fix: Add safe dir to local windows runner #4940
Workflow file for this run
  
    
      This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
      Learn more about bidirectional Unicode characters
    
  
  
    
  | name: Arduino IDE | |
| on: | |
| create: | |
| push: | |
| branches: | |
| - main | |
| - '[0-9]+.[0-9]+.x' | |
| paths-ignore: | |
| - '.github/**' | |
| - '!.github/workflows/build.yml' | |
| - '.vscode/**' | |
| - 'docs/**' | |
| - 'scripts/**' | |
| - '!scripts/merge-channel-files.js' | |
| - 'static/**' | |
| - '*.md' | |
| tags: | |
| - '[0-9]+.[0-9]+.[0-9]+*' | |
| workflow_dispatch: | |
| inputs: | |
| paid-runners: | |
| description: Include builds on non-free runners | |
| type: boolean | |
| default: false | |
| pull_request: | |
| paths-ignore: | |
| - '.github/**' | |
| - '!.github/workflows/build.yml' | |
| - '.vscode/**' | |
| - 'docs/**' | |
| - 'scripts/**' | |
| - '!scripts/merge-channel-files.js' | |
| - 'static/**' | |
| - '*.md' | |
| schedule: | |
| - cron: '0 3 * * *' # run every day at 3AM (https://docs.github.com/en/actions/reference/events-that-trigger-workflows#scheduled-events-schedule) | |
| workflow_run: | |
| workflows: | |
| - Push Container Images | |
| branches: | |
| - main | |
| types: | |
| - completed | |
| env: | |
| # See vars.GO_VERSION field of https://github.com/arduino/arduino-cli/blob/master/DistTasks.yml | |
| GO_VERSION: '1.21' | |
| # See: https://github.com/actions/setup-node/#readme | |
| NODE_VERSION: '18.17' | |
| YARN_VERSION: '1.22' | |
| JOB_TRANSFER_ARTIFACT_PREFIX: build-artifacts- | |
| CHANGELOG_ARTIFACTS: changelog | |
| STAGED_CHANNEL_FILE_ARTIFACT_PREFIX: staged-channel-file- | |
| BASE_BUILD_DATA: | | |
| - config: | |
| # Human identifier for the job. | |
| name: Windows | |
| runs-on: [self-hosted, windows-sign-pc] | |
| # The value is a string representing a JSON document. | |
| # Setting this to null causes the job to run directly in the runner machine instead of in a container. | |
| container: | | |
| null | |
| # Name of the secret that contains the certificate. | |
| certificate-secret: INSTALLER_CERT_WINDOWS_CER | |
| # Name of the secret that contains the certificate password. | |
| certificate-password-secret: INSTALLER_CERT_WINDOWS_PASSWORD | |
| # File extension for the certificate. | |
| certificate-extension: pfx | |
| # Container for windows cert signing | |
| certificate-container: INSTALLER_CERT_WINDOWS_CONTAINER | |
| # Arbitrary identifier used to give the workflow artifact uploaded by each "build" matrix job a unique name. | |
| job-transfer-artifact-suffix: Windows_64bit | |
| # Quoting on the value is required here to allow the same comparison expression syntax to be used for this | |
| # and the companion needs.select-targets.outputs.merge-channel-files property (output values always have string | |
| # type). | |
| mergeable-channel-file: 'false' | |
| # as this runs on a self hosted runner, we need to avoid building with the default working directory path, | |
| # otherwise paths in the build job will be too long for `light.exe` | |
| # we use the below as a Symbolic link (just changing the wd will break the checkout action) | |
| # this is a work around (see: https://github.com/actions/checkout/issues/197). | |
| working-directory: 'C:\a' | |
| artifacts: | |
| - path: '*Windows_64bit.exe' | |
| name: Windows_X86-64_interactive_installer | |
