
Commit 156d77c

committedJun 16, 2022
update workflows to handle darwin_arm64 notarization
- the gon config is now hardcoded in the workflow (it allows customization) - the notarization step is run in parallel now - the updated checksum is passed to the `create-release` job - the `create-release` job handles the checksum update in `checksum.txt` file
1 parent c0c740b commit 156d77c


4 files changed

+103
-28
lines changed

 

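--- a/.github/workflows/publish-go-nightly-task.yml
+++ b/.github/workflows/publish-go-nightly-task.yml
@@ -45,8 +45,20 @@ jobs:
 path: ${{ env.DIST_DIR }}
 
 notarize-macos:
+name: notarize-${{ matrix.artifact.name }}
 runs-on: macos-latest
 needs: create-nightly-artifacts
+outputs:
+checksum-darwin_amd64: ${{ steps.re-package.outputs.checksum-darwin_amd64 }}
+checksum-darwin_arm64: ${{ steps.re-package.outputs.checksum-darwin_arm64 }}
+
+strategy:
+matrix:
+artifact:
+- name: darwin_amd64
+path: "macOS_64bit.tar.gz"
+- name: darwin_arm64
+path: "macOS_ARM64.tar.gz"
 
 steps:
 - name: Checkout repository
@@ -86,27 +98,48 @@ jobs:
 wget -q https://github.com/mitchellh/gon/releases/download/v0.2.3/gon_macos.zip
 unzip gon_macos.zip -d /usr/local/bin
 
+- name: Write gon config to file
+# gon does not allow env variables in config file (https://github.com/mitchellh/gon/issues/20)
+run: |
+cat > gon.config.hcl <<EOF
+# See: https://github.com/mitchellh/gon#configuration-file
+source = ["dist/arduino-cli_osx_${{ matrix.artifact.name }}/arduino-cli"]
+bundle_id = "cc.arduino.arduino-cli"
+
+sign {
+application_identity = "Developer ID Application: ARDUINO SA (7KT7ZWMCJT)"
+}
+
+# Ask Gon for zip output to force notarization process to take place.
+# The CI will ignore the zip output, using the signed binary only.
+zip {
+output_path = "unused.zip"
+}
+EOF
+
 - name: Sign and notarize binary
 env:
 AC_USERNAME: ${{ secrets.AC_USERNAME }}
 AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
 run: |
 gon gon.config.hcl
 
-- name: Re-package binary and update checksum
+- name: Re-package binary and output checksum
+id: re-package
 # This step performs the following:
 # 1. Repackage the signed binary replaced in place by Gon (ignoring the output zip file)
-# 2. Recalculate package checksum and replace it in the nnnnnn-checksums.txt file
+# 2. Recalculate package checksum
+# 3. Output the new checksum to include in the nnnnnn-checksums.txt file(it cannot be done there because of parallelization)
 run: |
 # GitHub's upload/download-artifact@v2 actions don't preserve file permissions,
 # so we need to add execution permission back until the action is made to do this.
-chmod +x "${{ env.DIST_DIR }}/${{ env.PROJECT_NAME }}_osx_darwin_amd64/${{ env.PROJECT_NAME }}"
-PACKAGE_FILENAME="$(basename ${{ env.DIST_DIR }}/${{ env.PROJECT_NAME }}_nightly-*_macOS_64bit.tar.gz)"
+chmod +x "${{ env.DIST_DIR }}/${{ env.PROJECT_NAME }}_osx_${{ matrix.artifact.name }}/${{ env.PROJECT_NAME }}"
+PACKAGE_FILENAME="$(basename ${{ env.DIST_DIR }}/${{ env.PROJECT_NAME }}_nightly-*${{ matrix.artifact.path }})"
 tar -czvf "${{ env.DIST_DIR }}/$PACKAGE_FILENAME" \
--C "${{ env.DIST_DIR }}/${{ env.PROJECT_NAME }}_osx_darwin_amd64/" "${{ env.PROJECT_NAME }}" \
+-C "${{ env.DIST_DIR }}/${{ env.PROJECT_NAME }}_osx_${{ matrix.artifact.name }}/" "${{ env.PROJECT_NAME }}" \
 -C ../../ LICENSE.txt
-CHECKSUM="$(shasum -a 256 ${{ env.DIST_DIR }}/$PACKAGE_FILENAME | cut -d " " -f 1)"
-perl -pi -w -e "s/.*${PACKAGE_FILENAME}/${CHECKSUM} ${PACKAGE_FILENAME}/g;" ${{ env.DIST_DIR }}/*-checksums.txt
+CHECKSUM_LINE="$(shasum -a 256 ${{ env.DIST_DIR }}/$PACKAGE_FILENAME)"
+echo "::set-output name=checksum-${{ matrix.artifact.name }}::$CHECKSUM_LINE"
 
 - name: Upload artifacts
 uses: actions/upload-artifact@v3
@@ -126,6 +159,16 @@ jobs:
 name: ${{ env.ARTIFACT_NAME }}
 path: ${{ env.DIST_DIR }}
 
+- name: Update checksum
+run: |
+declare -a checksum_lines=("${{ needs.notarize-macos.outputs.checksum-darwin_amd64 }}", "${{ needs.notarize-macos.outputs.checksum-darwin_arm64 }}")
+for checksum_line in "${checksum_lines[@]}"
+do
+CHECKSUM=$(echo ${checksum_line} | cut -d " " -f 1)
+PACKAGE_FILENAME=$(echo ${checksum_line} | cut -d " " -f 2)
+perl -pi -w -e "s/.*${PACKAGE_FILENAME}/${CHECKSUM} ${PACKAGE_FILENAME}/g;" ${{ env.DIST_DIR }}/*-checksums.txt
+done
+
 - name: Upload release files on Arduino downloads servers
 uses: docker://plugins/s3
 env: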
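Review bot: In the new `Update checksum` step the array literal separates its two elements with a comma, which bash keeps as part of the first element, so the darwin_amd64 filename ends in `,` and the perl substitution will not match its line in `*-checksums.txt`; write it as `declare -a checksum_lines=("${{ needs.notarize-macos.outputs.checksum-darwin_amd64 }}" "${{ needs.notarize-macos.outputs.checksum-darwin_arm64 }}")`. The re-package step also runs shasum on `${{ env.DIST_DIR }}/$PACKAGE_FILENAME`, so the second field carries the directory and its `/` lands inside the `s/…/…/` expression, which looks like it will end the pattern early; `CHECKSUM_LINE="$(cd "${{ env.DIST_DIR }}" && shasum -a 256 "$PACKAGE_FILENAME")"` keeps the field to the bare filename. Because `perl -pi` exits successfully when nothing matches, a stale pre-notarization checksum could be published without any failure, so a check after the loop that each new hash is present in the file is worth adding. The same two steps are added to release-go-task.yml, and the job that contains `Update checksum` starts outside the hunk.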

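--- a/.github/workflows/publish-go-tester-task.yml
+++ b/.github/workflows/publish-go-tester-task.yml
@@ -108,6 +108,8 @@ jobs:
 name: Linux_ARMv7
 - path: "*macOS_64bit.tar.gz"
 name: macOS_64
+- path: "*macOS_ARM64.tar.gz"
+name: macOS_ARM64
 - path: "*Windows_32bit.zip"
 name: Windows_X86-32
 - path: "*Windows_64bit.zip"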

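--- a/.github/workflows/release-go-task.yml
+++ b/.github/workflows/release-go-task.yml
@@ -50,8 +50,20 @@ jobs:
 path: ${{ env.DIST_DIR }}
 
 notarize-macos:
+name: notarize-${{ matrix.artifact.name }}
 runs-on: macos-latest
 needs: create-release-artifacts
+outputs:
+checksum-darwin_amd64: ${{ steps.re-package.outputs.checksum-darwin_amd64 }}
+checksum-darwin_arm64: ${{ steps.re-package.outputs.checksum-darwin_arm64 }}
+
+strategy:
+matrix:
+artifact:
+- name: darwin_amd64
+path: "macOS_64bit.tar.gz"
+- name: darwin_arm64
+path: "macOS_ARM64.tar.gz"
 
 steps:
 - name: Checkout repository
@@ -91,27 +103,49 @@ jobs:
 wget -q https://github.com/mitchellh/gon/releases/download/v0.2.3/gon_macos.zip
 unzip gon_macos.zip -d /usr/local/bin
 
+- name: Write gon config to file
+# gon does not allow env variables in config file (https://github.com/mitchellh/gon/issues/20)
+run: |
+cat > gon.config.hcl <<EOF
+# See: https://github.com/mitchellh/gon#configuration-file
+source = ["dist/arduino-cli_osx_${{ matrix.artifact.name }}/arduino-cli"]
+bundle_id = "cc.arduino.arduino-cli"
+
+sign {
+application_identity = "Developer ID Application: ARDUINO SA (7KT7ZWMCJT)"
+}
+
+# Ask Gon for zip output to force notarization process to take place.
+# The CI will ignore the zip output, using the signed binary only.
+zip {
+output_path = "unused.zip"
+}
+EOF
+
 - name: Sign and notarize binary
 env:
 AC_USERNAME: ${{ secrets.AC_USERNAME }}
 AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
 run: |
 gon gon.config.hcl
 
-- name: Re-package binary and update checksum
+- name: Re-package binary and output checksum
+id: re-package
 # This step performs the following:
 # 1. Repackage the signed binary replaced in place by Gon (ignoring the output zip file)
-# 2. Recalculate package checksum and replace it in the nnnnnn-checksums.txt file
+# 2. Recalculate package checksum
+# 3. Output the new checksum to include in the nnnnnn-checksums.txt file(it cannot be done there because of parallelization)
 run: |
 # GitHub's upload/download-artifact@v2 actions don't preserve file permissions,
 # so we need to add execution permission back until the action is made to do this.
-chmod +x ${{ env.DIST_DIR }}/${{ env.PROJECT_NAME }}_osx_darwin_amd64/${{ env.PROJECT_NAME }}
+chmod +x "${{ env.DIST_DIR }}/${{ env.PROJECT_NAME }}_osx_${{ matrix.artifact.name }}/${{ env.PROJECT_NAME }}"
 TAG="${GITHUB_REF/refs\/tags\//}"
-tar -czvf "${{ env.DIST_DIR }}/${{ env.PROJECT_NAME }}_${TAG}_macOS_64bit.tar.gz" \
--C ${{ env.DIST_DIR }}/${{ env.PROJECT_NAME }}_osx_darwin_amd64/ ${{ env.PROJECT_NAME }} \
+PACKAGE_FILENAME="$(basename ${{ env.DIST_DIR }}/${{ env.PROJECT_NAME }}_${TAG}_${{ matrix.artifact.path }})"
+tar -czvf "${{ env.DIST_DIR }}/$PACKAGE_FILENAME" \
+-C "${{ env.DIST_DIR }}/${{ env.PROJECT_NAME }}_osx_${{ matrix.artifact.name }}/" "${{ env.PROJECT_NAME }}" \
 -C ../../ LICENSE.txt
-CHECKSUM="$(shasum -a 256 ${{ env.DIST_DIR }}/${{ env.PROJECT_NAME }}_${TAG}_macOS_64bit.tar.gz | cut -d " " -f 1)"
-perl -pi -w -e "s/.*${{ env.PROJECT_NAME }}_${TAG}_macOS_64bit.tar.gz/${CHECKSUM} ${{ env.PROJECT_NAME }}_${TAG}_macOS_64bit.tar.gz/g;" ${{ env.DIST_DIR }}/*-checksums.txt
+CHECKSUM_LINE="$(shasum -a 256 ${{ env.DIST_DIR }}/$PACKAGE_FILENAME)"
+echo "::set-output name=checksum-${{ matrix.artifact.name }}::$CHECKSUM_LINE"
 
 - name: Upload artifacts
 uses: actions/upload-artifact@v3
@@ -131,6 +165,16 @@ jobs:
 name: ${{ env.ARTIFACT_NAME }}
 path: ${{ env.DIST_DIR }}
 
+- name: Update checksum
+run: |
+declare -a checksum_lines=("${{ needs.notarize-macos.outputs.checksum-darwin_amd64 }}", "${{ needs.notarize-macos.outputs.checksum-darwin_arm64 }}")
+for checksum_line in "${checksum_lines[@]}"
+do
+CHECKSUM=$(echo ${checksum_line} | cut -d " " -f 1)
+PACKAGE_FILENAME=$(echo ${checksum_line} | cut -d " " -f 2)
+perl -pi -w -e "s/.*${PACKAGE_FILENAME}/${CHECKSUM} ${PACKAGE_FILENAME}/g;" ${{ env.DIST_DIR }}/*-checksums.txt
+done
+
 - name: Identify Prerelease
 # This is a workaround while waiting for create-release action
 # to implement auto pre-release based on tag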
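Review bot: The generated gon config in `Write gon config to file` spells the signing target as the literal `dist/arduino-cli_osx_${{ matrix.artifact.name }}/arduino-cli`, while the re-package step in the same job builds that path from `${{ env.DIST_DIR }}` and `${{ env.PROJECT_NAME }}`. If either variable is changed later, gon would be pointed at a different path from the one that gets packaged and published. The `${{ }}` expressions are substituted before the shell writes the heredoc, so the line can be `source = ["${{ env.DIST_DIR }}/${{ env.PROJECT_NAME }}_osx_${{ matrix.artifact.name }}/${{ env.PROJECT_NAME }}"]`. The step comment could then say that the config is written at run time for that reason, for example `# gon cannot read env variables, so the workflow renders the config with the job's paths`. The same block is duplicated in publish-go-nightly-task.yml and would need the same edit.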

‎gon.config.hcl

-14
This file was deleted.
