github: Use IAM Roles to push files on AWS S3 #106

Draft: wants to merge 3 commits into base: main

Changes from all commits
44 changes: 23 additions & 21 deletions .github/workflows/release-go-crosscompile-task.yml
@@ -11,6 +11,7 @@ env:
ARTIFACT_PREFIX: dist-
# See: https://github.com/actions/setup-go/tree/main#supported-version-syntax
GO_VERSION: "1.17"
AWS_REGION: "us-east-1"

on:
push:
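Review bot: `AWS_REGION: "us-east-1"` is the only entry in this `env:` block without an explanatory comment (compare the `# See:` line above `GO_VERSION`); add one saying it is the region handed to `aws-actions/configure-aws-credentials` for the role assumption and used as the CLI default region, and state whether it has to match the downloads bucket's region, so the next maintainer does not have to work that out from the upload step.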
@@ -84,9 +85,8 @@ jobs:
name: Notarize ${{ matrix.build.artifact-suffix }}
runs-on: macos-latest
needs: create-release-artifacts
outputs:
checksum-darwin_amd64: ${{ steps.re-package.outputs.checksum-darwin_amd64 }}
checksum-darwin_arm64: ${{ steps.re-package.outputs.checksum-darwin_arm64 }}
permissions:
contents: read

env:
GON_CONFIG_PATH: gon.config.hcl
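Review bot: dropping the `checksum-darwin_amd64` / `checksum-darwin_arm64` job outputs is only safe if nothing downstream reads `needs.notarize-macos.outputs.*`; the `Create checksum file` step in `create-release` recomputes `sha256sum` over the downloaded packages, so it looks consumer-free, but grep the workflow for `outputs.checksum` before merging. The added `permissions: contents: read` is the right least-privilege scope for a job that only downloads and re-uploads run artifacts: same-run artifact transfers use the runner's runtime token rather than `GITHUB_TOKEN`, so no `actions:` scope is needed.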
@@ -118,16 +118,12 @@ jobs:
name: ${{ env.ARTIFACT_PREFIX }}${{ matrix.build.artifact-suffix }}
path: ${{ env.DIST_DIR }}

- name: Remove non-notarized artifact
uses: geekyeggo/delete-artifact@v5
with:
name: ${{ env.ARTIFACT_PREFIX }}${{ matrix.build.artifact-suffix }}

- name: Import Code-Signing Certificates
env:
KEYCHAIN: "sign.keychain"
INSTALLER_CERT_MAC_PATH: "/tmp/ArduinoCerts2020.p12"
KEYCHAIN_PASSWORD: keychainpassword # Arbitrary password for a keychain that exists only for the duration of the job, so not secret
# Arbitrary password for a keychain that exists only for the duration of the job, so not secret
KEYCHAIN_PASSWORD: keychainpassword
run: |
echo "${{ secrets.INSTALLER_CERT_MAC_P12 }}" | base64 --decode > "${{ env.INSTALLER_CERT_MAC_PATH }}"
security create-keychain -p "${{ env.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}"
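Review bot: removing the `Remove non-notarized artifact` step means the unsigned `dist-*` artifact stays in the run's artifact store until the later re-upload replaces it. Because `create-release` is gated on `needs: notarize-macos` that cannot reach a release, but a run that fails during notarization now leaves an unsigned macOS binary downloadable from the run page under the release artifact name; either add an `if: failure()` cleanup or say in a comment that this is accepted. Moving the `KEYCHAIN_PASSWORD` comment onto its own line is a readability win. While in this block: `echo "${{ secrets.INSTALLER_CERT_MAC_P12 }}" | base64 --decode` expands the secret into the script text; passing it through `env:` and reading `"$INSTALLER_CERT_MAC_P12"` in the shell avoids expression expansion inside `run:`.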
@@ -179,25 +175,31 @@ jobs:
gon "${{ env.GON_CONFIG_PATH }}"
- name: Re-package binary
id: re-package
working-directory: ${{ env.DIST_DIR }}
# Repackage the signed binary replaced in place by Gon (ignoring the output zip file)
run: |
# GitHub's upload/download-artifact actions don't preserve file permissions,
# so we need to add execution permission back until the action is made to do this.
chmod +x "${{ env.BUILD_FOLDER }}/${{ env.PROJECT_NAME }}"
tar -czvf "${{ env.PACKAGE_FILENAME }}" "${{ env.BUILD_FOLDER }}/"
tar -czvf "${{ env.PACKAGE_FILENAME }}" \
-C "${{ env.BUILD_FOLDER }}/" "${{ env.PROJECT_NAME }}" \
-C ../../ LICENSE.txt
- name: Upload notarized artifact
- name: Replace artifact with notarized build
uses: actions/upload-artifact@v4
with:
if-no-files-found: error
name: ${{ env.ARTIFACT_PREFIX }}${{ matrix.build.artifact-suffix }}
overwrite: true
path: ${{ env.DIST_DIR }}/${{ env.PACKAGE_FILENAME }}

create-release:
runs-on: ubuntu-latest
environment: production
needs: notarize-macos
permissions:
contents: write
id-token: write # This is required for requesting the JWT

steps:
- name: Download artifact
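Review bot: `tar -czvf ... -C "${{ env.BUILD_FOLDER }}/" "${{ env.PROJECT_NAME }}" -C ../../ LICENSE.txt` changes the archive layout: the binary and `LICENSE.txt` now sit at the archive root instead of under `${BUILD_FOLDER}/`, which is a user-visible change for anyone extracting the macOS tarball and belongs in the release notes (it matches the new `DistTasks.yml` layout, which is presumably the point). The second `-C` is resolved relative to the first, so `../../` only reaches the repo root if `BUILD_FOLDER` is a single directory directly under `DIST_DIR` and `DIST_DIR` is directly under the checkout; a one-line comment stating that assumption would help. `overwrite: true` is what makes dropping the `delete-artifact` step safe, and `id-token: write` is correctly scoped to `create-release` alone rather than to the whole workflow.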
@@ -208,7 +210,7 @@ jobs:
pattern: ${{ env.ARTIFACT_PREFIX }}*

- name: Create checksum file
working-directory: ${{ env.DIST_DIR}}
working-directory: ${{ env.DIST_DIR }}
run: |
TAG="${GITHUB_REF/refs\/tags\//}"
sha256sum ${{ env.PROJECT_NAME }}_${TAG}* > ${TAG}-checksums.txt
@@ -233,12 +235,12 @@ jobs:
# (all the files we need are in the DIST_DIR root)
artifacts: ${{ env.DIST_DIR }}/*

- name: configure aws credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
role-session-name: "github_${{ env.PROJECT_NAME }}"
aws-region: ${{ env.AWS_REGION }}

- name: Upload release files on Arduino downloads servers
uses: docker://plugins/s3
env:
PLUGIN_SOURCE: "${{ env.DIST_DIR }}/*"
PLUGIN_TARGET: ${{ env.AWS_PLUGIN_TARGET }}
PLUGIN_STRIP_PREFIX: "${{ env.DIST_DIR }}/"
PLUGIN_BUCKET: ${{ secrets.DOWNLOADS_BUCKET }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
run: aws s3 sync ${{ env.DIST_DIR }} s3://${{ secrets.DOWNLOADS_BUCKET }}${{ env.AWS_PLUGIN_TARGET }}
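Review bot: the move from static `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` to `role-to-assume` over OIDC is the right change, but its security lives in the role's trust policy, which this diff cannot show: condition `token.actions.githubusercontent.com:sub` on `repo:<owner>/<repo>:environment:production` (the job runs with `environment: production`, so that is the `sub` the token will carry) and `aud` on `sts.amazonaws.com`, otherwise any workflow in any repository could assume the role. After merging, delete the old IAM user's access keys rather than only removing the repository secrets, and scope the role's policy to the downloads bucket prefix. On the command itself: `s3://${{ secrets.DOWNLOADS_BUCKET }}${{ env.AWS_PLUGIN_TARGET }}` concatenates bucket and prefix with no separator, so it only works if `AWS_PLUGIN_TARGET` begins with `/`, a requirement the old plugin did not have since it took `PLUGIN_BUCKET` and `PLUGIN_TARGET` separately. `aws s3 sync ${{ env.DIST_DIR }} ...` also uploads everything under `DIST_DIR` recursively where the old step was driven by an explicit `PLUGIN_SOURCE` glob; a `--dryrun` pass or an `ls -la` of `DIST_DIR` logged before the sync makes what gets published auditable in the run log.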
27 changes: 9 additions & 18 deletions DistTasks.yml
@@ -1,4 +1,4 @@
# Source: https://github.com/arduino/tooling-project-assets/blob/main/workflow-templates/assets/release-go-crosscompile-task/DistTasks.yml

Check warning on line 1 in DistTasks.yml (GitHub Actions / Generate problem matcher output): 1:121 [line-length] line too long (138 > 120 characters)
version: "3"

# This taskfile is ideally meant to be project agnostic and could be dropped in
@@ -28,8 +28,7 @@
- |
go build -o {{.DIST_DIR}}/{{.PLATFORM_DIR}}/{{.PROJECT_NAME}}.exe {{.LDFLAGS}}
cd {{.DIST_DIR}}
cp ../LICENSE.txt {{.PLATFORM_DIR}}/
zip {{.PACKAGE_NAME}} {{.PLATFORM_DIR}}/{{.PROJECT_NAME}}.exe {{.PLATFORM_DIR}}/LICENSE.txt
zip {{.PACKAGE_NAME}} {{.PLATFORM_DIR}}/{{.PROJECT_NAME}}.exe ../LICENSE.txt -j
vars:
PLATFORM_DIR: "{{.PROJECT_NAME}}_windows_386"
PACKAGE_PLATFORM: "Windows_32bit"
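Review bot: appending `-j` junks all paths, so both `{{.PROJECT_NAME}}.exe` and `LICENSE.txt` land at the zip root rather than under `{{.PLATFORM_DIR}}/`; that is a layout change for consumers of the existing Windows packages and should be noted in the release notes. With the `.exe` and `LICENSE.txt` now in different directories `-j` is what makes the single `zip` call work, but `zip -j {{.PACKAGE_NAME}} ...` is the conventional option order and reads less like a stray argument. The same applies to the identical `windows_amd64` hunk below.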
@@ -44,8 +43,7 @@
- |
go build -o {{.DIST_DIR}}/{{.PLATFORM_DIR}}/{{.PROJECT_NAME}}.exe {{.LDFLAGS}}
cd {{.DIST_DIR}}
cp ../LICENSE.txt {{.PLATFORM_DIR}}/
zip {{.PACKAGE_NAME}} {{.PLATFORM_DIR}}/{{.PROJECT_NAME}}.exe {{.PLATFORM_DIR}}/LICENSE.txt
zip {{.PACKAGE_NAME}} {{.PLATFORM_DIR}}/{{.PROJECT_NAME}}.exe ../LICENSE.txt -j
vars:
PLATFORM_DIR: "{{.PROJECT_NAME}}_windows_amd64"
PACKAGE_PLATFORM: "Windows_64bit"
@@ -61,8 +59,7 @@
- |
go build -o {{.DIST_DIR}}/{{.PLATFORM_DIR}}/{{.PROJECT_NAME}} {{.LDFLAGS}}
cd {{.DIST_DIR}}
cp ../LICENSE.txt {{.PLATFORM_DIR}}/
tar cz {{.PLATFORM_DIR}} -f {{.PACKAGE_NAME}}
tar cz -C {{.PLATFORM_DIR}} {{.PROJECT_NAME}} -C ../.. LICENSE.txt -f {{.PACKAGE_NAME}}
vars:
PLATFORM_DIR: "{{.PROJECT_NAME}}_linux_amd32"
PACKAGE_PLATFORM: "Linux_32bit"
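Review bot: `tar cz -C {{.PLATFORM_DIR}} {{.PROJECT_NAME}} -C ../.. LICENSE.txt -f {{.PACKAGE_NAME}}` relies on two things that deserve a comment: `-C` is cumulative, so `../..` is resolved from inside `{{.PLATFORM_DIR}}` and only reaches the repo root because `DIST_DIR` is a single directory (`dist`) directly under the checkout; and `-f {{.PACKAGE_NAME}}`, although given last, is resolved against the original cwd because both GNU tar and bsdtar open the archive before processing member names and their `-C` changes. The binary and `LICENSE.txt` now sit at the archive root instead of under `{{.PLATFORM_DIR}}/`, the same layout change as the zip tasks and as the re-package step in the workflow, so notarized and non-notarized macOS packages finally match. The seven tar hunks that follow are identical and carry the same remarks.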
@@ -77,8 +74,7 @@
- |
go build -o {{.DIST_DIR}}/{{.PLATFORM_DIR}}/{{.PROJECT_NAME}} {{.LDFLAGS}}
cd {{.DIST_DIR}}
cp ../LICENSE.txt {{.PLATFORM_DIR}}/
tar cz {{.PLATFORM_DIR}} -f {{.PACKAGE_NAME}}
tar cz -C {{.PLATFORM_DIR}} {{.PROJECT_NAME}} -C ../.. LICENSE.txt -f {{.PACKAGE_NAME}}
vars:
PLATFORM_DIR: "{{.PROJECT_NAME}}_linux_amd64"
PACKAGE_PLATFORM: "Linux_64bit"
@@ -94,8 +90,7 @@
- |
go build -o {{.DIST_DIR}}/{{.PLATFORM_DIR}}/{{.PROJECT_NAME}} {{.LDFLAGS}}
cd {{.DIST_DIR}}
cp ../LICENSE.txt {{.PLATFORM_DIR}}/
tar cz {{.PLATFORM_DIR}} -f {{.PACKAGE_NAME}}
tar cz -C {{.PLATFORM_DIR}} {{.PROJECT_NAME}} -C ../.. LICENSE.txt -f {{.PACKAGE_NAME}}
vars:
PLATFORM_DIR: "{{.PROJECT_NAME}}_linux_arm_7"
PACKAGE_PLATFORM: "Linux_ARMv7"
@@ -111,8 +106,7 @@
- |
go build -o {{.DIST_DIR}}/{{.PLATFORM_DIR}}/{{.PROJECT_NAME}} {{.LDFLAGS}}
cd {{.DIST_DIR}}
cp ../LICENSE.txt {{.PLATFORM_DIR}}/
tar cz {{.PLATFORM_DIR}} -f {{.PACKAGE_NAME}}
tar cz -C {{.PLATFORM_DIR}} {{.PROJECT_NAME}} -C ../.. LICENSE.txt -f {{.PACKAGE_NAME}}
vars:
PLATFORM_DIR: "{{.PROJECT_NAME}}_linux_arm_6"
PACKAGE_PLATFORM: "Linux_ARMv6"
@@ -127,8 +121,7 @@
- |
go build -o {{.DIST_DIR}}/{{.PLATFORM_DIR}}/{{.PROJECT_NAME}} {{.LDFLAGS}}
cd {{.DIST_DIR}}
cp ../LICENSE.txt {{.PLATFORM_DIR}}/
tar cz {{.PLATFORM_DIR}} -f {{.PACKAGE_NAME}}
tar cz -C {{.PLATFORM_DIR}} {{.PROJECT_NAME}} -C ../.. LICENSE.txt -f {{.PACKAGE_NAME}}
vars:
PLATFORM_DIR: "{{.PROJECT_NAME}}_linux_arm_64"
PACKAGE_PLATFORM: "Linux_ARM64"
@@ -143,8 +136,7 @@
- |
go build -o {{.DIST_DIR}}/{{.PLATFORM_DIR}}/{{.PROJECT_NAME}} {{.LDFLAGS}}
cd {{.DIST_DIR}}
cp ../LICENSE.txt {{.PLATFORM_DIR}}/
tar cz {{.PLATFORM_DIR}} -f {{.PACKAGE_NAME}}
tar cz -C {{.PLATFORM_DIR}} {{.PROJECT_NAME}} -C ../.. LICENSE.txt -f {{.PACKAGE_NAME}}
vars:
PLATFORM_DIR: "{{.PROJECT_NAME}}_osx_darwin_amd64"
PACKAGE_PLATFORM: "macOS_64bit"
@@ -159,8 +151,7 @@
- |
go build -o {{.DIST_DIR}}/{{.PLATFORM_DIR}}/{{.PROJECT_NAME}} {{.LDFLAGS}}
cd {{.DIST_DIR}}
cp ../LICENSE.txt {{.PLATFORM_DIR}}/
tar cz {{.PLATFORM_DIR}} -f {{.PACKAGE_NAME}}
tar cz -C {{.PLATFORM_DIR}} {{.PROJECT_NAME}} -C ../.. LICENSE.txt -f {{.PACKAGE_NAME}}
vars:
PLATFORM_DIR: "{{.PROJECT_NAME}}_osx_darwin_arm64"
PACKAGE_PLATFORM: "macOS_ARM64"
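Review bot: the `cp` + `tar`/`zip` rewrite is repeated verbatim across eight tar tasks and two zip tasks with only `PLATFORM_DIR` and `PACKAGE_PLATFORM` differing; a single parametrised packaging task would keep the archive layout in one place so the next change of this kind needs one edit instead of ten. Also note the `# Source:` comment on line 1 points at the template in arduino/tooling-project-assets: if this layout change is not mirrored upstream, the next template sync will silently revert it, so either upstream it or document the local divergence in that comment.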

Unchanged files with check annotations

All annotations are yamllint `[line-length]` warnings from "GitHub Actions / Generate problem matcher output", each flagging a line over the 120-character limit (mostly the `# Source: https://github.com/arduino/tooling-project-assets/...` template-provenance comments):

.licensed.yml line 5 (136 > 120)
Taskfile.yml line 8 (126 > 120), line 20 (131 > 120), line 33 (149 > 120), line 38 (131 > 120), line 71 (140 > 120), line 82 (141 > 120), line 90 (134 > 120), line 106 (134 > 120)

Taskfile.yml context shown alongside these annotations includes `PROJECT_NAME: "arduinoOTA"`, `DIST_DIR: "dist"` and `dist: ./DistTasks.yml`.