Move nightly build checksum generation to dedicated job

per1234 · per1234 · commit c130eaab7683 · 2025-11-02T05:23:11.000-08:00
The "Publish Nightly Build" GitHub Actions workflow calculates checksums of the generated builds and writes them to a
file. This file may be used to validate downloads of the builds.

In addition to uploading the builds to Arduino's downloads server, the workflow also uploads them to GitHub Actions
workflow artifacts. These artifacts may serve as an alternative source of the nightly builds (similar to the tester
builds).

Previously the checksum generation was performed in the workflow's "publish-nightly" job, which is used to upload the
builds to Arduino's downloads server. In addition to being outside the stated scope of that job, this also meant that
the checksum file was only available from Arduino's downloads server, and not from the workflow artifacts.

Moving the checksum generation code to a dedicated job limits the operations in the important "publish-nightly" job
exclusively to its stated scope. This also results in the checksum file being available as a workflow artifact.
diff --git a/.github/workflows/publish-go-nightly-task.yml b/.github/workflows/publish-go-nightly-task.yml
@@ -219,13 +219,11 @@ jobs:
           overwrite: true
           path: ${{ env.DIST_DIR }}/${{ env.PACKAGE_FILENAME }}
 
-  publish-nightly:
-    runs-on: ubuntu-latest
-    environment: production
+  checksums:
     needs: notarize-macos
+    runs-on: ubuntu-latest
     permissions:
-      contents: write
-      id-token: write # This is required for requesting the JWT
+      contents: read
 
     steps:
       - name: Download artifact
@@ -241,6 +239,28 @@ jobs:
           TAG="nightly-$(date -u +"%Y%m%d")"
           sha256sum ${{ env.PROJECT_NAME }}_${TAG}* >${TAG}-checksums.txt
 
+      - name: Upload checksum artifact
+        uses: actions/upload-artifact@v5
+        with:
+          path: ./*checksums.txt
+          name: ${{ env.ARTIFACT_PREFIX }}checksums
+
+  publish-nightly:
+    runs-on: ubuntu-latest
+    environment: production
+    needs: checksums
+    permissions:
+      contents: write
+      id-token: write # This is required for requesting the JWT
+
+    steps:
+      - name: Download artifact
+        uses: actions/download-artifact@v6
+        with:
+          pattern: ${{ env.ARTIFACT_PREFIX }}*
+          merge-multiple: true
+          path: ${{ env.DIST_DIR }}
+
       - name: configure aws credentials
         uses: aws-actions/configure-aws-credentials@v5
         with:
