ci: upload build snippets to ci-builds

pillo79 · pillo79 · commit 0259ebfd8d66 · 2026-05-22T17:43:58.000+02:00
Add logic to upload the generated snippets to ci-builds, so that they
can be used to populate the boards manager index and tool index in the
Arduino IDE.
diff --git a/.github/workflows/ci_builds_upload.yml b/.github/workflows/ci_builds_upload.yml
@@ -0,0 +1,77 @@
+# Copyright (c) Arduino s.r.l. and/or its affiliated companies
+# SPDX-License-Identifier: Apache-2.0
+
+# Reusable workflow to upload the generated snippets to the ci-builds repo.
+# Must be called with 'id-token: write' permissions.
+
+name: Upload snippets to ci-builds
+
+on:
+  workflow_call:
+    secrets:
+      # PAT with 'actions: write' permissions on the ci-builds repo.
+      ci-builds-token:
+        required: true
+    inputs:
+      # Name of the artifact containing the snippets to upload
+      artifact:
+        required: true
+        type: string
+      # Version to be associated with this snippet upload
+      version:
+        required: true
+        type: string
+      # Repository branch to be associated with this snippet upload
+      base-branch:
+        required: true
+        type: string
+      # Repo hosting the ci-builds workflow to call for storing the snippets.
+      # Not required; useful for testing the workflow with a fork.
+      ci-builds-repo-owner:
+        required: false
+        type: string
+        default: 'arduino'
+      ci-builds-repo-name:
+        required: false
+        type: string
+        default: 'core-ci-builds'
+
+jobs:
+  ci-builds-upload:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/download-artifact@v8
+        with:
+          name: ${{ inputs.artifact }}
+          path: snippets/
+
+      - run: |
+          echo "SNIPPETS<<EOF" >> $GITHUB_ENV
+          (cd snippets && jq -cn 'reduce inputs as $i ({}; .[input_filename] = $i)' $(find * -name '*.json')) >> $GITHUB_ENV
+          echo "EOF" >> $GITHUB_ENV
+
+      - name: Get OIDC identity token
+        id: oidc
+        uses: actions/github-script@v9
+        with:
+          script: |
+            const token = await core.getIDToken('${{ inputs.ci-builds-repo-owner }}/${{ inputs.ci-builds-repo-name }}');
+            core.setOutput('token', token)
+
+      - name: Store snippets in ci-builds
+        uses: actions/github-script@v9
+        with:
+          github-token: ${{ secrets.ci-builds-token }}
+          script: |
+            await github.rest.actions.createWorkflowDispatch({
+              owner: '${{ inputs.ci-builds-repo-owner }}',
+              repo: '${{ inputs.ci-builds-repo-name }}',
+              workflow_id: 'store-snippets.yml',
+              ref: 'main',
+              inputs: {
+                oidc_token: '${{ steps.oidc.outputs.token }}',
+                base_branch: '${{ inputs.base-branch }}',
+                version: '${{ inputs.version }}',
+                snippets: '${{ env.SNIPPETS }}',
+              },
+            });
diff --git a/.github/workflows/package_core.yml b/.github/workflows/package_core.yml
@@ -469,6 +469,14 @@ jobs:
           # errors due to race conditions with parallel branch runs should not fail the job
           extra/ci_calc_size_reports.py ${GITHUB_BASE_SHA} sketches-reports/ || true
 
+      # upload build metadata artifact, for upload to ci-builds
+      - name: Archive build metadata information
+        uses: actions/upload-artifact@v7
+        with:
+          name: build-metadata
+          path: ${{ env.CORE_VER }}.json
+          retention-days: 1
+
       # upload comment request artifact (will be retrieved by leave_pr_comment.yml)
       - name: Archive comment information
         uses: actions/upload-artifact@v7
@@ -600,22 +608,45 @@ jobs:
 
       - uses: actions/download-artifact@v8
         with:
+          pattern: ArduinoCore-*.tar.bz2
           path: .
-          pattern: ArduinoCore-*
           merge-multiple: true
 
