[skip changelog] Add release process

silvanocerza · silvanocerza · commit 4d525dd9016d · 2020-12-18T17:38:00.000+01:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,156 @@
+name: release
+
+on:
+  push:
+    tags:
+      - "[0-9]+.[0-9]+.[0-9]+*"
+
+jobs:
+  create-release-artifacts:
+    runs-on: ubuntu-latest
+
+    container:
+      image: arduino/arduino-cli:builder-1
+      volumes:
+        # cache go dependencies across pipeline's steps
+        - ${{ github.workspace }}/go:/go
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v1
+        with:
+          fetch-depth: 0
+
+      - name: Build
+        run: goreleaser
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v2
+        with:
+          name: dist
+          path: dist
+
+  notarize-macos:
+    runs-on: macos-latest
+    needs: create-release-artifacts
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Download artifacts
+        uses: actions/download-artifact@v2
+        with:
+          name: dist
+          # to ensure compatibility with v1
+          path: dist
+
+      - name: Import Code-Signing Certificates
+        env:
+          KEYCHAIN: "sign.keychain"
+          INSTALLER_CERT_MAC_PATH: "/tmp/ArduinoCerts2020.p12"
+          KEYCHAIN_PASSWORD: keychainpassword # Arbitrary password for a keychain that exists only for the duration of the job, so not secret
+        run: |
+          echo "${{ secrets.INSTALLER_CERT_MAC_P12 }}" | base64 --decode > ${{ env.INSTALLER_CERT_MAC_PATH }}
+          security create-keychain -p ${{ env.KEYCHAIN_PASSWORD }} ${{ env.KEYCHAIN }}
+          security default-keychain -s ${{ env.KEYCHAIN }}
+          security unlock-keychain -p ${{ env.KEYCHAIN_PASSWORD }} ${{ env.KEYCHAIN }}
+          security import ${{ env.INSTALLER_CERT_MAC_PATH }} -k ${{ env.KEYCHAIN }} -f pkcs12 -A -T /usr/bin/codesign -P ${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}
+          security set-key-partition-list -S apple-tool:,apple: -s -k ${{ env.KEYCHAIN_PASSWORD }} ${{ env.KEYCHAIN }}
+
+      - name: Install gon for code signing and app notarization
+        run: |
+          wget -q https://github.com/mitchellh/gon/releases/download/v0.2.3/gon_macos.zip
+          unzip gon_macos.zip -d /usr/local/bin
+
+      - name: Sign and notarize binary
+        env:
+          AC_USERNAME: ${{ secrets.AC_USERNAME }}
+          AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
+        run: |
+          gon gon.config.hcl
+
+      - name: Re-package binary and update checksum
+        # This step performs the following:
+        # 1. Repackage the signed binary replaced in place by Gon (ignoring the output zip file)
+        # 2. Recalculate package checksum and replace it in the goreleaser nnnnnn-checksums.txt file
+        run: |
+          # GitHub's upload/download-artifact@v2 action doen't preserve file permissions,
+          # so we need to add execution permission back until the action is made to do this.
+          chmod +x dist/arduino_lint_osx_darwin_amd64/arduino-lint
+          TAG=${GITHUB_REF/refs\/tags\//}
+          tar -czvf dist/arduino-lint_${TAG}_macOS_64bit.tar.gz \
+          -C dist/arduino_lint_osx_darwin_amd64/  arduino-lint   \
+          -C ../../ LICENSE.txt
+          LINT_CHECKSUM=$(shasum -a 256 dist/arduino-lint_${TAG}_macOS_64bit.tar.gz | cut -d " " -f 1)
+          perl -pi -w -e "s/.*arduino-lint_${TAG}_macOS_64bit.tar.gz/${LINT_CHECKSUM}  arduino-lint_${TAG}_macOS_64bit.tar.gz/g;" dist/*-checksums.txt
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v2
+        with:
+          name: dist
+          path: dist
+
+  create-release:
+    runs-on: ubuntu-latest
+    needs: notarize-macos
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Download artifact
+        uses: actions/download-artifact@v2
+        with:
+          name: dist
+          # to ensure compatibility with v1
+          path: dist
+
+      - name: Read CHANGELOG
+        id: changelog
+        run: |
+          body=$(cat dist/CHANGELOG.md)
+          body="${body//'%'/'%25'}"
+          body="${body//$'\n'/'%0A'}"
+          body="${body//$'\r'/'%0D'}"
+          echo $body
+          echo "::set-output name=BODY::$body"
+
+      - name: Identify Prerelease
+        # This is a workaround while waiting for create-release action
+        # to implement auto pre-release based on tag
+        id: prerelease
+        run: |
+          wget -q -P /tmp https://github.com/fsaintjacques/semver-tool/archive/3.0.0.zip
+          unzip -p /tmp/3.0.0.zip semver-tool-3.0.0/src/semver >/tmp/semver && chmod +x /tmp/semver
+          if [[ $(/tmp/semver get prerel ${GITHUB_REF/refs\/tags\//}) ]]; then echo "::set-output name=IS_PRE::true"; fi
+
+      - name: Create Github Release
+        id: create_release
+        uses: actions/create-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: ${{ github.ref }}
+          release_name: ${{ github.ref }}
+          body: ${{ steps.changelog.outputs.BODY }}
+          draft: false
+          prerelease: ${{ steps.prerelease.outputs.IS_PRE }}
+
+      - name: Upload release files on Github
+        uses: svenstaro/upload-release-action@v2
+        with:
+          repo_token: ${{ secrets.GITHUB_TOKEN }}
+          file: dist/*
+          tag: ${{ github.ref }}
+          file_glob: true
+
+      - name: Upload release files on Arduino downloads servers
+        uses: docker://plugins/s3
+        env:
+          PLUGIN_SOURCE: "dist/*"
+          PLUGIN_TARGET: "/arduino-lint/"
+          PLUGIN_STRIP_PREFIX: "dist/"
+          PLUGIN_BUCKET: ${{ secrets.DOWNLOADS_BUCKET }}
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
diff --git a/.gitignore b/.gitignore
@@ -18,3 +18,5 @@ coverage_unit.txt
 /docsgen/arduino-cli
 /docsgen/arduino-cli.exe
 /docs/commands/*.md
+
+/dist
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -0,0 +1,121 @@
+# Global section
+checksum:
+  name_template: '{{ .Tag }}-{{ time "20060102" }}-checksums.txt'
+
+snapshot:
+  name_template: '{{ .Env.PACKAGE_NAME_PREFIX }}-{{ time "20060102" }}'
+
+release:
+  disable: true
+
+changelog:
+  filters:
+    exclude:
+      # [skip changelog], [skip-changelog], [changelog skip], [changelog-skip]
+      - '^(?i)\[(skip|changelog)[ ,-](skip|changelog)\].*'
+
+# We have multiple builds in order to fine tune
+# cross compilations.
