arduino · alessio-perugini · Dec 12, 2024 · Dec 17, 2024 · Dec 17, 2024
diff --git a/.github/workflows/release-go-crosscompile-task.yml b/.github/workflows/release-go-crosscompile-task.yml
@@ -11,6 +11,7 @@ env:
   ARTIFACT_PREFIX: dist-
   # See: https://github.com/actions/setup-go/tree/main#supported-version-syntax
   GO_VERSION: "1.17"
+  AWS_REGION: "us-east-1"
 
 on:
   push:
@@ -84,9 +85,8 @@ jobs:
     name: Notarize ${{ matrix.build.artifact-suffix }}
     runs-on: macos-latest
     needs: create-release-artifacts
-    outputs:
-      checksum-darwin_amd64: ${{ steps.re-package.outputs.checksum-darwin_amd64 }}
-      checksum-darwin_arm64: ${{ steps.re-package.outputs.checksum-darwin_arm64 }}
+    permissions:
+      contents: read
 
     env:
       GON_CONFIG_PATH: gon.config.hcl
@@ -118,16 +118,12 @@ jobs:
           name: ${{ env.ARTIFACT_PREFIX }}${{ matrix.build.artifact-suffix }}
           path: ${{ env.DIST_DIR }}
 
-      - name: Remove non-notarized artifact
-        uses: geekyeggo/delete-artifact@v5
-        with:
-          name: ${{ env.ARTIFACT_PREFIX }}${{ matrix.build.artifact-suffix }}
-
       - name: Import Code-Signing Certificates
         env:
           KEYCHAIN: "sign.keychain"
           INSTALLER_CERT_MAC_PATH: "/tmp/ArduinoCerts2020.p12"
-          KEYCHAIN_PASSWORD: keychainpassword # Arbitrary password for a keychain that exists only for the duration of the job, so not secret
+          # Arbitrary password for a keychain that exists only for the duration of the job, so not secret
+          KEYCHAIN_PASSWORD: keychainpassword
         run: |
           echo "${{ secrets.INSTALLER_CERT_MAC_P12 }}" | base64 --decode > "${{ env.INSTALLER_CERT_MAC_PATH }}"
           security create-keychain -p "${{ env.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}"
@@ -179,25 +175,31 @@ jobs:
           gon "${{ env.GON_CONFIG_PATH }}"
 
       - name: Re-package binary
-        id: re-package
         working-directory: ${{ env.DIST_DIR }}
         # Repackage the signed binary replaced in place by Gon (ignoring the output zip file)
         run: |
           # GitHub's upload/download-artifact actions don't preserve file permissions,
           # so we need to add execution permission back until the action is made to do this.
           chmod +x "${{ env.BUILD_FOLDER }}/${{ env.PROJECT_NAME }}"
-          tar -czvf "${{ env.PACKAGE_FILENAME }}" "${{ env.BUILD_FOLDER }}/"
+          tar -czvf "${{ env.PACKAGE_FILENAME }}" \
+          -C "${{ env.BUILD_FOLDER }}/" "${{ env.PROJECT_NAME }}" \
+          -C ../../ LICENSE.txt
 
-      - name: Upload notarized artifact
+      - name: Replace artifact with notarized build
         uses: actions/upload-artifact@v4
         with:
           if-no-files-found: error
           name: ${{ env.ARTIFACT_PREFIX }}${{ matrix.build.artifact-suffix }}
+          overwrite: true
           path: ${{ env.DIST_DIR }}/${{ env.PACKAGE_FILENAME }}
 
   create-release:
     runs-on: ubuntu-latest
+    environment: production
     needs: notarize-macos
+    permissions:
+      contents: write
+      id-token: write # This is required for requesting the JWT
 
     steps:
       - name: Download artifact
@@ -208,7 +210,7 @@ jobs:
           pattern: ${{ env.ARTIFACT_PREFIX }}*
 
       - name: Create checksum file
-        working-directory: ${{ env.DIST_DIR}}
+        working-directory: ${{ env.DIST_DIR }}
         run: |
           TAG="${GITHUB_REF/refs\/tags\//}"
           sha256sum ${{ env.PROJECT_NAME }}_${TAG}* > ${TAG}-checksums.txt
@@ -233,12 +235,12 @@ jobs:
           # (all the files we need are in the DIST_DIR root)
           artifacts: ${{ env.DIST_DIR }}/*
 
