github: Use IAM Roles to push files on AWS S3 #9

Workflow file for this run

.github/workflows/release-go-task.yml at ce84b48

	# Source: https://github.com/arduino/tooling-project-assets/blob/main/workflow-templates/release-go-task.md
	name: Release

	env:
	# As defined by the Taskfile's PROJECT_NAME variable
	PROJECT_NAME: bhy
	# As defined by the Taskfile's DIST_DIR variable
	DIST_DIR: tools/bhy-controller/src/dist
	# The project's folder on Arduino's download server for uploading builds
	AWS_PLUGIN_TARGET: /unisense/tools/bhy-controller/
	AWS_REGION: "us-east-1"
	ARTIFACT_NAME: dist

	on:
	push:
	tags:
	- "[0-9]+.[0-9]+.[0-9]+*"

	jobs:
	create-release-artifacts:
	runs-on: ubuntu-latest
	permissions:
	contents: read

	strategy:
	matrix:
	os:
	- Windows_32bit
	- Windows_64bit
	- Linux_32bit
	- Linux_64bit
	- macOS_64bit

	steps:
	- name: Checkout repository
	uses: actions/checkout@v4
	with:
	fetch-depth: 0

	- name: Create changelog
	# Avoid creating the same changelog for each os
	if: matrix.os == 'Windows_32bit'
	uses: arduino/create-changelog@v1
	with:
	tag-regex: '^[0-9]+\.[0-9]+\.[0-9]+.*$'
	filter-regex: '^\[(skip\|changelog)[ ,-](skip\|changelog)\].*'
	case-insensitive-regex: true
	changelog-file-path: "${{ env.DIST_DIR }}/CHANGELOG.md"

	- name: Install Task
	uses: arduino/setup-task@v2
	with:
	repo-token: ${{ secrets.GITHUB_TOKEN }}
	version: 3.x

	- name: Build
	run: task dist:${{ matrix.os }}

	- name: Upload artifacts
	uses: actions/upload-artifact@v4
	with:
	if-no-files-found: error
	name: ${{ env.ARTIFACT_NAME }}
	path: ${{ env.DIST_DIR }}

	notarize-macos:
	name: Notarize ${{ matrix.artifact.name }}
	runs-on: macos-latest
	needs: create-release-artifacts
	outputs:
	checksum-darwin_amd64: ${{ steps.re-package.outputs.checksum-darwin_amd64 }}
	permissions:
	contents: read

	env:
	GON_CONFIG_PATH: gon.config.hcl

	strategy:
	matrix:
	artifact:
	- name: darwin_amd64
	path: "macOS_64bit.tar.gz"

	steps:
	- name: Checkout repository
	uses: actions/checkout@v4

	- name: Download artifacts
	uses: actions/download-artifact@v4
	with:
	name: ${{ env.ARTIFACT_NAME }}
	path: ${{ env.DIST_DIR }}

	- name: Import Code-Signing Certificates
	env:
	KEYCHAIN: "sign.keychain"
	INSTALLER_CERT_MAC_PATH: "/tmp/ArduinoCerts2020.p12"
	# Arbitrary password for a keychain that exists only for the duration of the job, so not secret
	KEYCHAIN_PASSWORD: keychainpassword
	run: \|
	echo "${{ secrets.INSTALLER_CERT_MAC_P12 }}" \| base64 --decode > "${{ env.INSTALLER_CERT_MAC_PATH }}"
	security create-keychain -p "${{ env.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}"
	security default-keychain -s "${{ env.KEYCHAIN }}"
	security unlock-keychain -p "${{ env.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}"
	security import \
	"${{ env.INSTALLER_CERT_MAC_PATH }}" \
	-k "${{ env.KEYCHAIN }}" \
	-f pkcs12 \
	-A \
	-T "/usr/bin/codesign" \
	-P "${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}"
	security set-key-partition-list \
	-S apple-tool:,apple: \
	-s \
	-k "${{ env.KEYCHAIN_PASSWORD }}" \
	"${{ env.KEYCHAIN }}"

	- name: Install gon for code signing and app notarization
	run: \|
	wget -q https://github.com/Bearer/gon/releases/download/v0.0.27/gon_macos.zip
	unzip gon_macos.zip -d /usr/local/bin

