init

.github/workflows/build.yml

@@ -0,0 +1,234 @@
+name: Arduino IDE
+
+on:
+ push:
+ branches:
+ - main
+ tags:
+ - '[0-9]+.[0-9]+.[0-9]+*'
+ workflow_dispatch:
+ pull_request:
+ branches:
+ - main
+ schedule:
+ - cron: '0 3 * * *' # run every day at 3AM (https://docs.github.com/en/actions/reference/events-that-trigger-workflows#scheduled-events-schedule)
+
+env:
+ JOB_TRANSFER_ARTIFACT: build-artifacts
+
+jobs:
+
+ build:
+ if: github.repository == 'arduino/arduino-ide'
+ strategy:
+ matrix:
+ config:
+ - os: windows-latest
+ - os: ubuntu-latest
+ - os: macos-latest
+ runs-on: ${{ matrix.config.os }}
+ timeout-minutes: 90
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - name: Install Node.js 12.x
+ uses: actions/setup-node@v1
+ with:
+ node-version: '12.14.1'
+ registry-url: 'https://registry.npmjs.org'
+
+ - name: Install Python 2.7
+ uses: actions/setup-python@v2
+ with:
+ python-version: '2.7'
+
+ - name: Package
+ shell: bash
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ AC_USERNAME: ${{ secrets.AC_USERNAME }}
+ AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ IS_NIGHTLY: ${{ github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main') }}
+ IS_RELEASE: ${{ startsWith(github.ref, 'refs/tags/') }}
+ IS_FORK: ${{ github.event.pull_request.head.repo.fork == true }}
+ run: |
+ # See: https://www.electron.build/code-signing
+ if [ $IS_FORK = true ]; then
+ echo "Skipping the app signing: building from a fork."
+ else
+ if [ "${{ runner.OS }}" = "macOS" ]; then
+ export CSC_LINK="${{ runner.temp }}/signing_certificate.p12"
+ # APPLE_SIGNING_CERTIFICATE_P12 secret was produced by following the procedure from:
+ # https://www.kencochrane.com/2020/08/01/build-and-sign-golang-binaries-for-macos-with-github-actions/#exporting-the-developer-certificate
+ echo "${{ secrets.APPLE_SIGNING_CERTIFICATE_P12 }}" | base64 --decode > "$CSC_LINK"
+
+ export CSC_KEY_PASSWORD="${{ secrets.KEYCHAIN_PASSWORD }}"
+
+ elif [ "${{ runner.OS }}" = "Windows" ]; then
+ export CSC_LINK="${{ runner.temp }}/signing_certificate.pfx"
+ echo "${{ secrets.WINDOWS_SIGNING_CERTIFICATE_PFX }}" | base64 --decode > "$CSC_LINK"
+
+ export CSC_KEY_PASSWORD="${{ secrets.WINDOWS_SIGNING_CERTIFICATE_PASSWORD }}"
+ fi
+ fi
+
+ yarn --cwd ./electron/packager/
+ yarn --cwd ./electron/packager/ package
+
+ - name: Upload [GitHub Actions]
+ uses: actions/upload-artifact@v2
+ with:
+ name: ${{ env.JOB_TRANSFER_ARTIFACT }}
+ path: electron/build/dist/build-artifacts/
+
+ artifacts:
+ name: ${{ matrix.artifact.name }} artifact
+ needs: build
+ if: always() && needs.build.result != 'skipped'
+ runs-on: ubuntu-latest
+
+ strategy:
+ matrix:
+ artifact:
+ - path: "*Linux_64bit.zip"
+ name: Linux_X86-64
+ - path: "*macOS_64bit.dmg"
+ name: macOS
+ - path: "*Windows_64bit.exe"
+ name: Windows_X86-64_interactive_installer
+ - path: "*Windows_64bit.msi"
+ name: Windows_X86-64_MSI
+ - path: "*Windows_64bit.zip"
+ name: Windows_X86-64_zip
+
+ steps:
+ - name: Download job transfer artifact
+ uses: actions/download-artifact@v2
+ with:
+ name: ${{ env.JOB_TRANSFER_ARTIFACT }}
+ path: ${{ env.JOB_TRANSFER_ARTIFACT }}
+
+ - name: Upload tester build artifact
+ uses: actions/upload-artifact@v2
+ with:
+ name: ${{ matrix.artifact.name }}
+ path: ${{ env.JOB_TRANSFER_ARTIFACT }}/${{ matrix.artifact.path }}
+
+ changelog:
+ needs: build
+ runs-on: ubuntu-latest