+      - name: configure aws credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
+          role-session-name: "github_${{ env.PROJECT_NAME }}"
+          aws-region: ${{ env.AWS_REGION }}
+
       - name: Upload release files on Arduino downloads servers
-        uses: docker://plugins/s3
-        env:
-          PLUGIN_SOURCE: "${{ env.DIST_DIR }}/*"
-          PLUGIN_TARGET: ${{ env.AWS_PLUGIN_TARGET }}
-          PLUGIN_STRIP_PREFIX: "${{ env.DIST_DIR }}/"
-          PLUGIN_BUCKET: ${{ secrets.DOWNLOADS_BUCKET }}
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        run: aws s3 sync ${{ env.DIST_DIR }} s3://${{ secrets.DOWNLOADS_BUCKET }}${{ env.AWS_PLUGIN_TARGET }}
diff --git a/DistTasks.yml b/DistTasks.yml
@@ -1,4 +1,4 @@
 # Source: https://github.com/arduino/tooling-project-assets/blob/main/workflow-templates/assets/release-go-crosscompile-task/DistTasks.yml
 version: "3"

 # This taskfile is ideally meant to be project agnostic and could be dropped in
@@ -28,8 +28,7 @@
       - |
         go build -o {{.DIST_DIR}}/{{.PLATFORM_DIR}}/{{.PROJECT_NAME}}.exe {{.LDFLAGS}}
         cd {{.DIST_DIR}}
-        cp ../LICENSE.txt {{.PLATFORM_DIR}}/
-        zip {{.PACKAGE_NAME}} {{.PLATFORM_DIR}}/{{.PROJECT_NAME}}.exe {{.PLATFORM_DIR}}/LICENSE.txt
+        zip {{.PACKAGE_NAME}} {{.PLATFORM_DIR}}/{{.PROJECT_NAME}}.exe ../LICENSE.txt -j
     vars:
       PLATFORM_DIR: "{{.PROJECT_NAME}}_windows_386"
       PACKAGE_PLATFORM: "Windows_32bit"
@@ -44,8 +43,7 @@
       - |
         go build -o {{.DIST_DIR}}/{{.PLATFORM_DIR}}/{{.PROJECT_NAME}}.exe {{.LDFLAGS}}
         cd {{.DIST_DIR}}
-        cp ../LICENSE.txt {{.PLATFORM_DIR}}/
-        zip {{.PACKAGE_NAME}} {{.PLATFORM_DIR}}/{{.PROJECT_NAME}}.exe {{.PLATFORM_DIR}}/LICENSE.txt
+        zip {{.PACKAGE_NAME}} {{.PLATFORM_DIR}}/{{.PROJECT_NAME}}.exe ../LICENSE.txt -j
     vars:
       PLATFORM_DIR: "{{.PROJECT_NAME}}_windows_amd64"
       PACKAGE_PLATFORM: "Windows_64bit"
@@ -61,8 +59,7 @@
       - |
         go build -o {{.DIST_DIR}}/{{.PLATFORM_DIR}}/{{.PROJECT_NAME}} {{.LDFLAGS}}
         cd {{.DIST_DIR}}
-        cp ../LICENSE.txt {{.PLATFORM_DIR}}/
-        tar cz {{.PLATFORM_DIR}} -f {{.PACKAGE_NAME}}
+        tar cz -C {{.PLATFORM_DIR}} {{.PROJECT_NAME}} -C ../.. LICENSE.txt  -f {{.PACKAGE_NAME}}
     vars:
       PLATFORM_DIR: "{{.PROJECT_NAME}}_linux_amd32"
       PACKAGE_PLATFORM: "Linux_32bit"
@@ -77,8 +74,7 @@
       - |
         go build -o {{.DIST_DIR}}/{{.PLATFORM_DIR}}/{{.PROJECT_NAME}} {{.LDFLAGS}}
         cd {{.DIST_DIR}}
-        cp ../LICENSE.txt {{.PLATFORM_DIR}}/
-        tar cz {{.PLATFORM_DIR}} -f {{.PACKAGE_NAME}}
+        tar cz -C {{.PLATFORM_DIR}} {{.PROJECT_NAME}} -C ../.. LICENSE.txt  -f {{.PACKAGE_NAME}}
