jeans/arduino-ide
jeans/arduino-ide
1
0
Fork 0
mirror of https://github.com/arduino/arduino-ide.git synced 2025-06-12 23:26:33 +00:00
Code Issues Packages Projects Releases Wiki Activity

chore: use AWS OpenID Connect for S3 publish

Browse Source
This commit is contained in:
Giacomo Cusinato 2025-03-05 21:46:08 +07:00
parent 5ec1915000
commit 9ab87bf8b5
2 changed files with 43 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
.github/workflows/build.yml vendored
View File

@ -203,7 +203,7 @@ jobs:
echo "is-nightly=$is_nightly" >> $GITHUB_OUTPUT echo "is-nightly=$is_nightly" >> $GITHUB_OUTPUT
echo "channel-name=$channel_name" >> $GITHUB_OUTPUT echo "channel-name=$channel_name" >> $GITHUB_OUTPUT
# Only attempt upload to Amazon S3 if the credentials are available. # Only attempt upload to Amazon S3 if the credentials are available.
echo "publish-to-s3=${{ secrets.AWS_SECRET_ACCESS_KEY != '' }}" >> $GITHUB_OUTPUT echo "publish-to-s3=${{ secrets.AWS_ROLE_ARN != '' }}" >> $GITHUB_OUTPUT
select-targets: select-targets:
needs: build-type-determination needs: build-type-determination
@ -284,8 +284,6 @@ jobs:
- build-type-determination - build-type-determination
- select-targets - select-targets
env: env:
# https://github.blog/changelog/2024-03-07-github-actions-all-actions-will-run-on-node20-instead-of-node16-by-default/
ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true
# Location of artifacts generated by build. # Location of artifacts generated by build.
BUILD_ARTIFACTS_PATH: electron-app/dist/build-artifacts BUILD_ARTIFACTS_PATH: electron-app/dist/build-artifacts
# to skip passing signing credentials to electron-builder # to skip passing signing credentials to electron-builder
@ -363,8 +361,6 @@ jobs:
AC_USERNAME: ${{ secrets.AC_USERNAME }} AC_USERNAME: ${{ secrets.AC_USERNAME }}
AC_PASSWORD: ${{ secrets.AC_PASSWORD }} AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
AC_TEAM_ID: ${{ secrets.AC_TEAM_ID }} AC_TEAM_ID: ${{ secrets.AC_TEAM_ID }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
IS_NIGHTLY: ${{ needs.build-type-determination.outputs.is-nightly }} IS_NIGHTLY: ${{ needs.build-type-determination.outputs.is-nightly }}
IS_RELEASE: ${{ needs.build-type-determination.outputs.is-release }} IS_RELEASE: ${{ needs.build-type-determination.outputs.is-release }}
CAN_SIGN: ${{ secrets[matrix.config.certificate-secret] != '' }} CAN_SIGN: ${{ secrets[matrix.config.certificate-secret] != '' }}
@ -588,6 +584,12 @@ jobs:
env: env:
ARTIFACTS_FOLDER: build-artifacts ARTIFACTS_FOLDER: build-artifacts
environment: production
permissions:
id-token: write
contents: read
steps: steps:
- name: Download all job transfer artifacts - name: Download all job transfer artifacts
uses: actions/download-artifact@v4 uses: actions/download-artifact@v4
@ -596,15 +598,15 @@ jobs:
path: ${{ env.ARTIFACTS_FOLDER }} path: ${{ env.ARTIFACTS_FOLDER }}
pattern: ${{ env.JOB_TRANSFER_ARTIFACT_PREFIX }}* pattern: ${{ env.JOB_TRANSFER_ARTIFACT_PREFIX }}*
- name: Configure AWS Credentials for Nightly [S3]
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
aws-region: us-east-1
- name: Publish Nightly [S3] - name: Publish Nightly [S3]
uses: docker://plugins/s3 run: |
env: aws s3 sync ${{ env.ARTIFACTS_FOLDER }} s3://${{ secrets.DOWNLOADS_BUCKET }}/arduino-ide/nightly
PLUGIN_SOURCE: '${{ env.ARTIFACTS_FOLDER }}/*'
PLUGIN_STRIP_PREFIX: '${{ env.ARTIFACTS_FOLDER }}/'
PLUGIN_TARGET: '/arduino-ide/nightly'
PLUGIN_BUCKET: ${{ secrets.DOWNLOADS_BUCKET }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
release: release:
needs: needs:
@ -625,6 +627,12 @@ jobs:
env: env:
ARTIFACTS_FOLDER: build-artifacts ARTIFACTS_FOLDER: build-artifacts
environment: production
permissions:
id-token: write
contents: read
steps: steps:
- name: Download all job transfer artifacts - name: Download all job transfer artifacts
uses: actions/download-artifact@v4 uses: actions/download-artifact@v4
@ -648,16 +656,17 @@ jobs:
file_glob: true file_glob: true
body: ${{ needs.changelog.outputs.BODY }} body: ${{ needs.changelog.outputs.BODY }}
- name: Configure AWS Credentials for Release [S3]
if: needs.build-type-determination.outputs.publish-to-s3 == 'true'
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
aws-region: us-east-1
- name: Publish Release [S3] - name: Publish Release [S3]
if: needs.build-type-determination.outputs.publish-to-s3 == 'true' if: needs.build-type-determination.outputs.publish-to-s3 == 'true'
uses: docker://plugins/s3 run: |
env: aws s3 sync ${{ env.ARTIFACTS_FOLDER }} s3://${{ secrets.DOWNLOADS_BUCKET }}/arduino-ide
PLUGIN_SOURCE: '${{ env.ARTIFACTS_FOLDER }}/*'
PLUGIN_STRIP_PREFIX: '${{ env.ARTIFACTS_FOLDER }}/'
PLUGIN_TARGET: '/arduino-ide'
PLUGIN_BUCKET: ${{ secrets.DOWNLOADS_BUCKET }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
clean: clean:
# This job must run after all jobs that use the transfer artifact. # This job must run after all jobs that use the transfer artifact.

21
.github/workflows/compose-full-changelog.yml vendored
View File

@ -14,6 +14,11 @@ jobs:
create-changelog: create-changelog:
if: github.repository == 'arduino/arduino-ide' if: github.repository == 'arduino/arduino-ide'
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
environment: production
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@v4
@ -44,12 +49,12 @@ jobs:
# Compose changelog # Compose changelog
yarn run compose-changelog "${{ github.workspace }}/${{ env.CHANGELOG_ARTIFACTS }}/$CHANGELOG_FILE_NAME" yarn run compose-changelog "${{ github.workspace }}/${{ env.CHANGELOG_ARTIFACTS }}/$CHANGELOG_FILE_NAME"
- name: Configure AWS Credentials for Changelog [S3]
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
aws-region: us-east-1
- name: Publish Changelog [S3] - name: Publish Changelog [S3]
uses: docker://plugins/s3 run: |
env: aws s3 sync ${{ env.CHANGELOG_ARTIFACTS }} s3://${{ secrets.DOWNLOADS_BUCKET }}/arduino-ide/changelog
PLUGIN_SOURCE: '${{ env.CHANGELOG_ARTIFACTS }}/*'
PLUGIN_STRIP_PREFIX: '${{ env.CHANGELOG_ARTIFACTS }}/'
PLUGIN_TARGET: '/arduino-ide/changelog'
PLUGIN_BUCKET: ${{ secrets.DOWNLOADS_BUCKET }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}