From ad9a0f7f712712589725724b9b5ae34ad3f80422 Mon Sep 17 00:00:00 2001
From: Alessio Perugini
Date: Thu, 12 Dec 2024 10:39:59 +0100
Subject: [PATCH 1/3] github: Use IAM Roles to push files on AWS S3
For security reasons long lived credentials are not considered secure. To overcome this issue we can configure Github Workflows to use AWS OpenID Connect instead:
For further details: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect
---
 .../release-go-crosscompile-task.yml | 21 ++++++++++++-------
 1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/release-go-crosscompile-task.yml b/.github/workflows/release-go-crosscompile-task.yml
index 78dd996..9056ce0 100644
--- a/.github/workflows/release-go-crosscompile-task.yml
+++ b/.github/workflows/release-go-crosscompile-task.yml
@@ -11,6 +11,7 @@ env:
   ARTIFACT_PREFIX: dist-
   # See: https://github.com/actions/setup-go/tree/main#supported-version-syntax
   GO_VERSION: "1.17"
+  AWS_REGION: "us-east-1"
 on:
   push:
@@ -197,7 +198,11 @@ jobs:
   create-release:
     runs-on: ubuntu-latest
+    environment: production
     needs: notarize-macos
+    permissions:
+      contents: write
+      id-token: write # This is required for requesting the JWT
     steps:
       - name: Download artifact
@@ -233,12 +238,12 @@ jobs:
           # (all the files we need are in the DIST_DIR root)
           artifacts: ${{ env.DIST_DIR }}/*
+      - name: configure aws credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
+          role-session-name: "github_${{ env.PROJECT_NAME }}"
+          aws-region: ${{ env.AWS_REGION }}
+
       - name: Upload release files on Arduino downloads servers
-        uses: docker://plugins/s3
-        env:
-          PLUGIN_SOURCE: "${{ env.DIST_DIR }}/*"
-          PLUGIN_TARGET: ${{ env.AWS_PLUGIN_TARGET }}
-          PLUGIN_STRIP_PREFIX: "${{ env.DIST_DIR }}/"
-          PLUGIN_BUCKET: ${{ secrets.DOWNLOADS_BUCKET }}
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        run: aws s3 sync ${{ env.DIST_DIR }} s3://${{ secrets.DOWNLOADS_BUCKET }}${{ env.AWS_PLUGIN_TARGET }}
From cfef6a1b6e08c499a51e62cf2e83550fdf6f396a Mon Sep 17 00:00:00 2001
From: Alessio Perugini
Date: Tue, 17 Dec 2024 12:36:10 +0100
Subject: [PATCH 2/3] update workflow to match the workflow-template
---
 .../release-go-crosscompile-task.yml | 23 ++++++++-----------
 1 file changed, 10 insertions(+), 13 deletions(-)
diff --git a/.github/workflows/release-go-crosscompile-task.yml b/.github/workflows/release-go-crosscompile-task.yml
index 9056ce0..1b1b719 100644
--- a/.github/workflows/release-go-crosscompile-task.yml
+++ b/.github/workflows/release-go-crosscompile-task.yml
@@ -85,9 +85,8 @@ jobs:
     name: Notarize ${{ matrix.build.artifact-suffix }}
     runs-on: macos-latest
     needs: create-release-artifacts
-    outputs:
-      checksum-darwin_amd64: ${{ steps.re-package.outputs.checksum-darwin_amd64 }}
-      checksum-darwin_arm64: ${{ steps.re-package.outputs.checksum-darwin_arm64 }}
+    permissions:
+      contents: read
     env:
       GON_CONFIG_PATH: gon.config.hcl
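Review bot: The new `run: aws s3 sync ${{ env.DIST_DIR }} s3://…` line copies the whole DIST_DIR tree recursively, whereas the removed plugins/s3 step matched only `${{ env.DIST_DIR }}/*` and stripped the directory prefix; the context comment just above says the files needed are in the DIST_DIR root, so if `Download artifact` leaves per-artifact subdirectories there they would now be mirrored into the bucket — confirm the layout and add `--exclude` patterns if needed. The `role-session-name: "github_${{ env.PROJECT_NAME }}"` is identical for every run; appending `${{ github.run_id }}` makes each CloudTrail entry attributable to one workflow run. Because this job holds both `contents: write` and `id-token: write`, the trust policy of the role in `secrets.AWS_ROLE_TO_ASSUME` should bind the token's `sub` claim to this repository and to the `production` environment the job runs under, so no other workflow in the repository can assume it; that is AWS-side configuration the diff cannot show, so it is worth stating in the commit message. Pinning `aws-actions/configure-aws-credentials` to a commit SHA rather than the `v4` tag would also narrow the supply-chain exposure of the one step that mints cloud credentials, although the rest of the file pins by tag as well.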
@@ -119,16 +118,12 @@ jobs:
           name: ${{ env.ARTIFACT_PREFIX }}${{ matrix.build.artifact-suffix }}
           path: ${{ env.DIST_DIR }}
-      - name: Remove non-notarized artifact
-        uses: geekyeggo/delete-artifact@v5
-        with:
-          name: ${{ env.ARTIFACT_PREFIX }}${{ matrix.build.artifact-suffix }}
-
       - name: Import Code-Signing Certificates
         env:
           KEYCHAIN: "sign.keychain"
           INSTALLER_CERT_MAC_PATH: "/tmp/ArduinoCerts2020.p12"
-          KEYCHAIN_PASSWORD: keychainpassword # Arbitrary password for a keychain that exists only for the duration of the job, so not secret
+          # Arbitrary password for a keychain that exists only for the duration of the job, so not secret
+          KEYCHAIN_PASSWORD: keychainpassword
         run: |
           echo "${{ secrets.INSTALLER_CERT_MAC_P12 }}" | base64 --decode > "${{ env.INSTALLER_CERT_MAC_PATH }}"
           security create-keychain -p "${{ env.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}"
@@ -180,20 +175,22 @@ jobs:
           gon "${{ env.GON_CONFIG_PATH }}"
       - name: Re-package binary
-        id: re-package
         working-directory: ${{ env.DIST_DIR }}
         # Repackage the signed binary replaced in place by Gon (ignoring the output zip file)
         run: |
           # GitHub's upload/download-artifact actions don't preserve file permissions,
           # so we need to add execution permission back until the action is made to do this.
           chmod +x "${{ env.BUILD_FOLDER }}/${{ env.PROJECT_NAME }}"
-          tar -czvf "${{ env.PACKAGE_FILENAME }}" "${{ env.BUILD_FOLDER }}/"
+          tar -czvf "${{ env.PACKAGE_FILENAME }}" \
+            -C "${{ env.BUILD_FOLDER }}/" "${{ env.PROJECT_NAME }}" \
+            -C ../../ LICENSE.txt
-      - name: Upload notarized artifact
+      - name: Replace artifact with notarized build
         uses: actions/upload-artifact@v4
         with:
           if-no-files-found: error
           name: ${{ env.ARTIFACT_PREFIX }}${{ matrix.build.artifact-suffix }}
+          overwrite: true
           path: ${{ env.DIST_DIR }}/${{ env.PACKAGE_FILENAME }}
   create-release:
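Review bot: In the rewritten tar command of the `@@ -180,20 +175,22 @@` hunk, the second `-C ../../` is resolved relative to the directory selected by the preceding `-C "${{ env.BUILD_FOLDER }}/"`, not to the step's `working-directory`, and it reaches the repository root only because BUILD_FOLDER (defined outside this hunk) sits one level below DIST_DIR; a comment such as `# tar's -C is cumulative: ../../ is relative to BUILD_FOLDER, i.e. the repository root where LICENSE.txt lives` above the `tar -czvf` line would record that. The archive now holds `${{ env.PROJECT_NAME }}` and `LICENSE.txt` at its root instead of the `BUILD_FOLDER/` directory, which changes the layout of the macOS release archives; if anything downstream unpacks them expecting the folder prefix it needs the same update, so this deserves a mention in the release notes. Dropping the `Remove non-notarized artifact` step in the `@@ -119` hunk is sound only together with `overwrite: true` on the re-upload, so the two should be kept in step if either is touched again.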
@@ -213,7 +210,7 @@ jobs:
           pattern: ${{ env.ARTIFACT_PREFIX }}*
       - name: Create checksum file
-        working-directory: ${{ env.DIST_DIR}}
+        working-directory: ${{ env.DIST_DIR }}
         run: |
           TAG="${GITHUB_REF/refs\/tags\//}"
           sha256sum ${{ env.PROJECT_NAME }}_${TAG}* > ${TAG}-checksums.txt
From c48120108d2a0211d4560bd89b179c695cf1c6e8 Mon Sep 17 00:00:00 2001
From: Alessio Perugini
Date: Tue, 17 Dec 2024 12:41:32 +0100
Subject: [PATCH 3/3] update DistTasks.yml to match workflow-template
---
 DistTasks.yml | 27 +++++++++------------------
 1 file changed, 9 insertions(+), 18 deletions(-)
diff --git a/DistTasks.yml b/DistTasks.yml
index 5abc844..9274993 100644
--- a/DistTasks.yml
+++ b/DistTasks.yml
@@ -28,8 +28,7 @@ tasks:
       - |
         go build -o {{.DIST_DIR}}/{{.PLATFORM_DIR}}/{{.PROJECT_NAME}}.exe {{.LDFLAGS}}
         cd {{.DIST_DIR}}
-        cp ../LICENSE.txt {{.PLATFORM_DIR}}/
-        zip {{.PACKAGE_NAME}} {{.PLATFORM_DIR}}/{{.PROJECT_NAME}}.exe {{.PLATFORM_DIR}}/LICENSE.txt
+        zip {{.PACKAGE_NAME}} {{.PLATFORM_DIR}}/{{.PROJECT_NAME}}.exe ../LICENSE.txt -j
     vars:
       PLATFORM_DIR: "{{.PROJECT_NAME}}_windows_386"
       PACKAGE_PLATFORM: "Windows_32bit"
@@ -44,8 +43,7 @@ tasks:
       - |
         go build -o {{.DIST_DIR}}/{{.PLATFORM_DIR}}/{{.PROJECT_NAME}}.exe {{.LDFLAGS}}
         cd {{.DIST_DIR}}
-        cp ../LICENSE.txt {{.PLATFORM_DIR}}/
-        zip {{.PACKAGE_NAME}} {{.PLATFORM_DIR}}/{{.PROJECT_NAME}}.exe {{.PLATFORM_DIR}}/LICENSE.txt
+        zip {{.PACKAGE_NAME}} {{.PLATFORM_DIR}}/{{.PROJECT_NAME}}.exe ../LICENSE.txt -j
     vars:
       PLATFORM_DIR: "{{.PROJECT_NAME}}_windows_amd64"
       PACKAGE_PLATFORM: "Windows_64bit"
@@ -61,8 +59,7 @@ tasks:
       - |
         go build -o {{.DIST_DIR}}/{{.PLATFORM_DIR}}/{{.PROJECT_NAME}} {{.LDFLAGS}}
         cd {{.DIST_DIR}}
-        cp ../LICENSE.txt {{.PLATFORM_DIR}}/
-        tar cz {{.PLATFORM_DIR}} -f {{.PACKAGE_NAME}}
+        tar cz -C {{.PLATFORM_DIR}} {{.PROJECT_NAME}} -C ../.. LICENSE.txt -f {{.PACKAGE_NAME}}
     vars:
       PLATFORM_DIR: "{{.PROJECT_NAME}}_linux_amd32"
       PACKAGE_PLATFORM: "Linux_32bit"
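Review bot: The `-j` appended to the zip line in the `@@ -28,8 +28,7 @@` hunk junks the directory part of every entry, so the Windows archives now contain `{{.PROJECT_NAME}}.exe` and `LICENSE.txt` at the archive root instead of under `{{.PLATFORM_DIR}}/`; the `@@ -44,8 +43,7 @@` hunk makes the identical change, and the tar hunks below produce the matching flat layout. This is a user-visible change to the release archives, so any install script or documentation that unpacks them expecting the platform folder needs the same update and a release-notes line seems warranted. `../LICENSE.txt` is resolved from `{{.DIST_DIR}}` after the preceding `cd`, so the task still relies on DIST_DIR being exactly one level below the repository root — a one-line comment saying so above the zip line would make that dependency visible.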
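Review bot: In the new tar line of the `@@ -61,8 +59,7 @@` hunk the second `-C ../..` is relative to the directory chosen by the preceding `-C {{.PLATFORM_DIR}}` (tar applies `-C` cumulatively), so it lands on the repository root only because `cd {{.DIST_DIR}}` left the shell one level below it; a comment such as `# -C is cumulative: ../.. is the repository root, where LICENSE.txt lives` above the line would save the next editor from re-deriving this. The same line is repeated verbatim in the hunks at `@@ -77`, `@@ -94`, `@@ -111`, `@@ -127`, `@@ -143` and `@@ -159`, and the seven task bodies now differ only in their vars, so a shared task or a single variable holding the packaging command would keep them from drifting apart.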
@@ -77,8 +74,7 @@ tasks:
       - |
         go build -o {{.DIST_DIR}}/{{.PLATFORM_DIR}}/{{.PROJECT_NAME}} {{.LDFLAGS}}
         cd {{.DIST_DIR}}
-        cp ../LICENSE.txt {{.PLATFORM_DIR}}/
-        tar cz {{.PLATFORM_DIR}} -f {{.PACKAGE_NAME}}
+        tar cz -C {{.PLATFORM_DIR}} {{.PROJECT_NAME}} -C ../.. LICENSE.txt -f {{.PACKAGE_NAME}}
     vars:
       PLATFORM_DIR: "{{.PROJECT_NAME}}_linux_amd64"
       PACKAGE_PLATFORM: "Linux_64bit"
@@ -94,8 +90,7 @@ tasks:
       - |
         go build -o {{.DIST_DIR}}/{{.PLATFORM_DIR}}/{{.PROJECT_NAME}} {{.LDFLAGS}}
         cd {{.DIST_DIR}}
-        cp ../LICENSE.txt {{.PLATFORM_DIR}}/
-        tar cz {{.PLATFORM_DIR}} -f {{.PACKAGE_NAME}}
+        tar cz -C {{.PLATFORM_DIR}} {{.PROJECT_NAME}} -C ../.. LICENSE.txt -f {{.PACKAGE_NAME}}
     vars:
       PLATFORM_DIR: "{{.PROJECT_NAME}}_linux_arm_7"
       PACKAGE_PLATFORM: "Linux_ARMv7"
@@ -111,8 +106,7 @@ tasks:
       - |
         go build -o {{.DIST_DIR}}/{{.PLATFORM_DIR}}/{{.PROJECT_NAME}} {{.LDFLAGS}}
         cd {{.DIST_DIR}}
-        cp ../LICENSE.txt {{.PLATFORM_DIR}}/
-        tar cz {{.PLATFORM_DIR}} -f {{.PACKAGE_NAME}}
+        tar cz -C {{.PLATFORM_DIR}} {{.PROJECT_NAME}} -C ../.. LICENSE.txt -f {{.PACKAGE_NAME}}
     vars:
       PLATFORM_DIR: "{{.PROJECT_NAME}}_linux_arm_6"
       PACKAGE_PLATFORM: "Linux_ARMv6"
@@ -127,8 +121,7 @@ tasks:
       - |
         go build -o {{.DIST_DIR}}/{{.PLATFORM_DIR}}/{{.PROJECT_NAME}} {{.LDFLAGS}}
         cd {{.DIST_DIR}}
-        cp ../LICENSE.txt {{.PLATFORM_DIR}}/
-        tar cz {{.PLATFORM_DIR}} -f {{.PACKAGE_NAME}}
+        tar cz -C {{.PLATFORM_DIR}} {{.PROJECT_NAME}} -C ../.. LICENSE.txt -f {{.PACKAGE_NAME}}
     vars:
       PLATFORM_DIR: "{{.PROJECT_NAME}}_linux_arm_64"
       PACKAGE_PLATFORM: "Linux_ARM64"
@@ -143,8 +136,7 @@ tasks:
       - |
         go build -o {{.DIST_DIR}}/{{.PLATFORM_DIR}}/{{.PROJECT_NAME}} {{.LDFLAGS}}
         cd {{.DIST_DIR}}
-        cp ../LICENSE.txt {{.PLATFORM_DIR}}/
-        tar cz {{.PLATFORM_DIR}} -f {{.PACKAGE_NAME}}
+        tar cz -C {{.PLATFORM_DIR}} {{.PROJECT_NAME}} -C ../.. LICENSE.txt -f {{.PACKAGE_NAME}}
     vars:
       PLATFORM_DIR: "{{.PROJECT_NAME}}_osx_darwin_amd64"
       PACKAGE_PLATFORM: "macOS_64bit"
@@ -159,8 +151,7 @@ tasks:
       - |
         go build -o {{.DIST_DIR}}/{{.PLATFORM_DIR}}/{{.PROJECT_NAME}} {{.LDFLAGS}}
         cd {{.DIST_DIR}}
-        cp ../LICENSE.txt {{.PLATFORM_DIR}}/
-        tar cz {{.PLATFORM_DIR}} -f {{.PACKAGE_NAME}}
+        tar cz -C {{.PLATFORM_DIR}} {{.PROJECT_NAME}} -C ../.. LICENSE.txt -f {{.PACKAGE_NAME}}
     vars:
       PLATFORM_DIR: "{{.PROJECT_NAME}}_osx_darwin_arm64"
       PACKAGE_PLATFORM: "macOS_ARM64"