     vars:
       PLATFORM_DIR: "{{.PROJECT_NAME}}_linux_amd64"
       PACKAGE_PLATFORM: "Linux_64bit"
@@ -94,8 +90,7 @@
       - |
         go build -o {{.DIST_DIR}}/{{.PLATFORM_DIR}}/{{.PROJECT_NAME}} {{.LDFLAGS}}
         cd {{.DIST_DIR}}
-        cp ../LICENSE.txt {{.PLATFORM_DIR}}/
-        tar cz {{.PLATFORM_DIR}} -f {{.PACKAGE_NAME}}
+        tar cz -C {{.PLATFORM_DIR}} {{.PROJECT_NAME}} -C ../.. LICENSE.txt  -f {{.PACKAGE_NAME}}
     vars:
       PLATFORM_DIR: "{{.PROJECT_NAME}}_linux_arm_7"
       PACKAGE_PLATFORM: "Linux_ARMv7"
@@ -111,8 +106,7 @@
       - |
         go build -o {{.DIST_DIR}}/{{.PLATFORM_DIR}}/{{.PROJECT_NAME}} {{.LDFLAGS}}
         cd {{.DIST_DIR}}
-        cp ../LICENSE.txt {{.PLATFORM_DIR}}/
-        tar cz {{.PLATFORM_DIR}} -f {{.PACKAGE_NAME}}
+        tar cz -C {{.PLATFORM_DIR}} {{.PROJECT_NAME}} -C ../.. LICENSE.txt  -f {{.PACKAGE_NAME}}
     vars:
       PLATFORM_DIR: "{{.PROJECT_NAME}}_linux_arm_6"
       PACKAGE_PLATFORM: "Linux_ARMv6"
@@ -127,8 +121,7 @@
       - |
         go build -o {{.DIST_DIR}}/{{.PLATFORM_DIR}}/{{.PROJECT_NAME}} {{.LDFLAGS}}
         cd {{.DIST_DIR}}
-        cp ../LICENSE.txt {{.PLATFORM_DIR}}/
-        tar cz {{.PLATFORM_DIR}} -f {{.PACKAGE_NAME}}
+        tar cz -C {{.PLATFORM_DIR}} {{.PROJECT_NAME}} -C ../.. LICENSE.txt  -f {{.PACKAGE_NAME}}
     vars:
       PLATFORM_DIR: "{{.PROJECT_NAME}}_linux_arm_64"
       PACKAGE_PLATFORM: "Linux_ARM64"
@@ -143,8 +136,7 @@
       - |
         go build -o {{.DIST_DIR}}/{{.PLATFORM_DIR}}/{{.PROJECT_NAME}} {{.LDFLAGS}}
         cd {{.DIST_DIR}}
-        cp ../LICENSE.txt {{.PLATFORM_DIR}}/
-        tar cz {{.PLATFORM_DIR}} -f {{.PACKAGE_NAME}}
+        tar cz -C {{.PLATFORM_DIR}} {{.PROJECT_NAME}} -C ../.. LICENSE.txt  -f {{.PACKAGE_NAME}}
     vars:
       PLATFORM_DIR: "{{.PROJECT_NAME}}_osx_darwin_amd64"
       PACKAGE_PLATFORM: "macOS_64bit"
@@ -159,8 +151,7 @@
       - |
         go build -o {{.DIST_DIR}}/{{.PLATFORM_DIR}}/{{.PROJECT_NAME}} {{.LDFLAGS}}
         cd {{.DIST_DIR}}
-        cp ../LICENSE.txt {{.PLATFORM_DIR}}/
-        tar cz {{.PLATFORM_DIR}} -f {{.PACKAGE_NAME}}
+        tar cz -C {{.PLATFORM_DIR}} {{.PROJECT_NAME}} -C ../.. LICENSE.txt  -f {{.PACKAGE_NAME}}
     vars:
       PLATFORM_DIR: "{{.PROJECT_NAME}}_osx_darwin_arm64"
       PACKAGE_PLATFORM: "macOS_ARM64"

diff --git a/.licensed.yml b/.licensed.yml
 sources:
  go: true

 # Source: https://github.com/arduino/tooling-project-assets/blob/main/workflow-templates/assets/check-dependencies/GPL-3.0/.licensed.yml
 allowed:
  # The following are based on: https://www.gnu.org/licenses/license-list.html#GPLCompatibleLicenses
  - gpl-1.0-or-later
diff --git a/Taskfile.yml b/Taskfile.yml
  dist: ./DistTasks.yml

