Refactor signing certificate handling in "Arduino IDE" workflow

Previously, there was some code duplication of the complex code signing certificate handling commands, which made the related code more difficult to understand, maintain, and develop. The cause of this duplication is that there is a separate certificate for each operating system, each of which is stored in separate repository secrets, as well as a different certificate file extension for each OS. Since the secret names and file extensions are associated with the operating system, it is most logical to define them via attributes alongside the operating system definition in the job matrix configuration already used to generate the parallel job runs for native build on each OS. That done, the certificate handling commands are universal and the system can easily expand to additional host targets (e.g., Apple M1) as time goes on.
2025-07-08 11:56:36 +00:00 · 2022-06-25 13:30:54 -07:00 · 2022-06-25 13:30:54 -07:00 · d1aa446c89
commit d1aa446c89
parent e454acba41
1 changed files with 15 additions and 15 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -17,13 +17,22 @@ env:
 jobs:
  build:
    name: build (${{ matrix.config.os }})
    if: github.repository == 'arduino/arduino-ide'
    strategy:
      matrix:
        config:
          - os: windows-2019
            certificate-secret: WINDOWS_SIGNING_CERTIFICATE_PFX # Name of the secret that contains the certificate.
            certificate-password-secret: WINDOWS_SIGNING_CERTIFICATE_PASSWORD # Name of the secret that contains the certificate password.
            certificate-extension: pfx  # File extension for the certificate.
          - os: ubuntu-18.04 # https://github.com/arduino/arduino-ide/issues/259
          - os: macos-latest
            # APPLE_SIGNING_CERTIFICATE_P12 secret was produced by following the procedure from:
            # https://www.kencochrane.com/2020/08/01/build-and-sign-golang-binaries-for-macos-with-github-actions/#exporting-the-developer-certificate
            certificate-secret: APPLE_SIGNING_CERTIFICATE_P12
            certificate-password-secret: KEYCHAIN_PASSWORD
            certificate-extension: p12
    runs-on: ${{ matrix.config.os }}
    timeout-minutes: 90
@ -59,23 +68,14 @@ jobs:
          if [ $IS_FORK = true ]; then
            echo "Skipping the app signing: building from a fork."
          else
-            if [ "${{ runner.OS }}" = "macOS" ]; then
+            export CSC_LINK="${{ runner.temp }}/signing_certificate.${{ matrix.config.certificate-extension }}"
-              export CSC_LINK="${{ runner.temp }}/signing_certificate.p12"
+            echo "${{ secrets[matrix.config.certificate-secret] }}" | base64 --decode > "$CSC_LINK"
-              # APPLE_SIGNING_CERTIFICATE_P12 secret was produced by following the procedure from:
+            export CSC_KEY_PASSWORD="${{ secrets[matrix.config.certificate-password-secret] }}"
-              # https://www.kencochrane.com/2020/08/01/build-and-sign-golang-binaries-for-macos-with-github-actions/#exporting-the-developer-certificate
+          fi
              echo "${{ secrets.APPLE_SIGNING_CERTIFICATE_P12 }}" | base64 --decode > "$CSC_LINK"
-              export CSC_KEY_PASSWORD="${{ secrets.KEYCHAIN_PASSWORD }}"
+          if [ "${{ runner.OS }}" = "Windows" ]; then
            elif [ "${{ runner.OS }}" = "Windows" ]; then
              export CSC_LINK="${{ runner.temp }}/signing_certificate.pfx"
            npm config set msvs_version 2017 --global
              echo "${{ secrets.WINDOWS_SIGNING_CERTIFICATE_PFX }}" | base64 --decode > "$CSC_LINK"
              export CSC_KEY_PASSWORD="${{ secrets.WINDOWS_SIGNING_CERTIFICATE_PASSWORD }}"
          fi
          fi
          npx node-gyp install
          yarn --cwd ./electron/packager/
          yarn --cwd ./electron/packager/ package