mirror of
https://github.com/arduino/arduino-ide.git
synced 2025-06-09 13:46:33 +00:00
chore: use AWS OpenID Connect for S3 publish
parent
5ec1915000
commit
9ab87bf8b5
51
.github/workflows/build.yml
vendored
@ -203,7 +203,7 @@ jobs:
|
|||||||
echo "is-nightly=$is_nightly" >> $GITHUB_OUTPUT
|
echo "is-nightly=$is_nightly" >> $GITHUB_OUTPUT
|
||||||
echo "channel-name=$channel_name" >> $GITHUB_OUTPUT
|
echo "channel-name=$channel_name" >> $GITHUB_OUTPUT
|
||||||
# Only attempt upload to Amazon S3 if the credentials are available.
|
# Only attempt upload to Amazon S3 if the credentials are available.
|
||||||
echo "publish-to-s3=${{ secrets.AWS_SECRET_ACCESS_KEY != '' }}" >> $GITHUB_OUTPUT
|
echo "publish-to-s3=${{ secrets.AWS_ROLE_ARN != '' }}" >> $GITHUB_OUTPUT
|
||||||
|
|
||||||
select-targets:
|
select-targets:
|
||||||
needs: build-type-determination
|
needs: build-type-determination
|
||||||
@ -284,8 +284,6 @@ jobs:
|
|||||||
- build-type-determination
|
- build-type-determination
|
||||||
- select-targets
|
- select-targets
|
||||||
env:
|
env:
|
||||||
# https://github.blog/changelog/2024-03-07-github-actions-all-actions-will-run-on-node20-instead-of-node16-by-default/
|
|
||||||
ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true
|
|
||||||
# Location of artifacts generated by build.
|
# Location of artifacts generated by build.
|
||||||
BUILD_ARTIFACTS_PATH: electron-app/dist/build-artifacts
|
BUILD_ARTIFACTS_PATH: electron-app/dist/build-artifacts
|
||||||
# to skip passing signing credentials to electron-builder
|
# to skip passing signing credentials to electron-builder
|
||||||
@ -363,8 +361,6 @@ jobs:
|
|||||||
AC_USERNAME: ${{ secrets.AC_USERNAME }}
|
AC_USERNAME: ${{ secrets.AC_USERNAME }}
|
||||||
AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
|
AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
|
||||||
AC_TEAM_ID: ${{ secrets.AC_TEAM_ID }}
|
AC_TEAM_ID: ${{ secrets.AC_TEAM_ID }}
|
||||||
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
|
|
||||||
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
|
|
||||||
IS_NIGHTLY: ${{ needs.build-type-determination.outputs.is-nightly }}
|
IS_NIGHTLY: ${{ needs.build-type-determination.outputs.is-nightly }}
|
||||||
IS_RELEASE: ${{ needs.build-type-determination.outputs.is-release }}
|
IS_RELEASE: ${{ needs.build-type-determination.outputs.is-release }}
|
||||||
CAN_SIGN: ${{ secrets[matrix.config.certificate-secret] != '' }}
|
CAN_SIGN: ${{ secrets[matrix.config.certificate-secret] != '' }}
|
||||||
@ -588,6 +584,12 @@ jobs:
|
|||||||
env:
|
env:
|
||||||
ARTIFACTS_FOLDER: build-artifacts
|
ARTIFACTS_FOLDER: build-artifacts
|
||||||
|
|
||||||
|
environment: production
|
||||||
|
|
||||||
|
permissions:
|
||||||
|
id-token: write
|
||||||
|
contents: read
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Download all job transfer artifacts
|
- name: Download all job transfer artifacts
|
||||||
uses: actions/download-artifact@v4
|
uses: actions/download-artifact@v4
|
||||||
@ -596,15 +598,15 @@ jobs:
|
|||||||
path: ${{ env.ARTIFACTS_FOLDER }}
|
path: ${{ env.ARTIFACTS_FOLDER }}
|
||||||
pattern: ${{ env.JOB_TRANSFER_ARTIFACT_PREFIX }}*
|
pattern: ${{ env.JOB_TRANSFER_ARTIFACT_PREFIX }}*
|
||||||
|
|
||||||
|
- name: Configure AWS Credentials for Nightly [S3]
|
||||||
|
uses: aws-actions/configure-aws-credentials@v4
|
||||||
|
with:
|
||||||
|
role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
|
||||||
|
aws-region: us-east-1
|
||||||
|
|
||||||
- name: Publish Nightly [S3]
|
- name: Publish Nightly [S3]
|
||||||
uses: docker://plugins/s3
|
run: |
|
||||||
env:
|
aws s3 sync ${{ env.ARTIFACTS_FOLDER }} s3://${{ secrets.DOWNLOADS_BUCKET }}/arduino-ide/nightly
|
||||||
PLUGIN_SOURCE: '${{ env.ARTIFACTS_FOLDER }}/*'
|
|
||||||
PLUGIN_STRIP_PREFIX: '${{ env.ARTIFACTS_FOLDER }}/'
|
|
||||||
PLUGIN_TARGET: '/arduino-ide/nightly'
|
|
||||||
PLUGIN_BUCKET: ${{ secrets.DOWNLOADS_BUCKET }}
|
|
||||||
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
|
|
||||||
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
|
|
||||||
|
|
||||||
release:
|
release:
|
||||||
needs:
|
needs:
|
||||||
@ -625,6 +627,12 @@ jobs:
|
|||||||
env:
|
env:
|
||||||
ARTIFACTS_FOLDER: build-artifacts
|
ARTIFACTS_FOLDER: build-artifacts
|
||||||
|
|
||||||
|
environment: production
|
||||||
|
|
||||||
|
permissions:
|
||||||
|
id-token: write
|
||||||
|
contents: read
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Download all job transfer artifacts
|
- name: Download all job transfer artifacts
|
||||||
uses: actions/download-artifact@v4
|
uses: actions/download-artifact@v4
|
||||||
@ -648,16 +656,17 @@ jobs:
|
|||||||
file_glob: true
|
file_glob: true
|
||||||
body: ${{ needs.changelog.outputs.BODY }}
|
body: ${{ needs.changelog.outputs.BODY }}
|
||||||
|
|
||||||
|
- name: Configure AWS Credentials for Release [S3]
|
||||||
|
if: needs.build-type-determination.outputs.publish-to-s3 == 'true'
|
||||||
|
uses: aws-actions/configure-aws-credentials@v4
|
||||||
|
with:
|
||||||
|
role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
|
||||||
|
aws-region: us-east-1
|
||||||
|
|
||||||
- name: Publish Release [S3]
|
- name: Publish Release [S3]
|
||||||
if: needs.build-type-determination.outputs.publish-to-s3 == 'true'
|
if: needs.build-type-determination.outputs.publish-to-s3 == 'true'
|
||||||
uses: docker://plugins/s3
|
run: |
|
||||||
env:
|
aws s3 sync ${{ env.ARTIFACTS_FOLDER }} s3://${{ secrets.DOWNLOADS_BUCKET }}/arduino-ide
|
||||||
PLUGIN_SOURCE: '${{ env.ARTIFACTS_FOLDER }}/*'
|
|
||||||
PLUGIN_STRIP_PREFIX: '${{ env.ARTIFACTS_FOLDER }}/'
|
|
||||||
PLUGIN_TARGET: '/arduino-ide'
|
|
||||||
PLUGIN_BUCKET: ${{ secrets.DOWNLOADS_BUCKET }}
|
|
||||||
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
|
|
||||||
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
|
|
||||||
|
|
||||||
clean:
|
clean:
|
||||||
# This job must run after all jobs that use the transfer artifact.
|
# This job must run after all jobs that use the transfer artifact.
|
||||||
|
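Review bot: In the `release` job, the added job-level `permissions:` block sets `contents: read`, which also caps the `GITHUB_TOKEN` available to the release-upload step later in the same job (the one with `file_glob: true` and `body:`). That step's token input is outside the visible hunks; if it authenticates with `GITHUB_TOKEN`, publishing the release will be refused and the block needs `contents: write`. Separately, `aws-actions/configure-aws-credentials@v4` is a mutable tag used in jobs that hold `id-token: write` under `environment: production`; pinning it as `uses: aws-actions/configure-aws-credentials@<full-commit-sha> # v4` stops a retagged release from running with the ability to assume the publishing role (the same step is added in compose-full-changelog.yml). The new `aws s3 sync` lines, here and in that file, also expand `${{ … }}` straight into the script text; passing the bucket through a step-level `env:` and writing `aws s3 sync "$ARTIFACTS_FOLDER" "s3://$DOWNLOADS_BUCKET/arduino-ide/nightly"` keeps the arguments quoted and the secret out of the templated script.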
21
.github/workflows/compose-full-changelog.yml
vendored
@ -14,6 +14,11 @@ jobs:
|
|||||||
create-changelog:
|
create-changelog:
|
||||||
if: github.repository == 'arduino/arduino-ide'
|
if: github.repository == 'arduino/arduino-ide'
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
permissions:
|
||||||
|
id-token: write
|
||||||
|
contents: read
|
||||||
|
environment: production
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout
|
- name: Checkout
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
@ -44,12 +49,12 @@ jobs:
|
|||||||
# Compose changelog
|
# Compose changelog
|
||||||
yarn run compose-changelog "${{ github.workspace }}/${{ env.CHANGELOG_ARTIFACTS }}/$CHANGELOG_FILE_NAME"
|
yarn run compose-changelog "${{ github.workspace }}/${{ env.CHANGELOG_ARTIFACTS }}/$CHANGELOG_FILE_NAME"
|
||||||
|
|
||||||
|
- name: Configure AWS Credentials for Changelog [S3]
|
||||||
|
uses: aws-actions/configure-aws-credentials@v4
|
||||||
|
with:
|
||||||
|
role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
|
||||||
|
aws-region: us-east-1
|
||||||
|
|
||||||
- name: Publish Changelog [S3]
|
- name: Publish Changelog [S3]
|
||||||
uses: docker://plugins/s3
|
run: |
|
||||||
env:
|
aws s3 sync ${{ env.CHANGELOG_ARTIFACTS }} s3://${{ secrets.DOWNLOADS_BUCKET }}/arduino-ide/changelog
|
||||||
PLUGIN_SOURCE: '${{ env.CHANGELOG_ARTIFACTS }}/*'
|
|
||||||
PLUGIN_STRIP_PREFIX: '${{ env.CHANGELOG_ARTIFACTS }}/'
|
|
||||||
PLUGIN_TARGET: '/arduino-ide/changelog'
|
|
||||||
PLUGIN_BUCKET: ${{ secrets.DOWNLOADS_BUCKET }}
|
|
||||||
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
|
|
||||||
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
|
|
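Review bot: The `id-token: write` permission is granted to the whole `create-changelog` job, so the checkout and `yarn run compose-changelog` steps that run before `Configure AWS Credentials for Changelog [S3]` can also request an OIDC token, although only the publish step needs it. Moving the two S3 steps into a separate job that declares `id-token: write` and receives the changelog as an artifact would keep dependency code away from the credential. The job's trigger and its earlier steps are outside the hunks, so confirm how much third-party code runs there. It is also worth checking that the IAM role's trust policy conditions on the `sub` claim for this repository and environment (`repo:arduino/arduino-ide:environment:production`), since `environment: production` only restricts access if the role verifies it.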