+      - uses: actions/download-artifact@v8
+        with:
+          name: build-metadata
+          path: snippets/metadata/
+
       - name: Prepare package index snippets
         run: |
+          mkdir -p snippets/platforms/
           jq -cr '.[]' <<< ${ARTIFACTS} | while read -r artifact; do
             # note: the archive names are always hash-based so they use a
             # predictable pattern. JSON files can use the tag for user-friendliness.
             ARTIFACT_FILE=ArduinoCore-${artifact}-${CORE_HASH}.tar.bz2
-            PACKAGE_JSON=ArduinoCore-${artifact}-${CORE_TAG}.json
+            PACKAGE_JSON=snippets/platforms/ArduinoCore-${artifact}-${CORE_TAG}.json
             ./extra/gen_package_index_json.sh ${artifact} ${ARTIFACT_FILE} ${PACKAGE_JSON}
           done
 
       - name: Archive package index snippets
         uses: actions/upload-artifact@v7
         with:
-          name: ArduinoCore-zephyr-${{ env.CORE_TAG }}-jsons
-          path: ArduinoCore-*-${{ env.CORE_TAG }}.json
+          name: snippets-${{ env.CORE_TAG }}
+          path: snippets/
+
+  ci-builds-upload:
+    name: Upload to ci-builds
+    if: ${{ github.event_name == 'push' && github.repository == 'arduino/ArduinoCore-zephyr' }}
+    needs:
+      - build-env
+      - verify-core
+      - prepare-json
+    permissions:
+      id-token: write   # required to obtain the OIDC token
+    uses: ./.github/workflows/ci_builds_upload.yml
+    with:
+      artifact: snippets-${{ needs.build-env.outputs.CORE_TAG }}
+      version: ${{ needs.build-env.outputs.CORE_VER }}
+      base-branch: ${{ needs.build-env.outputs.CORE_BRANCH }}
+    secrets:
+      ci-builds-token: ${{ secrets.CI_BUILDS_TOKEN }}
diff --git a/.github/workflows/package_tool.yml b/.github/workflows/package_tool.yml
@@ -102,7 +102,12 @@ jobs:
           cache: false
 
       - name: Build and package tool
-        run: extra/package_tool.sh tools/${{ matrix.tool }} ${{ matrix.version }}
+        run: |
+          mkdir -p snippets/tools snippets/metadata
+          extra/package_tool.sh tools/${{ matrix.tool }} ${{ matrix.version }}
+          mv distrib/*.json snippets/tools/
+          # metadata dir is empty, but is still required to preserve the
+          # directory structure in the generated artifacts
 
       - name: Upload tool artifact
         uses: actions/upload-artifact@v7
@@ -113,12 +118,11 @@ jobs:
             distrib/*.zip
           retention-days: 7
 
-      - name: Upload JSON artifact
+      - name: Upload JSON snippet
         uses: actions/upload-artifact@v7
         with:
-          name: ${{ matrix.tool }}-${{ matrix.version }}.json
-          path: distrib/*.json
-          archive: false
+          name: snippet-${{ matrix.tool }}-${{ matrix.version }}
+          path: snippets/
 
   # Upload the built tool packages to the S3 bucket for public distribution.
 
@@ -167,3 +171,21 @@ jobs:
           # A failure here means either the build or publish step failed when it was expected to run.
           [ ${{ needs.build-tool.result }} == "success" ] && \
             ( [ ${{ needs.publish-tool.result }} == "success" ] || [ ${{ needs.publish-tool.result }} == "skipped" ] )
+
+  ci-builds-upload:
+    name: Upload to ci-builds
+    if: fromJSON(needs.setup.outputs.is_release)
+    needs:
+      - setup
+      - build-tool
+      - publish-tool
+      - verify-tool
+    permissions:
+      id-token: write   # required to obtain the OIDC token
+    uses: ./.github/workflows/ci_builds_upload.yml
+    with:
+      artifact: snippet-${{ needs.setup.outputs.tool_artifact }}
+      version: ${{ needs.setup.outputs.CORE_VER }}
+      base-branch: ${{ needs.setup.outputs.CORE_BRANCH }}
+    secrets:
+      ci-builds-token: ${{ secrets.CI_BUILDS_TOKEN }}
