Skip to content

Publish Nightly Build #1254

Publish Nightly Build

Publish Nightly Build #1254

# Source: https://github.com/arduino/tooling-project-assets/blob/main/workflow-templates/publish-go-nightly-task.md
name: Publish Nightly Build
env:
# As defined by the Taskfile's PROJECT_NAME variable
PROJECT_NAME: arduino-lint
# As defined by the Taskfile's DIST_DIR variable
DIST_DIR: dist
# The project's folder on Arduino's download server for uploading builds
AWS_PLUGIN_TARGET: /arduino-lint/
AWS_REGION: "us-east-1"
ARTIFACT_PREFIX: dist-
# See: https://docs.github.com/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows
on:
schedule:
# run every day at 1AM
- cron: "0 1 * * *"
workflow_dispatch:
repository_dispatch:
jobs:
create-nightly-artifacts:
runs-on: ubuntu-latest
permissions:
contents: read
strategy:
matrix:
os:
- task: Windows_32bit
artifact-suffix: Windows_32bit
- task: Windows_64bit
artifact-suffix: Windows_64bit
- task: Linux_32bit
artifact-suffix: Linux_32bit
- task: Linux_64bit
artifact-suffix: Linux_64bit
- task: Linux_ARMv6
artifact-suffix: Linux_ARMv6
- task: Linux_ARMv7
artifact-suffix: Linux_ARMv7
- task: Linux_ARM64
artifact-suffix: Linux_ARM64
- task: macOS_64bit
artifact-suffix: macOS_64bit
- task: macOS_ARM64
artifact-suffix: macOS_ARM64
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Install Task
uses: arduino/setup-task@v2
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
version: 3.x
- name: Build
env:
NIGHTLY: true
run: task dist:${{ matrix.os.task }}
- name: Upload artifacts
uses: actions/upload-artifact@v4
with:
if-no-files-found: error
name: ${{ env.ARTIFACT_PREFIX }}${{ matrix.os.artifact-suffix }}
path: ${{ env.DIST_DIR }}
notarize-macos:
name: Notarize ${{ matrix.build.folder-suffix }}
runs-on: macos-latest
needs: create-nightly-artifacts
permissions:
contents: read
env:
GON_CONFIG_PATH: gon.config.hcl
strategy:
matrix:
build:
- artifact-suffix: macOS_64bit
folder-suffix: darwin_amd64
package-suffix: "macOS_64bit.tar.gz"
- artifact-suffix: macOS_ARM64
folder-suffix: darwin_arm64
package-suffix: "macOS_ARM64.tar.gz"
steps:
- name: Set environment variables
run: |
# See: https://docs.github.com/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions#setting-an-environment-variable
echo "BUILD_FOLDER=${{ env.PROJECT_NAME }}_osx_${{ matrix.build.folder-suffix }}" >> "$GITHUB_ENV"
- name: Checkout repository
uses: actions/checkout@v4
- name: Download artifacts
uses: actions/download-artifact@v4
with:
name: ${{ env.ARTIFACT_PREFIX }}${{ matrix.build.artifact-suffix }}
path: ${{ env.DIST_DIR }}
- name: Import Code-Signing Certificates
env:
KEYCHAIN: "sign.keychain"
INSTALLER_CERT_MAC_PATH: "/tmp/ArduinoCerts2020.p12"
# Arbitrary password for a keychain that exists only for the duration of the job, so not secret
KEYCHAIN_PASSWORD: keychainpassword
run: |
echo "${{ secrets.INSTALLER_CERT_MAC_P12 }}" | base64 --decode > "${{ env.INSTALLER_CERT_MAC_PATH }}"
security create-keychain -p "${{ env.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}"
security default-keychain -s "${{ env.KEYCHAIN }}"
security unlock-keychain -p "${{ env.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}"
security import \
"${{ env.INSTALLER_CERT_MAC_PATH }}" \
-k "${{ env.KEYCHAIN }}" \
-f pkcs12 \
-A \
-T /usr/bin/codesign \
-P "${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}"
