NotificationsYou must be signed in to change notification settings
Fork436
Star4.7k

Commit1569a5f

Roberto Sora

authored

Integrate Apple notarization process into Github Actions release pipeline (#578)

* Migrate release creation responsibility from goreleaser to GH actions* replace s3 pointer with secret* Cosmetics on .goreleaser.yml* Cosmetics on .goreleaser.yml again* Cleanup and cosmetics

1 parentc1dcf01 commit1569a5fCopy full SHA for 1569a5f

File tree

4 files changed

+120

-16

lines changed

.github/workflows
- nightly.yaml
- release.yaml
.goreleaser.yml
gon.config.hcl

4 files changed

+120

-16

lines changed

`‎.github/workflows/nightly.yaml‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -30,6 +30,6 @@ jobs:`
`30`	`30`	`PLUGIN_SOURCE:'dist/*'`
`31`	`31`	`PLUGIN_TARGET:'/arduino-cli/nightly'`
`32`	`32`	`PLUGIN_STRIP_PREFIX:'dist/'`
`33`		`-PLUGIN_BUCKET:'arduino-downloads-prod-beagle'`
	`33`	`+PLUGIN_BUCKET:${{ secrets.DOWNLOADS_BUCKET }}`
`34`	`34`	`AWS_ACCESS_KEY_ID:${{ secrets.AWS_ACCESS_KEY_ID }}`
`35`	`35`	`AWS_SECRET_ACCESS_KEY:${{ secrets.AWS_SECRET_ACCESS_KEY }}`

`‎.github/workflows/release.yaml‎`

Lines changed: 112 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,8 @@ on:`
`6`	`6`	`-'[0-9].[0-9].[0-9]*'`
`7`	`7`
`8`	`8`	`jobs:`
`9`		`-publish-release:`
	`9`	`+`
	`10`	`+create-release-artifacts:`
`10`	`11`	`runs-on:ubuntu-latest`
`11`	`12`
`12`	`13`	`container:`
`@@ -16,13 +17,118 @@ jobs:`
`16`	`17`	`-$PWD/go:/go`
`17`	`18`
`18`	`19`	`steps:`
`19`		`- -name:checkout`
	`20`	`+ -name:Checkout`
`20`	`21`	`uses:actions/checkout@v1`
`21`	`22`
`22`		`- -name:build`
	`23`	`+ -name:Build`
	`24`	`+run:goreleaser`
	`25`	`+`
	`26`	`+ -name:Upload artifacts`
	`27`	`+uses:actions/upload-artifact@v1`
	`28`	`+with:`
	`29`	`+name:dist`
	`30`	`+path:dist`
	`31`	`+`
	`32`	`+notarize-macos:`
	`33`	`+runs-on:macos-latest`
	`34`	`+needs:create-release-artifacts`
	`35`	`+`
	`36`	`+steps:`
	`37`	`+ -name:Checkout`
	`38`	`+uses:actions/checkout@v1`
	`39`	`+`
	`40`	`+ -name:Download artifacts`
	`41`	`+uses:actions/download-artifact@v1`
	`42`	`+with:`
	`43`	`+name:dist`
	`44`	`+`
	`45`	`+ -name:Get the current release tag`
	`46`	`+id:get_tag`
	`47`	`+run:echo ::set-output name=VERSION::${GITHUB_REF/refs\/tags\//}`
	`48`	`+`
	`49`	`+ -name:Download Gon`
	`50`	`+run:\|`
	`51`	`+ wget -q https://github.com/mitchellh/gon/releases/download/v0.2.2/gon_0.2.2_macos.zip`
	`52`	`+ unzip gon_0.2.2_macos.zip -d /usr/local/bin`
	`53`	`+ rm -f gon_0.2.2_macos.zip`
	`54`	`+`
	`55`	`+ -name:Notarize binary, re-package it and update checksum`
`23`	`56`	`env:`
`24`		`-GITHUB_TOKEN:${{ secrets.GH_TOKEN }}`
	`57`	`+TAG:${{ steps.get_tag.outputs.VERSION }}`
	`58`	`+AC_USERNAME:${{ secrets.AC_USERNAME }}`
	`59`	`+AC_PASSWORD:${{ secrets.AC_PASSWORD }}`
	`60`	`+# This step performs the following:`
	`61`	`+# 1. Download keychain from GH secrets and decode it from base64`
	`62`	`+# 2. Add the keychain to the system keychains and unlock it`
	`63`	`+# 3. Call Gon to start notarization process (using AC_USERNAME and AC_PASSWORD)`
	`64`	`+# 4. Repackage the signed binary replaced in place by Gon`
	`65`	`+# 5. Recalculate package checksum and replace it in the goreleaser nnnnnn-checksums.txt file`
	`66`	`+run:\|`
	`67`	`+ echo "${{ secrets.KEYCHAIN }}" \| base64 --decode > ~/Library/Keychains/apple-developer.keychain-db`
	`68`	`+ security list-keychains -s ~/Library/Keychains/apple-developer.keychain-db`
	`69`	`+ security unlock-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" ~/Library/Keychains/apple-developer.keychain-db`
	`70`	`+ gon gon.config.hcl`
	`71`	`+ tar -czvf dist/arduino-cli_${TAG}_macOS_64bit.tar.gz \`
	`72`	`+ -C dist/arduino_cli_osx_darwin_amd64/ arduino-cli \`
	`73`	`+ -C ../../ LICENSE.txt`
	`74`	`+ CLI_CHECKSUM=$(shasum -a 256 dist/arduino-cli_${TAG}_macOS_64bit.tar.gz \| cut -d " " -f 1)`
	`75`	`+ perl -pi -w -e "s/.arduino-cli_${TAG}_macOS_64bit.tar.gz/${CLI_CHECKSUM} arduino-cli_${TAG}_macOS_64bit.tar.gz/g;" dist/-checksums.txt`
	`76`	`+`
	`77`	`+ -name:Upload artifacts`
	`78`	`+uses:actions/upload-artifact@v1`
	`79`	`+with:`
	`80`	`+name:dist`
	`81`	`+path:dist`
	`82`	`+`
	`83`	`+create-release:`
	`84`	`+runs-on:ubuntu-latest`
	`85`	`+needs:notarize-macos`
	`86`	`+`
	`87`	`+steps:`
	`88`	`+ -name:Checkout`
	`89`	`+uses:actions/checkout@v1`
	`90`	`+`
	`91`	`+ -name:Download artifact`
	`92`	`+uses:actions/download-artifact@v1`
	`93`	`+with:`
	`94`	`+name:dist`
	`95`	`+`
	`96`	`+ -name:Read CHANGELOG`
	`97`	`+id:changelog`
	`98`	`+run:\|`
	`99`	`+ body=$(cat dist/CHANGELOG.md)`
	`100`	`+ body="${body//'%'/'%25'}"`
	`101`	`+ body="${body//$'\n'/'%0A'}"`
	`102`	`+ body="${body//$'\r'/'%0D'}"`
	`103`	`+ echo $body`
	`104`	`+ echo "::set-output name=BODY::$body"`
	`105`	`+`
	`106`	`+ -name:Create Github Release`
	`107`	`+id:create_release`
	`108`	`+uses:actions/create-release@master`
	`109`	`+env:`
	`110`	`+GITHUB_TOKEN:${{ secrets.GITHUB_TOKEN }}`
	`111`	`+with:`
	`112`	`+tag_name:${{ github.ref }}`
	`113`	`+release_name:${{ github.ref }}`
	`114`	`+body:${{ steps.changelog.outputs.BODY }}`
	`115`	`+draft:false`
	`116`	`+prerelease:false`
	`117`	`+`
	`118`	`+ -name:Upload release files on Github`
	`119`	`+uses:svenstaro/upload-release-action@v1-release`
	`120`	`+with:`
	`121`	`+repo_token:${{ secrets.GITHUB_TOKEN }}`
	`122`	`+file:dist/*`
	`123`	`+tag:${{ github.ref }}`
	`124`	`+file_glob:true`
	`125`	`+`
	`126`	`+ -name:Upload release files on Arduino downloads servers`
	`127`	`+uses:docker://plugins/s3`
	`128`	`+env:`
	`129`	`+PLUGIN_SOURCE:'dist/*'`
	`130`	`+PLUGIN_TARGET:'/arduino-cli/'`
	`131`	`+PLUGIN_STRIP_PREFIX:'dist/'`
	`132`	`+PLUGIN_BUCKET:${{ secrets.DOWNLOADS_BUCKET }}`
`25`	`133`	`AWS_ACCESS_KEY_ID:${{ secrets.AWS_ACCESS_KEY_ID }}`
`26`	`134`	`AWS_SECRET_ACCESS_KEY:${{ secrets.AWS_SECRET_ACCESS_KEY }}`
`27`		`-AWS_DEFAULT_REGION:'us-east-1'`
`28`		`-run:goreleaser`

