.github/workflows/release.yml

name: release

on:
  push:
    tags:
      - "[0-9]+.[0-9]+.[0-9]+*"

jobs:
  create-release-artifacts:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v1
        with:
          fetch-depth: 0

      - name: Create changelog
        uses: arduino/create-changelog@v1
        with:
          tag-regex: '^[0-9]+\.[0-9]+\.[0-9]+$'
          filter-regex: '^\[(skip|changelog)[ ,-](skip|changelog)\].*'
          case-insensitive-regex: true
          changelog-file-path: "dist/CHANGELOG.md"

      - name: Install Taskfile
        uses: arduino/actions/setup-taskfile@master
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          version: 3.x

      - name: Build
        run: task dist:all

      - name: Upload artifacts
        uses: actions/upload-artifact@v2
        with:
          name: dist
          path: dist

  notarize-macos:
    runs-on: macos-latest
    needs: create-release-artifacts

    steps:
      - name: Checkout
        uses: actions/checkout@v2

      - name: Download artifacts
        uses: actions/download-artifact@v2
        with:
          name: dist
          # to ensure compatibility with v1
          path: dist

      - name: Import Code-Signing Certificates
        env:
          KEYCHAIN: "sign.keychain"
          INSTALLER_CERT_MAC_PATH: "/tmp/ArduinoCerts2020.p12"
          KEYCHAIN_PASSWORD: keychainpassword # Arbitrary password for a keychain that exists only for the duration of the job, so not secret
        run: |
          echo "${{ secrets.INSTALLER_CERT_MAC_P12 }}" | base64 --decode > ${{ env.INSTALLER_CERT_MAC_PATH }}
          security create-keychain -p ${{ env.KEYCHAIN_PASSWORD }} ${{ env.KEYCHAIN }}
          security default-keychain -s ${{ env.KEYCHAIN }}
          security unlock-keychain -p ${{ env.KEYCHAIN_PASSWORD }} ${{ env.KEYCHAIN }}
          security import ${{ env.INSTALLER_CERT_MAC_PATH }} -k ${{ env.KEYCHAIN }} -f pkcs12 -A -T /usr/bin/codesign -P "${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}"
          security set-key-partition-list -S apple-tool:,apple: -s -k ${{ env.KEYCHAIN_PASSWORD }} ${{ env.KEYCHAIN }}

      - name: Install gon for code signing and app notarization
        run: |
          wget -q https://github.com/mitchellh/gon/releases/download/v0.2.3/gon_macos.zip
          unzip gon_macos.zip -d /usr/local/bin

      - name: Sign and notarize binary
        env:
          AC_USERNAME: ${{ secrets.AC_USERNAME }}
          AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
        run: |
          gon gon.config.hcl

      - name: Re-package binary and update checksum
        # This step performs the following:
        # 1. Repackage the signed binary replaced in place by Gon (ignoring the output zip file)
        # 2. Recalculate package checksum and replace it in the goreleaser nnnnnn-checksums.txt file
        run: |
          # GitHub's upload/download-artifact@v2 action doesn't preserve file permissions,
          # so we need to add execution permission back until the action is made to do this.
          chmod +x dist/arduino-lint_osx_darwin_amd64/arduino-lint
          TAG=${GITHUB_REF/refs\/tags\//}
          tar -czvf dist/arduino-lint_${TAG}_macOS_64bit.tar.gz \
          -C dist/arduino-lint_osx_darwin_amd64/  arduino-lint   \
          -C ../../ LICENSE.txt
          LINT_CHECKSUM=$(shasum -a 256 dist/arduino-lint_${TAG}_macOS_64bit.tar.gz | cut -d " " -f 1)
          perl -pi -w -e "s/.*arduino-lint_${TAG}_macOS_64bit.tar.gz/${LINT_CHECKSUM}  arduino-lint_${TAG}_macOS_64bit.tar.gz/g;" dist/*-checksums.txt

      - name: Upload artifacts
        uses: actions/upload-artifact@v2
        with:
          name: dist
          path: dist

  create-release:
    runs-on: ubuntu-latest
    needs: notarize-macos

    steps:
      - name: Checkout
        uses: actions/checkout@v2

      - name: Download artifact
        uses: actions/download-artifact@v2
        with:
          name: dist
          # to ensure compatibility with v1
          path: dist

      - name: Read CHANGELOG
        id: changelog
        run: |
          body=$(cat dist/CHANGELOG.md)
          body="${body//'%'/'%25'}"
          body="${body//$'\n'/'%0A'}"
          body="${body//$'\r'/'%0D'}"
          echo $body
          echo "::set-output name=BODY::$body"

      - name: Identify Prerelease
        # This is a workaround while waiting for create-release action
        # to implement auto pre-release based on tag
        id: prerelease
        run: |
          wget -q -P /tmp https://github.com/fsaintjacques/semver-tool/archive/3.0.0.zip
          unzip -p /tmp/3.0.0.zip semver-tool-3.0.0/src/semver >/tmp/semver && chmod +x /tmp/semver
          if [[ $(/tmp/semver get prerel ${GITHUB_REF/refs\/tags\//}) ]]; then echo "::set-output name=IS_PRE::true"; fi

      - name: Create Github Release
        id: create_release
        uses: actions/create-release@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag_name: ${{ github.ref }}
          release_name: ${{ github.ref }}
          body: ${{ steps.changelog.outputs.BODY }}
          draft: false
          prerelease: ${{ steps.prerelease.outputs.IS_PRE }}

      - name: Upload release files on Github
        uses: svenstaro/upload-release-action@v2
        with:
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          file: dist/*
          tag: ${{ github.ref }}
          file_glob: true

      - name: Upload release files on Arduino downloads servers
        uses: docker://plugins/s3
        env:
          PLUGIN_SOURCE: "dist/*"
          PLUGIN_TARGET: "/arduino-lint/"
          PLUGIN_STRIP_PREFIX: "dist/"
          PLUGIN_BUCKET: ${{ secrets.DOWNLOADS_BUCKET }}
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}