Bump github.com/arduino/go-paths-helper from 1.12.0 to 1.12.1 (#962) #347
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Release | |
on: | |
push: | |
tags: | |
- "[0-9]+.[0-9]+.[0-9]+*" | |
permissions: | |
contents: write | |
id-token: write # This is required for requesting the JWT | |
env: | |
# As defined by the Taskfile's PROJECT_NAME variable | |
PROJECT_NAME: arduino-cloud-agent | |
TARGET: "/CreateAgent/Stable/" | |
VERSION_TARGET: "arduino-create-static/agent-metadata/" | |
AWS_REGION: "us-east-1" # or https://github.com/aws/aws-cli/issues/5623 | |
KEYCHAIN: "sign.keychain" | |
KEYCHAIN_PASSWORD: keychainpassword # Arbitrary password for a keychain that exists only for the duration of the job, so not secret | |
GON_CONFIG_PATH: gon.config.hcl | |
INSTALLER_CERT_MAC_PATH: "/tmp/ArduinoCerts2020.p12" | |
AC_USERNAME: ${{ secrets.AC_USERNAME }} # used by gon | |
AC_PASSWORD: ${{ secrets.AC_PASSWORD }} # used by gon | |
AC_PROVIDER: ${{ secrets.AC_PROVIDER }} # used by gon | |
# See: https://github.com/actions/setup-go/tree/v3#readme | |
GO_VERSION: "1.21" | |
jobs: | |
# The build job is responsible for: configuring the environment, testing and compiling process | |
build: | |
outputs: | |
prerelease: ${{ steps.prerelease.outputs.IS_PRE }} | |
strategy: | |
matrix: | |
os: [ubuntu-20.04, windows-2019, macos-12] | |
arch: [amd64] | |
include: | |
- os: windows-2019 | |
arch: 386 | |
ext: ".exe" | |
- os: windows-2019 | |
ext: ".exe" | |
defaults: | |
run: | |
shell: bash | |
# by default disable CGO, it's not needed (except on macos) | |
env: | |
CGO_ENABLED: 0 | |
runs-on: ${{ matrix.os }} | |
environment: production | |
steps: | |
- name: Set env vars | |
run: | | |
echo "TAG_VERSION=${GITHUB_REF##*/}" >> $GITHUB_ENV | |
echo $(go env GOPATH)/bin >> $GITHUB_PATH | |
- name: Identify Prerelease | |
# This is a workaround while waiting for create-release action to implement auto pre-release based on tag | |
id: prerelease | |
run: | | |
curl -L -s https://github.com/fsaintjacques/semver-tool/archive/3.1.0.zip -o /tmp/3.1.0.zip | |
unzip -p /tmp/3.1.0.zip semver-tool-3.1.0/src/semver >/tmp/semver && chmod +x /tmp/semver | |
if [[ $(/tmp/semver get prerel ${GITHUB_REF/refs\/tags\//}) ]]; then echo "IS_PRE=true" >> $GITHUB_OUTPUT; fi | |
- name: Disable EOL conversions | |
run: git config --global core.autocrlf false | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Install Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
- name: Install Go deps | |
run: go install github.com/sanbornm/go-selfupdate/...@latest | |
- name: Install Taskfile | |
uses: arduino/setup-task@v2 | |
with: | |
version: "3.x" | |
repo-token: ${{ secrets.GITHUB_TOKEN }} | |
- name: Build the Agent for linux | |
run: task go:build | |
if: matrix.os == 'ubuntu-20.04' | |
# the manifest is required by windows GUI apps, otherwise the binary will crash with: "Unable to create main window: TTM_ADDTOOL failed" (for reference https://github.com/lxn/walk/issues/28) | |
# rsrc will produce a *.syso file that should get automatically recognized by go build command and linked into an executable. | |
- name: Download tool to embed manifest in win binary | |
run: go install github.com/akavel/rsrc@latest | |
if: matrix.os == 'windows-2019' | |
# building the agent for win requires a different task because of an extra flag | |
- name: Build the Agent for win32 | |
env: | |
GOARCH: 386 # 32bit architecture (for support) | |
run: task go:build-win | |
if: matrix.os == 'windows-2019' && matrix.arch == '386' | |
