package_tool.yml
# Copyright (c) Arduino s.r.l. and/or its affiliated companies
# SPDX-License-Identifier: Apache-2.0
# CI workflow to build, package and upload a specific tool.
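name: Package and upload tool

# Trigger on any pull request that modifies files in the tools/ directory or
# the packaging script, or on any tag that starts with tools/ and has the
# format tools/<tool>/<version>, e.g. tools/gen-rodata-ld/0.1.0.
#
# For tag pushes, only build the specific tool and version indicated by the
# tag, and only publish if the repository is the official Arduino one.
on:
  push:
    tags:
      - 'tools/**'
  pull_request:
    paths:
      - 'tools/**'
      - 'extra/package_tool.sh'

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.actor }}
  cancel-in-progress: true

# Least privilege for GITHUB_TOKEN: every job gets read-only repository access
# unless it declares its own permissions (only publish-tool does, for OIDC).
permissions:
  contents: read

# NOTE(review): all third-party actions below are referenced by mutable
# major-version tags. Consider pinning them to full commit SHAs, in particular
# in publish-tool, which holds an OIDC token and cloud credentials.

jobs:
  # Set up the build matrix based on the event type. For tag pushes, the matrix
  # will contain only the tool and version specified by the tag. For pull
  # requests, the matrix will include all tools with the version set to the
  # commit SHA. Also determine if this is a release build on the main
  # repository, and if so, set the tool artifact name for later use.
  setup:
    name: Set up build matrix
    runs-on: ubuntu-latest
    outputs:
      matrix: ${{ steps.set-matrix.outputs.matrix }}
      is_release: ${{ steps.set-matrix.outputs.is_release }}
      tool_artifact: ${{ steps.set-matrix.outputs.tool_artifact }}
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0
          # Do not leave the token in .git/config for later steps to read.
          persist-credentials: false
          submodules: 'ignore'
      - name: Set build matrix
        id: set-matrix
        # Expression results are handed over as environment variables so that
        # they are never spliced into the script text before the shell parses
        # it.
        env:
          HEAD_SHA: ${{ github.event.pull_request.head.sha || 'HEAD' }}
          IS_MAIN_REPO: ${{ github.repository == 'arduino/ArduinoCore-zephyr' }}
        run: |
          if [[ "$GITHUB_REF" == refs/tags/tools/* ]]; then
            # single tool, release build on main repo
            TAG="${GITHUB_REF#refs/tags/tools/}"
            TOOL="${TAG%%/*}"
            VERSION="${TAG#*/}"
            # Tag names are free-form text: a tag without a version part would
            # otherwise yield VERSION == TOOL, and any other character would
            # flow into artifact names and the build command. Fail early.
            if [[ "$TAG" != */* \
                  || ! "$TOOL" =~ ^[A-Za-z0-9._-]+$ \
                  || ! "$VERSION" =~ ^[A-Za-z0-9._+-]+$ ]]; then
              echo "::error::Tag must look like tools/<tool>/<version>: $GITHUB_REF"
              exit 1
            fi
            MATRIX=$(jq -cn --arg tool "$TOOL" --arg version "$VERSION" \
                    '{include: [{tool: $tool, version: $version}]}')
            echo "tool_artifact=$TOOL-$VERSION" >> "$GITHUB_OUTPUT"
            echo "is_release=$IS_MAIN_REPO" >> "$GITHUB_OUTPUT"
          else
            # build all tools using commit SHA as version
            VERSION=$(git rev-parse --short "$HEAD_SHA")
            # A tool is any directory under tools/ that contains a go.mod.
            MATRIX=$(for d in tools/*/; do [ -f "$d/go.mod" ] && basename "$d"; done \
                    | jq -Rnc --arg version "$VERSION" '{include: [inputs | {tool: ., version: $version}]}')
            echo "tool_artifact=" >> "$GITHUB_OUTPUT"
            echo "is_release=false" >> "$GITHUB_OUTPUT"
          fi
          echo "matrix=$MATRIX" >> "$GITHUB_OUTPUT"

  # Build and package the tools in parallel according to the matrix, uploading
  # the resulting packages and metadata as artifacts for later use.
  build-tool:
    name: Build ${{ matrix.tool }} ${{ matrix.version }}
    needs: setup
    runs-on: ubuntu-latest
    strategy:
      matrix: ${{ fromJSON(needs.setup.outputs.matrix) }}
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0
          fetch-tags: true
          persist-credentials: false
          submodules: 'ignore'
      - uses: actions/setup-go@v6
        with:
          go-version: stable
          # NOTE(review): presumably disabled so release builds never consume
          # a cache written by another run; confirm before re-enabling.
          cache: false
      - name: Build and package tool
        # On pull requests the tool name comes from a directory name in the
        # checked-out tree, on releases from the tag; both are passed as
        # quoted arguments instead of being expanded inside the command line.
        env:
          MATRIX_TOOL: ${{ matrix.tool }}
          MATRIX_VERSION: ${{ matrix.version }}
        run: extra/package_tool.sh "tools/$MATRIX_TOOL" "$MATRIX_VERSION"
      - name: Upload tool artifact
        uses: actions/upload-artifact@v7
        with:
          name: ${{ matrix.tool }}-${{ matrix.version }}
          path: |
            distrib/*.tar.gz
            distrib/*.zip
          retention-days: 7
      - name: Upload JSON artifact
        uses: actions/upload-artifact@v7
        with:
          name: ${{ matrix.tool }}-${{ matrix.version }}.json
          path: distrib/*.json
          archive: false

  # Upload the built tool packages to the S3 bucket for public distribution.
  # Runs only when setup reported a release build (tag push on the official
  # repository).
  publish-tool:
    name: Publish tool
    runs-on: ubuntu-latest
    if: fromJSON(needs.setup.outputs.is_release)
    needs:
      - setup
      - build-tool
    # NOTE(review): the job is bound to the "production" environment; whether
    # that environment requires reviewers or restricts refs is repository
    # configuration not visible here.
    environment: production
    permissions:
      # id-token: write lets the job request an OIDC token to assume the AWS
      # role; no long-lived AWS keys are referenced in this workflow.
      id-token: write
      contents: read
    steps:
      - uses: actions/download-artifact@v8
        with:
          name: ${{ needs.setup.outputs.tool_artifact }}
          path: .
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v6
        with:
          role-to-assume: ${{ secrets.IAM_ROLE }}
          aws-region: ${{ secrets.AWS_REGION }}
      - name: Upload tool files to S3
        env:
          S3_TOOLS_BUCKET: ${{ secrets.S3_TOOLS_BUCKET }}
        run: |
          uploaded=0
          for f in *.tar.gz *.zip ; do
            # An unmatched glob stays literal; skip it.
            [ -f "$f" ] || continue
            aws s3 cp "$f" "s3://${S3_TOOLS_BUCKET}/"
            uploaded=$((uploaded + 1))
          done
          # A release that publishes nothing must not be reported as success.
          if [ "$uploaded" -eq 0 ]; then
            echo "::error::No tool archives found to publish"
            exit 1
          fi

  # The final verification step always runs to properly get the overall job status.
  verify-tool:
    runs-on: ubuntu-latest
    if: always()
    needs:
      - build-tool
      - publish-tool
    steps:
      - name: Check build result
        env:
          BUILD_RESULT: ${{ needs.build-tool.result }}
          PUBLISH_RESULT: ${{ needs.publish-tool.result }}
        run: |
          # A failure here means either the build or publish step failed when it was expected to run.
          [ "$BUILD_RESULT" = "success" ] && \
            { [ "$PUBLISH_RESULT" = "success" ] || [ "$PUBLISH_RESULT" = "skipped" ]; }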