Skip to content

github: Use IAM Roles to push files on AWS S3 #106

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
wants to merge 3 commits into
base: main
Choose a base branch
from
Draft

github: Use IAM Roles to push files on AWS S3 #106

Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
ad9a0f7
github: Use IAM Roles to push files on AWS S3
alessio-perugini Dec 12, 2024
cfef6a1
update workflow to match the workflow-template
alessio-perugini Dec 17, 2024
c481201
update DistTasks.yml to match workflow-template
alessio-perugini Dec 17, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
update workflow to match the workflow-template
  • Loading branch information
@alessio-perugini
alessio-perugini committed Dec 17, 2024
commit cfef6a1b6e08c499a51e62cf2e83550fdf6f396a
23 changes: 10 additions & 13 deletions .github/workflows/release-go-crosscompile-task.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -85,9 +85,8 @@ jobs:
name: Notarize ${{ matrix.build.artifact-suffix }}
runs-on: macos-latest
needs: create-release-artifacts
outputs:
checksum-darwin_amd64: ${{ steps.re-package.outputs.checksum-darwin_amd64 }}
checksum-darwin_arm64: ${{ steps.re-package.outputs.checksum-darwin_arm64 }}
permissions:
contents: read

env:
GON_CONFIG_PATH: gon.config.hcl
Expand Down Expand Up @@ -119,16 +118,12 @@ jobs:
name: ${{ env.ARTIFACT_PREFIX }}${{ matrix.build.artifact-suffix }}
path: ${{ env.DIST_DIR }}

- name: Remove non-notarized artifact
uses: geekyeggo/delete-artifact@v5
with:
name: ${{ env.ARTIFACT_PREFIX }}${{ matrix.build.artifact-suffix }}

- name: Import Code-Signing Certificates
env:
KEYCHAIN: "sign.keychain"
INSTALLER_CERT_MAC_PATH: "/tmp/ArduinoCerts2020.p12"
KEYCHAIN_PASSWORD: keychainpassword # Arbitrary password for a keychain that exists only for the duration of the job, so not secret
# Arbitrary password for a keychain that exists only for the duration of the job, so not secret
KEYCHAIN_PASSWORD: keychainpassword
run: |
echo "${{ secrets.INSTALLER_CERT_MAC_P12 }}" | base64 --decode > "${{ env.INSTALLER_CERT_MAC_PATH }}"
security create-keychain -p "${{ env.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}"
Expand Down Expand Up @@ -180,20 +175,22 @@ jobs:
gon "${{ env.GON_CONFIG_PATH }}"

- name: Re-package binary
id: re-package
working-directory: ${{ env.DIST_DIR }}
# Repackage the signed binary replaced in place by Gon (ignoring the output zip file)
run: |
# GitHub's upload/download-artifact actions don't preserve file permissions,
# so we need to add execution permission back until the action is made to do this.
chmod +x "${{ env.BUILD_FOLDER }}/${{ env.PROJECT_NAME }}"
tar -czvf "${{ env.PACKAGE_FILENAME }}" "${{ env.BUILD_FOLDER }}/"
tar -czvf "${{ env.PACKAGE_FILENAME }}" \
-C "${{ env.BUILD_FOLDER }}/" "${{ env.PROJECT_NAME }}" \
-C ../../ LICENSE.txt

- name: Upload notarized artifact
- name: Replace artifact with notarized build
uses: actions/upload-artifact@v4
with:
if-no-files-found: error
name: ${{ env.ARTIFACT_PREFIX }}${{ matrix.build.artifact-suffix }}
overwrite: true
path: ${{ env.DIST_DIR }}/${{ env.PACKAGE_FILENAME }}

create-release:
Expand All @@ -213,7 +210,7 @@ jobs:
pattern: ${{ env.ARTIFACT_PREFIX }}*

- name: Create checksum file
working-directory: ${{ env.DIST_DIR}}
working-directory: ${{ env.DIST_DIR }}
run: |
TAG="${GITHUB_REF/refs\/tags\//}"
sha256sum ${{ env.PROJECT_NAME }}_${TAG}* > ${TAG}-checksums.txt
Expand Down
Loading