- name: Build the Agent for win64 | |
run: task go:build-win # GOARCH=amd64 by default on the runners | |
if: matrix.os == 'windows-2019' && matrix.arch == 'amd64' | |
- name: Build the Agent for macos amd64 | |
env: | |
CGO_ENABLED: 1 | |
MACOSX_DEPLOYMENT_TARGET: 10.15 # minimum supported version for mac | |
CGO_CFLAGS: -mmacosx-version-min=10.15 | |
CGO_LDFLAGS: -mmacosx-version-min=10.15 | |
run: | | |
task go:build | |
mv ${{ env.PROJECT_NAME }} ${{ env.PROJECT_NAME }}_amd64 | |
if: matrix.os == 'macos-12' | |
- name: Build the Agent for macos arm64 | |
env: | |
CGO_ENABLED: 1 | |
MACOSX_DEPLOYMENT_TARGET: 10.15 # minimum supported version for mac | |
CGO_CFLAGS: -mmacosx-version-min=10.15 | |
CGO_LDFLAGS: -mmacosx-version-min=10.15 | |
GOARCH: arm64 | |
run: | | |
task go:build | |
mv ${{ env.PROJECT_NAME }} ${{ env.PROJECT_NAME }}_arm64 | |
if: matrix.os == 'macos-12' | |
- name: Create universal macos executable | |
run: | | |
lipo -create -output ${{ env.PROJECT_NAME }} ${{ env.PROJECT_NAME }}_amd64 ${{ env.PROJECT_NAME }}_arm64 | |
rm ${{ env.PROJECT_NAME }}_amd64 ${{ env.PROJECT_NAME }}_arm64 | |
if: matrix.os == 'macos-12' | |
# this will create `public/` dir with compressed full bin (<version>/<os>-<arch>.gz) and a json file | |
- name: Create autoupdate files | |
run: go-selfupdate ${{ env.PROJECT_NAME }}${{ matrix.ext }} ${TAG_VERSION} | |
if: matrix.arch != '386' && steps.prerelease.outputs.IS_PRE != 'true' | |
- name: Copy autoupdate file for darwin-arm64 (m1 arch) | |
working-directory: public/ | |
run: | | |
cp darwin-amd64.json darwin-arm64.json | |
cp ${TAG_VERSION}/darwin-amd64.gz ${TAG_VERSION}/darwin-arm64.gz | |
if: matrix.os == 'macos-12' && steps.prerelease.outputs.IS_PRE != 'true' | |
- name: Create autoupdate files for win32 | |
run: go-selfupdate -platform windows-${{ matrix.arch }} ${{ env.PROJECT_NAME }}${{ matrix.ext }} ${TAG_VERSION} | |
if: matrix.arch == '386' && matrix.os == 'windows-2019' && steps.prerelease.outputs.IS_PRE != 'true' | |
- name: configure aws credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }} | |
role-session-name: "github_${{ env.PROJECT_NAME }}" | |
aws-region: ${{ env.AWS_REGION }} | |
if: steps.prerelease.outputs.IS_PRE != 'true' | |
- name: Upload autoupdate files to Arduino downloads servers | |
run: | | |
aws s3 sync public/ s3://${{ secrets.DOWNLOADS_BUCKET }}${{ env.TARGET }} | |
if: steps.prerelease.outputs.IS_PRE != 'true' | |
- name: Upload artifacts | |
uses: actions/upload-artifact@v4 | |
with: | |
name: ${{ env.PROJECT_NAME }}-${{ matrix.os }}-${{ matrix.arch }} | |
path: | | |
${{ env.PROJECT_NAME }}* | |
if-no-files-found: error | |
create-macos-bundle: | |
needs: build | |
# for now they are exaclty the same | |
strategy: | |
matrix: | |
arch: [amd64, arm64] | |
runs-on: macos-12 | |
env: | |
EXE_PATH: "skel/ArduinoCloudAgent.app/Contents/MacOS/" | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
repository: "bcmi-labs/arduino-create-agent-installer" # the repo which contains the bundle structure and icons | |
token: ${{ secrets.ARDUINO_CREATE_AGENT_CI_PAT }} | |
- name: Download artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: ${{ env.PROJECT_NAME }}-macos-12-amd64 # if we want to support darwin-arm64 in the future for real this has to change. | |
path: ${{ env.EXE_PATH }} | |
- name: Remove placeholder file | |
run: rm -rf ${{ env.EXE_PATH }}.empty | |
# zip artifacts do not mantain executable permission | |
- name: Make executable | |
run: chmod -v +x ${{ env.EXE_PATH }}${{ env.PROJECT_NAME }} | |
