Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix collision between macOS workflow artifacts in release workflows #530

Merged
merged 1 commit into from
Nov 6, 2024
Merged

Fix collision between macOS workflow artifacts in release workflows #530

merged 1 commit into from
Nov 6, 2024

Conversation

per1234
Copy link
Contributor

@per1234 per1234 commented Nov 6, 2024

These GitHub Workflows are used to automatically generate and publish production and nightly releases of a project. This is done for a range of host architectures, including macOS. The macOS builds are then put through a notarization process in a dedicated workflow job.

GitHub Actions workflow artifacts are used to transfer the generated files between sequential jobs in the workflow. The actions/upload-artifact and actions/download-artifact actions are used for this purpose.

The workflow artifact handling had to be reworked recently in order to handle a breaking change in the 4.0.0 release of the actions/upload-artifact action (#507 / 3b79267). Previously, a single artifact was used for the transfer of the builds for all hosts. However, support for uploading multiple times to a single artifact was dropped in version 4.0.0 of the actions/upload-artifact action. So it is now necessary to use a dedicated artifact for each of the builds. These are downloaded in aggregate in a subsequent job by using the artifact name globbing and merging features which were introduced in version 4.1.0 of the actions/download-artifact action.

A regression was introduced at that time. The chosen approach was to use a separate set of artifacts for the non-notarized and notarized files. An overview of the sequence (the prefixes are the workflow job names):

  1. create-release-artifacts/create-nightly-artifacts: Generate builds.
  2. create-release-artifacts/create-nightly-artifacts: Upload builds to workflow artifacts
  3. notarize-macos: Download workflow artifacts.
  4. notarize-macos: Notarize macOS build from downloaded artifact.
  5. notarize-macos: Upload notarized build to workflow artifact with a different name than the source artifact.
  6. create-release/publish-nightly: Download workflow artifacts.
  7. create-release/publish-nightly: Publish builds.

The problem with this is that the artifacts for the non-notarized (uploaded by the create-release-artifacts/create-nightly-artifacts job) and notarized (created by the notarize-macos job) files are then downloaded and merged by the create-release/publish-nightly job. Since each artifact contains a file with the same path in the merged output, the contents of the last downloaded artifact overwrite the contents of the first. It happens that the non-notarized artifact is downloaded after the notarized artifact, so this file path collision results in non-notarized macOS builds being published instead of the notarized builds as intended, and as done by the workflow prior to the regression. For example, this bug was also present in the Arduino CLI repository and you can see the impact on its releases:

% wget https://downloads.arduino.cc/arduino-cli/nightly/arduino-cli_nightly-latest_macOS_ARM64.tar.gz

[...]

% tar -xf arduino-cli_nightly-latest_macOS_ARM64.tar.gz

% spctl -a -vvv -t install arduino-cli
arduino-cli: rejected

% wget https://downloads.arduino.cc/arduino-cli/arduino-cli_latest_macOS_ARM64.tar.gz

[..]

% tar -xf arduino-cli_latest_macOS_ARM64.tar.gz

% spctl -a -vvv -t install arduino-cli
arduino-cli: rejected

The chosen solution is that, instead of using new artifacts for the notarized builds, to overwrite the same macOS artifacts containing the no-notarized builds, which were generated by the create-release-artifacts/create-nightly-artifacts job with the notarized builds from the notarize-macos jobs. This is made possible by the overwriting capability of the actions/upload-artifact action (which was introduced in version 4.2.0: actions/upload-artifact@11ff42c).

An overview of the new sequence (the prefixes are the workflow job names):

  1. create-release-artifacts/create-nightly-artifacts: Generate builds.
  2. create-release-artifacts/create-nightly-artifacts: Upload builds to workflow artifacts
  3. notarize-macos: Download macOS x86 or Apple Silicon workflow artifact.
  4. notarize-macos: Notarize macOS build from downloaded artifact.
  5. notarize-macos: Upload notarized build to same workflow artifact, overwriting the non-notarized contents.
  6. create-release/publish-nightly: Download workflow artifacts.
  7. create-release/publish-nightly: Publish builds.

The result is that there is no file path collision when the create-release/publish-nightly job downloads and merges the artifacts.