| - path: '*Windows_64bit.msi' | |
| name: Windows_X86-64_MSI | |
| - path: '*Windows_64bit.zip' | |
| name: Windows_X86-64_zip | |
| - config: | |
| name: Linux | |
| runs-on: ubuntu-latest | |
| container: | | |
| { | |
| \"image\": \"ghcr.io/arduino/arduino-ide/linux:main\" | |
| } | |
| job-transfer-artifact-suffix: Linux_64bit | |
| mergeable-channel-file: 'false' | |
| artifacts: | |
| - path: '*Linux_64bit.zip' | |
| name: Linux_X86-64_zip | |
| - path: '*Linux_64bit.AppImage' | |
| name: Linux_X86-64_app_image | |
| - config: | |
| name: macOS x86 | |
| runs-on: macos-13 | |
| container: | | |
| null | |
| # APPLE_SIGNING_CERTIFICATE_P12 secret was produced by following the procedure from: | |
| # https://www.kencochrane.com/2020/08/01/build-and-sign-golang-binaries-for-macos-with-github-actions/#exporting-the-developer-certificate | |
| certificate-secret: APPLE_SIGNING_CERTIFICATE_P12 | |
| certificate-password-secret: KEYCHAIN_PASSWORD | |
| certificate-extension: p12 | |
| job-transfer-artifact-suffix: macOS_64bit | |
| mergeable-channel-file: 'true' | |
| artifacts: | |
| - path: '*macOS_64bit.dmg' | |
| name: macOS_X86-64_dmg | |
| - path: '*macOS_64bit.zip' | |
| name: macOS_X86-64_zip | |
| - config: | |
| name: macOS ARM | |
| runs-on: macos-latest | |
| container: | | |
| null | |
| certificate-secret: APPLE_SIGNING_CERTIFICATE_P12 | |
| certificate-password-secret: KEYCHAIN_PASSWORD | |
| certificate-extension: p12 | |
| job-transfer-artifact-suffix: macOS_arm64 | |
| mergeable-channel-file: 'true' | |
| artifacts: | |
| - path: '*macOS_arm64.dmg' | |
| name: macOS_arm64_dmg | |
| - path: '*macOS_arm64.zip' | |
| name: macOS_arm64_zip | |
| PAID_RUNNER_BUILD_DATA: | | |
| # This system was implemented to allow selective use of paid GitHub-hosted runners, due to the Apple Silicon runner | |
| # incurring a charge at that time. Free Apple Silicon runners are now available so the configuration was moved to | |
| # `BASE_BUILD_DATA`, but the system was left in place for future use. | |
| jobs: | |
| run-determination: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| result: ${{ steps.determination.outputs.result }} | |
| permissions: {} | |
| steps: | |
| - name: Determine if the rest of the workflow should run | |
| id: determination | |
| run: | | |
| RELEASE_BRANCH_REGEX="refs/heads/[0-9]+.[0-9]+.x" | |
| # The `create` event trigger doesn't support `branches` filters, so it's necessary to use Bash instead. | |
| if [[ | |
| "${{ github.event_name }}" != "create" || | |
| "${{ github.ref }}" =~ $RELEASE_BRANCH_REGEX | |
| ]]; then | |
| # Run the other jobs. | |
| RESULT="true" | |
| else | |
| # There is no need to run the other jobs. | |
| RESULT="false" | |
| fi | |
| echo "result=$RESULT" >> $GITHUB_OUTPUT | |
| build-type-determination: | |
| needs: run-determination | |
| if: needs.run-determination.outputs.result == 'true' | |
| runs-on: ubuntu-latest | |
| outputs: | |
| is-release: ${{ steps.determination.outputs.is-release }} | |
| is-nightly: ${{ steps.determination.outputs.is-nightly }} | |
| channel-name: ${{ steps.determination.outputs.channel-name }} | |
| publish-to-s3: ${{ steps.determination.outputs.publish-to-s3 }} | |
| permissions: {} | |
| steps: | |
| - name: Determine the type of build | |
| id: determination | |
| run: | | |
| if [[ | |
| "${{ startsWith(github.ref, 'refs/tags/') }}" == "true" | |