- name: Rename executable to Arduino_Cloud_Agent | |
run: mv -v ${{ env.EXE_PATH }}${{ env.PROJECT_NAME }} ${{ env.EXE_PATH }}Arduino_Cloud_Agent | |
- name: get year | |
run: echo "YEAR=$(date "+%Y")" >> $GITHUB_ENV | |
- name: Generate Info.plist for MacOS | |
run: | | |
cat > skel/ArduinoCloudAgent.app/Contents/Info.plist <<EOF | |
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>CFBundlePackageType</key><string>APPL</string><key>CFBundleInfoDictionaryVersion</key><string>6.0</string> | |
<key>CFBundleIconFile</key> <string>AppIcon.icns</string> | |
<key>CFBundleName</key> <string>Arduino Cloud Agent</string> | |
<key>CFBundleExecutable</key> <string>Arduino_Cloud_Agent</string> | |
<key>CFBundleIdentifier</key> <string>create.arduino.cc</string> | |
<key>CFBundleVersion</key> <string>${GITHUB_REF##*/}</string> | |
<key>NSHumanReadableCopyright</key> <string>© Copyright ${{ env.YEAR }} Arduino LLC</string> | |
<key>CFBundleShortVersionString</key> <string>${GITHUB_REF##*/}</string> | |
<key>LSUIElement</key> <true/> | |
<!-- Needed for Apache Callback --> | |
<key>NSPrincipalClass</key><string>NSApplication</string> | |
<key>NSMainNibFile</key><string>MainMenu</string> | |
</dict></plist> | |
EOF | |
- name: Tar bundle to keep permissions | |
run: tar -cvf ArduinoCloudAgent.app_${{ matrix.arch }}.tar -C skel/ . | |
- name: Upload artifacts | |
uses: actions/upload-artifact@v4 | |
with: | |
if-no-files-found: error | |
name: ArduinoCloudAgent.app_${{ matrix.arch }} | |
path: ArduinoCloudAgent.app_${{ matrix.arch }}.tar | |
# The notarize-macos job will download the macos bundle from the previous job, sign, notarize and re-upload it, uploading it also on s3 download servers for the autoupdate. | |
notarize-macos: | |
name: Notarize bundle | |
# for now they are exaclty the same | |
strategy: | |
matrix: | |
arch: [amd64, arm64] | |
runs-on: macos-12 | |
env: | |
GON_PATH: ${{ github.workspace }}/gon | |
needs: [build, create-macos-bundle] | |
environment: production | |
steps: | |
- name: Download artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: ArduinoCloudAgent.app_${{ matrix.arch }} | |
- name: un-Tar bundle | |
run: tar -xvf ArduinoCloudAgent.app_${{ matrix.arch }}.tar | |
- name: Import Code-Signing Certificates | |
run: | | |
echo "${{ secrets.INSTALLER_CERT_MAC_P12 }}" | base64 --decode > "${{ env.INSTALLER_CERT_MAC_PATH }}" | |
security create-keychain -p "${{ env.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}" | |
security default-keychain -s "${{ env.KEYCHAIN }}" | |
security unlock-keychain -p "${{ env.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}" | |
security import \ | |
"${{ env.INSTALLER_CERT_MAC_PATH }}" \ | |
-k "${{ env.KEYCHAIN }}" \ | |
-f pkcs12 \ | |
-A \ | |
-T "/usr/bin/codesign" \ | |
-P "${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}" | |
security set-key-partition-list \ | |
-S apple-tool:,apple: \ | |
-s \ | |
-k "${{ env.KEYCHAIN_PASSWORD }}" \ | |
"${{ env.KEYCHAIN }}" | |
- name: Install gon for code signing | |
uses: actions/checkout@v4 | |
with: | |
repository: darkvertex/gon #this fork has support for --deep notarization | |
path: ${{ env.GON_PATH }} | |
ref: deep_sign_support | |
- name: Build gon | |
working-directory: ${{ env.GON_PATH }}/cmd/gon/ | |
run: | | |
ls -lah | |
go build | |
mv gon /usr/local/bin | |
- name: Write gon config to file | |
# gon does not allow env variables in config file (https://github.com/mitchellh/gon/issues/20) | |
run: | | |
cat > "${{ env.GON_CONFIG_PATH }}" <<EOF | |