@per1234
Fix collision between macOS workflow artifacts in release workflows
973700b 
These GitHub Workflows are used to automatically generate and publish production and nightly releases of a project. This
is done for a range of host architectures, including macOS. The macOS builds are then put through a notarization process
in a dedicated workflow job.

GitHub Actions workflow artifacts are used to transfer the generated files between sequential jobs in the workflow. The
"actions/upload-artifact" and "actions/download-artifact" actions are used for this purpose.

The workflow artifact handling had to be reworked recently in order to handle a breaking change in the 4.0.0 release of
the "actions/upload-artifact" action. Previously, a single artifact was used for the transfer of the builds for all
hosts. However, support for uploading multiple times to a single artifact was dropped in version 4.0.0 of the
"actions/upload-artifact" action. So it is now necessary to use a dedicated artifact for each of the builds. These are
downloaded in aggregate in a subsequent job by using the artifact name globbing and merging features which were
introduced in version 4.1.0 of the "actions/download-artifact" action.

A regression was introduced at that time. The chosen approach was to use a separate set of artifacts for the
non-notarized and notarized files. An overview of the sequence (the prefixes are the workflow job names):

1. create-release-artifacts/create-nightly-artifacts: Generate builds.
2. create-release-artifacts/create-nightly-artifacts: Upload builds to workflow artifacts
3. notarize-macos: Download workflow artifacts.
4. notarize-macos: Notarize macOS build from downloaded artifact.
5. notarize-macos: Upload notarized build to workflow artifact with a different name than the source artifact.
6. create-release/publish-nightly: Download workflow artifacts.
7. create-release/publish-nightly: Publish builds.

The problem with this is that the artifacts for the non-notarized (uploaded by the
create-release-artifacts/create-nightly-artifacts job) and notarized (created by the notarize-macos job) files are then
downloaded and merged by the create-release/publish-nightly job. Since each artifact contains a file with the same path
in the merged output, the contents of the last downloaded artifact overwrite the contents of the first. It happens that
the non-notarized artifact is downloaded after the notarized artifact, so this file path collision results in
non-notarized macOS builds being published instead of the notarized builds as intended, and as done by the workflow
prior to the regression. For example, this bug was also present in the Arduino CLI repository and you can see the impact
on its releases:

```
% wget https://downloads.arduino.cc/arduino-cli/nightly/arduino-cli_nightly-latest_macOS_ARM64.tar.gz

[...]

% tar -xf arduino-cli_nightly-latest_macOS_ARM64.tar.gz

% spctl -a -vvv -t install arduino-cli
arduino-cli: rejected
```

```
% wget https://downloads.arduino.cc/arduino-cli/arduino-cli_latest_macOS_ARM64.tar.gz

[..]

% tar -xf arduino-cli_latest_macOS_ARM64.tar.gz

% spctl -a -vvv -t install arduino-cli
arduino-cli: rejected
```

The chosen solution is that, instead of using new artifacts for the notarized builds, to overwrite the same macOS
artifacts containing the non-notarized builds (which were generated by the
create-release-artifacts/create-nightly-artifacts job) with the notarized builds from the notarize-macos jobs. This is
made possible by the overwriting capability of the "actions/upload-artifact" action (introduced in version 4.2.0 of the
action).

An overview of the new sequence (the prefixes are the workflow job names):

1. create-release-artifacts/create-nightly-artifacts: Generate builds.
2. create-release-artifacts/create-nightly-artifacts: Upload builds to workflow artifacts
3. notarize-macos: Download macOS x86 or Apple Silicon workflow artifact.
5. notarize-macos: Notarize macOS build from downloaded artifact.
6. notarize-macos: Upload notarized build to same workflow artifact, overwriting the non-notarized contents.
7. create-release/publish-nightly: Download workflow artifacts.
8. create-release/publish-nightly: Publish builds.
@per1234 per1234 added type: imperfection Perceived defect in any part of project topic: code Related to content of the project itself labels Nov 6, 2024
@per1234 per1234 self-assigned this Nov 6, 2024
@per1234 per1234 merged commit 06e6a0e into arduino:main Nov 6, 2024
16 checks passed
@per1234 per1234 deleted the fix-release-workflow branch November 6, 2024 01:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@per1234 per1234

Labels
topic: code Related to content of the project itself type: imperfection Perceived defect in any part of project
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@per1234