5050 path : ${{ env.DIST_DIR }}
5151
5252 notarize-macos :
53+ name : Notarize ${{ matrix.artifact.name }}
5354 runs-on : macos-latest
5455 needs : create-release-artifacts
56+ outputs :
57+ checksum-darwin_amd64 : ${{ steps.re-package.outputs.checksum-darwin_amd64 }}
58+ checksum-darwin_arm64 : ${{ steps.re-package.outputs.checksum-darwin_arm64 }}
59+
60+ env :
61+ GON_CONFIG_PATH : gon.config.hcl
62+
63+ strategy :
64+ matrix :
65+ artifact :
66+ - name : darwin_amd64
67+ path : " macOS_64bit.tar.gz"
68+ - name : darwin_arm64
69+ path : " macOS_ARM64.tar.gz"
5570
5671 steps :
5772 - name : Checkout repository
@@ -91,38 +106,59 @@ jobs:
91106 wget -q https://github.com/mitchellh/gon/releases/download/v0.2.3/gon_macos.zip
92107 unzip gon_macos.zip -d /usr/local/bin
93108
109+ name : Write gon config to file
110+ # gon does not allow env variables in config file (https://github.com/mitchellh/gon/issues/20)
111+ run : |
112+ cat > "${{ env.GON_CONFIG_PATH }}" <<EOF
113+ # See: https://github.com/mitchellh/gon#configuration-file
114+ source = ["${{ env.DIST_DIR }}/${{ env.PROJECT_NAME }}_osx_${{ matrix.artifact.name }}/${{ env.PROJECT_NAME }}"]
115+ bundle_id = "cc.arduino.${{ env.PROJECT_NAME }}"
116+
117+ sign {
118+ application_identity = "Developer ID Application: ARDUINO SA (7KT7ZWMCJT)"
119+ }
120+
121+ # Ask Gon for zip output to force notarization process to take place.
122+ # The CI will ignore the zip output, using the signed binary only.
123+ zip {
124+ output_path = "unused.zip"
125+ }
126+ EOF
127+
94128name : Sign and notarize binary
95129 env :
96130 AC_USERNAME : ${{ secrets.AC_USERNAME }}
97131 AC_PASSWORD : ${{ secrets.AC_PASSWORD }}
98132 run : |
99- gon gon.config.hcl
133+ gon "${{ env.GON_CONFIG_PATH }}"
100134
101- name : Re-package binary and update checksum
135+ name : Re-package binary and output checksum
136+ id : re-package
137+ working-directory : ${{ env.DIST_DIR }}
102138 # This step performs the following:
103139 # 1. Repackage the signed binary replaced in place by Gon (ignoring the output zip file)
104- # 2. Recalculate package checksum and replace it in the nnnnnn-checksums.txt file
140+ # 2. Recalculate package checksum
141+ # 3. Output the new checksum to include in the nnnnnn-checksums.txt file
142+ # (it cannot be done there because of workflow job parallelization)
105143 run : |
106- # GitHub's upload/download-artifact@v2 actions don't preserve file permissions,
144+ # GitHub's upload/download-artifact actions don't preserve file permissions,
107145 # so we need to add execution permission back until the action is made to do this.
108- chmod +x ${{ env.DIST_DIR }}/ ${{ env.PROJECT_NAME }}_osx_darwin_amd64 /${{ env.PROJECT_NAME }}
146+ chmod +x " ${{ env.PROJECT_NAME }}_osx_ ${{ matrix.artifact.name }}/${{ env.PROJECT_NAME }}"
109147 TAG="${GITHUB_REF/refs\/tags\//}"
110- tar -czvf "${{ env.DIST_DIR }}/${{ env.PROJECT_NAME }}_${TAG}_macOS_64bit.tar.gz" \
111- -C ${{ env.DIST_DIR }}/${{ env.PROJECT_NAME }}_osx_darwin_amd64/ ${{ env.PROJECT_NAME }} \
112- -C ../../ LICENSE.txt
113- CHECKSUM="$(shasum -a 256 ${{ env.DIST_DIR }}/${{ env.PROJECT_NAME }}_${TAG}_macOS_64bit.tar.gz | cut -d " " -f 1)"
114- perl \
115- -pi \
116- -w \
117- -e "s/.*${{ env.PROJECT_NAME }}_${TAG}_macOS_64bit.tar.gz/${CHECKSUM} ${{ env.PROJECT_NAME }}_${TAG}_macOS_64bit.tar.gz/g;" \
118- ${{ env.DIST_DIR }}/*-checksums.txt
148+ PACKAGE_FILENAME="${{ env.PROJECT_NAME }}_${TAG}_${{ matrix.artifact.path }}"
149+ tar -czvf "$PACKAGE_FILENAME" \
150+ -C "${{ env.PROJECT_NAME }}_osx_${{ matrix.artifact.name }}/" "${{ env.PROJECT_NAME }}" \
151+ -C ../../ LICENSE.txt
152+ CHECKSUM_LINE="$(shasum -a 256 $PACKAGE_FILENAME)"
153+ echo "PACKAGE_FILENAME=$PACKAGE_FILENAME" >> $GITHUB_ENV
154+ echo "::set-output name=checksum-${{ matrix.artifact.name }}::$CHECKSUM_LINE"
119155
120156name : Upload artifacts
121157 uses : actions/upload-artifact@v3
122158 with :
123159 if-no-files-found : error
124160 name : ${{ env.ARTIFACT_NAME }}
125- path : ${{ env.DIST_DIR }}
161+ path : ${{ env.DIST_DIR }}/${{ env.PACKAGE_FILENAME }}
126162
127163 create-release :
128164 runs-on : ubuntu-latest
@@ -135,13 +171,23 @@ jobs:
135171 name : ${{ env.ARTIFACT_NAME }}
136172 path : ${{ env.DIST_DIR }}
137173
174+ - name : Update checksum
175+ run : |
176+ declare -a checksum_lines=("${{ needs.notarize-macos.outputs.checksum-darwin_amd64 }}" "${{ needs.notarize-macos.outputs.checksum-darwin_arm64 }}")
177+ for checksum_line in "${checksum_lines[@]}"
178+ do
179+ CHECKSUM=$(echo ${checksum_line} | cut -d " " -f 1)
180+ PACKAGE_FILENAME=$(echo ${checksum_line} | cut -d " " -f 2)
181+ perl -pi -w -e "s/.*${PACKAGE_FILENAME}/${CHECKSUM} ${PACKAGE_FILENAME}/g;" ${{ env.DIST_DIR }}/*-checksums.txt
182+ done
183+
138184name : Identify Prerelease
139185 # This is a workaround while waiting for create-release action
140186 # to implement auto pre-release based on tag
141187 id : prerelease
142188 run : |
143- wget -q -P /tmp https://github.com/fsaintjacques/semver-tool/archive/3.0 .0.zip
144- unzip -p /tmp/3.0 .0.zip semver-tool-3.0 .0/src/semver >/tmp/semver && chmod +x /tmp/semver
189+ wget -q -P /tmp https://github.com/fsaintjacques/semver-tool/archive/3.2 .0.zip
190+ unzip -p /tmp/3.2 .0.zip semver-tool-3.2 .0/src/semver >/tmp/semver && chmod +x /tmp/semver
145191 if [[ "$(/tmp/semver get prerel "${GITHUB_REF/refs\/tags\//}")" ]]; then echo "::set-output name=IS_PRE::true"; fi
146192
147193name : Create Github Release and upload artifacts
0 commit comments