From 859df0fbbaec08eded4a5c517b1995b8c43ca50c Mon Sep 17 00:00:00 2001
From: Umberto Baldi <u.baldi@arduino.cc>
Date: Tue, 27 Feb 2024 09:40:36 +0100
Subject: [PATCH 1/6] followup of #901, fix CI

---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 69f40549..928a8d87 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -537,7 +537,7 @@ jobs:
     runs-on: ubuntu-20.04
     environment: production
     needs: [build, package, generate-sign-dmg]
-    permission:
+    permissions:
       contents: write
       id-token: write # This is required for requesting the JWT
 

From 934dd0bba7b93fe9ee4bc6dc9fec376cde5746a8 Mon Sep 17 00:00:00 2001
From: Umberto Baldi <u.baldi@arduino.cc>
Date: Tue, 27 Feb 2024 09:57:14 +0100
Subject: [PATCH 2/6] fix permissions

---
 .github/workflows/release.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 928a8d87..4c9ff599 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -46,6 +46,9 @@ jobs:
       CGO_ENABLED: 0
 
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: write
+      id-token: write # This is required for requesting the JWT
 
     steps:
       - name: Set env vars
@@ -231,6 +234,9 @@ jobs:
     env:
       GON_PATH: ${{ github.workspace }}/gon
     needs: [build, create-macos-bundle]
+    permissions:
+      contents: write
+      id-token: write # This is required for requesting the JWT
 
     steps:
       - name: Download artifact

From fc99916e292e6f084576c4146dac473c9fd0073b Mon Sep 17 00:00:00 2001
From: Umberto Baldi <u.baldi@arduino.cc>
Date: Tue, 27 Feb 2024 10:05:51 +0100
Subject: [PATCH 3/6] fix environment

---
 .github/workflows/release.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 4c9ff599..32e5c8e5 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -46,6 +46,7 @@ jobs:
       CGO_ENABLED: 0
 
     runs-on: ${{ matrix.os }}
+    environment: production
     permissions:
       contents: write
       id-token: write # This is required for requesting the JWT
@@ -234,6 +235,7 @@ jobs:
     env:
       GON_PATH: ${{ github.workspace }}/gon
     needs: [build, create-macos-bundle]
+    environment: production
     permissions:
       contents: write
       id-token: write # This is required for requesting the JWT

From 09306c41499db89495a364d0ea4dc55221048393 Mon Sep 17 00:00:00 2001
From: Umberto Baldi <u.baldi@arduino.cc>
Date: Tue, 27 Feb 2024 11:57:41 +0100
Subject: [PATCH 4/6] set permissions for the entire workflow

---
 .github/workflows/release.yml | 13 ++++---------
 1 file changed, 4 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 32e5c8e5..3605b739 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,6 +5,10 @@ on:
     tags:
       - "[0-9]+.[0-9]+.[0-9]+*"
 
+permissions:
+  contents: write
+  id-token: write # This is required for requesting the JWT
+
 env:
   # As defined by the Taskfile's PROJECT_NAME variable
   PROJECT_NAME: arduino-create-agent
@@ -47,9 +51,6 @@ jobs:
 
     runs-on: ${{ matrix.os }}
     environment: production
-    permissions:
-      contents: write
-      id-token: write # This is required for requesting the JWT
 
     steps:
       - name: Set env vars
@@ -236,9 +237,6 @@ jobs:
       GON_PATH: ${{ github.workspace }}/gon
     needs: [build, create-macos-bundle]
     environment: production
-    permissions:
-      contents: write
-      id-token: write # This is required for requesting the JWT
 
     steps:
       - name: Download artifact
@@ -545,9 +543,6 @@ jobs:
     runs-on: ubuntu-20.04
     environment: production
     needs: [build, package, generate-sign-dmg]
-    permissions:
-      contents: write
-      id-token: write # This is required for requesting the JWT
 
     steps:
       - name: Checkout

From 7d5a287a40655014f744816bb3fa0e3cbaa3459e Mon Sep 17 00:00:00 2001
From: Umberto Baldi <u.baldi@arduino.cc>
Date: Wed, 21 Feb 2024 11:19:51 +0100
Subject: [PATCH 5/6] replace create-release deprecated action with the same
 one used in the cli

---
 .github/workflows/release.yml | 21 ++++++---------------
 1 file changed, 6 insertions(+), 15 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3605b739..c36eb832 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -594,25 +594,16 @@ jobs:
           echo "</details>" >> $GITHUB_OUTPUT
           echo "EOF" >> $GITHUB_OUTPUT
 
-      - name: Create Github Release
-        uses: actions/create-release@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Create Github Release and upload artifacts
+        uses: ncipollo/release-action@v1
         with:
-          tag_name: ${{ github.ref }}
-          release_name: ${{ github.ref }}
+          token: ${{ secrets.GITHUB_TOKEN }}
           body: ${{ steps.release_body.outputs.RBODY}}
           draft: false
           prerelease: ${{ needs.build.outputs.prerelease }}
-
-      - name: Upload release files on Github
-        uses: svenstaro/upload-release-action@v2
-        with:
-          repo_token: ${{ secrets.GITHUB_TOKEN }}
-          tag: ${{ github.ref }}
-          file_glob: true # If set to true, the file argument can be a glob pattern
-          file: release/*
-
+          # NOTE: "Artifact is a directory" warnings are expected and don't indicate a problem
+          # (all the files we need are in the DIST_DIR root)
+          artifacts: release/*
 
       - name: configure aws credentials
         uses: aws-actions/configure-aws-credentials@v4

From 62052b0c2823eec535e22fc22151d449bf5dc1ee Mon Sep 17 00:00:00 2001
From: Umberto Baldi <u.baldi@arduino.cc>
Date: Tue, 27 Feb 2024 10:07:31 +0100
Subject: [PATCH 6/6] do not configure credentials when in pre-release (they
 are not used)

---
 .github/workflows/release.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c36eb832..2ae2cf4e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -139,6 +139,7 @@ jobs:
           role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
           role-session-name: "github_${{ env.PROJECT_NAME }}"
           aws-region: ${{ env.AWS_REGION }}
+        if: steps.prerelease.outputs.IS_PRE != 'true'
 
       - name: Upload autoupdate files to Arduino downloads servers
         run: |
@@ -333,6 +334,7 @@ jobs:
           role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
           role-session-name: "github_${{ env.PROJECT_NAME }}"
           aws-region: ${{ env.AWS_REGION }}
+        if: ${{ needs.build.outputs.prerelease != 'true' }}
 
       - name: Upload autoupdate bundle to Arduino downloads servers
         run: aws s3 cp ArduinoCreateAgent.app_${{ matrix.arch }}_notarized.zip s3://${{ secrets.DOWNLOADS_BUCKET }}${{ env.TARGET }}${GITHUB_REF/refs\/tags\//}/ # the version should be created in th the build job
@@ -611,6 +613,7 @@ jobs:
           role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
           role-session-name: "github_${{ env.PROJECT_NAME }}"
           aws-region: ${{ env.AWS_REGION }}
+        if: ${{ needs.build.outputs.prerelease != 'true' }}
 
       - name: Upload release files on Arduino downloads servers
         run: aws s3 sync release/ s3://${{ secrets.DOWNLOADS_BUCKET }}${{ env.TARGET }}