# See: https://github.com/mitchellh/gon#configuration-file | |
source = ["ArduinoCloudAgent.app"] | |
bundle_id = "cc.arduino.${{ env.PROJECT_NAME }}" | |
sign { | |
application_identity = "Developer ID Application: ARDUINO SA (7KT7ZWMCJT)" | |
deep = true | |
} | |
EOF | |
- name: Sign app bundle | |
run: gon -log-level=debug -log-json "${{ env.GON_CONFIG_PATH }}" | |
# the zip name must not change because it would interfere with the autoupdate process on macos | |
- name: Zip output app bundle | |
run: ditto -c -k ArduinoCloudAgent.app/ ArduinoCreateAgent.app_${{ matrix.arch }}_notarized.zip | |
- name: Remove gon used for code signing | |
run: | | |
rm /usr/local/bin/gon | |
rm ${{ env.GON_CONFIG_PATH }} | |
- name: Install gon for app notarization | |
run: | | |
wget -q https://github.com/Bearer/gon/releases/download/v0.0.27/gon_macos.zip | |
unzip gon_macos.zip -d /usr/local/bin | |
- name: Write gon config to file | |
run: | | |
cat > "${{ env.GON_CONFIG_PATH }}" <<EOF | |
# See: https://github.com/Bearer/gon#configuration-file | |
notarize { | |
path = "ArduinoCreateAgent.app_${{ matrix.arch }}_notarized.zip" | |
bundle_id = "cc.arduino.${{ env.PROJECT_NAME }}" | |
} | |
EOF | |
- name: Notarize app bundle | |
run: | | |
gon -log-level=debug -log-json "${{ env.GON_CONFIG_PATH }}" | |
- name: configure aws credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }} | |
role-session-name: "github_${{ env.PROJECT_NAME }}" | |
aws-region: ${{ env.AWS_REGION }} | |
if: ${{ needs.build.outputs.prerelease != 'true' }} | |
- name: Upload autoupdate bundle to Arduino downloads servers | |
run: aws s3 cp ArduinoCreateAgent.app_${{ matrix.arch }}_notarized.zip s3://${{ secrets.DOWNLOADS_BUCKET }}${{ env.TARGET }}${GITHUB_REF/refs\/tags\//}/ # the version should be created in th the build job | |
if: ${{ needs.build.outputs.prerelease != 'true' }} | |
- name: Generate json file used for the new autoupdate | |
run: | | |
cat > darwin-${{ matrix.arch }}-bundle.json <<EOF | |
{ | |
"Version": "${GITHUB_REF/refs\/tags\//}", | |
"Sha256": "$(shasum -a 256 ArduinoCreateAgent.app_${{ matrix.arch }}_notarized.zip | awk '{print $1}' | xxd -r -p | base64)" | |
} | |
EOF | |
if: ${{ needs.build.outputs.prerelease != 'true' }} | |
- name: Upload autoupdate files to Arduino downloads servers | |
run: | | |
aws s3 cp darwin-${{ matrix.arch }}-bundle.json s3://${{ secrets.DOWNLOADS_BUCKET }}${{ env.TARGET }} | |
if: ${{ needs.build.outputs.prerelease != 'true' }} | |
- name: Upload artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: ArduinoCloudAgent.app_${{ matrix.arch }}_notarized | |
path: ArduinoCreateAgent.app_${{ matrix.arch }}_notarized.zip | |
if-no-files-found: error | |
# This job is responsible for generating the installers (using installbuilder) | |
package: | |
needs: build | |
runs-on: ubuntu-20.04 | |
env: | |
# vars used by installbuilder | |
INSTALLBUILDER_PATH: "/opt/installbuilder-23.11.0/bin/builder" | |
INSTALLER_VARS: "project.outputDirectory=$PWD project.version=${GITHUB_REF##*/} workspace=$PWD realname=Arduino_Cloud_Agent" | |
strategy: | |
fail-fast: false # if one os is failing continue nonetheless | |
matrix: # used to generate installers for different OS and not for runs-on | |
os: [ubuntu-20.04, windows-2019] | |
arch: [amd64] | |
include: | |
- os: ubuntu-20.04 | |
platform-name: linux | |
installbuilder-name: linux-x64 | |
installer-extension: .run | |
- os: windows-2019 | |
arch: 386 | |
platform-name: windows | |
installbuilder-name: windows | |
extension: .exe | |
installer-extension: .exe | |