| ]]; then | |
| is_release="true" | |
| is_nightly="false" | |
| channel_name="stable" | |
| elif [[ | |
| "${{ github.event_name }}" == "schedule" || | |
| ( | |
| "${{ github.event_name }}" == "workflow_dispatch" && | |
| "${{ github.ref }}" == "refs/heads/main" | |
| ) | |
| ]]; then | |
| is_release="false" | |
| is_nightly="true" | |
| channel_name="nightly" | |
| else | |
| is_release="false" | |
| is_nightly="false" | |
| channel_name="nightly" | |
| fi | |
| echo "is-release=$is_release" >> $GITHUB_OUTPUT | |
| echo "is-nightly=$is_nightly" >> $GITHUB_OUTPUT | |
| echo "channel-name=$channel_name" >> $GITHUB_OUTPUT | |
| # Only attempt upload to Amazon S3 if the credentials are available. | |
| echo "publish-to-s3=${{ secrets.AWS_ROLE_ARN != '' }}" >> $GITHUB_OUTPUT | |
| select-targets: | |
| needs: build-type-determination | |
| runs-on: ubuntu-latest | |
| outputs: | |
| artifact-matrix: ${{ steps.assemble.outputs.artifact-matrix }} | |
| build-matrix: ${{ steps.assemble.outputs.build-matrix }} | |
| merge-channel-files: ${{ steps.assemble.outputs.merge-channel-files }} | |
| permissions: {} | |
| steps: | |
| - name: Assemble target data | |
| id: assemble | |
| run: | | |
| # Only run the builds that incur runner charges on release or select manually triggered runs. | |
| if [[ | |
| "${{ needs.build-type-determination.outputs.is-release }}" == "true" || | |
| "${{ github.event.inputs.paid-runners }}" == "true" | |
| ]]; then | |
| build_matrix="$( | |
| ( | |
| echo "${{ env.BASE_BUILD_DATA }}"; | |
| echo "${{ env.PAID_RUNNER_BUILD_DATA }}" | |
| ) | \ | |
| yq \ | |
| --output-format json \ | |
| '[.[].config]' | |
| )" | |
| artifact_matrix="$( | |
| ( | |
| echo "${{ env.BASE_BUILD_DATA }}"; | |
| echo "${{ env.PAID_RUNNER_BUILD_DATA }}" | |
| ) | \ | |
| yq \ | |
| --output-format json \ | |
| 'map(.artifacts[] + (.config | pick(["job-transfer-artifact-suffix"])))' | |
| )" | |
| # The build matrix produces two macOS jobs (x86 and ARM) so the "channel update info files" | |
| # generated by each must be merged. | |
| merge_channel_files="true" | |
| else | |
| build_matrix="$( | |
| echo "${{ env.BASE_BUILD_DATA }}" | \ | |
| yq \ | |
| --output-format json \ | |
| '[.[].config]' | |
| )" | |
| artifact_matrix="$( | |
| echo "${{ env.BASE_BUILD_DATA }}" | \ | |
| yq \ | |
| --output-format json \ | |
| 'map(.artifacts[] + (.config | pick(["job-transfer-artifact-suffix"])))' | |
| )" | |
| merge_channel_files="false" | |
| fi | |
| # Set workflow step outputs. | |
| # See: https://docs.github.com/actions/using-workflows/workflow-commands-for-github-actions#multiline-strings | |
| delimiter="$RANDOM" | |
| echo "build-matrix<<$delimiter" >> $GITHUB_OUTPUT | |
| echo "$build_matrix" >> $GITHUB_OUTPUT | |
| echo "$delimiter" >> $GITHUB_OUTPUT | |
| delimiter="$RANDOM" | |
| echo "artifact-matrix<<$delimiter" >> $GITHUB_OUTPUT | |
| echo "$artifact_matrix" >> $GITHUB_OUTPUT | |
| echo "$delimiter" >> $GITHUB_OUTPUT | |
| echo "merge-channel-files=$merge_channel_files" >> $GITHUB_OUTPUT | |
| build: | |
| name: build (${{ matrix.config.name }}) | |
| needs: | |
| - build-type-determination | |
| - select-targets | |
| env: | |
| # Location of artifacts generated by build. | |
| BUILD_ARTIFACTS_PATH: electron-app/dist/build-artifacts | |
| # to skip passing signing credentials to electron-builder | |
