Publish Nightly Build #1254
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Source: https://github.com/arduino/tooling-project-assets/blob/main/workflow-templates/publish-go-nightly-task.md | |
name: Publish Nightly Build | |
env: | |
# As defined by the Taskfile's PROJECT_NAME variable | |
PROJECT_NAME: arduino-lint | |
# As defined by the Taskfile's DIST_DIR variable | |
DIST_DIR: dist | |
# The project's folder on Arduino's download server for uploading builds | |
AWS_PLUGIN_TARGET: /arduino-lint/ | |
AWS_REGION: "us-east-1" | |
ARTIFACT_PREFIX: dist- | |
# See: https://docs.github.com/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows | |
on: | |
schedule: | |
# run every day at 1AM | |
- cron: "0 1 * * *" | |
workflow_dispatch: | |
repository_dispatch: | |
jobs: | |
create-nightly-artifacts: | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
strategy: | |
matrix: | |
os: | |
- task: Windows_32bit | |
artifact-suffix: Windows_32bit | |
- task: Windows_64bit | |
artifact-suffix: Windows_64bit | |
- task: Linux_32bit | |
artifact-suffix: Linux_32bit | |
- task: Linux_64bit | |
artifact-suffix: Linux_64bit | |
- task: Linux_ARMv6 | |
artifact-suffix: Linux_ARMv6 | |
- task: Linux_ARMv7 | |
artifact-suffix: Linux_ARMv7 | |
- task: Linux_ARM64 | |
artifact-suffix: Linux_ARM64 | |
- task: macOS_64bit | |
artifact-suffix: macOS_64bit | |
- task: macOS_ARM64 | |
artifact-suffix: macOS_ARM64 | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
- name: Install Task | |
uses: arduino/setup-task@v2 | |
with: | |
repo-token: ${{ secrets.GITHUB_TOKEN }} | |
version: 3.x | |
- name: Build | |
env: | |
NIGHTLY: true | |
run: task dist:${{ matrix.os.task }} | |
- name: Upload artifacts | |
uses: actions/upload-artifact@v4 | |
with: | |
if-no-files-found: error | |
name: ${{ env.ARTIFACT_PREFIX }}${{ matrix.os.artifact-suffix }} | |
path: ${{ env.DIST_DIR }} | |
notarize-macos: | |
name: Notarize ${{ matrix.build.folder-suffix }} | |
runs-on: macos-latest | |
needs: create-nightly-artifacts | |
permissions: | |
contents: read | |
env: | |
GON_CONFIG_PATH: gon.config.hcl | |
strategy: | |
matrix: | |
build: | |
- artifact-suffix: macOS_64bit | |
folder-suffix: darwin_amd64 | |
package-suffix: "macOS_64bit.tar.gz" | |
- artifact-suffix: macOS_ARM64 | |
folder-suffix: darwin_arm64 | |
package-suffix: "macOS_ARM64.tar.gz" | |
steps: | |
- name: Set environment variables | |
run: | | |
# See: https://docs.github.com/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions#setting-an-environment-variable | |
echo "BUILD_FOLDER=${{ env.PROJECT_NAME }}_osx_${{ matrix.build.folder-suffix }}" >> "$GITHUB_ENV" | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
- name: Download artifacts | |
uses: actions/download-artifact@v4 | |
with: | |
name: ${{ env.ARTIFACT_PREFIX }}${{ matrix.build.artifact-suffix }} | |
path: ${{ env.DIST_DIR }} | |
- name: Import Code-Signing Certificates | |
env: | |
KEYCHAIN: "sign.keychain" | |
INSTALLER_CERT_MAC_PATH: "/tmp/ArduinoCerts2020.p12" | |
# Arbitrary password for a keychain that exists only for the duration of the job, so not secret | |
KEYCHAIN_PASSWORD: keychainpassword | |
run: | | |
echo "${{ secrets.INSTALLER_CERT_MAC_P12 }}" | base64 --decode > "${{ env.INSTALLER_CERT_MAC_PATH }}" | |
security create-keychain -p "${{ env.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}" | |
security default-keychain -s "${{ env.KEYCHAIN }}" | |
security unlock-keychain -p "${{ env.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}" | |
security import \ | |
"${{ env.INSTALLER_CERT_MAC_PATH }}" \ | |
-k "${{ env.KEYCHAIN }}" \ | |
-f pkcs12 \ | |
-A \ | |
-T /usr/bin/codesign \ | |
-P "${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}" | |
