@@ -203,7 +203,7 @@ jobs:
203203 echo "is-nightly=$is_nightly" >> $GITHUB_OUTPUT
204204 echo "channel-name=$channel_name" >> $GITHUB_OUTPUT
205205 # Only attempt upload to Amazon S3 if the credentials are available.
206- echo "publish-to-s3=${{ secrets.AWS_SECRET_ACCESS_KEY != '' }}" >> $GITHUB_OUTPUT
206+ echo "publish-to-s3=${{ secrets.AWS_ROLE_ARN != '' }}" >> $GITHUB_OUTPUT
207207
208208select-targets :
209209 needs : build-type-determination
@@ -284,8 +284,6 @@ jobs:
284284 - build-type-determination
285285 - select-targets
286286 env :
287- # https://github.blog/changelog/2024-03-07-github-actions-all-actions-will-run-on-node20-instead-of-node16-by-default/
288- ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION : true
289287 # Location of artifacts generated by build.
290288 BUILD_ARTIFACTS_PATH : electron-app/dist/build-artifacts
291289 # to skip passing signing credentials to electron-builder
@@ -363,8 +361,6 @@ jobs:
363361 AC_USERNAME : ${{ secrets.AC_USERNAME }}
364362 AC_PASSWORD : ${{ secrets.AC_PASSWORD }}
365363 AC_TEAM_ID : ${{ secrets.AC_TEAM_ID }}
366- AWS_ACCESS_KEY_ID : ${{ secrets.AWS_ACCESS_KEY_ID }}
367- AWS_SECRET_ACCESS_KEY : ${{ secrets.AWS_SECRET_ACCESS_KEY }}
368364 IS_NIGHTLY : ${{ needs.build-type-determination.outputs.is-nightly }}
369365 IS_RELEASE : ${{ needs.build-type-determination.outputs.is-release }}
370366 CAN_SIGN : ${{ secrets[matrix.config.certificate-secret] != '' }}
@@ -588,6 +584,12 @@ jobs:
588584 env :
589585 ARTIFACTS_FOLDER : build-artifacts
590586
587+ environment : production
588+
589+ permissions :
590+ id-token : write
591+ contents : read
592+
591593 steps :
592594 - name : Download all job transfer artifacts
593595 uses : actions/download-artifact@v4
@@ -596,15 +598,15 @@ jobs:
596598 path : ${{ env.ARTIFACTS_FOLDER }}
597599 pattern : ${{ env.JOB_TRANSFER_ARTIFACT_PREFIX }}*
598600
601+ - name : Configure AWS Credentials for Nightly [S3]
602+ uses : aws-actions/configure-aws-credentials@v4
603+ with :
604+ role-to-assume : ${{ secrets.AWS_ROLE_ARN }}
605+ aws-region : us-east-1
606+
599607 - name : Publish Nightly [S3]
600- uses : docker://plugins/s3
601- env :
602- PLUGIN_SOURCE : ' ${{ env.ARTIFACTS_FOLDER }}/*'
603- PLUGIN_STRIP_PREFIX : ' ${{ env.ARTIFACTS_FOLDER }}/'
604- PLUGIN_TARGET : ' /arduino-ide/nightly'
605- PLUGIN_BUCKET : ${{ secrets.DOWNLOADS_BUCKET }}
606- AWS_ACCESS_KEY_ID : ${{ secrets.AWS_ACCESS_KEY_ID }}
607- AWS_SECRET_ACCESS_KEY : ${{ secrets.AWS_SECRET_ACCESS_KEY }}
608+ run : |
609+ aws s3 sync ${{ env.ARTIFACTS_FOLDER }} s3://${{ secrets.DOWNLOADS_BUCKET }}/arduino-ide/nightly
608610
609611release :
610612 needs :
@@ -625,6 +627,12 @@ jobs:
625627 env :
626628 ARTIFACTS_FOLDER : build-artifacts
627629
630+ environment : production
631+
632+ permissions :
633+ id-token : write
634+ contents : read
635+
628636 steps :
629637 - name : Download all job transfer artifacts
630638 uses : actions/download-artifact@v4
@@ -648,16 +656,17 @@ jobs:
648656 file_glob : true
649657 body : ${{ needs.changelog.outputs.BODY }}
650658
659+ - name : Configure AWS Credentials for Release [S3]
660+ if : needs.build-type-determination.outputs.publish-to-s3 == 'true'
661+ uses : aws-actions/configure-aws-credentials@v4
662+ with :
663+ role-to-assume : ${{ secrets.AWS_ROLE_ARN }}
664+ aws-region : us-east-1
665+
651666 - name : Publish Release [S3]
652667 if : needs.build-type-determination.outputs.publish-to-s3 == 'true'
653- uses : docker://plugins/s3
654- env :
655- PLUGIN_SOURCE : ' ${{ env.ARTIFACTS_FOLDER }}/*'
656- PLUGIN_STRIP_PREFIX : ' ${{ env.ARTIFACTS_FOLDER }}/'
657- PLUGIN_TARGET : ' /arduino-ide'
658- PLUGIN_BUCKET : ${{ secrets.DOWNLOADS_BUCKET }}
659- AWS_ACCESS_KEY_ID : ${{ secrets.AWS_ACCESS_KEY_ID }}
660- AWS_SECRET_ACCESS_KEY : ${{ secrets.AWS_SECRET_ACCESS_KEY }}
668+ run : |
669+ aws s3 sync ${{ env.ARTIFACTS_FOLDER }} s3://${{ secrets.DOWNLOADS_BUCKET }}/arduino-ide
661670
662671clean :
663672 # This job must run after all jobs that use the transfer artifact.
0 commit comments