| IS_WINDOWS_CONFIG: ${{ matrix.config.name == 'Windows' }} | |
| INSTALLER_CERT_WINDOWS_CER: "/tmp/cert.cer" | |
| # We are hardcoding the path for signtool because is not present on the windows PATH env var by default. | |
| # Keep in mind that this path could change when upgrading to a new runner version | |
| SIGNTOOL_PATH: "C:/Program Files (x86)/Windows Kits/10/bin/10.0.19041.0/x86/signtool.exe" | |
| WIN_CERT_PASSWORD: ${{ secrets[matrix.config.certificate-password-secret] }} | |
| WIN_CERT_CONTAINER_NAME: ${{ secrets[matrix.config.certificate-container] }} | |
| strategy: | |
| matrix: | |
| config: ${{ fromJson(needs.select-targets.outputs.build-matrix) }} | |
| runs-on: ${{ matrix.config.runs-on }} | |
| container: ${{ fromJSON(matrix.config.container) }} | |
| defaults: | |
| run: | |
| # Avoid problems caused by different default shell for container jobs (sh) vs non-container jobs (bash). | |
| shell: bash | |
| timeout-minutes: 90 | |
| steps: | |
| - name: Symlink custom working directory (Window local runner) | |
| shell: cmd | |
| if: runner.os == 'Windows' && matrix.config.working-directory | |
| run: | | |
| if not exist "${{ matrix.config.working-directory }}" mklink /d "${{ matrix.config.working-directory }}" "C:\actions-runner\_work\arduino-ide\arduino-ide" | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Install Node.js | |
| if: runner.name != 'WINDOWS-SIGN-PC' | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: ${{ env.NODE_VERSION }} | |
| registry-url: 'https://registry.npmjs.org' | |
| # Yarn is a prerequisite for the action's cache feature, so caching should be disabled when running in the | |
| # container where Yarn is not pre-installed. | |
| cache: ${{ fromJSON(matrix.config.container) == null && 'yarn' || null }} | |
| - name: Install Yarn | |
| if: runner.name != 'WINDOWS-SIGN-PC' | |
| run: | | |
| npm \ | |
| install \ | |
| --global \ | |
| "yarn@${{ env.YARN_VERSION }}" | |
| - name: Install Python 3.x | |
| if: fromJSON(matrix.config.container) == null && runner.name != 'WINDOWS-SIGN-PC' | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.11.x' | |
| - name: Install Go | |
| if: runner.name != 'WINDOWS-SIGN-PC' | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Install Taskfile | |
| if: runner.name != 'WINDOWS-SIGN-PC' | |
| uses: arduino/setup-task@v2 | |
| with: | |
| repo-token: ${{ secrets.GITHUB_TOKEN }} | |
| version: 3.x | |
| - name: Package | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| AC_USERNAME: ${{ secrets.AC_USERNAME }} | |
| AC_PASSWORD: ${{ secrets.AC_PASSWORD }} | |
| AC_TEAM_ID: ${{ secrets.AC_TEAM_ID }} | |
| IS_NIGHTLY: ${{ needs.build-type-determination.outputs.is-nightly }} | |
| IS_RELEASE: ${{ needs.build-type-determination.outputs.is-release }} | |
| CAN_SIGN: ${{ secrets[matrix.config.certificate-secret] != '' }} | |
| working-directory: ${{ matrix.config.working-directory || './' }} | |
| run: | | |
| # See: https://www.electron.build/code-signing | |
| if [ $CAN_SIGN = false ] || [ $IS_WINDOWS_CONFIG = true ]; then | |
| echo "Skipping the app signing: certificate not provided." | |
| else | |
| export CSC_LINK="${{ runner.temp }}/signing_certificate.${{ matrix.config.certificate-extension }}" | |
| echo "${{ secrets[matrix.config.certificate-secret] }}" | base64 --decode > "$CSC_LINK" | |
| export CSC_KEY_PASSWORD="${{ secrets[matrix.config.certificate-password-secret] }}" | |
