github: Use IAM Roles to push files on AWS S3 #4
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Source: https://github.com/arduino/tooling-project-assets/blob/main/workflow-templates/release-go-crosscompile-task.md | |
| name: Release | |
| env: | |
| # As defined by the Taskfile's PROJECT_NAME variable | |
| PROJECT_NAME: arduino101load | |
| # As defined by the Taskfile's DIST_DIR variable | |
| DIST_DIR: dist | |
| # The project's folder on Arduino's download server for uploading builds | |
| AWS_PLUGIN_TARGET: /tools/ | |
| ARTIFACT_NAME: dist | |
| # See: https://github.com/actions/setup-go/tree/main#supported-version-syntax | |
| GO_VERSION: "1.17" | |
| AWS_REGION: "us-east-1" | |
| on: | |
| push: | |
| tags: | |
| - "[0-9]+.[0-9]+.[0-9]+*" | |
| jobs: | |
| create-release-artifacts: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| os: | |
| - Windows_32bit | |
| - Windows_64bit | |
| - Linux_32bit | |
| - Linux_64bit | |
| - Linux_ARMv6 | |
| - Linux_ARMv7 | |
| - Linux_ARM64 | |
| - macOS_64bit | |
| - macOS_ARM64 | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v3 | |
| with: | |
| fetch-depth: 0 | |
| - name: Create changelog | |
| # Avoid creating the same changelog for each os | |
| if: matrix.os == 'Windows_32bit' | |
| uses: arduino/create-changelog@v1 | |
| with: | |
| tag-regex: '^[0-9]+\.[0-9]+\.[0-9]+.*$' | |
| filter-regex: '^\[(skip|changelog)[ ,-](skip|changelog)\].*' | |
| case-insensitive-regex: true | |
| changelog-file-path: "${{ env.DIST_DIR }}/CHANGELOG.md" | |
| - name: Install Go | |
| uses: actions/setup-go@v3 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Install Task | |
| uses: arduino/setup-task@v1 | |
| with: | |
| repo-token: ${{ secrets.GITHUB_TOKEN }} | |
| version: 3.x | |
| - name: Build | |
| run: task dist:${{ matrix.os }} | |
| - name: Upload artifacts | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| if-no-files-found: error | |
| name: ${{ env.ARTIFACT_NAME }} | |
| path: ${{ env.DIST_DIR }} | |
| create-release: | |
| runs-on: ubuntu-latest | |
| environment: production | |
| needs: create-release-artifacts | |
| permissions: | |
| contents: write | |
| id-token: write # This is required for requesting the JWT | |
| steps: | |
| - name: Download artifact | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: ${{ env.ARTIFACT_NAME }} | |
| path: ${{ env.DIST_DIR }} | |
| - name: Create checksum file | |
| working-directory: ${{ env.DIST_DIR}} | |
| run: | | |
| TAG="${GITHUB_REF/refs\/tags\//}" | |
| sha256sum ${{ env.PROJECT_NAME }}_${TAG}* > ${TAG}-checksums.txt | |
| - name: Identify Prerelease | |
| # This is a workaround while waiting for create-release action | |
| # to implement auto pre-release based on tag | |
| id: prerelease | |
| run: | | |
| wget -q -P /tmp https://github.com/fsaintjacques/semver-tool/archive/3.2.0.zip | |
| unzip -p /tmp/3.2.0.zip semver-tool-3.2.0/src/semver >/tmp/semver && chmod +x /tmp/semver | |
| if [[ "$(/tmp/semver get prerel "${GITHUB_REF/refs\/tags\//}")" ]]; then echo "IS_PRE=true" >> $GITHUB_OUTPUT; fi | |
| - name: Create Github Release and upload artifacts | |
| uses: ncipollo/release-action@v1 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| bodyFile: ${{ env.DIST_DIR }}/CHANGELOG.md | |
| draft: false | |
| prerelease: ${{ steps.prerelease.outputs.IS_PRE }} | |
| # NOTE: "Artifact is a directory" warnings are expected and don't indicate a problem | |
| # (all the files we need are in the DIST_DIR root) | |
| artifacts: ${{ env.DIST_DIR }}/* | |
| - name: configure aws credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }} | |
| role-session-name: "github_${{ env.PROJECT_NAME }}" | |
| aws-region: ${{ env.AWS_REGION }} | |
| - name: Upload release files on Arduino downloads servers | |
| run: aws s3 sync ${{ env.DIST_DIR }} s3://${{ secrets.DOWNLOADS_BUCKET }}${{ env.AWS_PLUGIN_TARGET }} |