security set-key-partition-list \
-S apple-tool:,apple: \
-s \
-k "${{ env.KEYCHAIN_PASSWORD }}" \
"${{ env.KEYCHAIN }}"
- name: Install gon for code signing and app notarization
run: |
wget -q https://github.com/Bearer/gon/releases/download/v0.0.27/gon_macos.zip
unzip gon_macos.zip -d /usr/local/bin
- name: Write gon config to file
# gon does not allow env variables in config file (https://github.com/mitchellh/gon/issues/20)
run: |
cat > "${{ env.GON_CONFIG_PATH }}" <<EOF
# See: https://github.com/Bearer/gon#configuration-file
source = ["${{ env.DIST_DIR }}/${{ env.BUILD_FOLDER }}/${{ env.PROJECT_NAME }}"]
bundle_id = "cc.arduino.${{ env.PROJECT_NAME }}"
sign {
application_identity = "Developer ID Application: ARDUINO SA (7KT7ZWMCJT)"
}
# Ask Gon for zip output to force notarization process to take place.
# The CI will ignore the zip output, using the signed binary only.
zip {
output_path = "unused.zip"
}
EOF
- name: Sign and notarize binary
env:
AC_USERNAME: ${{ secrets.AC_USERNAME }}
AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
AC_PROVIDER: ${{ secrets.AC_PROVIDER }}
run: |
gon "${{ env.GON_CONFIG_PATH }}"
- name: Re-package binary
working-directory: ${{ env.DIST_DIR }}
# Repackage the signed binary replaced in place by Gon (ignoring the output zip file)
run: |
# GitHub's upload/download-artifact actions don't preserve file permissions,
# so we need to add execution permission back until the action is made to do this.
chmod +x "${{ env.BUILD_FOLDER }}/${{ env.PROJECT_NAME }}"
# Use of an array here is required for globbing
PACKAGE_FILENAME=(${{ env.PROJECT_NAME }}_nightly-*${{ matrix.build.package-suffix }})
tar -czvf "$PACKAGE_FILENAME" \
-C "${{ env.BUILD_FOLDER }}/" "${{ env.PROJECT_NAME }}" \
-C ../../ LICENSE.txt
echo "PACKAGE_FILENAME=$PACKAGE_FILENAME" >> $GITHUB_ENV
- name: Replace artifact with notarized build
uses: actions/upload-artifact@v4
with:
if-no-files-found: error
name: ${{ env.ARTIFACT_PREFIX }}${{ matrix.build.artifact-suffix }}
overwrite: true
path: ${{ env.DIST_DIR }}/${{ env.PACKAGE_FILENAME }}
publish-nightly:
runs-on: ubuntu-latest
environment: production
needs: notarize-macos
permissions:
contents: write
id-token: write # This is required for requesting the JWT
steps:
- name: Download artifact
uses: actions/download-artifact@v4
with:
pattern: ${{ env.ARTIFACT_PREFIX }}*
merge-multiple: true
path: ${{ env.DIST_DIR }}
- name: Create checksum file
working-directory: ${{ env.DIST_DIR }}
run: |
TAG="nightly-$(date -u +"%Y%m%d")"
sha256sum ${{ env.PROJECT_NAME }}_${TAG}* > ${TAG}-checksums.txt
- name: configure aws credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
role-session-name: "github_${{ env.PROJECT_NAME }}"
aws-region: ${{ env.AWS_REGION }}
- name: Upload release files on Arduino downloads servers
run: aws s3 sync ${{ env.DIST_DIR }} s3://${{ secrets.DOWNLOADS_BUCKET }}${{ env.AWS_PLUGIN_TARGET }}nightly
report:
runs-on: ubuntu-latest
needs: publish-nightly
if: failure() # Run if publish-nightly or any of its job dependencies failed
permissions: {}
steps:
- name: Report failure
uses: masci/datadog@v1
with:
api-key: ${{ secrets.DD_API_KEY }}
events: |
- title: "${{ env.PROJECT_NAME }} nightly build failed"
text: "Nightly build workflow has failed"
alert_type: "error"
host: ${{ github.repository }}
tags:
- "project:${{ env.PROJECT_NAME }}"
- "workflow:${{ github.workflow }}"