 vars:
  # Source: https://github.com/arduino/tooling-project-assets/blob/main/workflow-templates/assets/release-go-task/Taskfile.yml
  PROJECT_NAME: "arduinoOTA"
  DIST_DIR: "dist"
  # build vars
    sh: echo "{{now | date "20060102"}}"
  TAG:
    sh: echo "$(git tag --points-at=HEAD 2> /dev/null | head -n1)"
  VERSION: "{{if .NIGHTLY}}nightly-{{.TIMESTAMP_SHORT}}{{else if .TAG}}{{.TAG}}{{else}}{{.PACKAGE_NAME_PREFIX}}git-snapshot{{end}}"
  CONFIGURATION_PACKAGE: "github.com/arduino/arduinoOTA/version"
  LDFLAGS: >-
    -ldflags
  DEFAULT_GO_MODULE_PATH: ./
  DEFAULT_GO_PACKAGES:
    sh: |
      echo $(cd {{default .DEFAULT_GO_MODULE_PATH .GO_MODULE_PATH}} && go list ./... | tr '\n' ' ' || echo '"ERROR: Unable to discover Go packages"')
  # Last version of ajv-cli with support for the JSON schema "Draft 4" specification
  SCHEMA_DRAFT_4_AJV_CLI_VERSION: 3.3.0

 tasks:
  # Source: https://github.com/arduino/tooling-project-assets/blob/main/workflow-templates/assets/check-workflows-task/Taskfile.yml
  ci:validate:
    desc: Validate GitHub Actions workflows against their JSON schema
    vars:
    # This is an "umbrella" task used to call any documentation generation processes the project has.
    # It can be left empty if there are none.

  # Source: https://github.com/arduino/tooling-project-assets/blob/main/workflow-templates/assets/check-general-formatting-task/Taskfile.yml
  general:check-formatting:
    desc: Check basic formatting style of all files
    cmds:
        fi
      - ec

  # Source: https://github.com/arduino/tooling-project-assets/blob/main/workflow-templates/assets/check-prettier-formatting-task/Taskfile.yml
  general:format-prettier:
    desc: Format all supported files with Prettier
    deps:
    cmds:
      - npx prettier --write .

  # Source: https://github.com/arduino/tooling-project-assets/blob/main/workflow-templates/assets/check-dependencies-task/Taskfile.yml
  general:cache-dep-licenses:
    desc: Cache dependency license metadata
    cmds:
        fi
      - licensed cache

  # Source: https://github.com/arduino/tooling-project-assets/blob/main/workflow-templates/assets/check-dependencies-task/Taskfile.yml
  general:check-dep-licenses:
    desc: Check for unapproved dependency licenses
    deps:
	sources:
	go: true

	# Source: https://github.com/arduino/tooling-project-assets/blob/main/workflow-templates/assets/check-dependencies/GPL-3.0/.licensed.yml
Check warning on line 5 in .licensed.yml GitHub Actions / Generate problem matcher output `5:121 [line-length] line too long (136 > 120 characters)` Check warning on line 5 in .licensed.yml GitHub Actions / Generate problem matcher output `5:121 [line-length] line too long (136 > 120 characters)`
	allowed:
	# The following are based on: https://www.gnu.org/licenses/license-list.html#GPLCompatibleLicenses
	- gpl-1.0-or-later
	dist: ./DistTasks.yml