- os: windows-2019 | |
platform-name: windows | |
installbuilder-name: windows | |
extension: .exe | |
installer-extension: .exe | |
container: | |
image: floydpink/ubuntu-install-builder:23.11.0 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
repository: "bcmi-labs/arduino-create-agent-installer" # the repo which contains install.xml | |
token: ${{ secrets.ARDUINO_CREATE_AGENT_CI_PAT }} | |
- name: Download artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: ${{ env.PROJECT_NAME }}-${{ matrix.os }}-${{ matrix.arch }} | |
path: artifacts/${{ matrix.platform-name }}/ # path expected by installbuilder | |
# zip artifacts do not mantain executable permission | |
- name: Make executable | |
run: chmod -v +x artifacts/${{ matrix.platform-name }}/${{ env.PROJECT_NAME }}* | |
if: matrix.os == 'ubuntu-20.04' | |
- name: Rename executable to Arduino_Cloud_Agent | |
run: mv -v artifacts/${{ matrix.platform-name }}/${{ env.PROJECT_NAME }}${{ matrix.extension }} artifacts/${{ matrix.platform-name }}/Arduino_Cloud_Agent${{ matrix.extension }} | |
- name: Save InstallBuilder license to file | |
run: echo "${{ secrets.INSTALLER_LICENSE }}" > /tmp/license.xml | |
- name: Launch Bitrock installbuilder | |
run: ${{ env.INSTALLBUILDER_PATH }} build installer.xml ${{ matrix.installbuilder-name }} --verbose --license /tmp/license.xml --setvars ${{ env.INSTALLER_VARS }} architecture=${{ matrix.arch }} | |
- name: Generate archive | |
run: tar -czvf ArduinoCloudAgent-${GITHUB_REF##*/}-${{ matrix.platform-name }}-${{ matrix.arch }}-installer.tar.gz ArduinoCloudAgent-${GITHUB_REF##*/}-${{ matrix.platform-name }}-${{ matrix.arch }}-installer${{matrix.installer-extension}} | |
if: matrix.os == 'ubuntu-20.04' | |
- name: Upload artifacts | |
uses: actions/upload-artifact@v4 | |
with: | |
name: ArduinoCloudAgent-${{ matrix.platform-name }}-${{ matrix.arch }} | |
path: ArduinoCloudAgent* | |
if-no-files-found: error | |
# This job will sign the Windows installer | |
sign-windows: | |
runs-on: [self-hosted, windows-sign-pc] | |
needs: package | |
defaults: | |
run: | |
shell: bash | |
env: | |
INSTALLER_CERT_WINDOWS_CER: "/tmp/cert.cer" | |
# We are hardcoding the path for signtool because is not present on the windows PATH env var by default. | |
# Keep in mind that this path could change when upgrading to a new runner version | |
SIGNTOOL_PATH: "C:/Program Files (x86)/Windows Kits/10/bin/10.0.19041.0/x86/signtool.exe" | |
strategy: | |
matrix: | |
arch: [amd64, 386] | |
steps: | |
- name: Download artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: ArduinoCloudAgent-windows-${{ matrix.arch }} | |
- name: Save Win signing certificate to file | |
run: echo "${{ secrets.INSTALLER_CERT_WINDOWS_CER }}" | base64 --decode > ${{ env.INSTALLER_CERT_WINDOWS_CER}} | |
- name: Sign EXE | |
env: | |
CERT_PASSWORD: ${{ secrets.INSTALLER_CERT_WINDOWS_PASSWORD }} | |
CONTAINER_NAME: ${{ secrets.INSTALLER_CERT_WINDOWS_CONTAINER }} | |
# https://stackoverflow.com/questions/17927895/automate-extended-validation-ev-code-signing-with-safenet-etoken | |
run: | | |
"${{ env.SIGNTOOL_PATH }}" sign -d "Arduino Cloud Agent" -f ${{ env.INSTALLER_CERT_WINDOWS_CER}} -csp "eToken Base Cryptographic Provider" -k "[{{${{ env.CERT_PASSWORD }}}}]=${{ env.CONTAINER_NAME }}" -fd sha256 -tr http://timestamp.digicert.com -td SHA256 -v "ArduinoCloudAgent-${GITHUB_REF##*/}-windows-${{ matrix.arch }}-installer.exe" | |
- name: Upload artifacts | |
uses: actions/upload-artifact@v4 | |
with: | |
if-no-files-found: error | |
