Skip to content

github: Use IAM Roles to push files on AWS S3 #106

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
wants to merge 3 commits into
base: main
Choose a base branch
from
Draft

github: Use IAM Roles to push files on AWS S3 #106

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
ad9a0f7
github: Use IAM Roles to push files on AWS S3
alessio-perugini Dec 12, 2024
cfef6a1
update workflow to match the workflow-template
alessio-perugini Dec 17, 2024
c481201
update DistTasks.yml to match workflow-template
alessio-perugini Dec 17, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
44 changes: 23 additions & 21 deletions .github/workflows/release-go-crosscompile-task.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ env:
ARTIFACT_PREFIX: dist-
# See: https://github.com/actions/setup-go/tree/main#supported-version-syntax
GO_VERSION: "1.17"
AWS_REGION: "us-east-1"

on:
push:
Expand Down Expand Up @@ -84,9 +85,8 @@ jobs:
name: Notarize ${{ matrix.build.artifact-suffix }}
runs-on: macos-latest
needs: create-release-artifacts
outputs:
checksum-darwin_amd64: ${{ steps.re-package.outputs.checksum-darwin_amd64 }}
checksum-darwin_arm64: ${{ steps.re-package.outputs.checksum-darwin_arm64 }}
permissions:
contents: read

env:
GON_CONFIG_PATH: gon.config.hcl
Expand Down Expand Up @@ -118,16 +118,12 @@ jobs:
name: ${{ env.ARTIFACT_PREFIX }}${{ matrix.build.artifact-suffix }}
path: ${{ env.DIST_DIR }}

- name: Remove non-notarized artifact
uses: geekyeggo/delete-artifact@v5
with:
name: ${{ env.ARTIFACT_PREFIX }}${{ matrix.build.artifact-suffix }}

- name: Import Code-Signing Certificates
env:
KEYCHAIN: "sign.keychain"
INSTALLER_CERT_MAC_PATH: "/tmp/ArduinoCerts2020.p12"
KEYCHAIN_PASSWORD: keychainpassword # Arbitrary password for a keychain that exists only for the duration of the job, so not secret
# Arbitrary password for a keychain that exists only for the duration of the job, so not secret
KEYCHAIN_PASSWORD: keychainpassword
run: |
echo "${{ secrets.INSTALLER_CERT_MAC_P12 }}" | base64 --decode > "${{ env.INSTALLER_CERT_MAC_PATH }}"
security create-keychain -p "${{ env.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}"
Expand Down Expand Up @@ -179,25 +175,31 @@ jobs:
gon "${{ env.GON_CONFIG_PATH }}"

- name: Re-package binary
id: re-package
working-directory: ${{ env.DIST_DIR }}
# Repackage the signed binary replaced in place by Gon (ignoring the output zip file)
run: |
# GitHub's upload/download-artifact actions don't preserve file permissions,
# so we need to add execution permission back until the action is made to do this.
chmod +x "${{ env.BUILD_FOLDER }}/${{ env.PROJECT_NAME }}"
tar -czvf "${{ env.PACKAGE_FILENAME }}" "${{ env.BUILD_FOLDER }}/"
tar -czvf "${{ env.PACKAGE_FILENAME }}" \
-C "${{ env.BUILD_FOLDER }}/" "${{ env.PROJECT_NAME }}" \
-C ../../ LICENSE.txt

- name: Upload notarized artifact
- name: Replace artifact with notarized build
uses: actions/upload-artifact@v4
with:
if-no-files-found: error
name: ${{ env.ARTIFACT_PREFIX }}${{ matrix.build.artifact-suffix }}
overwrite: true
path: ${{ env.DIST_DIR }}/${{ env.PACKAGE_FILENAME }}

create-release:
runs-on: ubuntu-latest
environment: production
needs: notarize-macos
permissions:
contents: write
id-token: write # This is required for requesting the JWT

steps:
- name: Download artifact
Expand All @@ -208,7 +210,7 @@ jobs:
pattern: ${{ env.ARTIFACT_PREFIX }}*

- name: Create checksum file
working-directory: ${{ env.DIST_DIR}}
working-directory: ${{ env.DIST_DIR }}
run: |
TAG="${GITHUB_REF/refs\/tags\//}"
sha256sum ${{ env.PROJECT_NAME }}_${TAG}* > ${TAG}-checksums.txt
Expand All @@ -233,12 +235,12 @@ jobs:
# (all the files we need are in the DIST_DIR root)
artifacts: ${{ env.DIST_DIR }}/*