	vars:
	# Source: https://github.com/arduino/tooling-project-assets/blob/main/workflow-templates/assets/release-go-task/Taskfile.yml
Check warning on line 8 in Taskfile.yml GitHub Actions / Generate problem matcher output `8:121 [line-length] line too long (126 > 120 characters)` Check warning on line 8 in Taskfile.yml GitHub Actions / Generate problem matcher output `8:121 [line-length] line too long (126 > 120 characters)`
	PROJECT_NAME: "arduinoOTA"
	DIST_DIR: "dist"
	# build vars
	sh: echo "{{now \| date "20060102"}}"
	TAG:
	sh: echo "$(git tag --points-at=HEAD 2> /dev/null \| head -n1)"
	VERSION: "{{if .NIGHTLY}}nightly-{{.TIMESTAMP_SHORT}}{{else if .TAG}}{{.TAG}}{{else}}{{.PACKAGE_NAME_PREFIX}}git-snapshot{{end}}"
Check warning on line 20 in Taskfile.yml GitHub Actions / Generate problem matcher output `20:121 [line-length] line too long (131 > 120 characters)` Check warning on line 20 in Taskfile.yml GitHub Actions / Generate problem matcher output `20:121 [line-length] line too long (131 > 120 characters)`
	CONFIGURATION_PACKAGE: "github.com/arduino/arduinoOTA/version"
	LDFLAGS: >-
	-ldflags
	DEFAULT_GO_MODULE_PATH: ./
	DEFAULT_GO_PACKAGES:
	sh: \|
	echo $(cd {{default .DEFAULT_GO_MODULE_PATH .GO_MODULE_PATH}} && go list ./... \| tr '\n' ' ' \|\| echo '"ERROR: Unable to discover Go packages"')
Check warning on line 33 in Taskfile.yml GitHub Actions / Generate problem matcher output `33:121 [line-length] line too long (149 > 120 characters)` Check warning on line 33 in Taskfile.yml GitHub Actions / Generate problem matcher output `33:121 [line-length] line too long (149 > 120 characters)`
	# Last version of ajv-cli with support for the JSON schema "Draft 4" specification
	SCHEMA_DRAFT_4_AJV_CLI_VERSION: 3.3.0

	tasks:
	# Source: https://github.com/arduino/tooling-project-assets/blob/main/workflow-templates/assets/check-workflows-task/Taskfile.yml
Check warning on line 38 in Taskfile.yml GitHub Actions / Generate problem matcher output `38:121 [line-length] line too long (131 > 120 characters)` Check warning on line 38 in Taskfile.yml GitHub Actions / Generate problem matcher output `38:121 [line-length] line too long (131 > 120 characters)`
	ci:validate:
	desc: Validate GitHub Actions workflows against their JSON schema
	vars:
	# This is an "umbrella" task used to call any documentation generation processes the project has.
	# It can be left empty if there are none.

	# Source: https://github.com/arduino/tooling-project-assets/blob/main/workflow-templates/assets/check-general-formatting-task/Taskfile.yml
Check warning on line 71 in Taskfile.yml GitHub Actions / Generate problem matcher output `71:121 [line-length] line too long (140 > 120 characters)` Check warning on line 71 in Taskfile.yml GitHub Actions / Generate problem matcher output `71:121 [line-length] line too long (140 > 120 characters)`
	general:check-formatting:
	desc: Check basic formatting style of all files
	cmds:
	fi
	- ec

	# Source: https://github.com/arduino/tooling-project-assets/blob/main/workflow-templates/assets/check-prettier-formatting-task/Taskfile.yml
Check warning on line 82 in Taskfile.yml GitHub Actions / Generate problem matcher output `82:121 [line-length] line too long (141 > 120 characters)` Check warning on line 82 in Taskfile.yml GitHub Actions / Generate problem matcher output `82:121 [line-length] line too long (141 > 120 characters)`
	general:format-prettier:
	desc: Format all supported files with Prettier
	deps:
	cmds:
	- npx prettier --write .

	# Source: https://github.com/arduino/tooling-project-assets/blob/main/workflow-templates/assets/check-dependencies-task/Taskfile.yml
Check warning on line 90 in Taskfile.yml GitHub Actions / Generate problem matcher output `90:121 [line-length] line too long (134 > 120 characters)` Check warning on line 90 in Taskfile.yml GitHub Actions / Generate problem matcher output `90:121 [line-length] line too long (134 > 120 characters)`
	general:cache-dep-licenses:
	desc: Cache dependency license metadata
	cmds:
	fi
	- licensed cache

	# Source: https://github.com/arduino/tooling-project-assets/blob/main/workflow-templates/assets/check-dependencies-task/Taskfile.yml
Check warning on line 106 in Taskfile.yml GitHub Actions / Generate problem matcher output `106:121 [line-length] line too long (134 > 120 characters)` Check warning on line 106 in Taskfile.yml GitHub Actions / Generate problem matcher output `106:121 [line-length] line too long (134 > 120 characters)`
	general:check-dep-licenses:
	desc: Check for unapproved dependency licenses
	deps: