forked from zephyrproject-rtos/ArduinoCore-zephyr
-
Notifications
You must be signed in to change notification settings - Fork 62
205 lines (179 loc) · 7.37 KB
/
Copy pathpackage_tool.yml
File metadata and controls
205 lines (179 loc) · 7.37 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
# Copyright (c) Arduino s.r.l. and/or its affiliated companies
# SPDX-License-Identifier: Apache-2.0
# CI workflow to build, package and upload a specific tool.
name: Package and upload tool
# Trigger on any pull request that modifies files in the tools/ directory or
# the packaging script, or on any tag that starts with tools/ and has the
# format tools/<tool>/<version>, e.g. tools/gen-rodata-ld/0.1.0.
#
# For tag pushes, only build the specific tool and version indicated by the
# tag, and only publish if the repository is the official Arduino one.
on:
push:
tags:
- 'tools/**'
pull_request:
paths:
- 'tools/**'
- 'extra/package_tool.sh'
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}-${{ github.actor }}
cancel-in-progress: true
jobs:
# Set up the build matrix based on the event type. For tag pushes, the matrix
# will contain only the tool and version specified by the tag. For pull
# requests, the matrix will include all tools with the version set to the
# commit SHA. Also determine if this is a release build on the main
# repository, and if so, set the tool artifact name for later use.
setup:
name: Set up build matrix
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.set-matrix.outputs.matrix }}
is_release: ${{ steps.set-matrix.outputs.is_release }}
tool_artifact: ${{ steps.set-matrix.outputs.tool_artifact }}
CORE_BRANCH: ${{ steps.set-matrix.outputs.CORE_BRANCH }}
CORE_VER: ${{ steps.set-matrix.outputs.CORE_VER }}
steps:
- uses: actions/checkout@v6
with:
fetch-depth: 0
fetch-tags: true # for get_core_version
persist-credentials: false
submodules: 'ignore'
- name: Set build matrix
id: set-matrix
run: |
if [[ "$GITHUB_REF" == refs/tags/tools/* ]]; then
# single tool, release build on main repo
TAG="${GITHUB_REF#refs/tags/tools/}"
TOOL="${TAG%%/*}"
VERSION="${TAG#*/}"
MATRIX=$(jq -cn --arg tool "$TOOL" --arg version "$VERSION" \
'{include: [{tool: $tool, version: $version}]}')
echo "tool_artifact=$TOOL-$VERSION" >> "$GITHUB_OUTPUT"
echo "is_release=${{ github.repository == 'arduino/ArduinoCore-zephyr' }}" >> "$GITHUB_OUTPUT"
BRANCH=$(git branch -r --contains HEAD --sort=-committerdate --format='%(refname:short)' | sed 's|origin/||' | grep -v HEAD | head -1)
[[ -n "$BRANCH" ]] || { echo "::error::No branch found containing tag ${{ github.ref_name }}"; exit 1; }
echo "CORE_BRANCH=${BRANCH}" >> "$GITHUB_OUTPUT"
else
# build all tools using commit SHA as version
VERSION=$(git rev-parse --short ${{ github.event.pull_request.head.sha || 'HEAD' }})
MATRIX=$(for d in tools/*/; do [ -f "$d/go.mod" ] && basename "$d"; done \
| jq -Rnc --arg version "$VERSION" '{include: [inputs | {tool: ., version: $version}]}')
echo "tool_artifact=" >> "$GITHUB_OUTPUT"
echo "is_release=false" >> "$GITHUB_OUTPUT"
echo "CORE_BRANCH=${{ github.head_ref || github.ref_name }}" >> "$GITHUB_OUTPUT"
fi
echo "matrix=$MATRIX" >> "$GITHUB_OUTPUT"
echo "CORE_VER=$(extra/get_core_version.sh)" >> "$GITHUB_OUTPUT"
- name: Verify dependabot config
if: ${{ github.event_name == 'pull_request' }}
run: |
# Check that the dependabot config is exactly as generated by extra/ci_dependabot_config.sh, to avoid
# accidentally breaking it and leaving the tools unmaintained.
extra/ci_dependabot_config.sh /tmp/expected_dependabot.yml
if ! cmp -s /tmp/expected_dependabot.yml .github/dependabot.yml; then
echo "::error::Dependabot config is not up to date. Please run extra/ci_dependabot_config.sh and commit the changes."
exit 1
fi
# Build and package the tools in parallel according to the matrix, uploading
# the resulting packages and metadata as artifacts for later use.
build-tool:
name: Build ${{ matrix.tool }} ${{ matrix.version }}
needs: setup
runs-on: ubuntu-latest
strategy:
matrix: ${{ fromJSON(needs.setup.outputs.matrix) }}
steps:
- uses: actions/checkout@v6
with:
fetch-depth: 0
fetch-tags: true
persist-credentials: false
submodules: 'ignore'
- uses: actions/setup-go@v6
with:
go-version: stable
cache: false
- name: Build and package tool
run: |
mkdir -p snippets/tools snippets/metadata
extra/package_tool.sh tools/${{ matrix.tool }} ${{ matrix.version }}
mv distrib/*.json snippets/tools/
# metadata dir is empty, but is still required to preserve the
# directory structure in the generated artifacts
- name: Upload tool artifact
uses: actions/upload-artifact@v7
with:
name: ${{ matrix.tool }}-${{ matrix.version }}
path: |
distrib/*.tar.gz
distrib/*.zip
retention-days: 7
- name: Upload JSON snippet
uses: actions/upload-artifact@v7
with:
name: snippet-${{ matrix.tool }}-${{ matrix.version }}
path: snippets/
# Upload the built tool packages to the S3 bucket for public distribution.
publish-tool:
name: Publish tool
runs-on: ubuntu-latest
if: fromJSON(needs.setup.outputs.is_release)
needs:
- setup
- build-tool
environment: production
permissions:
id-token: write
contents: read
steps:
- uses: actions/download-artifact@v8
with:
name: ${{ needs.setup.outputs.tool_artifact }}
path: .
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v6
with:
role-to-assume: ${{ secrets.IAM_ROLE }}
aws-region: ${{ secrets.AWS_REGION }}
- name: Upload tool files to S3
run: |
for f in *.tar.gz *.zip ; do
[ -f "$f" ] || continue
aws s3 cp "$f" s3://${{ secrets.S3_TOOLS_BUCKET }}/
done
# The final verification step always runs to properly get the overall job status.
verify-tool:
runs-on: ubuntu-latest
if: always()
needs:
- build-tool
- publish-tool
steps:
- name: Check build result
run: |
# A failure here means either the build or publish step failed when it was expected to run.
[ ${{ needs.build-tool.result }} == "success" ] && \
( [ ${{ needs.publish-tool.result }} == "success" ] || [ ${{ needs.publish-tool.result }} == "skipped" ] )
ci-builds-upload:
name: Upload to ci-builds
if: fromJSON(needs.setup.outputs.is_release)
runs-on: ubuntu-latest
needs:
- setup
- build-tool
- publish-tool
- verify-tool
permissions:
id-token: write # required to obtain the OIDC token
steps:
# Run the composite action in this context to create a proper OIDC token
# for this repo and start the internal workflows.
- uses: arduino/core-ci-builds@main
with:
token: ${{ secrets.CI_BUILDS_TOKEN }}
version: ${{ needs.setup.outputs.CORE_VER }}
artifact: snippet-${{ needs.setup.outputs.tool_artifact }}
base-branch: ${{ needs.setup.outputs.CORE_BRANCH }}