+ outputs:
+ BODY: ${{ steps.changelog.outputs.BODY }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0 # To fetch all history for all branches and tags.
+
+ - name: Generate Changelog
+ id: changelog
+ env:
+ IS_RELEASE: ${{ startsWith(github.ref, 'refs/tags/') }}
+ run: |
+ export LATEST_TAG=$(git describe --abbrev=0)
+ export GIT_LOG=$(git log --pretty=" - %s [%h]" $LATEST_TAG..HEAD | sed 's/ *$//g')
+ if [ "$IS_RELEASE" = true ]; then
+ export BODY=$(echo -e "$GIT_LOG")
+ else
+ export LATEST_TAG_WITH_LINK=$(echo "[$LATEST_TAG](https://github.com/OS-Q/S04B/releases/tag/$LATEST_TAG)")
+ if [ -z "$GIT_LOG" ]; then
+ export BODY="There were no changes since version $LATEST_TAG_WITH_LINK."
+ else
+ export BODY=$(echo -e "Changes since version $LATEST_TAG_WITH_LINK:\n$GIT_LOG")
+ fi
+ fi
+ echo -e "$BODY"
+ OUTPUT_SAFE_BODY="${BODY//'%'/'%25'}"
+ OUTPUT_SAFE_BODY="${OUTPUT_SAFE_BODY//$'\n'/'%0A'}"
+ OUTPUT_SAFE_BODY="${OUTPUT_SAFE_BODY//$'\r'/'%0D'}"
+ echo "::set-output name=BODY::$OUTPUT_SAFE_BODY"
+ echo "$BODY" > CHANGELOG.txt
+
+ - name: Upload Changelog [GitHub Actions]
+ if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main')
+ uses: actions/upload-artifact@v2
+ with:
+ name: ${{ env.JOB_TRANSFER_ARTIFACT }}
+ path: CHANGELOG.txt
+
+ publish:
+ needs: changelog
+ if: github.repository == 'arduino/arduino-ide' && (github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main'))
+ runs-on: ubuntu-latest
+ steps:
+ - name: Download [GitHub Actions]
+ uses: actions/download-artifact@v2
+ with:
+ name: ${{ env.JOB_TRANSFER_ARTIFACT }}
+ path: ${{ env.JOB_TRANSFER_ARTIFACT }}
+
+ - name: Publish Nightly [S3]
+ uses: docker:https://plugins/s3
+ env:
+ PLUGIN_SOURCE: "${{ env.JOB_TRANSFER_ARTIFACT }}/*"
+ PLUGIN_STRIP_PREFIX: "${{ env.JOB_TRANSFER_ARTIFACT }}/"
+ PLUGIN_TARGET: "/arduino-ide/nightly"
+ PLUGIN_BUCKET: ${{ secrets.DOWNLOADS_BUCKET }}
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+
+ release:
+ needs: changelog
+ if: github.repository == 'arduino/arduino-ide' && startsWith(github.ref, 'refs/tags/')
+ runs-on: ubuntu-latest
+ steps:
+ - name: Download [GitHub Actions]
+ uses: actions/download-artifact@v2
+ with:
+ name: ${{ env.JOB_TRANSFER_ARTIFACT }}
+ path: ${{ env.JOB_TRANSFER_ARTIFACT }}
+
+ - name: Get Tag
+ id: tag_name
+ run: |
+ echo ::set-output name=TAG_NAME::${GITHUB_REF#refs/tags/}
+
+ - name: Publish Release [GitHub]
+ uses: svenstaro/[email protected]
+ with:
+ repo_token: ${{ secrets.GITHUB_TOKEN }}
+ release_name: ${{ steps.tag_name.outputs.TAG_NAME }}
+ file: ${{ env.JOB_TRANSFER_ARTIFACT }}/*
+ tag: ${{ github.ref }}
+ file_glob: true
+ body: ${{ needs.changelog.outputs.BODY }}
+
+ - name: Publish Release [S3]
+ uses: docker:https://plugins/s3
+ env:
+ PLUGIN_SOURCE: "${{ env.JOB_TRANSFER_ARTIFACT }}/*"
+ PLUGIN_STRIP_PREFIX: "${{ env.JOB_TRANSFER_ARTIFACT }}/"
+ PLUGIN_TARGET: "/arduino-ide"
+ PLUGIN_BUCKET: ${{ secrets.DOWNLOADS_BUCKET }}
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+
+ clean:
+ # This job must run after all jobs that use the transfer artifact.
+ needs:
+ - build
+ - publish
+ - release
+ - artifacts
+ if: always() && needs.build.result != 'skipped'
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Remove unneeded job transfer artifact
+ uses: geekyeggo/delete-artifact@v1
+ with:
+ name: ${{ env.JOB_TRANSFER_ARTIFACT }}

.github/workflows/check-certificates.yml

@@ -0,0 +1,127 @@
+name: Check for issues with signing certificates
+
+on:
+ schedule:
+ # run every 10 hours
+ - cron: "0 */10 * * *"
+ # workflow_dispatch event allows the workflow to be triggered manually.
+ # This could be used to run an immediate check after updating certificate secrets.
+ # See: https://docs.github.com/en/actions/reference/events-that-trigger-workflows#workflow_dispatch
+ workflow_dispatch:
+
+env:
+ # Begin notifications when there are less than this many days remaining before expiration
+ EXPIRATION_WARNING_PERIOD: 30
+
+jobs:
+ check-certificates:
+ # Only run when the workflow will have access to the certificate secrets.
+ if: >
+ (github.event_name != 'pull_request' && github.repository == 'arduino/arduino-ide') ||
+ (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'arduino/arduino-ide')
+ 
+ runs-on: ubuntu-latest
+
+ strategy:
+ fail-fast: false
+
+ matrix:
+ certificate:
+ - identifier: macOS signing certificate # Text used to identify the certificate in notifications
+ certificate-secret: APPLE_SIGNING_CERTIFICATE_P12 # The name of the secret that contains the certificate
+ password-secret: KEYCHAIN_PASSWORD # The name of the secret that contains the certificate password
+ - identifier: Windows signing certificate
+ certificate-secret: WINDOWS_SIGNING_CERTIFICATE_PFX
+ password-secret: WINDOWS_SIGNING_CERTIFICATE_PASSWORD
+
+ steps:
+ - name: Set certificate path environment variable
+ run: |
+ # See: https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-commands-for-github-actions#setting-an-environment-variable
+ echo "CERTIFICATE_PATH=${{ runner.temp }}/certificate.p12" >> "$GITHUB_ENV"
+
+ - name: Decode certificate
+ env:
+ CERTIFICATE: ${{ secrets[matrix.certificate.certificate-secret] }}
+ run: |
+ echo "${{ env.CERTIFICATE }}" | base64 --decode > "${{ env.CERTIFICATE_PATH }}"
+
+ - name: Verify certificate
+ env:
+ CERTIFICATE_PASSWORD: ${{ secrets[matrix.certificate.password-secret] }}
+ run: |
+ (
+ openssl pkcs12 \
+ -in "${{ env.CERTIFICATE_PATH }}" \
+ -noout -passin env:CERTIFICATE_PASSWORD
+ ) || (
+ echo "::error::Verification of ${{ matrix.certificate.identifier }} failed!!!"
+ exit 1
+ )
+
+ # See: https://github.com/rtCamp/action-slack-notify
+ - name: Slack notification of certificate verification failure
+ if: failure()
+ uses: rtCamp/[email protected]
+ env:
+ SLACK_WEBHOOK: ${{ secrets.TEAM_TOOLING_CHANNEL_SLACK_WEBHOOK }}
+ SLACK_MESSAGE: |
+ :warning::warning::warning::warning:
+ WARNING: ${{ github.repository }} ${{ matrix.certificate.identifier }} verification failed!!!
+ :warning::warning::warning::warning:
+ SLACK_COLOR: danger
+ MSG_MINIMAL: true
+
+ - name: Get days remaining before certificate expiration date
+ env:
+ CERTIFICATE_PASSWORD: ${{ secrets[matrix.certificate.password-secret] }}
+ id: get-days-before-expiration
+ run: |
+ EXPIRATION_DATE="$(
+ (
+ openssl pkcs12 \
+ -in "${{ env.CERTIFICATE_PATH }}" \
+ -clcerts \
+ -nodes \
+ -passin env:CERTIFICATE_PASSWORD
+ ) | (
+ openssl x509 \
+ -noout \
+ -enddate
+ ) | (
+ grep \
+ --max-count=1 \
+ --only-matching \
+ --perl-regexp \
+ 'notAfter=(\K.*)'
+ )
+ )"
+
+ DAYS_BEFORE_EXPIRATION="$((($(date --utc --date="$EXPIRATION_DATE" +%s) - $(date --utc +%s)) / 60 / 60 / 24))"
+
+ # Display the expiration information in the log
+ echo "Certificate expiration date: $EXPIRATION_DATE"
+ echo "Days remaining before expiration: $DAYS_BEFORE_EXPIRATION"
+
+ echo "::set-output name=days::$DAYS_BEFORE_EXPIRATION"
+
+ - name: Check if expiration notification period has been reached
+ id: check-expiration
+ run: |
+ if [[ ${{ steps.get-days-before-expiration.outputs.days }} -lt ${{ env.EXPIRATION_WARNING_PERIOD }} ]]; then
+ echo "::error::${{ matrix.certificate.identifier }} will expire in ${{ steps.get-days-before-expiration.outputs.days }} days!!!"
+ exit 1
+ fi
+
+ - name: Slack notification of pending certificate expiration
+ # Don't send spurious expiration notification if verification fails
+ if: failure() && steps.check-expiration.outcome == 'failure'
+ uses: rtCamp/[email protected]
+ env:
+ SLACK_WEBHOOK: ${{ secrets.TEAM_TOOLING_CHANNEL_SLACK_WEBHOOK }}
+ SLACK_MESSAGE: |
+ :warning::warning::warning::warning:
+ WARNING: ${{ github.repository }} ${{ matrix.certificate.identifier }} will expire in ${{ steps.get-days-before-expiration.outputs.days }} days!!!
+ :warning::warning::warning::warning:
+ SLACK_COLOR: danger
+ MSG_MINIMAL: true

.gitignore

@@ -0,0 +1,18 @@
+node_modules/
+# .node_modules is a hack for the electron builder.
+.node_modules/
+lib/
+downloads/
+build/
+Examples/
+!electron/build/
+src-gen/
+*webpack.config.js
+.DS_Store
+# switching from `electron` to `browser` in dev mode.
+.browser_modules
+yarn*.log
+# For the VS Code extensions used by Theia.
+plugins
+# the config files for the CLI
+arduino-ide-extension/data/cli/config