`‎.goreleaser.yml‎`

Lines changed: 1 addition & 9 deletions

Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@ snapshot:`
`6`	`6`	`name_template:'{{ .Env.PACKAGE_NAME_PREFIX }}-{{ time "20060102" }}'`
`7`	`7`
`8`	`8`	`release:`
`9`		`-prerelease:auto`
	`9`	`+disable:true`
`10`	`10`
`11`	`11`	`changelog:`
`12`	`12`	`filters:`
`@@ -112,11 +112,3 @@ archives:`
`112`	`112`	`windows:Windows`
`113`	`113`	`files:`
`114`	`114`	`-LICENSE.txt`
`115`		`-`
`116`		`-blob:`
`117`		`- -`
`118`		`-provider:s3`
`119`		`-bucket:arduino-downloads-prod-beagle`
`120`		`-ids:`
`121`		`- -arduino_cli`
`122`		`-folder:"{{ .ProjectName }}"`

`‎gon.config.hcl‎`

Lines changed: 6 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,6 @@`
	`1`	`+source=["dist/arduino_cli_osx_darwin_amd64/arduino-cli"]`
	`2`	`+bundle_id="cc.arduino.arduino-cli"`
	`3`	`+`
	`4`	`+sign {`
	`5`	`+application_identity="Developer ID Application: ARDUINO SA (7KT7ZWMCJT)"`
	`6`	`+}`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Commit1569a5f

File tree

4 files changed

4 files changed

`‎.github/workflows/nightly.yaml‎`

`‎.github/workflows/release.yaml‎`

`‎.goreleaser.yml‎`

`‎gon.config.hcl‎`

0 commit comments