- name: configure aws credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
role-session-name: "github_${{ env.PROJECT_NAME }}"
aws-region: ${{ env.AWS_REGION }}

- name: Upload release files on Arduino downloads servers
uses: docker://plugins/s3
env:
PLUGIN_SOURCE: "${{ env.DIST_DIR }}/*"
PLUGIN_TARGET: ${{ env.AWS_PLUGIN_TARGET }}
PLUGIN_STRIP_PREFIX: "${{ env.DIST_DIR }}/"
PLUGIN_BUCKET: ${{ secrets.DOWNLOADS_BUCKET }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
run: aws s3 sync ${{ env.DIST_DIR }} s3://${{ secrets.DOWNLOADS_BUCKET }}${{ env.AWS_PLUGIN_TARGET }}
27 changes: 9 additions & 18 deletions DistTasks.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# Source: https://github.com/arduino/tooling-project-assets/blob/main/workflow-templates/assets/release-go-crosscompile-task/DistTasks.yml

Check warning on line 1 in DistTasks.yml

View workflow job for this annotation

GitHub Actions / Generate problem matcher output 

1:121 [line-length] line too long (138 > 120 characters)

Check warning on line 1 in DistTasks.yml

View workflow job for this annotation

GitHub Actions / Generate problem matcher output 

1:121 [line-length] line too long (138 > 120 characters)
version: "3"