	- name: Write gon config to file
	# gon does not allow env variables in config file (https://github.com/mitchellh/gon/issues/20)
	run: \|
	cat > "${{ env.GON_CONFIG_PATH }}" <<EOF
	# See: https://github.com/Bearer/gon#configuration-file
	source = ["${{ env.DIST_DIR }}/${{ env.PROJECT_NAME }}_osx_${{ matrix.artifact.name }}/${{ env.PROJECT_NAME }}"]
	bundle_id = "cc.arduino.${{ env.PROJECT_NAME }}"

	sign {
	application_identity = "Developer ID Application: ARDUINO SA (7KT7ZWMCJT)"
	}

	# Ask Gon for zip output to force notarization process to take place.
	# The CI will ignore the zip output, using the signed binary only.
	zip {
	output_path = "unused.zip"
	}
	EOF

	- name: Sign and notarize binary
	env:
	AC_USERNAME: ${{ secrets.AC_USERNAME }}
	AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
	AC_PROVIDER: ${{ secrets.AC_PROVIDER }}
	run: \|
	gon "${{ env.GON_CONFIG_PATH }}"

	- name: Re-package binary
	id: re-package
	working-directory: ${{ env.DIST_DIR }}
	# Repackage the signed binary replaced in place by Gon (ignoring the output zip file)
	run: \|
	# GitHub's upload/download-artifact actions don't preserve file permissions,
	# so we need to add execution permission back until the action is made to do this.
	chmod +x "${{ env.PROJECT_NAME }}_osx_${{ matrix.artifact.name }}/${{ env.PROJECT_NAME }}"
	TAG="${GITHUB_REF/refs\/tags\//}"
	PACKAGE_FILENAME="${{ env.PROJECT_NAME }}_${TAG}_${{ matrix.artifact.path }}"
	tar -czvf "$PACKAGE_FILENAME" \
	-C "${{ env.PROJECT_NAME }}_osx_${{ matrix.artifact.name }}/" "${{ env.PROJECT_NAME }}" \
	-C ../../ LICENSE.txt
	echo "PACKAGE_FILENAME=$PACKAGE_FILENAME" >> $GITHUB_ENV

	- name: Upload artifact
	uses: actions/upload-artifact@v4
	with:
	if-no-files-found: error
	name: ${{ env.ARTIFACT_NAME }}
	path: ${{ env.DIST_DIR }}

	create-release:
	runs-on: ubuntu-latest
	environment: production
	needs: notarize-macos
	permissions:
	contents: write
	id-token: write # This is required for requesting the JWT

	steps:
	- name: Download artifact
	uses: actions/download-artifact@v4
	with:
	name: ${{ env.ARTIFACT_NAME }}
	path: ${{ env.DIST_DIR }}

	- name: Create checksum file
	working-directory: ${{ env.DIST_DIR}}
	run: \|
	TAG="${GITHUB_REF/refs\/tags\//}"
	sha256sum ${{ env.PROJECT_NAME }}_${TAG}* > ${TAG}-checksums.txt

	- name: Identify Prerelease
	# This is a workaround while waiting for create-release action
	# to implement auto pre-release based on tag
	id: prerelease
	run: \|
	wget -q -P /tmp https://github.com/fsaintjacques/semver-tool/archive/3.2.0.zip
	unzip -p /tmp/3.2.0.zip semver-tool-3.2.0/src/semver >/tmp/semver && chmod +x /tmp/semver
	if [[ \
	"$(
	/tmp/semver get prerel \
	"${GITHUB_REF/refs\/tags\//}"
	)" != \
	"" \
	]]; then
	echo "IS_PRE=true" >> $GITHUB_OUTPUT
	fi

	- name: Create Github Release and upload artifacts
	uses: ncipollo/release-action@v1
	with:
	token: ${{ secrets.GITHUB_TOKEN }}
	bodyFile: ${{ env.DIST_DIR }}/CHANGELOG.md
	draft: false
	prerelease: ${{ steps.prerelease.outputs.IS_PRE }}
	# NOTE: "Artifact is a directory" warnings are expected and don't indicate a problem
	# (all the files we need are in the DIST_DIR root)
	artifacts: ${{ env.DIST_DIR }}/*

	- name: configure aws credentials
	uses: aws-actions/configure-aws-credentials@v4
	with:
	role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
	role-session-name: "github_${{ env.PROJECT_NAME }}"
	aws-region: ${{ env.AWS_REGION }}

	- name: Upload release files on Arduino downloads servers
	run: aws s3 sync ${{ env.DIST_DIR }} s3://${{ secrets.DOWNLOADS_BUCKET }}${{ env.AWS_PLUGIN_TARGET }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

github: Use IAM Roles to push files on AWS S3 #9

Workflow file

github: Use IAM Roles to push files on AWS S3 #9

Jobs

Run details

Workflow file for this run