-
-
Notifications
You must be signed in to change notification settings - Fork 12
134 lines (115 loc) · 4.66 KB
/
nightly.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
name: Nightly build
on:
schedule:
# run every day at 1AM
- cron: "0 1 * * *"
jobs:
create-nightly-artifacts:
# This workflow is only of value to the arduino/arduino-arduino-lint repository and
# would always fail in forks
if: github.repository == 'arduino/arduino-lint'
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Install Taskfile
uses: arduino/setup-task@v1
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
version: 3.x
- name: Build
env:
NIGHTLY: true
run: task dist:all
- name: Upload artifacts
uses: actions/upload-artifact@v2
with:
name: dist
path: dist
notarize-macos:
runs-on: macos-latest
needs: create-nightly-artifacts
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Download artifacts
uses: actions/download-artifact@v2
with:
name: dist
# to ensure compatibility with v1
path: dist
- name: Import Code-Signing Certificates
env:
KEYCHAIN: "sign.keychain"
INSTALLER_CERT_MAC_PATH: "/tmp/ArduinoCerts2020.p12"
KEYCHAIN_PASSWORD: keychainpassword # Arbitrary password for a keychain that exists only for the duration of the job, so not secret
run: |
echo "${{ secrets.INSTALLER_CERT_MAC_P12 }}" | base64 --decode > ${{ env.INSTALLER_CERT_MAC_PATH }}
security create-keychain -p ${{ env.KEYCHAIN_PASSWORD }} ${{ env.KEYCHAIN }}
security default-keychain -s ${{ env.KEYCHAIN }}
security unlock-keychain -p ${{ env.KEYCHAIN_PASSWORD }} ${{ env.KEYCHAIN }}
security import ${{ env.INSTALLER_CERT_MAC_PATH }} -k ${{ env.KEYCHAIN }} -f pkcs12 -A -T /usr/bin/codesign -P "${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}"
security set-key-partition-list -S apple-tool:,apple: -s -k ${{ env.KEYCHAIN_PASSWORD }} ${{ env.KEYCHAIN }}
- name: Install gon for code signing and app notarization
run: |
wget -q https://github.com/mitchellh/gon/releases/download/v0.2.3/gon_macos.zip
unzip gon_macos.zip -d /usr/local/bin
- name: Sign and notarize binary
env:
AC_USERNAME: ${{ secrets.AC_USERNAME }}
AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
run: |
gon gon.config.hcl
- name: Re-package binary and update checksum
# This step performs the following:
# 1. Repackage the signed binary replaced in place by Gon (ignoring the output zip file)
# 2. Recalculate package checksum and replace it in the goreleaser nnnnnn-checksums.txt file
run: |
# GitHub's upload/download-artifact@v2 action doesn't preserve file permissions,
# so we need to add execution permission back until the action is made to do this.
chmod +x dist/arduino-lint_osx_darwin_amd64/arduino-lint
PACKAGE_FILENAME="$(basename dist/arduino-lint_nightly-*_macOS_64bit.tar.gz)"
tar -czvf dist/$PACKAGE_FILENAME \
-C dist/arduino-lint_osx_darwin_amd64/ arduino-lint \
-C ../../ LICENSE.txt
CLI_CHECKSUM=$(shasum -a 256 dist/$PACKAGE_FILENAME | cut -d " " -f 1)
perl -pi -w -e "s/.*${PACKAGE_FILENAME}/${CLI_CHECKSUM} ${PACKAGE_FILENAME}/g;" dist/*-checksums.txt
- name: Upload artifacts
uses: actions/upload-artifact@v2
with:
name: dist
path: dist
publish-nightly:
runs-on: ubuntu-latest
needs: notarize-macos
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Download artifact
uses: actions/download-artifact@v2
with:
name: dist
# to ensure compatibility with v1
path: dist
- name: Upload release files on Arduino downloads servers
uses: docker://plugins/s3
env:
PLUGIN_SOURCE: "dist/*"
PLUGIN_TARGET: "/arduino-lint/nightly"
PLUGIN_STRIP_PREFIX: "dist/"
PLUGIN_BUCKET: ${{ secrets.DOWNLOADS_BUCKET }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- name: Report failure
if: failure()
uses: masci/datadog@v1
with:
api-key: ${{ secrets.DD_API_KEY }}
events: |
- title: "arduino-lint nightly build failed"
text: "Nightly build workflow has failed"
alert_type: "error"
host: ${{ github.repository }}
tags:
- "project:arduino-lint"
- "workflow:${{ github.workflow }}"