Push releases to the S3 downloads bucket (#12)

MatteoPologruto · web-flow · commit 2298ce82fe59 · 2025-10-23T16:14:08.000+02:00
* Automatically determine pre-releases

* Push releases to the downloads bucket
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -8,6 +8,9 @@ on:
 env:
   PROJECT_NAME: "arduino-flasher-cli"
   DIST_DIR: build
+  # The project's folder on Arduino's download server for uploading builds
+  AWS_PLUGIN_TARGET: /arduino-flasher-cli/
+  AWS_REGION: "us-east-1"
 
 jobs:
   build:
@@ -264,6 +267,10 @@ jobs:
   create-release:
     runs-on: ubuntu-24.04
     needs: [build, sign-windows-executable, notarize-macos]
+    environment: production
+    permissions:
+      contents: write
+      id-token: write # This is required for requesting the JWT
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -276,10 +283,46 @@ jobs:
           merge-multiple: true
           path: ${{ env.DIST_DIR }}
 
+      - name: Identify Prerelease
+        # This is a workaround while waiting for create-release action
+        # to implement auto pre-release based on tag
+        id: prerelease
+        run: |
+          wget \
+            -q \
+            -P /tmp https://github.com/fsaintjacques/semver-tool/archive/3.2.0.zip
+
+          unzip \
+            -p /tmp/3.2.0.zip semver-tool-3.2.0/src/semver \
+          >/tmp/semver
+
+          chmod \
+            +x \
+            /tmp/semver
+
+          if [[ "$(/tmp/semver get prerel "${GITHUB_REF/refs\/tags\//}")" ]]; then
+            echo "IS_PRE=true" >>$GITHUB_OUTPUT
+          fi
+
       - name: Upload artifacts index
         uses: ncipollo/release-action@v1
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           draft: false
-          prerelease: true
+          prerelease: ${{ steps.prerelease.outputs.IS_PRE }}
           artifacts: ${{ env.DIST_DIR }}/*
+
+      - name: configure aws credentials
+        uses: aws-actions/configure-aws-credentials@v5
+        with:
+          role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
+          role-session-name: "github_${{ env.PROJECT_NAME }}"
+          aws-region: ${{ env.AWS_REGION }}
+        if: ${{ steps.prerelease.outputs.IS_PRE != 'true' }}
+
+      - name: Upload release files on Arduino downloads servers
+        run: |
+          aws s3 sync \
+            ${{ env.DIST_DIR }} \
+            s3://${{ secrets.DOWNLOADS_BUCKET }}${{ env.AWS_PLUGIN_TARGET }}
+        if: ${{ steps.prerelease.outputs.IS_PRE != 'true' }}
