Add workflow to release arduino-flasher-cli tool (#654)

Co-authored-by: Luca Rinaldi <lucarin@protonmail.com>

Author: MatteoPologruto

.github/workflows/release-flasher.yml

@@ -0,0 +1,164 @@
+name: Release Arduino Flasher tool
+
+on:
+  push:
+    tags:
+      - "flasher-*" # Trigger on all tags
+
+env:
+  GO_VERSION: "1.25.0"
+  PROJECT_NAME: "arduino-flasher"
+  GITHUB_TOKEN: ${{ secrets.ARDUINOBOT_TOKEN }}
+  GITHUB_USERNAME: ArduinoBot
+  DIST_DIR: build
+
+jobs:
+  build:
+    strategy:
+      matrix:
+        os: [linux, darwin, windows]
+        arch: [amd64, arm64]
+        exclude:
+          - os: windows
+            arch: arm64
+    runs-on: ubuntu-22.04
+    outputs:
+      release: ${{ steps.set-version.outputs.RELEASE_NAME }}
+    steps:
+      - name: Extract version
+        run: |
+          TAG_NAME="${GITHUB_REF##*/}"
+          VERSION="${TAG_NAME#flasher-}" # Remove 'flasher-' prefix
+          echo "RELEASE_NAME=${{ env.PROJECT_NAME }}-${VERSION}-${{ matrix.os }}-${{ matrix.arch }}" >> $GITHUB_ENV
+        env:
+          GITHUB_REF: ${{ github.ref }}
+
+      - name: Set Windows version
+        id: set-version
+        run: |
+          echo "RELEASE_NAME=${{ env.RELEASE_NAME }}" >> $GITHUB_OUTPUT
+        if: matrix.os == 'windows'
+
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: Install Taskfile
+        uses: arduino/setup-task@v2
+        with:
+          version: "3.x"
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Configure Git for private repo cloning
+        run: |
+          git config --global url."https://${{ env.GITHUB_USERNAME }}:${{ env.GITHUB_TOKEN }}@github.com".insteadOf "https://github.com"
+
+      - name: Build Binary
+        env:
+          GOARCH: ${{ matrix.arch }}
+          GOOS: ${{ matrix.os }}
+        run: |
+          task arduino-flasher-cli:build
+
+      - name: Rename Windows exe
+        working-directory: ./${{ env.DIST_DIR }}
+        run: |
+          mv arduino-flasher-cli arduino-flasher-cli.exe
+        if: matrix.os == 'windows'
+
+      - name: Prepare Build Artifacts
+        working-directory: ./${{ env.DIST_DIR }}
+        run: |
+          tar -czf ${{ env.RELEASE_NAME }}.tar.gz arduino-flasher-cli*
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ env.PROJECT_NAME }}-${{ matrix.os }}-${{ matrix.arch }}
+          path: |
+            ${{ env.DIST_DIR }}/${{ env.RELEASE_NAME }}.tar.gz
+          if-no-files-found: error
+
+  sign-windows-executable:
+    runs-on: windows-sign-pc
+    needs: build
+
+    defaults:
+      run:
+        shell: bash
+
+    env:
+      INSTALLER_CERT_WINDOWS_CER: "/tmp/cert.cer"
+      # We are hardcoding the path for signtool because is not present on the windows PATH env var by default.
+      # Keep in mind that this path could change when upgrading to a new runner version
+      SIGNTOOL_PATH: "C:/Program Files (x86)/Windows Kits/10/bin/10.0.19041.0/x86/signtool.exe"
+      RELEASE_NAME: ${{ needs.build.outputs.release }}
+
+    steps:
+      - name: Download artifacts
+        uses: actions/download-artifact@v5
+        with:
+          name: ${{ env.PROJECT_NAME }}-windows-amd64
+
+      - name: Save Win signing certificate to file
+        run: echo "${{ secrets.INSTALLER_CERT_WINDOWS_CER }}" | base64 --decode > ${{ env.INSTALLER_CERT_WINDOWS_CER}}
+
+      - name: Extract build
+        run: |
+          tar -xvf ${{ env.RELEASE_NAME }}.tar.gz
+          rm ${{ env.RELEASE_NAME }}.tar.gz
+
+      - name: Sign executable
+        env:
+          CERT_PASSWORD: ${{ secrets.INSTALLER_CERT_WINDOWS_PASSWORD }}
+          CONTAINER_NAME: ${{ secrets.INSTALLER_CERT_WINDOWS_CONTAINER }}
+          # https://stackoverflow.com/questions/17927895/automate-extended-validation-ev-code-signing-with-safenet-etoken
+        run: |
+          "${{ env.SIGNTOOL_PATH }}" sign -d "Arduino Flasher CLI" -f ${{ env.INSTALLER_CERT_WINDOWS_CER}} -csp "eToken Base Cryptographic Provider" -k "[{{${{ env.CERT_PASSWORD }}}}]=${{ env.CONTAINER_NAME }}" -fd sha256 -tr http://timestamp.digicert.com -td SHA256 -v "arduino-flasher-cli.exe"
+
+      - name: Prepare Build Artifacts
+        run: |
+          tar -czf ${{ env.RELEASE_NAME }}.tar.gz arduino-flasher-cli.exe
+          rm arduino-flasher-cli.exe
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ env.PROJECT_NAME }}-windows-amd64
+          path: |
+            ${{ env.RELEASE_NAME }}.tar.gz
+          if-no-files-found: error
+          overwrite: true
+
+      # This step is needed because the self hosted runner does not delete files automatically
+      - name: Cleanup
+        run: rm ${{ env.RELEASE_NAME }}.tar.gz
+
+  create-release:
+    runs-on: ubuntu-22.04
+    needs: [build, sign-windows-executable]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # fetch all history for the create changelog step to work properly
+
+      - name: Download artifact
+        uses: actions/download-artifact@v5
+        with:
+          merge-multiple: true
+          path: ${{ env.DIST_DIR }}
+
+      - name: Upload artifacts index
+        uses: ncipollo/release-action@v1
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          draft: false
+          prerelease: true
+          artifacts: ${{ env.DIST_DIR }}/*

.github/workflows/release.yml

@@ -6,6 +6,7 @@ on:
       - "*" # Trigger on all tags
       - "!remoteocd-*" # Exclude remoteocd tags
       - "!releaser-*" # Exclude releaser tags
+      - "!flasher-*" # Exclude flasher tags
 
 env:
   GO_VERSION: "1.25.0"