+builds:
+  - # OSX
+    id: arduino_lint_osx
+    binary: arduino-lint
+    env:
+      - CGO_ENABLED=1
+      - CXXFLAGS="-mmacosx-version-min=10.10"
+      - CC=/usr/x86_64-apple-darwin14/bin/cc
+    goos:
+      - darwin
+    goarch:
+      - amd64
+    ldflags:
+      - -s -w
+      - -X github.com/arduino/arduino-lint/configuration.version={{.Tag}}
+      - -X github.com/arduino/arduino-lint/configuration.commit={{ .ShortCommit }}
+      - -X github.com/arduino/arduino-lint/configuration.buildTimestamp={{.Date}}
+  - # ARM
+    id: arduino_lint_arm
+    binary: arduino-lint
+    env:
+      - CGO_ENABLED=1
+      - CC=/usr/arm-linux-gnueabi/bin/cc
+    goos:
+      - linux
+    goarch:
+      - arm
+    goarm:
+      - 6
+    ldflags:
+      - -s -w
+      - -X github.com/arduino/arduino-lint/configuration.version={{.Tag}}
+      - -X github.com/arduino/arduino-lint/configuration.commit={{ .ShortCommit }}
+      - -X github.com/arduino/arduino-lint/configuration.buildTimestamp={{.Date}}
+      - "-extldflags '-static'"
+  - # ARMv7
+    id: arduino_lint_armv7
+    binary: arduino-lint
+    env:
+      - CGO_ENABLED=1
+      - CC=/usr/arm-linux-gnueabihf/bin/cc
+    goos:
+      - linux
+    goarch:
+      - arm
+    goarm:
+      - 7
+    ldflags:
+      - -s -w
+      - -X github.com/arduino/arduino-lint/configuration.version={{.Tag}}
+      - -X github.com/arduino/arduino-lint/configuration.commit={{ .ShortCommit }}
+      - -X github.com/arduino/arduino-lint/configuration.buildTimestamp={{.Date}}
+      - "-extldflags '-static'"
+  - # ARM64
+    id: arduino_lint_arm64
+    binary: arduino-lint
+    env:
+      - CGO_ENABLED=1
+      - CC=/usr/aarch64-linux-gnu/bin/cc
+    goos:
+      - linux
+    goarch:
+      - arm64
+    ldflags:
+      - -s -w
+      - -X github.com/arduino/arduino-lint/configuration.version={{.Tag}}
+      - -X github.com/arduino/arduino-lint/configuration.commit={{ .ShortCommit }}
+      - -X github.com/arduino/arduino-lint/configuration.buildTimestamp={{.Date}}
+      - "-extldflags '-static'"
+  - # All the other platforms
+    id: arduino_lint
+    binary: arduino-lint
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+      - windows
+    goarch:
+      - amd64
+      - 386
+    ldflags:
+      - -s -w
+      - -X github.com/arduino/arduino-lint/configuration.version={{.Tag}}
+      - -X github.com/arduino/arduino-lint/configuration.commit={{ .ShortCommit }}
+      - -X github.com/arduino/arduino-lint/configuration.buildTimestamp={{.Date}}
+      - "-extldflags '-static'"
+
+archives:
+  - id: "arduino_lint"
+    format: tar.gz
+    format_overrides:
+      - goos: windows
+        format: zip
+    replacements:
+      amd64: 64bit
+      darwin: macOS
+      386: 32bit
+      arm: ARM
+      arm64: ARM64
+      linux: Linux
+      windows: Windows
+    files:
+      - LICENSE.txt
diff --git a/gon.config.hcl b/gon.config.hcl
@@ -0,0 +1,12 @@
+source = ["dist/arduino_lint_osx_darwin_amd64/arduino-lint"]
+bundle_id = "cc.arduino.arduino-lint"
+
+sign {
+  application_identity = "Developer ID Application: ARDUINO SA (7KT7ZWMCJT)"
+}
+
+# Ask Gon for zip output to force notarization process to take place.
+# The CI will ignore the zip output, using the signed binary only.
+zip {
+  output_path = "arduino-lint.zip"
+}
