|
6 | 6 | - cron: '0 1 * * *' |
7 | 7 |
|
8 | 8 | jobs: |
9 | | - publish-nightly: |
| 9 | + |
| 10 | + create-nightly-artifacts: |
10 | 11 | runs-on: ubuntu-latest |
11 | 12 |
|
12 | 13 | container: |
|
24 | 25 | PACKAGE_NAME_PREFIX: ${{ github.workflow }} |
25 | 26 | run: goreleaser --snapshot |
26 | 27 |
|
| 28 | + - name: Upload artifacts |
| 29 | + uses: actions/upload-artifact@v1 |
| 30 | + with: |
| 31 | + name: dist |
| 32 | + path: dist |
| 33 | + |
| 34 | + notarize-macos: |
| 35 | + runs-on: macos-latest |
| 36 | + needs: create-nightly-artifacts |
| 37 | + |
| 38 | + steps: |
| 39 | + - name: Checkout |
| 40 | + uses: actions/checkout@v1 |
| 41 | + |
| 42 | + - name: Download artifacts |
| 43 | + uses: actions/download-artifact@v1 |
| 44 | + with: |
| 45 | + name: dist |
| 46 | + |
| 47 | + - name: Download Gon |
| 48 | + run: | |
| 49 | + wget -q https://github.com/mitchellh/gon/releases/download/v0.2.2/gon_0.2.2_macos.zip |
| 50 | + unzip gon_0.2.2_macos.zip -d /usr/local/bin |
| 51 | + rm -f gon_0.2.2_macos.zip |
| 52 | +
|
| 53 | + - name: Notarize binary, re-package it and update checksum |
| 54 | + env: |
| 55 | + AC_USERNAME: ${{ secrets.AC_USERNAME }} |
| 56 | + AC_PASSWORD: ${{ secrets.AC_PASSWORD }} |
| 57 | + # This step performs the following: |
| 58 | + # 1. Download keychain from GH secrets and decode it from base64 |
| 59 | + # 2. Add the keychain to the system keychains and unlock it |
| 60 | + # 3. Call Gon to start notarization process (using AC_USERNAME and AC_PASSWORD) |
| 61 | + # 4. Repackage the signed binary replaced in place by Gon (ignoring the output zip file) |
| 62 | + # 5. Recalculate package checksum and replace it in the goreleaser nnnnnn-checksums.txt file |
| 63 | + run: | |
| 64 | + echo "${{ secrets.KEYCHAIN }}" | base64 --decode > ~/Library/Keychains/apple-developer.keychain-db |
| 65 | + security list-keychains -s ~/Library/Keychains/apple-developer.keychain-db |
| 66 | + security unlock-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" ~/Library/Keychains/apple-developer.keychain-db |
| 67 | + gon gon.config.hcl |
| 68 | + # GitHub's upload/download-artifact@v1 actions don't preserve file permissions, |
| 69 | + # so we need to add execution permission back until @v2 actions are released. |
| 70 | + chmod +x dist/arduino_cli_osx_darwin_amd64/arduino-cli |
| 71 | + PACKAGE_FILENAME="$(basename dist/arduino-cli_${{ github.workflow }}-*_macOS_64bit.tar.gz)" |
| 72 | + tar -czvf dist/$PACKAGE_FILENAME \ |
| 73 | + -C dist/arduino_cli_osx_darwin_amd64/ arduino-cli \ |
| 74 | + -C ../../ LICENSE.txt |
| 75 | + CLI_CHECKSUM=$(shasum -a 256 dist/$PACKAGE_FILENAME | cut -d " " -f 1) |
| 76 | + perl -pi -w -e "s/.*${PACKAGE_FILENAME}/${CLI_CHECKSUM} ${PACKAGE_FILENAME}/g;" dist/*-checksums.txt |
| 77 | +
|
| 78 | + - name: Upload artifacts |
| 79 | + uses: actions/upload-artifact@v1 |
| 80 | + with: |
| 81 | + name: dist |
| 82 | + path: dist |
| 83 | + |
| 84 | + publish-nightly: |
| 85 | + runs-on: ubuntu-latest |
| 86 | + needs: notarize-macos |
| 87 | + |
| 88 | + steps: |
| 89 | + - name: Download artifact |
| 90 | + uses: actions/download-artifact@v1 |
| 91 | + with: |
| 92 | + name: dist |
| 93 | + |
27 | 94 | - name: upload |
28 | 95 | uses: docker://plugins/s3 |
29 | 96 | env: |
|
0 commit comments