fix merge conflicts

Author: mirkoCrobu

.github/workflows/go-test.yml

@@ -7,7 +7,7 @@ on:
     branches: [main]
 
 env:
-  GO_VERSION: "1.25.0"
+  GO_VERSION: "1.25.1"
 
 jobs:
   go-test-orchestrator:

.github/workflows/openapi-spec.yml

@@ -12,7 +12,7 @@ on:
         required: false
         default: "main"
 env:
-  GO_VERSION: "1.25.0"
+  GO_VERSION: "1.25.1"
 
 jobs:
   oasdiff:

.github/workflows/release-flasher.yml

@@ -0,0 +1,283 @@
+name: Release Arduino Flasher tool
+
+on:
+  push:
+    tags:
+      - "flasher-*" # Trigger on all tags
+
+env:
+  GO_VERSION: "1.25.1"
+  PROJECT_NAME: "arduino-flasher-cli"
+  GITHUB_TOKEN: ${{ secrets.ARDUINOBOT_TOKEN }}
+  GITHUB_USERNAME: ArduinoBot
+  DIST_DIR: build
+
+jobs:
+  build:
+    strategy:
+      matrix:
+        os: [ubuntu-22.04, macos-13, windows-2022]
+        arch: [amd64, arm64]
+        exclude:
+          - os: windows-2022
+            arch: arm64
+    runs-on: ${{ matrix.os }}
+    outputs:
+      release: ${{ steps.set-version.outputs.RELEASE_NAME }}
+    defaults:
+      run:
+        shell: bash
+    steps:
+      - name: Extract version
+        run: |
+          TAG_NAME="${GITHUB_REF##*/}"
+          VERSION="${TAG_NAME#flasher-}" # Remove 'flasher-' prefix
+          echo "RELEASE_NAME=${{ env.PROJECT_NAME }}-${VERSION}-${{ matrix.os }}-${{ matrix.arch }}" >> $GITHUB_ENV
+        env:
+          GITHUB_REF: ${{ github.ref }}
+
+      - name: Set Windows version
+        id: set-version
+        run: |
+          echo "RELEASE_NAME=${{ env.RELEASE_NAME }}" >> $GITHUB_OUTPUT
+        if: matrix.os == 'windows-2022'
+
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: Install Taskfile
+        uses: arduino/setup-task@v2
+        with:
+          version: "3.x"
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Configure Git for private repo cloning
+        run: |
+          git config --global url."https://${{ env.GITHUB_USERNAME }}:${{ env.GITHUB_TOKEN }}@github.com".insteadOf "https://github.com"
+
+      - name: Build Binary
+        run: |
+          task arduino-flasher-cli:build
+
+      - name: Prepare Build Artifacts
+        working-directory: ./${{ env.DIST_DIR }}
+        run: |
+          tar -czf ${{ env.RELEASE_NAME }}.tar.gz arduino-flasher-cli*
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ env.PROJECT_NAME }}-${{ matrix.os }}-${{ matrix.arch }}
+          path: |
+            ${{ env.DIST_DIR }}/${{ env.RELEASE_NAME }}.tar.gz
+          if-no-files-found: error
+
+  sign-windows-executable:
+    runs-on: windows-sign-pc
+    needs: build
+
+    defaults:
+      run:
+        shell: bash
+
+    env:
+      INSTALLER_CERT_WINDOWS_CER: "/tmp/cert.cer"
+      # We are hardcoding the path for signtool because is not present on the windows PATH env var by default.
+      # Keep in mind that this path could change when upgrading to a new runner version
+      SIGNTOOL_PATH: "C:/Program Files (x86)/Windows Kits/10/bin/10.0.19041.0/x86/signtool.exe"
+      RELEASE_NAME: ${{ needs.build.outputs.release }}
+
+    steps:
+      - name: Download artifacts
+        uses: actions/download-artifact@v5
+        with:
+          name: ${{ env.PROJECT_NAME }}-windows-2022-amd64
+
+      - name: Save Win signing certificate to file
+        run: echo "${{ secrets.INSTALLER_CERT_WINDOWS_CER }}" | base64 --decode > ${{ env.INSTALLER_CERT_WINDOWS_CER}}
+
+      - name: Extract build
+        run: |
+          tar -xvf ${{ env.RELEASE_NAME }}.tar.gz
+          rm ${{ env.RELEASE_NAME }}.tar.gz
+
+      - name: Sign executable
+        env:
+          CERT_PASSWORD: ${{ secrets.INSTALLER_CERT_WINDOWS_PASSWORD }}
+          CONTAINER_NAME: ${{ secrets.INSTALLER_CERT_WINDOWS_CONTAINER }}
+          # https://stackoverflow.com/questions/17927895/automate-extended-validation-ev-code-signing-with-safenet-etoken
+        run: |
+          "${{ env.SIGNTOOL_PATH }}" sign -d "Arduino Flasher CLI" -f ${{ env.INSTALLER_CERT_WINDOWS_CER}} -csp "eToken Base Cryptographic Provider" -k "[{{${{ env.CERT_PASSWORD }}}}]=${{ env.CONTAINER_NAME }}" -fd sha256 -tr http://timestamp.digicert.com -td SHA256 -v "arduino-flasher-cli.exe"
+
+      - name: Prepare Build Artifacts
+        run: |
+          tar -czf ${{ env.RELEASE_NAME }}.tar.gz arduino-flasher-cli.exe
+          rm arduino-flasher-cli.exe
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ env.PROJECT_NAME }}-windows-2022-amd64
+          path: |
+            ${{ env.RELEASE_NAME }}.tar.gz
+          if-no-files-found: error
+          overwrite: true
+
+      # This step is needed because the self hosted runner does not delete files automatically
+      - name: Cleanup
+        run: rm ${{ env.RELEASE_NAME }}.tar.gz
+
+  notarize-macos:
+    name: Notarize macOS
+    runs-on: macos-13
+    needs: build
+    permissions:
+      contents: read
+
+    env:
+      GON_CONFIG_PATH: gon.config.hcl
+
+    strategy:
+      matrix:
+        build: [macos-13-amd64, macos-13-arm64]
+    steps:
+      - name: Set environment variables
+        run: |
+          TAG_NAME="${GITHUB_REF##*/}"
+          VERSION="${TAG_NAME#flasher-}"
+          echo "PACKAGE_FILENAME=${{ env.PROJECT_NAME }}-${VERSION}-${{ matrix.build }}.tar.gz" >>$GITHUB_ENV
+
+      - name: Checkout repository
+        uses: actions/checkout@v5
+
+      - name: Download artifacts
+        uses: actions/download-artifact@v5
+        with:
+          name: ${{ env.PROJECT_NAME }}-${{ matrix.build }}
+          path: ${{ env.DIST_DIR }}
+
+      - name: Extract build
+        working-directory: ${{ env.DIST_DIR }}
+        run: |
+          tar -xvf ${{ env.PACKAGE_FILENAME }}
+
+      - name: Import Code-Signing Certificates
+        env:
+          KEYCHAIN: "sign.keychain"
+          INSTALLER_CERT_MAC_PATH: "/tmp/ArduinoCerts2020.p12"
+          # Arbitrary password for a keychain that exists only for the duration of the job, so not secret
+          KEYCHAIN_PASSWORD: keychainpassword
+        run: |
+          echo "${{ secrets.INSTALLER_CERT_MAC_P12 }}" | base64 --decode >"${{ env.INSTALLER_CERT_MAC_PATH }}"
+
+          security create-keychain \
+            -p "${{ env.KEYCHAIN_PASSWORD }}" \
+            "${{ env.KEYCHAIN }}"
+
+          security default-keychain \
+            -s "${{ env.KEYCHAIN }}"
+
+          security unlock-keychain \
+            -p "${{ env.KEYCHAIN_PASSWORD }}" \
+            "${{ env.KEYCHAIN }}"
+
+          security import \
+            "${{ env.INSTALLER_CERT_MAC_PATH }}" \
+            -k "${{ env.KEYCHAIN }}" \
+            -f pkcs12 \
+            -A \
+            -T "/usr/bin/codesign" \
+            -P "${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}"
+
+          security set-key-partition-list \
+            -S apple-tool:,apple: \
+            -s \
+            -k "${{ env.KEYCHAIN_PASSWORD }}" \
+            "${{ env.KEYCHAIN }}"
+
+      - name: Install gon for code signing and app notarization
+        run: |
+          wget \
+            -q https://github.com/Bearer/gon/releases/download/v0.0.27/gon_macos.zip
+
+          unzip \
+            gon_macos.zip \
+            -d /usr/local/bin
+
+      - name: Write gon config to file
+        # gon does not allow env variables in config file (https://github.com/mitchellh/gon/issues/20)
+        run: |
+          cat >"${{ env.GON_CONFIG_PATH }}" \
+          <<EOF
+          # See: https://github.com/Bearer/gon#configuration-file
+          source = ["${{ env.DIST_DIR }}/${{ env.PROJECT_NAME }}"]
+          bundle_id = "cc.arduino.${{ env.PROJECT_NAME }}"
+
+          sign {
+            application_identity = "Developer ID Application: ARDUINO SA (7KT7ZWMCJT)"
+          }
+
+          # Ask Gon for zip output to force notarization process to take place.
+          # The CI will ignore the zip output, using the signed binary only.
+          zip {
+            output_path = "unused.zip"
+          }
+          EOF
+
+      - name: Sign and notarize binary
+        env:
+          AC_USERNAME: ${{ secrets.AC_USERNAME }}
+          AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
+          AC_PROVIDER: ${{ secrets.AC_PROVIDER }}
+        run: |
+          gon "${{ env.GON_CONFIG_PATH }}"
+
+      - name: Re-package binary
+        working-directory: ${{ env.DIST_DIR }}
+        # Repackage the signed binary replaced in place by Gon (ignoring the output zip file)
+        run: |
+          # GitHub's upload/download-artifact actions don't preserve file permissions,
+          # so we need to add execution permission back until the action is made to do this.
+          chmod \
+            +x \
+            "${{ env.PROJECT_NAME }}"
+
+          tar -czf ${{ env.PACKAGE_FILENAME }} ${{ env.PROJECT_NAME }}
+
+      - name: Replace artifact with notarized build
+        uses: actions/upload-artifact@v4
+        with:
+          if-no-files-found: error
+          name: ${{ env.PROJECT_NAME }}-${{ matrix.build }}
+          overwrite: true
+          path: ${{ env.DIST_DIR }}/${{ env.PACKAGE_FILENAME }}
+
+  create-release:
+    runs-on: ubuntu-22.04
+    needs: [build, sign-windows-executable, notarize-macos]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # fetch all history for the create changelog step to work properly
+
+      - name: Download artifact
+        uses: actions/download-artifact@v5
+        with:
+          merge-multiple: true
+          path: ${{ env.DIST_DIR }}
+
+      - name: Upload artifacts index
+        uses: ncipollo/release-action@v1
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          draft: false
+          prerelease: true
+          artifacts: ${{ env.DIST_DIR }}/*

