What:

This PR Integrates the Notarization process in the Arduino CLI Relese pipeline.

Why:

As perApple announcement:

Beginning in macOS 10.14.5, software signed with a new Developer ID certificate and all new or updated kernel extensions must be notarized to run. Beginning in macOS 10.15, all software built after June 1, 2019, and distributed with Developer ID must be notarized.

How:

The PR moves the responsibility of GitHub release creation and Arduino servers upload, fromgoreleaser to GH Actions steps, and adds the notarization step leveragingGon (Thanks to@mitchellh and to@zmoog who discovered the tool 😄 )

Thenotarize-macos job must run on amacos-latest VM, in order to allowgon to orchestrate all the required notarization tools, this means that container steps cannot be used in the same job.
This is why the release pipeline is split in 3 jobs that share artifacts via theartifacts Github Actions feature.

A detailed explanation is required for theNotarize binary, re-package it and update checksum step, that configures the MacOskeychain with obscure osx commands and callsgon doing the following:

1. Download keychain from GH secrets and decode it from base64
2. Add the keychain to the system keychains and unlock it
3. Call Gon to start notarization process (using AC_USERNAME and AC_PASSWORD secrets)
4. Repackage the signed binary replaced in place by Gon (ignoring the output zip file)
5. Recalculate package checksum and replace it in the goreleasernnnnnn-checksums.txt file

Pros:

This way we do not lose:

1. the "build reproducibility", because we still usegoreleaser plusmultiarch/crossbuild container to produce the artifacts
2. the automatic changelog generation fromgoreleaser
3. the automatic checksum file generation fromgoreleaser

Cons:

• We add a bit of complexity to therelease workflow (that is acceptable in the end, having handy GitHub actions ready to use).
• We lost a portion of my mental health 😸