From 3b68fc601a120e924600130eaacb487ee68825b3 Mon Sep 17 00:00:00 2001 From: per1234 Date: Thu, 12 Aug 2021 07:34:52 -0700 Subject: [PATCH 1/2] [skip changelog] Remove obsolete link footnotes from readme These have been replaced by more maintainable direct links. --- README.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/README.md b/README.md index c946de77875..30e67461101 100644 --- a/README.md +++ b/README.md @@ -45,10 +45,7 @@ policy] and report the bug to our Security Team 🛡️ Thank you! e-mail contact: security@arduino.cc -[tests-badge]: https://github.com/Arduino/arduino-cli/workflows/test/badge.svg [nightly-badge]: https://github.com/Arduino/arduino-cli/workflows/nightly/badge.svg -[docs-badge]: https://github.com/Arduino/arduino-cli/workflows/publish-docs/badge.svg -[codecov-badge]: https://codecov.io/gh/arduino/arduino-cli/branch/master/graph/badge.svg [install]: https://arduino.github.io/arduino-cli/latest/installation [user documentation]: https://arduino.github.io/arduino-cli/latest/ [getting started]: https://arduino.github.io/arduino-cli/latest/getting-started/ From 58a929600bbaa7081d73bca9107f5c192c9cde09 Mon Sep 17 00:00:00 2001 
From: per1234 Date: Thu, 12 Aug 2021 07:37:32 -0700 Subject: [PATCH 2/2] [skip changelog] Sync "Publish Nightly Build" CI workflow with template We have assembled a collection of reusable GitHub Actions workflows: https://github.com/arduino/tooling-project-assets These workflows will be used in the repositories of all Arduino tooling projects. Some minor improvements and standardizations have been made in the upstream "template" workflow, and those are introduced to this repository via this pull request. Notable: - Improved failure reporting - Manual triggers to allow publishing on demand --- .github/workflows/nightly.yaml | 132 --------------- .github/workflows/publish-go-nightly-task.yml | 156 ++++++++++++++++++ README.md | 3 +- gon.config.hcl | 4 +- 4 files changed, 160 insertions(+), 135 deletions(-) delete mode 100644 .github/workflows/nightly.yaml create mode 100644 .github/workflows/publish-go-nightly-task.yml diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml deleted file mode 100644 index ce0daaf9f77..00000000000 --- a/.github/workflows/nightly.yaml +++ /dev/null 
@@ -1,132 +0,0 @@ -name: nightly - -on: - schedule: - # run every day at 1AM - - cron: "0 1 * * *" - -jobs: - create-nightly-artifacts: - # This workflow is only of value to the arduino/arduino-cli repository and - # would always fail in forks - if: github.repository == 'arduino/arduino-cli' - runs-on: ubuntu-latest - - steps: - - name: checkout - uses: actions/checkout@v1 - with: - fetch-depth: 0 - - - name: Install Taskfile - uses: arduino/setup-task@v1 - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - version: 3.x - - - name: Build - env: - NIGHTLY: true - run: task dist:all - - - name: Upload artifacts - uses: actions/upload-artifact@v2 - with: - name: dist - path: dist - - notarize-macos: - runs-on: macos-latest - needs: create-nightly-artifacts - - steps: - - name: Checkout - uses: actions/checkout@v2 - - - name: Download artifacts - uses: actions/download-artifact@v2 - with: - name: dist - # to ensure compatibility with v1 - path: dist - - - name: Import Code-Signing Certificates - env: - KEYCHAIN: "sign.keychain" - INSTALLER_CERT_MAC_PATH: "/tmp/ArduinoCerts2020.p12" - run: | - echo "${{ secrets.INSTALLER_CERT_MAC_P12 }}" | base64 --decode > "${{ env.INSTALLER_CERT_MAC_PATH }}" - security create-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}" - security default-keychain -s "${{ env.KEYCHAIN }}" - security unlock-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}" - security import "${{ env.INSTALLER_CERT_MAC_PATH }}" -k "${{ env.KEYCHAIN }}" -f pkcs12 -A -T /usr/bin/codesign -P "${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}" - security set-key-partition-list -S apple-tool:,apple: -s -k "${{ secrets.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}" - - - name: Install gon for code signing and app notarization - run: | - wget -q https://github.com/mitchellh/gon/releases/download/v0.2.3/gon_macos.zip - unzip gon_macos.zip -d /usr/local/bin - - - name: Sign and notarize binary - env: - AC_USERNAME: ${{ secrets.AC_USERNAME }} - 
AC_PASSWORD: ${{ secrets.AC_PASSWORD }} - run: | - gon gon.config.hcl - - - name: Re-package binary and update checksum - # This step performs the following: - # 1. Repackage the signed binary replaced in place by Gon (ignoring the output zip file) - # 2. Recalculate package checksum and replace it in the nnnnnn-checksums.txt file - run: | - # GitHub's upload/download-artifact@v1 actions don't preserve file permissions, - # so we need to add execution permission back until @v2 actions are released. - chmod +x dist/arduino-cli_osx_darwin_amd64/arduino-cli - PACKAGE_FILENAME="$(basename dist/arduino-cli_${{ github.workflow }}-*_macOS_64bit.tar.gz)" - tar -czvf "dist/$PACKAGE_FILENAME" \ - -C dist/arduino-cli_osx_darwin_amd64/ arduino-cli \ - -C ../../ LICENSE.txt - CLI_CHECKSUM="$(shasum -a 256 "dist/$PACKAGE_FILENAME" | cut -d " " -f 1)" - perl -pi -w -e "s/.*${PACKAGE_FILENAME}/${CLI_CHECKSUM} ${PACKAGE_FILENAME}/g;" dist/*-checksums.txt - - - name: Upload artifacts - uses: actions/upload-artifact@v2 - with: - name: dist - path: dist - - publish-nightly: - runs-on: ubuntu-latest - needs: notarize-macos - - steps: - - name: Download artifact - uses: actions/download-artifact@v2 - with: - name: dist - # to ensure compatibility with v1 - path: dist - - - name: upload - uses: docker://plugins/s3 - env: - PLUGIN_SOURCE: "dist/*" - PLUGIN_TARGET: "/arduino-cli/nightly" - PLUGIN_STRIP_PREFIX: "dist/" - PLUGIN_BUCKET: ${{ secrets.DOWNLOADS_BUCKET }} - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - - - name: Report failure - if: failure() - uses: masci/datadog@v1 - with: - api-key: ${{ secrets.DD_API_KEY }} - events: | - - title: "Arduino CLI nighly build failed" - text: "Nightly build worfklow has failed" - alert_type: "error" - host: ${{ github.repository }} - tags: - - "project:arduino-cli" - - "workflow:${{ github.workflow }}" 
diff --git a/.github/workflows/publish-go-nightly-task.yml b/.github/workflows/publish-go-nightly-task.yml new file mode 100644 index 00000000000..075654ceedd --- /dev/null +++ b/.github/workflows/publish-go-nightly-task.yml 
@@ -0,0 +1,156 @@ +# Source: https://github.com/arduino/tooling-project-assets/blob/main/workflow-templates/publish-go-nightly-task.md +name: Publish Nightly Build + +env: + # As defined by the Taskfile's PROJECT_NAME variable + PROJECT_NAME: arduino-cli + # As defined by the Taskfile's DIST_DIR variable + DIST_DIR: dist + # The project's folder on Arduino's download server for uploading builds + AWS_PLUGIN_TARGET: /arduino-cli/ + ARTIFACT_NAME: dist + +# See: https://docs.github.com/en/actions/reference/events-that-trigger-workflows +on: + schedule: + # run every day at 1AM + - cron: "0 1 * * *" + workflow_dispatch: + repository_dispatch: + +jobs: + create-nightly-artifacts: + runs-on: ubuntu-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v2 + + - name: Install Task + uses: arduino/setup-task@v1 + with: + repo-token: ${{ secrets.GITHUB_TOKEN }} + version: 3.x + + - name: Build + env: + NIGHTLY: true + run: task dist:all + + - name: Upload artifacts + uses: actions/upload-artifact@v2 + with: + if-no-files-found: error + name: ${{ env.ARTIFACT_NAME }} + path: ${{ env.DIST_DIR }} + + notarize-macos: + runs-on: macos-latest + needs: create-nightly-artifacts + + steps: + - name: Checkout repository + uses: actions/checkout@v2 + + - name: Download artifacts + uses: actions/download-artifact@v2 + with: + name: ${{ env.ARTIFACT_NAME }} + path: ${{ env.DIST_DIR }} + + - name: Import Code-Signing Certificates + env: + KEYCHAIN: "sign.keychain" + INSTALLER_CERT_MAC_PATH: "/tmp/ArduinoCerts2020.p12" + KEYCHAIN_PASSWORD: keychainpassword # Arbitrary password for a keychain that exists only for the duration of the job, so not secret + run: | + echo "${{ secrets.INSTALLER_CERT_MAC_P12 }}" | base64 --decode > "${{ env.INSTALLER_CERT_MAC_PATH }}" + security create-keychain -p "${{ env.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}" + security default-keychain -s "${{ env.KEYCHAIN }}" + security unlock-keychain -p "${{ env.KEYCHAIN_PASSWORD }}" "${{ 
env.KEYCHAIN }}" + security import \ + "${{ env.INSTALLER_CERT_MAC_PATH }}" \ + -k "${{ env.KEYCHAIN }}" \ + -f pkcs12 \ + -A \ + -T /usr/bin/codesign \ + -P "${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}" + security set-key-partition-list \ + -S apple-tool:,apple: \ + -s \ + -k "${{ env.KEYCHAIN_PASSWORD }}" \ + "${{ env.KEYCHAIN }}" + + - name: Install gon for code signing and app notarization + run: | + wget -q https://github.com/mitchellh/gon/releases/download/v0.2.3/gon_macos.zip + unzip gon_macos.zip -d /usr/local/bin + + - name: Sign and notarize binary + env: + AC_USERNAME: ${{ secrets.AC_USERNAME }} + AC_PASSWORD: ${{ secrets.AC_PASSWORD }} + run: | + gon gon.config.hcl + + - name: Re-package binary and update checksum + # This step performs the following: + # 1. Repackage the signed binary replaced in place by Gon (ignoring the output zip file) + # 2. Recalculate package checksum and replace it in the nnnnnn-checksums.txt file + run: | + # GitHub's upload/download-artifact@v2 actions don't preserve file permissions, + # so we need to add execution permission back until the action is made to do this. 
+ chmod +x "${{ env.DIST_DIR }}/${{ env.PROJECT_NAME }}_osx_darwin_amd64/${{ env.PROJECT_NAME }}" + PACKAGE_FILENAME="$(basename ${{ env.DIST_DIR }}/${{ env.PROJECT_NAME }}_nightly-*_macOS_64bit.tar.gz)" + tar -czvf "${{ env.DIST_DIR }}/$PACKAGE_FILENAME" \ + -C "${{ env.DIST_DIR }}/${{ env.PROJECT_NAME }}_osx_darwin_amd64/" "${{ env.PROJECT_NAME }}" \ + -C ../../ LICENSE.txt + CHECKSUM="$(shasum -a 256 ${{ env.DIST_DIR }}/$PACKAGE_FILENAME | cut -d " " -f 1)" + perl -pi -w -e "s/.*${PACKAGE_FILENAME}/${CHECKSUM} ${PACKAGE_FILENAME}/g;" ${{ env.DIST_DIR }}/*-checksums.txt + + - name: Upload artifacts + uses: actions/upload-artifact@v2 + with: + if-no-files-found: error + name: ${{ env.ARTIFACT_NAME }} + path: ${{ env.DIST_DIR }} + + publish-nightly: + runs-on: ubuntu-latest + needs: notarize-macos + + steps: + - name: Download artifact + uses: actions/download-artifact@v2 + with: + name: ${{ env.ARTIFACT_NAME }} + path: ${{ env.DIST_DIR }} + + - name: Upload release files on Arduino downloads servers + uses: docker://plugins/s3 + env: + PLUGIN_SOURCE: "${{ env.DIST_DIR }}/*" + PLUGIN_TARGET: "${{ env.AWS_PLUGIN_TARGET }}nightly" + PLUGIN_STRIP_PREFIX: "${{ env.DIST_DIR }}/" + PLUGIN_BUCKET: ${{ secrets.DOWNLOADS_BUCKET }} + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + + report: + runs-on: ubuntu-latest + needs: publish-nightly + if: failure() # Run if publish-nightly or any of its job dependencies failed + + steps: + - name: Report failure + uses: masci/datadog@v1 + with: + api-key: ${{ secrets.DD_API_KEY }} + events: | + - title: "${{ env.PROJECT_NAME }} nightly build failed" + text: "Nightly build workflow has failed" + alert_type: "error" + host: ${{ github.repository }} + tags: + - "project:${{ env.PROJECT_NAME }}" + - "workflow:${{ github.workflow }}" diff --git a/README.md b/README.md index 30e67461101..bbc15c73e5a 100644 --- a/README.md +++ b/README.md 
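Review bot: The `Install gon for code signing and app notarization` step fetches `gon_macos.zip` with `wget -q` and unzips it into `/usr/local/bin` with no integrity check, in the same `notarize-macos` job that has already imported the signing certificate and then hands `AC_USERNAME`/`AC_PASSWORD` to that binary. Adding a verification line straight after the download would close this, e.g. `echo "<EXPECTED_SHA256_PLACEHOLDER>  gon_macos.zip" | shasum -a 256 -c`, with the digest taken from a v0.2.3 archive that was checked by hand. The same concern applies to `uses: docker://plugins/s3` in `publish-nightly`, which receives `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` but names neither a tag nor a digest; pinning it to a digest (`docker://plugins/s3@sha256:<DIGEST_PLACEHOLDER>`) stops a changed image from being pulled silently. The only visible use of `secrets.GITHUB_TOKEN` is the Task installer, so a top-level `permissions:` block with `contents: read` looks sufficient and would narrow what any of these third-party steps can do with the token.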
@@ -7,7 +7,7 @@ and many other tools needed to use any Arduino compatible board and platform. [![Test Go status](https://github.com/arduino/arduino-cli/actions/workflows/test-go-task.yml/badge.svg)](https://github.com/arduino/arduino-cli/actions/workflows/test-go-task.yml) [![Test Integration status](https://github.com/arduino/arduino-cli/actions/workflows/test-go-integration-task.yml/badge.svg)](https://github.com/arduino/arduino-cli/actions/workflows/test-go-integration-task.yml) -[![nightly-badge]](https://github.com/Arduino/arduino-cli/actions?workflow=nightly) +[![Publish Nightly Build status](https://github.com/arduino/arduino-cli/actions/workflows/publish-go-nightly-task.yml/badge.svg)](https://github.com/arduino/arduino-cli/actions/workflows/publish-go-nightly-task.yml) [![Deploy Website status](https://github.com/arduino/arduino-cli/actions/workflows/deploy-cobra-mkdocs-versioned-poetry.yml/badge.svg)](https://github.com/arduino/arduino-cli/actions/workflows/deploy-cobra-mkdocs-versioned-poetry.yml) [![Codecov](https://codecov.io/gh/arduino/arduino-cli/branch/main/graph/badge.svg)](https://codecov.io/gh/arduino/arduino-cli) @@ -45,7 +45,6 @@ policy] and report the bug to our Security Team 🛡️ Thank you! e-mail contact: security@arduino.cc -[nightly-badge]: https://github.com/Arduino/arduino-cli/workflows/nightly/badge.svg [install]: https://arduino.github.io/arduino-cli/latest/installation [user documentation]: https://arduino.github.io/arduino-cli/latest/ [getting started]: https://arduino.github.io/arduino-cli/latest/getting-started/ diff --git a/gon.config.hcl b/gon.config.hcl index a73110a3d13..b2370ee5834 100644 --- a/gon.config.hcl +++ b/gon.config.hcl @@ -1,3 +1,5 @@ +# Source: https://github.com/arduino/tooling-project-assets/blob/main/workflow-templates/assets/general/gon.config.hcl +# See: https://github.com/mitchellh/gon#configuration-file source = ["dist/arduino-cli_osx_darwin_amd64/arduino-cli"] bundle_id = "cc.arduino.arduino-cli" 
@@ -8,5 +10,5 @@ sign { # Ask Gon for zip output to force notarization process to take place. # The CI will ignore the zip output, using the signed binary only. zip { - output_path = "arduino-cli.zip" + output_path = "unused.zip" }