.github/workflows/release-releaser.yml

@@ -6,7 +6,7 @@ on:
       - "releaser-*" # Trigger on all tags
 
 env:
-  GO_VERSION: "1.25.0"
+  GO_VERSION: "1.25.1"
   PROJECT_NAME: "releaser"
   GITHUB_TOKEN: ${{ secrets.ARDUINOBOT_TOKEN }}
   GITHUB_USERNAME: ArduinoBot

.github/workflows/release-remoteocd.yml

@@ -6,7 +6,7 @@ on:
       - "remoteocd-*" # Trigger on all tags
 
 env:
-  GO_VERSION: "1.25.0"
+  GO_VERSION: "1.25.1"
   PROJECT_NAME: "remoteocd"
   GITHUB_TOKEN: ${{ secrets.ARDUINOBOT_TOKEN }}
   GITHUB_USERNAME: ArduinoBot

.github/workflows/release.yml

@@ -6,9 +6,10 @@ on:
       - "*" # Trigger on all tags
       - "!remoteocd-*" # Exclude remoteocd tags
       - "!releaser-*" # Exclude releaser tags
+      - "!flasher-*" # Exclude flasher tags
 
 env:
-  GO_VERSION: "1.25.0"
+  GO_VERSION: "1.25.1"
   PROJECT_NAME: "arduino-app-cli"
   GITHUB_TOKEN: ${{ secrets.ARDUINOBOT_TOKEN }}
   GITHUB_USERNAME: ArduinoBot