mac/Win code signing and Apple notarization only if PR comes from a fork
- Disable workflows entirely if the user enabled Github Actions in
their fork repo
- Add steps to help Mac users to test their forked code in BUILDING.md
rsora
rsora commented Mar 12, 2021
View reviewed changes
.github/workflows/build.yml
@@ -16,6 +16,7 @@ on:
jobs:

build:
if: github.repository == 'arduino/arduino-ide'
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This condition disables the workflow in the user fork repo if the fork has GitHub Actions enabled.

@kittaakos kittaakos self-requested a review March 15, 2021 08:03
kittaakos
kittaakos approved these changes Mar 15, 2021
View reviewed changes
Copy link
Contributor

@kittaakos kittaakos left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have verified it, but maybe someone else can also check it on macOS. I checked the followings:

  • PR was submitted from a fork,
  • Build was green, I could download the artifacts,
  • The IDE was not signed, it is expected:
codesign -dv --verbose=4 /Applications/Arduino\ IDE.app 
/Applications/Arduino IDE.app: code object is not signed at all
  • The CI log shows, it ran on a fork:
Skipping the app signing: building from a fork.

Note: I did not have to disable Gatekeeper. I could start the app without any issues although the IDE was not signed.

Verified:

Version: 2.0.0-beta.3-snapshot.a1d854f
Date: 2021-03-12T17:34:20.565Z
CLI Version: 0.16.1 alpha [76f55490]

@kittaakos kittaakos mentioned this pull request Mar 15, 2021
Merged
@rsora
Copy link
Contributor Author

rsora commented Mar 15, 2021

I tested the unsigned artifact on MacOs thanks to @ubidefeo, I'll proceed to merge and closing #208.
Thanks for your review @kittaakos 🙇

@rsora rsora merged commit ef03d3f into arduino:main Mar 15, 2021
@rsora rsora mentioned this pull request Mar 15, 2021
Closed
@per1234 per1234 added the topic: infrastructure Related to project infrastructure label Oct 28, 2021
@per1234 per1234 mentioned this pull request Oct 29, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kittaakos kittaakos kittaakos approved these changes

Assignees
No one assigned
Labels
topic: infrastructure Related to project infrastructure
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@rsora @kittaakos @per1234