| export CSC_FOR_PULL_REQUEST=true | |
| fi | |
| yarn install | |
| yarn --cwd arduino-ide-extension build | |
| yarn --cwd electron-app rebuild | |
| yarn --cwd electron-app build | |
| yarn --cwd electron-app package | |
| # Both macOS jobs generate a "channel update info file" with same path and name. The second job to complete would | |
| # overwrite the file generated by the first in the workflow artifact. | |
| - name: Stage channel file for merge | |
| if: > | |
| needs.select-targets.outputs.merge-channel-files == 'true' && | |
| matrix.config.mergeable-channel-file == 'true' | |
| working-directory: ${{ matrix.config.working-directory || './' }} | |
| run: | | |
| staged_channel_files_path="${{ runner.temp }}/staged-channel-files" | |
| mkdir "$staged_channel_files_path" | |
| mv \ | |
| "${{ env.BUILD_ARTIFACTS_PATH }}/${{ needs.build-type-determination.outputs.channel-name }}-mac.yml" \ | |
| "${staged_channel_files_path}/${{ needs.build-type-determination.outputs.channel-name }}-mac-${{ runner.arch }}.yml" | |
| # Set workflow environment variable for use in other steps. | |
| # See: https://docs.github.com/actions/using-workflows/workflow-commands-for-github-actions#setting-an-environment-variable | |
| echo "STAGED_CHANNEL_FILES_PATH=$staged_channel_files_path" >> "$GITHUB_ENV" | |
| - name: Upload staged-for-merge channel file artifact | |
| uses: actions/upload-artifact@v4 | |
| if: > | |
| needs.select-targets.outputs.merge-channel-files == 'true' && | |
| matrix.config.mergeable-channel-file == 'true' | |
| with: | |
| if-no-files-found: error | |
| name: ${{ env.STAGED_CHANNEL_FILE_ARTIFACT_PREFIX }}${{ matrix.config.job-transfer-artifact-suffix }} | |
| path: ${{ matrix.config.working-directory && format('{0}/{1}', matrix.config.working-directory, env.STAGED_CHANNEL_FILES_PATH) || env.STAGED_CHANNEL_FILES_PATH }} | |
| - name: Upload builds to job transfer artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ env.JOB_TRANSFER_ARTIFACT_PREFIX }}${{ matrix.config.job-transfer-artifact-suffix }} | |
| path: ${{ matrix.config.working-directory && format('{0}/{1}', matrix.config.working-directory, env.BUILD_ARTIFACTS_PATH) || env.BUILD_ARTIFACTS_PATH }} | |
| - name: Manual Clean up for self-hosted runners | |
| if: runner.os == 'Windows' && matrix.config.working-directory | |
| shell: cmd | |
| run: | | |
| rmdir /s /q "${{ matrix.config.working-directory }}\${{ env.BUILD_ARTIFACTS_PATH }}" | |
| merge-channel-files: | |
| needs: | |
| - build-type-determination | |
| - select-targets | |
| - build | |
| if: needs.select-targets.outputs.merge-channel-files == 'true' | |
| runs-on: ubuntu-latest | |
| permissions: {} | |
| steps: | |
| - name: Set environment variables | |
| run: | | |
| # See: https://docs.github.com/actions/using-workflows/workflow-commands-for-github-actions#setting-an-environment-variable | |
| echo "CHANNEL_FILES_PATH=${{ runner.temp }}/channel-files" >> "$GITHUB_ENV" | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Download staged-for-merge channel file artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| merge-multiple: true | |
| path: ${{ env.CHANNEL_FILES_PATH }} | |
| pattern: ${{ env.STAGED_CHANNEL_FILE_ARTIFACT_PREFIX }}* | |
| - name: Remove no longer needed artifacts | |
| uses: geekyeggo/delete-artifact@v5 | |
| with: | |
| name: ${{ env.STAGED_CHANNEL_FILE_ARTIFACT_PREFIX }}* | |