security set-key-partition-list \ | |
-S apple-tool:,apple: \ | |
-s \ | |
-k "${{ env.KEYCHAIN_PASSWORD }}" \ | |
"${{ env.KEYCHAIN }}" | |
- name: Install gon for code signing and app notarization | |
run: | | |
wget -q https://github.com/Bearer/gon/releases/download/v0.0.27/gon_macos.zip | |
unzip gon_macos.zip -d /usr/local/bin | |
- name: Write gon config to file | |
# gon does not allow env variables in config file (https://github.com/mitchellh/gon/issues/20) | |
run: | | |
cat > "${{ env.GON_CONFIG_PATH }}" <<EOF | |
# See: https://github.com/Bearer/gon#configuration-file | |
source = ["${{ env.DIST_DIR }}/${{ env.BUILD_FOLDER }}/${{ env.PROJECT_NAME }}"] | |
bundle_id = "cc.arduino.${{ env.PROJECT_NAME }}" | |
sign { | |
application_identity = "Developer ID Application: ARDUINO SA (7KT7ZWMCJT)" | |
} | |
# Ask Gon for zip output to force notarization process to take place. | |
# The CI will ignore the zip output, using the signed binary only. | |
zip { | |
output_path = "unused.zip" | |
} | |
EOF | |
- name: Sign and notarize binary | |
env: | |
AC_USERNAME: ${{ secrets.AC_USERNAME }} | |
AC_PASSWORD: ${{ secrets.AC_PASSWORD }} | |
AC_PROVIDER: ${{ secrets.AC_PROVIDER }} | |
run: | | |
gon "${{ env.GON_CONFIG_PATH }}" | |
- name: Re-package binary | |
working-directory: ${{ env.DIST_DIR }} | |
# Repackage the signed binary replaced in place by Gon (ignoring the output zip file) | |
run: | | |
# GitHub's upload/download-artifact actions don't preserve file permissions, | |
# so we need to add execution permission back until the action is made to do this. | |
chmod +x "${{ env.BUILD_FOLDER }}/${{ env.PROJECT_NAME }}" | |
# Use of an array here is required for globbing | |
PACKAGE_FILENAME=(${{ env.PROJECT_NAME }}_nightly-*${{ matrix.build.package-suffix }}) | |
tar -czvf "$PACKAGE_FILENAME" \ | |
-C "${{ env.BUILD_FOLDER }}/" "${{ env.PROJECT_NAME }}" \ | |
-C ../../ LICENSE.txt | |
echo "PACKAGE_FILENAME=$PACKAGE_FILENAME" >> $GITHUB_ENV | |
- name: Replace artifact with notarized build | |
uses: actions/upload-artifact@v4 | |
with: | |
if-no-files-found: error | |
name: ${{ env.ARTIFACT_PREFIX }}${{ matrix.build.artifact-suffix }} | |
overwrite: true | |
path: ${{ env.DIST_DIR }}/${{ env.PACKAGE_FILENAME }} | |
publish-nightly: | |
runs-on: ubuntu-latest | |
environment: production | |
needs: notarize-macos | |
permissions: | |
contents: write | |
id-token: write # This is required for requesting the JWT | |
steps: | |
- name: Download artifact | |
uses: actions/download-artifact@v4 | |
with: | |
pattern: ${{ env.ARTIFACT_PREFIX }}* | |
merge-multiple: true | |
path: ${{ env.DIST_DIR }} | |
- name: Create checksum file | |
working-directory: ${{ env.DIST_DIR }} | |
run: | | |
TAG="nightly-$(date -u +"%Y%m%d")" | |
sha256sum ${{ env.PROJECT_NAME }}_${TAG}* > ${TAG}-checksums.txt | |
- name: configure aws credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }} | |
role-session-name: "github_${{ env.PROJECT_NAME }}" | |
aws-region: ${{ env.AWS_REGION }} | |
- name: Upload release files on Arduino downloads servers | |
run: aws s3 sync ${{ env.DIST_DIR }} s3://${{ secrets.DOWNLOADS_BUCKET }}${{ env.AWS_PLUGIN_TARGET }}nightly | |
report: | |
runs-on: ubuntu-latest | |
needs: publish-nightly | |
if: failure() # Run if publish-nightly or any of its job dependencies failed | |
permissions: {} | |
steps: | |
- name: Report failure | |
uses: masci/datadog@v1 | |
with: | |
api-key: ${{ secrets.DD_API_KEY }} | |
events: | | |
- title: "${{ env.PROJECT_NAME }} nightly build failed" | |
text: "Nightly build workflow has failed" | |
alert_type: "error" | |
host: ${{ github.repository }} | |
tags: | |
- "project:${{ env.PROJECT_NAME }}" | |
- "workflow:${{ github.workflow }}" |