Nightly builds #1337

Workflow file for this run

.github/workflows/nightly.yml at 0eb9e44

	# This workflow will build a Java project with Maven and publish nightly builds
	# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-maven

	name: Nightly builds

	on:
	schedule:
	- cron: "0 0 * * *"

	jobs:
	build:
	runs-on: macos-latest

	steps:
	- uses: actions/checkout@v2

	- name: Set up JDK 21
	uses: actions/setup-java@v2
	with:
	java-version: '21'
	distribution: 'temurin'

	- name: Build with Maven
	run: \|
	# We skip local signing because we will use Azure Cloud Signing next
	mvn -e -X clean install -Djarsigner.skip=true -DskipTests=true

	- name: Download Jsign
	run: \|
	wget -q https://github.com/ebourg/jsign/releases/download/7.4/jsign-7.4.jar \|\| \
	curl -L -o jsign-7.4.jar https://github.com/ebourg/jsign/releases/download/7.4/jsign-7.4.jar
	echo "Downloaded Jsign 7.4"

	- name: Authenticate to Azure
	run: \|
	az login --service-principal \
	--username ${{ secrets.AZURE_CLIENT_ID }} \
	--password ${{ secrets.AZURE_CLIENT_SECRET }} \
	--tenant ${{ secrets.AZURE_TENANT_ID }} \
	--allow-no-subscriptions

	- name: Get Azure Key Vault Access Token
	id: get-token
	run: \|
	TOKEN=$(az account get-access-token --resource https://vault.azure.net --query accessToken -o tsv)
	echo "::add-mask::$TOKEN"
	echo "token=$TOKEN" >> $GITHUB_OUTPUT

	- name: Sign JAR files with Azure Key Vault
	env:
	AZURE_TOKEN: ${{ steps.get-token.outputs.token }}
	CERT_CHAIN: ${{ secrets.AZURE_KEYVAULT_CERTCHAIN }}
	run: \|
	# Setup Certificate Chain
	CERTCHAIN_ARG=""
	if [ -n "$CERT_CHAIN" ]; then
	echo "$CERT_CHAIN" > certchain.p7b
	CERTCHAIN_ARG="-certchain certchain.p7b"
	fi

	REPO_DIR="releng/com.espressif.idf.update/target/repository"
	SIGFILE="ECLIPSE"

	echo "Signing IDF plugin JARs in $REPO_DIR..."

	# Find and sign specific Espressif JARs
	find "$REPO_DIR" -type f -name "*.jar" \| while read -r file; do
	if [[ "$file" =~ (plugins\|features)/com\.espressif\. ]]; then
	echo "Signing: $file"

	jarsigner \
	-J-cp -Jjsign-7.4.jar \
	-J--add-modules -Jjava.sql \
	-providerClass net.jsign.jca.JsignJcaProvider \
	-providerArg "${{ secrets.AZURE_KEYVAULT_URI }}" \
	-keystore NONE \
	-storetype AZUREKEYVAULT \
	-storepass "$AZURE_TOKEN" \
	-sigfile "$SIGFILE" \
	-digestalg SHA-256 \
	-tsa http://timestamp.digicert.com \
	$CERTCHAIN_ARG \
	-certs \
	-verbose \
	"$file" \
	"${{ secrets.AZURE_KEYVAULT_CERT_NAME }}"

	if [ $? -ne 0 ]; then
	echo "Failed to sign: $file"
	exit 1
	fi
	fi
	done

	- name: Regenerate P2 Metadata
	run: \|
	# Signing changes file checksums, so we must fix the P2 metadata
	mvn -f releng/com.espressif.idf.update/pom.xml \
	org.eclipse.tycho:tycho-p2-repository-plugin:fix-artifacts-metadata \
	-DrepositoryPath="releng/com.espressif.idf.update/target/repository" \
	-DskipTests=true

	- name: Cleanup
	if: always()
	run: \|
	az logout \|\| true
	rm -f jsign-7.4.jar \|\| true
	rm -f certchain.p7b \|\| true

	- name: Codesign Espressif-IDE
	env:
	MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
	MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
	run: \|
	echo $MACOS_CERTIFICATE \| base64 --decode > certificate.p12
	/usr/bin/security create-keychain -p espressif build.keychain
	/usr/bin/security default-keychain -s build.keychain
	/usr/bin/security unlock-keychain -p espressif build.keychain
	/usr/bin/security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign
	/usr/bin/security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k espressif build.keychain

	echo "codesigning espressif-ide-macosx.cocoa.x86_64"
	/usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/x86_64/Espressif-IDE.app -v
	/usr/bin/codesign -v -vvv --deep $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/x86_64/Espressif-IDE.app

	echo "codesigning espressif-ide-macosx.cocoa.aarch64"
	/usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/aarch64/Espressif-IDE.app -v
	/usr/bin/codesign -v -vvv --deep $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/aarch64/Espressif-IDE.app

	echo "Creating dmg for espressif-ide-macosx.cocoa.x86_64"
	$PWD/releng/ide-dmg-builder/ide-dmg-builder.sh
	/usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg -v
	/usr/bin/codesign -v -vvv --deep $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg

	echo "Creating dmg for espressif-ide-macosx.cocoa.aarch64"
	$PWD/releng/ide-dmg-builder/ide-dmg-builder-aarch64.sh
	/usr/bin/codesign --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg -v
	/usr/bin/codesign -v -vvv --deep $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg

	- name: Notarization of Espressif-IDE dmg files
	env:
	NOTARIZATION_USERNAME: ${{ secrets.NOTARIZATION_USERNAME }}
	NOTARIZATION_PASSWORD: ${{ secrets.NOTARIZATION_PASSWORD }}
	NOTARIZATION_TEAM_ID: ${{ secrets.NOTARIZATION_TEAM_ID }}
	run: \|
	echo "Create notary keychain"
	/usr/bin/security create-keychain -p espressif notary.keychain
	/usr/bin/security default-keychain -s notary.keychain
	/usr/bin/security unlock-keychain -p espressif notary.keychain

	echo "Create keychain profile"
	xcrun notarytool store-credentials "ide-notarytool-profile" --apple-id $NOTARIZATION_USERNAME --team-id $NOTARIZATION_TEAM_ID --password $NOTARIZATION_PASSWORD
	xcrun notarytool submit $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg --keychain-profile "ide-notarytool-profile" --wait

	echo "Attach staple for x86_64.dmg"
	xcrun stapler staple $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg

	echo "Unlock the notary keychain"
	/usr/bin/security unlock-keychain -p espressif notary.keychain

	xcrun notarytool submit $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg --keychain-profile "ide-notarytool-profile" --wait
	echo "Attach staple for aarch64.dmg"
	xcrun stapler staple $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg

	- name: Upload Espressif-IDE-macosx-cocoa-x86_64.dmg
	if: ${{ !cancelled() }}
	uses: actions/upload-artifact@v4
	with:
	name: espressif-ide-macosx-cocoa-x86_64
	path: releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg

	- name: Upload Espressif-IDE-macosx-cocoa-aarch64.dmg
	if: ${{ !cancelled() }}
	uses: actions/upload-artifact@v4
	with:
	name: espressif-ide-macosx.cocoa.aarch64
	path: releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg

	- name: Upload build artifacts
	if: ${{ !cancelled() }}
	uses: actions/upload-artifact@v4
	with:
	name: com.espressif.idf.update
	path: releng/com.espressif.idf.update/target/repository

	- name: Upload windows rcp
	if: ${{ !cancelled() }}
	uses: actions/upload-artifact@v4
	with:
	name: espressif-ide-win32
	path: releng/com.espressif.idf.product/target/products/Espressif-IDE-*-win32.win32.x86_64.zip

	- name: Upload linux rcp
	if: ${{ !cancelled() }}
	uses: actions/upload-artifact@v4
	with:
	name: espressif-ide-linux
	path: releng/com.espressif.idf.product/target/products/Espressif-IDE-*-linux.gtk.x86_64.tar.gz

	- name: Upload build assets to dl.espressif.com
	id: upload-release-asset-espressif
	env:
	AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
	AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
	AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
	run: \|
	ARCHIVE_DIR="/releng/com.espressif.idf.update/target/"
	ARCHIVE_NAME="com.espressif.idf.update*.zip"
	echo "${ARCHIVE_DIR}"
	echo ${PWD}${ARCHIVE_DIR}
	ARCHIVE_FILE_NAME="$(find ${PWD}${ARCHIVE_DIR}${ARCHIVE_NAME})"
	echo "${ARCHIVE_FILE_NAME}"
	ARCHIVE_PREFIX="com.espressif.idf.update-"
	ARCHIVE_SUFFIX="-SNAPSHOT.zip";
	tmp=${ARCHIVE_FILE_NAME#*${ARCHIVE_PREFIX}} # remove prefix
	ARCHIVE_VERSION=${tmp%${ARCHIVE_SUFFIX}*} # remove suffix
	echo "${ARCHIVE_VERSION}"
	FOLDER_NAME="v${ARCHIVE_VERSION}"
	mkdir "${FOLDER_NAME}" && cd "${FOLDER_NAME}" && unzip -q ${ARCHIVE_FILE_NAME} && cd ..
	echo ${PWD}
	ARCHIVE_VERSION_NEW="${ARCHIVE_PREFIX}${ARCHIVE_VERSION}.zip"
	echo ${ARCHIVE_VERSION_NEW}
	mv ${ARCHIVE_FILE_NAME} ${ARCHIVE_VERSION_NEW}
	mv releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg "releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64-${FOLDER_NAME}.dmg"
	mv releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg "releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64-${FOLDER_NAME}.dmg"
	aws s3 rm s3://${{ secrets.DL_BUCKET }}/dl/idf-eclipse-plugin/updates/nightly --recursive
	aws s3 cp --acl=public-read --recursive "./${FOLDER_NAME}/" s3://${{ secrets.DL_BUCKET }}/dl/idf-eclipse-plugin/updates/nightly
	aws s3 cp --acl=public-read "./releng/index.html" s3://${{ secrets.DL_BUCKET }}/dl/idf-eclipse-plugin/updates/nightly/
	aws cloudfront create-invalidation --distribution-id ${{ secrets.DL_DISTRIBUTION_ID }} --paths "/dl/idf-eclipse-plugin/updates/nightly/*"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Nightly builds #1337

Workflow file

Nightly builds #1337

Uh oh!

Workflow file for this run