name: ArduinoCloudAgent-windows-${{ matrix.arch }}-signed | |
path: ArduinoCloudAgent-*-windows-${{ matrix.arch }}-installer.exe | |
# This step is needed because the self hosted runner does not delete files automatically | |
- name: Clean up EXE | |
run: rm ArduinoCloudAgent-*-windows-${{ matrix.arch }}-installer.exe | |
# This job will generate a dmg mac installer, sign/notarize it. | |
generate-sign-dmg: | |
needs: notarize-macos | |
strategy: | |
matrix: | |
arch: [amd64] | |
runs-on: macos-12 | |
steps: | |
- name: Checkout repo with icons/background | |
uses: actions/checkout@v4 | |
with: | |
repository: "bcmi-labs/arduino-create-agent-installer" # the repo which contains the icons/background | |
token: ${{ secrets.ARDUINO_CREATE_AGENT_CI_PAT }} | |
- name: Download artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: ArduinoCloudAgent.app_${{ matrix.arch }}_notarized | |
path: ArduinoCloudAgent.app | |
- name: unzip artifact | |
working-directory: ArduinoCloudAgent.app | |
run: | | |
unzip ArduinoCreateAgent.app_${{ matrix.arch }}_notarized.zip | |
rm ArduinoCreateAgent.app_${{ matrix.arch }}_notarized.zip | |
- name: Install create-dmg | |
run: brew install create-dmg | |
- name: Generate DMG | |
run: | | |
create-dmg \ | |
--volname "ArduinoCloudAgent" \ | |
--background "installer_icons/background.tiff" \ | |
--window-pos 200 120 \ | |
--window-size 500 320 \ | |
--icon-size 80 \ | |
--icon "ArduinoCloudAgent.app" 125 150 \ | |
--app-drop-link 375 150 \ | |
"ArduinoCloudAgent-${GITHUB_REF##*/}-osx-${{ matrix.arch }}-installer.dmg" \ | |
"ArduinoCloudAgent.app" | |
- name: Import Code-Signing Certificates | |
run: | | |
echo "${{ secrets.INSTALLER_CERT_MAC_P12 }}" | base64 --decode > "${{ env.INSTALLER_CERT_MAC_PATH }}" | |
security create-keychain -p "${{ env.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}" | |
security default-keychain -s "${{ env.KEYCHAIN }}" | |
security unlock-keychain -p "${{ env.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}" | |
security import \ | |
"${{ env.INSTALLER_CERT_MAC_PATH }}" \ | |
-k "${{ env.KEYCHAIN }}" \ | |
-f pkcs12 \ | |
-A \ | |
-T "/usr/bin/codesign" \ | |
-P "${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}" | |
security set-key-partition-list \ | |
-S apple-tool:,apple: \ | |
-s \ | |
-k "${{ env.KEYCHAIN_PASSWORD }}" \ | |
"${{ env.KEYCHAIN }}" | |
- name: Install gon for code signing and app notarization | |
run: | | |
wget -q https://github.com/Bearer/gon/releases/download/v0.0.36/gon_macos.zip | |
unzip gon_macos.zip -d /usr/local/bin | |
- name: Write gon config to file | |
# gon does not allow env variables in config file (https://github.com/mitchellh/gon/issues/20) | |
run: | | |
cat > gon.config_installer.hcl <<EOF | |
source = ["ArduinoCloudAgent-${GITHUB_REF##*/}-osx-${{ matrix.arch }}-installer.dmg"] | |
bundle_id = "cc.arduino.${{ env.PROJECT_NAME }}-installer" | |
sign { | |
application_identity = "Developer ID Application: ARDUINO SA (7KT7ZWMCJT)" | |
} | |
# Ask Gon for zip output to force notarization process to take place. | |
zip { | |
output_path = "ArduinoCloudAgent.app_${{ matrix.arch }}_notarized.zip" | |
} | |
EOF | |
- name: Code sign and notarize app | |
run: gon -log-level=debug -log-json gon.config_installer.hcl | |
# tar dmg file to keep executable permission | |
- name: Tar files to keep permissions | |
run: tar -cvf ArduinoCloudAgent-${GITHUB_REF##*/}-osx-${{ matrix.arch }}-installer.tar ArduinoCloudAgent-${GITHUB_REF##*/}-osx-${{ matrix.arch }}-installer.dmg | |
- name: Upload artifacts | |