| - name: Install Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: ${{ env.NODE_VERSION }} | |
| registry-url: 'https://registry.npmjs.org' | |
| cache: 'yarn' | |
| - name: Install Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Install Task | |
| uses: arduino/setup-task@v2 | |
| with: | |
| repo-token: ${{ secrets.GITHUB_TOKEN }} | |
| version: 3.x | |
| - name: Install dependencies | |
| run: yarn | |
| - name: Merge "channel update info files" | |
| run: | | |
| node \ | |
| ./scripts/merge-channel-files.js \ | |
| --channel "${{ needs.build-type-determination.outputs.channel-name }}" \ | |
| --input "${{ env.CHANNEL_FILES_PATH }}" | |
| - name: Upload merged channel files job transfer artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| if-no-files-found: error | |
| name: ${{ env.JOB_TRANSFER_ARTIFACT_PREFIX }}channel-files | |
| path: ${{ env.CHANNEL_FILES_PATH }} | |
| artifacts: | |
| name: ${{ matrix.artifact.name }} artifact | |
| needs: | |
| - select-targets | |
| - build | |
| if: always() && needs.build.result != 'skipped' | |
| runs-on: ubuntu-latest | |
| env: | |
| BUILD_ARTIFACTS_FOLDER: build-artifacts | |
| strategy: | |
| matrix: | |
| artifact: ${{ fromJson(needs.select-targets.outputs.artifact-matrix) }} | |
| steps: | |
| - name: Download job transfer artifact that contains ${{ matrix.artifact.name }} tester build | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: ${{ env.JOB_TRANSFER_ARTIFACT_PREFIX }}${{ matrix.artifact.job-transfer-artifact-suffix }} | |
| path: ${{ env.BUILD_ARTIFACTS_FOLDER }} | |
| - name: Upload tester build artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ matrix.artifact.name }} | |
| path: ${{ env.BUILD_ARTIFACTS_FOLDER }}/${{ matrix.artifact.path }} | |
| changelog: | |
| needs: | |
| - build-type-determination | |
| - build | |
| runs-on: ubuntu-latest | |
| outputs: | |
| BODY: ${{ steps.changelog.outputs.BODY }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 # To fetch all history for all branches and tags. | |
| - name: Generate Changelog | |
| id: changelog | |
| env: | |
| IS_RELEASE: ${{ needs.build-type-determination.outputs.is-release }} | |
| run: | | |
| export LATEST_TAG=$(git describe --abbrev=0) | |
| export GIT_LOG=$(git log --pretty=" - %s [%h]" $LATEST_TAG..HEAD | sed 's/ *$//g') | |
| if [ "$IS_RELEASE" = true ]; then | |
| export BODY=$(echo -e "$GIT_LOG") | |
| else | |
| export LATEST_TAG_WITH_LINK=$(echo "[$LATEST_TAG](https://github.com/arduino/arduino-ide/releases/tag/$LATEST_TAG)") | |
| if [ -z "$GIT_LOG" ]; then | |
| export BODY="There were no changes since version $LATEST_TAG_WITH_LINK." | |
| else | |
| export BODY=$(echo -e "Changes since version $LATEST_TAG_WITH_LINK:\n$GIT_LOG") | |
| fi | |
| fi | |
| echo -e "$BODY" | |
| # Set workflow step output | |
| # See: https://docs.github.com/actions/using-workflows/workflow-commands-for-github-actions#multiline-strings | |
| DELIMITER="$RANDOM" | |
| echo "BODY<<$DELIMITER" >> $GITHUB_OUTPUT | |
| echo "$BODY" >> $GITHUB_OUTPUT | |
| echo "$DELIMITER" >> $GITHUB_OUTPUT | |
| echo "$BODY" > CHANGELOG.txt | |
| - name: Upload changelog job transfer artifact | |
| if: needs.build-type-determination.outputs.is-nightly == 'true' | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ env.JOB_TRANSFER_ARTIFACT_PREFIX }}changelog | |
| path: CHANGELOG.txt | |
| publish: | |
| needs: | |
| - build-type-determination | |
