diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml index 905280e3eab..09d9f133101 100644 --- a/.github/workflows/nightly.yaml +++ b/.github/workflows/nightly.yaml @@ -30,6 +30,6 @@ jobs: PLUGIN_SOURCE: 'dist/*' PLUGIN_TARGET: '/arduino-cli/nightly' PLUGIN_STRIP_PREFIX: 'dist/' - PLUGIN_BUCKET: 'arduino-downloads-prod-beagle' + PLUGIN_BUCKET: ${{ secrets.DOWNLOADS_BUCKET }} AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index cac5a20e6a5..d2e4757209e 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -6,7 +6,8 @@ on: - '[0-9].[0-9].[0-9]*' jobs: - publish-release: + + create-release-artifacts: runs-on: ubuntu-latest container: 
@@ -16,13 +17,118 @@ jobs: - $PWD/go:/go steps: - - name: checkout + - name: Checkout uses: actions/checkout@v1 - - name: build + - name: Build + run: goreleaser + + - name: Upload artifacts + uses: actions/upload-artifact@v1 + with: + name: dist + path: dist + + notarize-macos: + runs-on: macos-latest + needs: create-release-artifacts + + steps: + - name: Checkout + uses: actions/checkout@v1 + + - name: Download artifacts + uses: actions/download-artifact@v1 + with: + name: dist + + - name: Get the current release tag + id: get_tag + run: echo ::set-output name=VERSION::${GITHUB_REF/refs\/tags\//} + + - name: Download Gon + run: | + wget -q https://github.com/mitchellh/gon/releases/download/v0.2.2/gon_0.2.2_macos.zip + unzip gon_0.2.2_macos.zip -d /usr/local/bin + rm -f gon_0.2.2_macos.zip + + - name: Notarize binary, re-package it and update checksum env: - GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} + TAG: ${{ steps.get_tag.outputs.VERSION }} + AC_USERNAME: ${{ secrets.AC_USERNAME }} + AC_PASSWORD: ${{ secrets.AC_PASSWORD }} + # This step performs the following: + # 1. Download keychain from GH secrets and decode it from base64 + # 2. Add the keychain to the system keychains and unlock it + # 3. Call Gon to start notarization process (using AC_USERNAME and AC_PASSWORD) + # 4. Repackage the signed binary replaced in place by Gon + # 5. 
Recalculate package checksum and replace it in the goreleaser nnnnnn-checksums.txt file + run: | + echo "${{ secrets.KEYCHAIN }}" | base64 --decode > ~/Library/Keychains/apple-developer.keychain-db + security list-keychains -s ~/Library/Keychains/apple-developer.keychain-db + security unlock-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" ~/Library/Keychains/apple-developer.keychain-db + gon gon.config.hcl + tar -czvf dist/arduino-cli_${TAG}_macOS_64bit.tar.gz \ + -C dist/arduino_cli_osx_darwin_amd64/ arduino-cli \ + -C ../../ LICENSE.txt + CLI_CHECKSUM=$(shasum -a 256 dist/arduino-cli_${TAG}_macOS_64bit.tar.gz | cut -d " " -f 1) + perl -pi -w -e "s/.*arduino-cli_${TAG}_macOS_64bit.tar.gz/${CLI_CHECKSUM} arduino-cli_${TAG}_macOS_64bit.tar.gz/g;" dist/*-checksums.txt + + - name: Upload artifacts + uses: actions/upload-artifact@v1 + with: + name: dist + path: dist + + create-release: + runs-on: ubuntu-latest + needs: notarize-macos + + steps: + - name: Checkout + uses: actions/checkout@v1 + + - name: Download artifact + uses: actions/download-artifact@v1 + with: + name: dist + + - name: Read CHANGELOG + id: changelog + run: | + body=$(cat dist/CHANGELOG.md) + body="${body//'%'/'%25'}" + body="${body//$'\n'/'%0A'}" + body="${body//$'\r'/'%0D'}" + echo $body + echo "::set-output name=BODY::$body" + + - name: Create Github Release + id: create_release + uses: actions/create-release@master + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + tag_name: ${{ github.ref }} + release_name: ${{ github.ref }} + body: ${{ steps.changelog.outputs.BODY }} + draft: false + prerelease: false + + - name: Upload release files on Github + uses: svenstaro/upload-release-action@v1-release + with: + repo_token: ${{ secrets.GITHUB_TOKEN }} + file: dist/* + tag: ${{ github.ref }} + file_glob: true + + - name: Upload release files on Arduino downloads servers + uses: docker://plugins/s3 + env: + PLUGIN_SOURCE: 'dist/*' + PLUGIN_TARGET: '/arduino-cli/' + PLUGIN_STRIP_PREFIX: 'dist/' + 
PLUGIN_BUCKET: ${{ secrets.DOWNLOADS_BUCKET }} AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - AWS_DEFAULT_REGION: 'us-east-1' - run: goreleaser diff --git a/.goreleaser.yml b/.goreleaser.yml index ef70eaac986..e02897be7a6 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -6,7 +6,7 @@ snapshot: name_template: '{{ .Env.PACKAGE_NAME_PREFIX }}-{{ time "20060102" }}' release: - prerelease: auto + disable: true changelog: filters: @@ -112,11 +112,3 @@ archives: windows: Windows files: - LICENSE.txt - -blob: - - - provider: s3 - bucket: arduino-downloads-prod-beagle - ids: - - arduino_cli - folder: "{{ .ProjectName }}" diff --git a/gon.config.hcl b/gon.config.hcl new file mode 100644 index 00000000000..41a6cadb604 --- /dev/null +++ b/gon.config.hcl @@ -0,0 +1,6 @@ +source = ["dist/arduino_cli_osx_darwin_amd64/arduino-cli"] +bundle_id = "cc.arduino.arduino-cli" + +sign { + application_identity = "Developer ID Application: ARDUINO SA (7KT7ZWMCJT)" +}
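Review bot: The `Download Gon` step unzips a binary fetched with `wget` into `/usr/local/bin` without verifying it, and the following step runs that binary with the decoded signing keychain and `AC_PASSWORD` within reach. Pin the expected digest and check it before unzipping, for example `echo "<EXPECTED_SHA256>  gon_0.2.2_macos.zip" | shasum -a 256 -c -` right after the `wget` line. The same integrity concern applies to `actions/create-release@master`, `svenstaro/upload-release-action@v1-release` and `docker://plugins/s3` in the `create-release` job: these are mutable refs that receive `GITHUB_TOKEN` or the AWS keys, so pin them to a commit SHA or an image digest. In the notarize step, `${{ secrets.KEYCHAIN_PASSWORD }}` is expanded into the script text itself; passing it through `env:` and using `"$KEYCHAIN_PASSWORD"` keeps the shell from interpreting the value.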
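Review bot: Setting `disable: true` drops goreleaser's `prerelease: auto` detection, and the replacement `Create Github Release` step in release.yaml hard-codes `prerelease: false`. The tag filter `'[0-9].[0-9].[0-9]*'` appears to also match tags carrying a suffix, so a release-candidate tag would be published as a full release unless the flag is derived from the tag name. A comment above the new line would also help the next reader, e.g. `# GitHub release is created by the create-release job in .github/workflows/release.yaml`. The `release:` block's surroundings lie outside this hunk.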
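Review bot: No `zip` or `dmg` block is declared next to `sign`, and as far as I know gon only submits a package for notarization when one of those outputs is configured, so the `notarize-macos` job may be signing without notarizing; this is worth confirming from a job log. The absent `apple_id` block is presumably covered by the `AC_USERNAME` and `AC_PASSWORD` variables the workflow exports. A header comment would make that dependency explicit, e.g. `# Used by the notarize-macos job in release.yaml; Apple credentials come from AC_USERNAME / AC_PASSWORD`.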