uses: actions/upload-artifact@v4 | |
with: | |
name: ArduinoCloudAgent-osx-${{ matrix.arch }} | |
path: ArduinoCloudAgent*.tar | |
if-no-files-found: error | |
create-release: | |
runs-on: ubuntu-20.04 | |
environment: production | |
needs: [build, generate-sign-dmg, sign-windows] | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 # fetch all history for the create changelog step to work properly | |
- name: Download artifact | |
uses: actions/download-artifact@v4 # download all the artifacts | |
# mandatory step because upload-release-action does not support multiple folders | |
- name: prepare artifacts for the release | |
run: | | |
mkdir release | |
chmod -v +x ArduinoCloudAgent-linux-amd64/*.run | |
mv -v ArduinoCloudAgent-linux-amd64/* release/ | |
cat ArduinoCloudAgent-osx-amd64/*.tar | tar -xvf - -i -C release/ | |
rm -v release/._ArduinoCloudAgent*.dmg | |
mv -v ArduinoCloudAgent-windows*-signed/* release/ | |
- name: VirusTotal Scan | |
id: virustotal_step | |
uses: crazy-max/ghaction-virustotal@v4 | |
with: | |
vt_api_key: ${{ secrets.VIRUSTOTAL_API_KEY }} | |
update_release_body: false # `true` won't work because trigger type is not release | |
files: | | |
release/*.exe | |
${{ env.PROJECT_NAME }}-windows-2019-386/${{ env.PROJECT_NAME }}.exe | |
${{ env.PROJECT_NAME }}-windows-2019-amd64/${{ env.PROJECT_NAME }}.exe | |
- name: Create changelog | |
uses: arduino/create-changelog@v1 | |
with: | |
tag-regex: '^[0-9]+\.[0-9]+\.[0-9]+.*$' | |
filter-regex: '^\[(skip|changelog)[ ,-](skip|changelog)\].*' | |
case-insensitive-regex: true | |
changelog-file-path: "CHANGELOG.md" | |
- name: Organize release body message #use sed to clean and format the output markdown style | |
id: release_body | |
run: | | |
echo "RBODY<<EOF" >> $GITHUB_OUTPUT | |
echo "$(cat CHANGELOG.md)" >> $GITHUB_OUTPUT | |
echo "<details close>" >> $GITHUB_OUTPUT | |
echo "<summary>VirusTotal analysis 🛡</summary>" >> $GITHUB_OUTPUT | |
echo "" >> $GITHUB_OUTPUT | |
echo "$(echo ${{ steps.virustotal_step.outputs.analysis}} | sed 's/release\///g' | sed 's/,/\n/g' | sed 's/^/- [/' | sed 's/=/](/' | sed 's/$/)/')" >> $GITHUB_OUTPUT | |
echo "</details>" >> $GITHUB_OUTPUT | |
echo "EOF" >> $GITHUB_OUTPUT | |
- name: Create Github Release and upload artifacts | |
uses: ncipollo/release-action@v1 | |
with: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
body: ${{ steps.release_body.outputs.RBODY}} | |
draft: false | |
prerelease: ${{ needs.build.outputs.prerelease }} | |
# NOTE: "Artifact is a directory" warnings are expected and don't indicate a problem | |
# (all the files we need are in the DIST_DIR root) | |
artifacts: release/* | |
- name: configure aws credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }} | |
role-session-name: "github_${{ env.PROJECT_NAME }}" | |
aws-region: ${{ env.AWS_REGION }} | |
if: ${{ needs.build.outputs.prerelease != 'true' }} | |
- name: Upload release files on Arduino downloads servers | |
run: aws s3 sync release/ s3://${{ secrets.DOWNLOADS_BUCKET }}${{ env.TARGET }} | |
if: ${{ needs.build.outputs.prerelease != 'true' }} | |
- name: Update version file (used by frontend to trigger autoupdate and create filename) | |
run: | | |
echo {\"Version\": \"${GITHUB_REF##*/}\"} > /tmp/agent-version.json | |
# TODO remove this when we will have a new frontend | |
aws s3 cp /tmp/agent-version.json s3://${{ env.VERSION_TARGET }} | |
aws s3 cp /tmp/agent-version.json s3://${{ secrets.DOWNLOADS_BUCKET }}/agent-metadata/ | |
if: ${{ needs.build.outputs.prerelease != 'true' }} |