| - merge-channel-files | |
| - changelog | |
| if: > | |
| always() && | |
| needs.build-type-determination.result == 'success' && | |
| ( | |
| needs.merge-channel-files.result == 'skipped' || | |
| needs.merge-channel-files.result == 'success' | |
| ) && | |
| needs.changelog.result == 'success' && | |
| needs.build-type-determination.outputs.publish-to-s3 == 'true' && | |
| needs.build-type-determination.outputs.is-nightly == 'true' | |
| runs-on: ubuntu-latest | |
| env: | |
| ARTIFACTS_FOLDER: build-artifacts | |
| environment: production | |
| permissions: | |
| id-token: write | |
| contents: read | |
| steps: | |
| - name: Download all job transfer artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| merge-multiple: true | |
| path: ${{ env.ARTIFACTS_FOLDER }} | |
| pattern: ${{ env.JOB_TRANSFER_ARTIFACT_PREFIX }}* | |
| - name: Configure AWS Credentials for Nightly [S3] | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| role-to-assume: ${{ secrets.AWS_ROLE_ARN }} | |
| aws-region: us-east-1 | |
| - name: Publish Nightly [S3] | |
| run: | | |
| aws s3 sync ${{ env.ARTIFACTS_FOLDER }} s3://${{ secrets.DOWNLOADS_BUCKET }}/arduino-ide/nightly | |
| release: | |
| needs: | |
| - build-type-determination | |
| - merge-channel-files | |
| - changelog | |
| if: > | |
| always() && | |
| needs.build-type-determination.result == 'success' && | |
| ( | |
| needs.merge-channel-files.result == 'skipped' || | |
| needs.merge-channel-files.result == 'success' | |
| ) && | |
| needs.changelog.result == 'success' && | |
| needs.build-type-determination.outputs.is-release == 'true' | |
| runs-on: ubuntu-latest | |
| env: | |
| ARTIFACTS_FOLDER: build-artifacts | |
| environment: production | |
| permissions: | |
| id-token: write | |
| contents: read | |
| steps: | |
| - name: Download all job transfer artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| merge-multiple: true | |
| path: ${{ env.ARTIFACTS_FOLDER }} | |
| pattern: ${{ env.JOB_TRANSFER_ARTIFACT_PREFIX }}* | |
| - name: Get Tag | |
| id: tag_name | |
| run: | | |
| echo "TAG_NAME=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT | |
| - name: Publish Release [GitHub] | |
| uses: svenstaro/[email protected] | |
| with: | |
| repo_token: ${{ secrets.GITHUB_TOKEN }} | |
| release_name: ${{ steps.tag_name.outputs.TAG_NAME }} | |
| file: ${{ env.ARTIFACTS_FOLDER }}/* | |
| tag: ${{ github.ref }} | |
| file_glob: true | |
| body: ${{ needs.changelog.outputs.BODY }} | |
| - name: Configure AWS Credentials for Release [S3] | |
| if: needs.build-type-determination.outputs.publish-to-s3 == 'true' | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| role-to-assume: ${{ secrets.AWS_ROLE_ARN }} | |
| aws-region: us-east-1 | |
| - name: Publish Release [S3] | |
| if: needs.build-type-determination.outputs.publish-to-s3 == 'true' | |
| run: | | |
| aws s3 sync ${{ env.ARTIFACTS_FOLDER }} s3://${{ secrets.DOWNLOADS_BUCKET }}/arduino-ide | |
| clean: | |
| # This job must run after all jobs that use the transfer artifact. | |
| needs: | |
| - build | |
| - merge-channel-files | |
| - publish | |
| - release | |
| - artifacts | |
| if: always() && needs.build.result != 'skipped' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Remove unneeded job transfer artifacts | |
| uses: geekyeggo/delete-artifact@v5 | |
| with: | |
| name: ${{ env.JOB_TRANSFER_ARTIFACT_PREFIX }}* |