From 6590f5676c92a37aa6369e7db37818e2d15babf0 Mon Sep 17 00:00:00 2001 From: per1234 Date: Thu, 12 Aug 2021 08:28:33 -0700 Subject: [PATCH] [skip changelog] Sync "Release" workflow with template We have assembled a collection of reusable GitHub Actions workflows: https://github.com/arduino/tooling-project-assets These workflows will be used in the repositories of all Arduino tooling projects. Some minor improvements and standardizations have been made in the upstream "template" workflow, and those are introduced to this repository via this pull request. Notable: - Replace changelog file read, deprecated `actions/create-release`, and asset upload steps with the comprehensive `ncipollo/release-action` action --- .../{release.yaml => release-go-task.yml} | 117 +++++++++--------- 1 file changed, 58 insertions(+), 59 deletions(-) rename .github/workflows/{release.yaml => release-go-task.yml} (53%) diff --git a/.github/workflows/release.yaml b/.github/workflows/release-go-task.yml similarity index 53% rename from .github/workflows/release.yaml rename to .github/workflows/release-go-task.yml index ab125b614a4..1cb3f6438be 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release-go-task.yml @@ -1,4 +1,14 @@ -name: release +# Source: https://github.com/arduino/tooling-project-assets/blob/main/workflow-templates/release-go-task.md +name: Release + +env: + # As defined by the Taskfile's PROJECT_NAME variable + PROJECT_NAME: arduino-cli + # As defined by the Taskfile's DIST_DIR variable + DIST_DIR: dist + # The project's folder on Arduino's download server for uploading builds + AWS_PLUGIN_TARGET: /arduino-cli/ + ARTIFACT_NAME: dist on: push: @@ -10,8 +20,8 @@ jobs: runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v1 + - name: Checkout repository + uses: actions/checkout@v2 with: fetch-depth: 0 
@@ -21,9 +31,9 @@ jobs: tag-regex: '^[0-9]+\.[0-9]+\.[0-9]+.*$' filter-regex: '^\[(skip|changelog)[ ,-](skip|changelog)\].*' case-insensitive-regex: true - changelog-file-path: "dist/CHANGELOG.md" + changelog-file-path: "${{ env.DIST_DIR }}/CHANGELOG.md" - - name: Install Taskfile + - name: Install Task uses: arduino/setup-task@v1 with: repo-token: ${{ secrets.GITHUB_TOKEN }} 
@@ -35,35 +45,46 @@ jobs: - name: Upload artifacts uses: actions/upload-artifact@v2 with: - name: dist - path: dist + if-no-files-found: error + name: ${{ env.ARTIFACT_NAME }} + path: ${{ env.DIST_DIR }} notarize-macos: runs-on: macos-latest needs: create-release-artifacts steps: - - name: Checkout + - name: Checkout repository uses: actions/checkout@v2 - name: Download artifacts uses: actions/download-artifact@v2 with: - name: dist - # to ensure compatibility with v1 - path: dist + name: ${{ env.ARTIFACT_NAME }} + path: ${{ env.DIST_DIR }} - name: Import Code-Signing Certificates env: KEYCHAIN: "sign.keychain" INSTALLER_CERT_MAC_PATH: "/tmp/ArduinoCerts2020.p12" + KEYCHAIN_PASSWORD: keychainpassword # Arbitrary password for a keychain that exists only for the duration of the job, so not secret run: | echo "${{ secrets.INSTALLER_CERT_MAC_P12 }}" | base64 --decode > "${{ env.INSTALLER_CERT_MAC_PATH }}" - security create-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}" + security create-keychain -p "${{ env.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}" security default-keychain -s "${{ env.KEYCHAIN }}" - security unlock-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}" - security import "${{ env.INSTALLER_CERT_MAC_PATH }}" -k "${{ env.KEYCHAIN }}" -f pkcs12 -A -T /usr/bin/codesign -P "${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}" - security set-key-partition-list -S apple-tool:,apple: -s -k "${{ secrets.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}" + security unlock-keychain -p "${{ env.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}" + security import \ + "${{ env.INSTALLER_CERT_MAC_PATH }}" \ + -k "${{ env.KEYCHAIN }}" \ + -f pkcs12 \ + -A \ + -T "/usr/bin/codesign" \ + -P "${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}" + security set-key-partition-list \ + -S apple-tool:,apple: \ + -s \ + -k "${{ env.KEYCHAIN_PASSWORD }}" \ + "${{ env.KEYCHAIN }}" - name: Install gon for code signing and app notarization run: | 
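Review bot: The reformatted `security import` still passes `-A`, which lets any application use the imported signing key without a prompt and makes the `-T "/usr/bin/codesign"` allow-list redundant. Dropping `-A` should leave codesign access intact together with the `set-key-partition-list` call, though that needs a test run of the notarize job. In the same step the certificate password is spliced into the script text via `-P "${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}"`, so a quote or `$` in the secret would change the command; mapping it in the step's `env:` and using `-P "$INSTALLER_CERT_MAC_PASSWORD"` avoids that. The literal `KEYCHAIN_PASSWORD` is harmless only while this job runs on a throwaway GitHub-hosted `macos-latest` runner, which the inline comment could state. Removal of the decoded `.p12` under `/tmp` is not visible in this hunk.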
@@ -82,46 +103,33 @@ jobs: # 1. Repackage the signed binary replaced in place by Gon (ignoring the output zip file) # 2. Recalculate package checksum and replace it in the nnnnnn-checksums.txt file run: | - # GitHub's upload/download-artifact@v1 actions don't preserve file permissions, - # so we need to add execution permission back until @v2 actions are released. - chmod +x dist/arduino-cli_osx_darwin_amd64/arduino-cli + # GitHub's upload/download-artifact@v2 actions don't preserve file permissions, + # so we need to add execution permission back until the action is made to do this. + chmod +x ${{ env.DIST_DIR }}/${{ env.PROJECT_NAME }}_osx_darwin_amd64/${{ env.PROJECT_NAME }} TAG="${GITHUB_REF/refs\/tags\//}" - tar -czvf "dist/arduino-cli_${TAG}_macOS_64bit.tar.gz" \ - -C dist/arduino-cli_osx_darwin_amd64/ arduino-cli \ + tar -czvf "${{ env.DIST_DIR }}/${{ env.PROJECT_NAME }}_${TAG}_macOS_64bit.tar.gz" \ + -C ${{ env.DIST_DIR }}/${{ env.PROJECT_NAME }}_osx_darwin_amd64/ ${{ env.PROJECT_NAME }} \ -C ../../ LICENSE.txt - CLI_CHECKSUM="$(shasum -a 256 "dist/arduino-cli_${TAG}_macOS_64bit.tar.gz" | cut -d " " -f 1)" - perl -pi -w -e "s/.*arduino-cli_${TAG}_macOS_64bit.tar.gz/${CLI_CHECKSUM} arduino-cli_${TAG}_macOS_64bit.tar.gz/g;" dist/*-checksums.txt + CHECKSUM="$(shasum -a 256 ${{ env.DIST_DIR }}/${{ env.PROJECT_NAME }}_${TAG}_macOS_64bit.tar.gz | cut -d " " -f 1)" + perl -pi -w -e "s/.*${{ env.PROJECT_NAME }}_${TAG}_macOS_64bit.tar.gz/${CHECKSUM} ${{ env.PROJECT_NAME }}_${TAG}_macOS_64bit.tar.gz/g;" ${{ env.DIST_DIR }}/*-checksums.txt - name: Upload artifacts uses: actions/upload-artifact@v2 with: - name: dist - path: dist + if-no-files-found: error + name: ${{ env.ARTIFACT_NAME }} + path: ${{ env.DIST_DIR }} create-release: runs-on: ubuntu-latest needs: notarize-macos steps: - - name: Checkout - uses: actions/checkout@v2 - - name: Download artifact uses: actions/download-artifact@v2 with: - name: dist - # to ensure compatibility with v1 - path: dist - - - name: 
Read CHANGELOG - id: changelog - run: | - body="$(cat dist/CHANGELOG.md)" - body="${body//'%'/'%25'}" - body="${body//$'\n'/'%0A'}" - body="${body//$'\r'/'%0D'}" - echo "$body" - echo "::set-output name=BODY::$body" + name: ${{ env.ARTIFACT_NAME }} + path: ${{ env.DIST_DIR }} - name: Identify Prerelease # This is a workaround while waiting for create-release action @@ -132,32 +140,23 @@ jobs: unzip -p /tmp/3.0.0.zip semver-tool-3.0.0/src/semver >/tmp/semver && chmod +x /tmp/semver if [[ "$(/tmp/semver get prerel "${GITHUB_REF/refs\/tags\//}")" ]]; then echo "::set-output name=IS_PRE::true"; fi - - name: Create Github Release - id: create_release - uses: actions/create-release@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Create Github Release and upload artifacts + uses: ncipollo/release-action@v1 with: - tag_name: ${{ github.ref }} - release_name: ${{ github.ref }} - body: ${{ steps.changelog.outputs.BODY }} + token: ${{ secrets.GITHUB_TOKEN }} + bodyFile: ${{ env.DIST_DIR }}/CHANGELOG.md draft: false prerelease: ${{ steps.prerelease.outputs.IS_PRE }} - - - name: Upload release files on Github - uses: svenstaro/upload-release-action@v2 - with: - repo_token: ${{ secrets.GITHUB_TOKEN }} - file: dist/* - tag: ${{ github.ref }} - file_glob: true + # NOTE: "Artifact is a directory" warnings are expected and don't indicate a problem + # (all the files we need are in the DIST_DIR root) + artifacts: ${{ env.DIST_DIR }}/* - name: Upload release files on Arduino downloads servers uses: docker://plugins/s3 env: - PLUGIN_SOURCE: "dist/*" - PLUGIN_TARGET: "/arduino-cli/" - PLUGIN_STRIP_PREFIX: "dist/" + PLUGIN_SOURCE: "${{ env.DIST_DIR }}/*" + PLUGIN_TARGET: ${{ env.AWS_PLUGIN_TARGET }} + PLUGIN_STRIP_PREFIX: "${{ env.DIST_DIR }}/" PLUGIN_BUCKET: ${{ secrets.DOWNLOADS_BUCKET }} AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
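Review bot: The rewritten `shasum -a 256 ${{ env.DIST_DIR }}/...` line drops the double quotes the old line had around the archive path, and the new `chmod` and `tar -C` paths are likewise unquoted expression expansions. Workflow-level `env` values are exported to the step, so `"${DIST_DIR}/${PROJECT_NAME}_${TAG}_macOS_64bit.tar.gz"` gives the same path with ordinary shell quoting. Separately, `perl -pi` exits successfully even when no line in `*-checksums.txt` matches, so a naming drift would publish the pre-notarization checksum next to the repackaged archive. A following `grep -q "^${CHECKSUM} " "${DIST_DIR}"/*-checksums.txt` would fail the job in that case. The step containing this `run:` block starts above the hunk.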
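Review bot: `ncipollo/release-action@v1` is a third-party action referenced by a movable tag, and it receives `secrets.GITHUB_TOKEN` in the job that publishes release binaries, so a retagged `v1` would run with whatever access that token has. Pinning it as `uses: ncipollo/release-action@<full-commit-sha> # v1` (placeholder; take the SHA from the upstream repository) fixes the code that runs. The same applies to `actions/checkout@v2` and the `upload-artifact@v2`/`download-artifact@v2` steps in the earlier hunks, and the unchanged `docker://plugins/s3` step, which is handed the AWS keys, carries no tag or digest at all. No `permissions:` key appears in any hunk of this patch; if the file has none, granting `contents: write` only on `create-release` and setting a read-only default at workflow level would limit what the token can do.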