From 859df0fbbaec08eded4a5c517b1995b8c43ca50c Mon Sep 17 00:00:00 2001
From: Umberto Baldi
Date: Tue, 27 Feb 2024 09:40:36 +0100
Subject: [PATCH 1/6] followup of #901, fix CI

---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 69f40549..928a8d87 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -537,7 +537,7 @@ jobs:
     runs-on: ubuntu-20.04
     environment: production
     needs: [build, package, generate-sign-dmg]
-    permission:
+    permissions:
       contents: write
       id-token: write # This is required for requesting the JWT
 

From 934dd0bba7b93fe9ee4bc6dc9fec376cde5746a8 Mon Sep 17 00:00:00 2001
From: Umberto Baldi
Date: Tue, 27 Feb 2024 09:57:14 +0100
Subject: [PATCH 2/6] fix permissions

---
 .github/workflows/release.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 928a8d87..4c9ff599 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -46,6 +46,9 @@ jobs:
       CGO_ENABLED: 0
 
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: write
+      id-token: write # This is required for requesting the JWT
 
     steps:
       - name: Set env vars
@@ -231,6 +234,9 @@ jobs:
     env:
       GON_PATH: ${{ github.workspace }}/gon
     needs: [build, create-macos-bundle]
+    permissions:
+      contents: write
+      id-token: write # This is required for requesting the JWT
 
     steps:
       - name: Download artifact

From fc99916e292e6f084576c4146dac473c9fd0073b Mon Sep 17 00:00:00 2001
From: Umberto Baldi
Date: Tue, 27 Feb 2024 10:05:51 +0100
Subject: [PATCH 3/6] fix environment

---
 .github/workflows/release.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 4c9ff599..32e5c8e5 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
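Review bot: The `permission:` → `permissions:` rename at -537 means this job had been running with the repository's default GITHUB_TOKEN permissions the whole time, because Actions silently ignores an unknown job key instead of failing the run. Nothing in the series adds a check that would catch the next typo of this kind; running actionlint over `.github/workflows` in the PR workflow rejects unknown keys before they reach a release. The job this hunk belongs to starts and ends outside the hunk.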
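Review bot: `contents: write` in the block added at -46 looks broader than the hunk justifies: the comment on the next line says the block exists for the OIDC JWT, which needs only `id-token: write`, while `contents: write` lets every step of this matrix job — including any third-party action it runs — push to the repository with GITHUB_TOKEN. Unless something in the job body (outside the hunk) writes to the repo, `contents: read` is enough here and `contents: write` belongs only on the job that creates the release. The same applies to the identical block added at -231.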
@@ -46,6 +46,7 @@ jobs:
       CGO_ENABLED: 0
 
     runs-on: ${{ matrix.os }}
+    environment: production
     permissions:
       contents: write
       id-token: write # This is required for requesting the JWT
@@ -234,6 +235,7 @@ jobs:
     env:
       GON_PATH: ${{ github.workspace }}/gon
     needs: [build, create-macos-bundle]
+    environment: production
     permissions:
       contents: write
       id-token: write # This is required for requesting the JWT

From 09306c41499db89495a364d0ea4dc55221048393 Mon Sep 17 00:00:00 2001
From: Umberto Baldi
Date: Tue, 27 Feb 2024 11:57:41 +0100
Subject: [PATCH 4/6] set permissions for the entire workflow

---
 .github/workflows/release.yml | 13 ++++---------
 1 file changed, 4 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 32e5c8e5..3605b739 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,6 +5,10 @@ on:
     tags:
       - "[0-9]+.[0-9]+.[0-9]+*"
 
+permissions:
+  contents: write
+  id-token: write # This is required for requesting the JWT
+
 env:
   # As defined by the Taskfile's PROJECT_NAME variable
   PROJECT_NAME: arduino-create-agent
@@ -47,9 +51,6 @@ jobs:
 
     runs-on: ${{ matrix.os }}
     environment: production
-    permissions:
-      contents: write
-      id-token: write # This is required for requesting the JWT
 
     steps:
       - name: Set env vars
@@ -236,9 +237,6 @@ jobs:
       GON_PATH: ${{ github.workspace }}/gon
     needs: [build, create-macos-bundle]
     environment: production
-    permissions:
-      contents: write
-      id-token: write # This is required for requesting the JWT
 
     steps:
       - name: Download artifact
@@ -545,9 +543,6 @@ jobs:
     runs-on: ubuntu-20.04
     environment: production
     needs: [build, package, generate-sign-dmg]
-    permissions:
-      contents: write
-      id-token: write # This is required for requesting the JWT
 
     steps:
       - name: Checkout

From 7d5a287a40655014f744816bb3fa0e3cbaa3459e Mon Sep 17 00:00:00 2001
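Review bot: `environment: production` on the matrix job at -46 changes more than which secrets are visible: the OIDC token's `sub` claim becomes `repo:<owner>/<repo>:environment:production`, which is presumably what the AWS role's trust policy matches and why the `permissions` fix alone was not enough — that reasoning deserves to sit next to the line, e.g. `environment: production # OIDC sub claim must match the AWS role trust policy`. Any required-reviewer or wait-timer rule on that environment now also applies to every matrix leg of this job; confirm that is intended. The job definition starts and ends outside the hunk.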
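Review bot: The workflow-level block added after `tags:` in the -5 hunk grants `contents: write` and `id-token: write` to every job in this workflow, not just the three that previously declared them, so jobs that neither create the release nor assume the AWS role (the `needs:` lists name package and create-macos-bundle) can now push to the repository and mint OIDC tokens that the AWS role may trust. Least privilege runs the other way: keep the top-level block at `contents: read` with no `id-token`, and declare the write/id-token pair on the jobs that need it, as the earlier patches in this series did. If the per-job blocks were consolidated because they did not take effect, that is worth understanding rather than working around, since a silently ignored job key is what the first patch fixed. The `on:` and `env:` sections around this hunk continue outside it.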
From: Umberto Baldi
Date: Wed, 21 Feb 2024 11:19:51 +0100
Subject: [PATCH 5/6] replace create-release deprecated action with the same one used in the cli

---
 .github/workflows/release.yml | 21 ++++++---------------
 1 file changed, 6 insertions(+), 15 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3605b739..c36eb832 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -594,25 +594,16 @@ jobs:
           echo "" >> $GITHUB_OUTPUT
           echo "EOF" >> $GITHUB_OUTPUT
 
-      - name: Create Github Release
-        uses: actions/create-release@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Create Github Release and upload artifacts
+        uses: ncipollo/release-action@v1
         with:
-          tag_name: ${{ github.ref }}
-          release_name: ${{ github.ref }}
+          token: ${{ secrets.GITHUB_TOKEN }}
           body: ${{ steps.release_body.outputs.RBODY}}
           draft: false
           prerelease: ${{ needs.build.outputs.prerelease }}
-
-      - name: Upload release files on Github
-        uses: svenstaro/upload-release-action@v2
-        with:
-          repo_token: ${{ secrets.GITHUB_TOKEN }}
-          tag: ${{ github.ref }}
-          file_glob: true # If set to true, the file argument can be a glob pattern
-          file: release/*
-
+          # NOTE: "Artifact is a directory" warnings are expected and don't indicate a problem
+          # (all the files we need are in the DIST_DIR root)
+          artifacts: release/*
 
       - name: configure aws credentials
         uses: aws-actions/configure-aws-credentials@v4

From 62052b0c2823eec535e22fc22151d449bf5dc1ee Mon Sep 17 00:00:00 2001
From: Umberto Baldi
Date: Tue, 27 Feb 2024 10:07:31 +0100
Subject: [PATCH 6/6] do not configure credentials when in pre-release (they are not used)

---
 .github/workflows/release.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c36eb832..2ae2cf4e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
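Review bot: `uses: ncipollo/release-action@v1` references a third-party action by a floating major tag, in a job whose GITHUB_TOKEN carries `contents: write` and `id-token: write` after patch 4; a compromised or force-moved `v1` tag gets both and can publish arbitrary release assets for this project. Pin to a full-length commit SHA with the version recorded in a comment, e.g. `uses: ncipollo/release-action@<40-hex commit sha> # v1.x.y`, and do the same for `aws-actions/configure-aws-credentials@v4` on the following line, which receives the OIDC role. Note also that the removed step named the release explicitly via `tag_name: ${{ github.ref }}` while the new step relies on the action's default tag; confirm from the action's documentation that the default resolves to the pushed tag, otherwise the release lands on the wrong ref.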
@@ -139,6 +139,7 @@ jobs:
           role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
           role-session-name: "github_${{ env.PROJECT_NAME }}"
           aws-region: ${{ env.AWS_REGION }}
+        if: steps.prerelease.outputs.IS_PRE != 'true'
 
       - name: Upload autoupdate files to Arduino downloads servers
         run: |
@@ -333,6 +334,7 @@ jobs:
           role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
           role-session-name: "github_${{ env.PROJECT_NAME }}"
           aws-region: ${{ env.AWS_REGION }}
+        if: ${{ needs.build.outputs.prerelease != 'true' }}
 
       - name: Upload autoupdate bundle to Arduino downloads servers
         run: aws s3 cp ArduinoCreateAgent.app_${{ matrix.arch }}_notarized.zip s3://${{ secrets.DOWNLOADS_BUCKET }}${{ env.TARGET }}${GITHUB_REF/refs\/tags\//}/ # the version should be created in th the build job
@@ -611,6 +613,7 @@ jobs:
           role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
           role-session-name: "github_${{ env.PROJECT_NAME }}"
           aws-region: ${{ env.AWS_REGION }}
+        if: ${{ needs.build.outputs.prerelease != 'true' }}
 
       - name: Upload release files on Arduino downloads servers
         run: aws s3 sync release/ s3://${{ secrets.DOWNLOADS_BUCKET }}${{ env.TARGET }}
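Review bot: The three added `if:` guards skip only `configure-aws-credentials`; the `aws s3 cp` and `aws s3 sync` steps directly below each of them show no `if:` inside the hunks, so on a pre-release tag they would run without credentials and fail unless they are gated by a line outside what is shown — confirm, and if they are not, put the same condition on them. The first guard reads `steps.prerelease.outputs.IS_PRE` while the other two read `needs.build.outputs.prerelease`, and all three sit after the `with:` block rather than directly under `name:`; one expression form in one position makes the gating far easier to audit. Also note that `!= 'true'` fails open — an unset or misspelled output still configures credentials — which matches the old always-configure behaviour but deserves a comment such as `# AWS credentials only for final releases; an unset output is treated as a release`.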