# This taskfile is ideally meant to be project agnostic and could be dropped in
Expand Down Expand Up @@ -28,8 +28,7 @@
- |
go build -o {{.DIST_DIR}}/{{.PLATFORM_DIR}}/{{.PROJECT_NAME}}.exe {{.LDFLAGS}}
cd {{.DIST_DIR}}
cp ../LICENSE.txt {{.PLATFORM_DIR}}/
zip {{.PACKAGE_NAME}} {{.PLATFORM_DIR}}/{{.PROJECT_NAME}}.exe {{.PLATFORM_DIR}}/LICENSE.txt
zip {{.PACKAGE_NAME}} {{.PLATFORM_DIR}}/{{.PROJECT_NAME}}.exe ../LICENSE.txt -j
vars:
PLATFORM_DIR: "{{.PROJECT_NAME}}_windows_386"
PACKAGE_PLATFORM: "Windows_32bit"
Expand All @@ -44,8 +43,7 @@
- |
go build -o {{.DIST_DIR}}/{{.PLATFORM_DIR}}/{{.PROJECT_NAME}}.exe {{.LDFLAGS}}
cd {{.DIST_DIR}}
cp ../LICENSE.txt {{.PLATFORM_DIR}}/
zip {{.PACKAGE_NAME}} {{.PLATFORM_DIR}}/{{.PROJECT_NAME}}.exe {{.PLATFORM_DIR}}/LICENSE.txt
zip {{.PACKAGE_NAME}} {{.PLATFORM_DIR}}/{{.PROJECT_NAME}}.exe ../LICENSE.txt -j
vars:
PLATFORM_DIR: "{{.PROJECT_NAME}}_windows_amd64"
PACKAGE_PLATFORM: "Windows_64bit"
Expand All @@ -61,8 +59,7 @@
- |
go build -o {{.DIST_DIR}}/{{.PLATFORM_DIR}}/{{.PROJECT_NAME}} {{.LDFLAGS}}
cd {{.DIST_DIR}}
cp ../LICENSE.txt {{.PLATFORM_DIR}}/
tar cz {{.PLATFORM_DIR}} -f {{.PACKAGE_NAME}}
tar cz -C {{.PLATFORM_DIR}} {{.PROJECT_NAME}} -C ../.. LICENSE.txt -f {{.PACKAGE_NAME}}
vars:
PLATFORM_DIR: "{{.PROJECT_NAME}}_linux_amd32"
PACKAGE_PLATFORM: "Linux_32bit"
Expand All @@ -77,8 +74,7 @@
- |
go build -o {{.DIST_DIR}}/{{.PLATFORM_DIR}}/{{.PROJECT_NAME}} {{.LDFLAGS}}
cd {{.DIST_DIR}}
cp ../LICENSE.txt {{.PLATFORM_DIR}}/
tar cz {{.PLATFORM_DIR}} -f {{.PACKAGE_NAME}}
tar cz -C {{.PLATFORM_DIR}} {{.PROJECT_NAME}} -C ../.. LICENSE.txt -f {{.PACKAGE_NAME}}
vars:
PLATFORM_DIR: "{{.PROJECT_NAME}}_linux_amd64"
PACKAGE_PLATFORM: "Linux_64bit"
Expand All @@ -94,8 +90,7 @@
- |
go build -o {{.DIST_DIR}}/{{.PLATFORM_DIR}}/{{.PROJECT_NAME}} {{.LDFLAGS}}
cd {{.DIST_DIR}}
cp ../LICENSE.txt {{.PLATFORM_DIR}}/
tar cz {{.PLATFORM_DIR}} -f {{.PACKAGE_NAME}}
tar cz -C {{.PLATFORM_DIR}} {{.PROJECT_NAME}} -C ../.. LICENSE.txt -f {{.PACKAGE_NAME}}
vars:
PLATFORM_DIR: "{{.PROJECT_NAME}}_linux_arm_7"
PACKAGE_PLATFORM: "Linux_ARMv7"
Expand All @@ -111,8 +106,7 @@
- |
go build -o {{.DIST_DIR}}/{{.PLATFORM_DIR}}/{{.PROJECT_NAME}} {{.LDFLAGS}}
cd {{.DIST_DIR}}
cp ../LICENSE.txt {{.PLATFORM_DIR}}/
tar cz {{.PLATFORM_DIR}} -f {{.PACKAGE_NAME}}
tar cz -C {{.PLATFORM_DIR}} {{.PROJECT_NAME}} -C ../.. LICENSE.txt -f {{.PACKAGE_NAME}}
vars:
PLATFORM_DIR: "{{.PROJECT_NAME}}_linux_arm_6"
PACKAGE_PLATFORM: "Linux_ARMv6"
Expand All @@ -127,8 +121,7 @@
- |
go build -o {{.DIST_DIR}}/{{.PLATFORM_DIR}}/{{.PROJECT_NAME}} {{.LDFLAGS}}
cd {{.DIST_DIR}}
cp ../LICENSE.txt {{.PLATFORM_DIR}}/
tar cz {{.PLATFORM_DIR}} -f {{.PACKAGE_NAME}}
tar cz -C {{.PLATFORM_DIR}} {{.PROJECT_NAME}} -C ../.. LICENSE.txt -f {{.PACKAGE_NAME}}
vars:
PLATFORM_DIR: "{{.PROJECT_NAME}}_linux_arm_64"
PACKAGE_PLATFORM: "Linux_ARM64"
Expand All @@ -143,8 +136,7 @@
- |
go build -o {{.DIST_DIR}}/{{.PLATFORM_DIR}}/{{.PROJECT_NAME}} {{.LDFLAGS}}
cd {{.DIST_DIR}}
cp ../LICENSE.txt {{.PLATFORM_DIR}}/
tar cz {{.PLATFORM_DIR}} -f {{.PACKAGE_NAME}}
tar cz -C {{.PLATFORM_DIR}} {{.PROJECT_NAME}} -C ../.. LICENSE.txt -f {{.PACKAGE_NAME}}
vars:
PLATFORM_DIR: "{{.PROJECT_NAME}}_osx_darwin_amd64"
PACKAGE_PLATFORM: "macOS_64bit"
Expand All @@ -159,8 +151,7 @@
- |
go build -o {{.DIST_DIR}}/{{.PLATFORM_DIR}}/{{.PROJECT_NAME}} {{.LDFLAGS}}
cd {{.DIST_DIR}}
cp ../LICENSE.txt {{.PLATFORM_DIR}}/
tar cz {{.PLATFORM_DIR}} -f {{.PACKAGE_NAME}}
tar cz -C {{.PLATFORM_DIR}} {{.PROJECT_NAME}} -C ../.. LICENSE.txt -f {{.PACKAGE_NAME}}
vars:
PLATFORM_DIR: "{{.PROJECT_NAME}}_osx_darwin_arm64"
PACKAGE_PLATFORM: "macOS_ARM64"
Expand Down
Loading