Give build workflow step access to required deployment environment

Certain operations in the "Arduino IDE" GitHub Actions workflow use GitHub Actions "secrets" which are defined in the
repository's administrative settings.

These secrets will typically not be defined when the workflow is run in a fork. However, the workflow's base
functionality, the automated building of the application, does not require secrets. Since that base functionality alone
is very useful to contributors (either to validate relevant changes to the application and infrastructure, or to
generate tester builds) who are performing development work in a fork. For this reason, the workflow is configured to
only perform the secret-dependent operations when the required secrets have been defined in the repository settings.

One such operation is publishing the generated builds to Amazon S3, which Arduino uses to host files for distribution.
This operation depends on the "AWS_ROLE_ARN" secret. As a security measure, this secret is defined inside a deployment
environment (named "production"). GitHub Actions workflow jobs can only use secrets from deployment environments which
they have been explicitly configured to have access to.

At the time the workflow was originally developed, GitHub did not have the deployment environment feature, and so the
workflow was not configured to use environments. The switch to using a deployment environment for this secret was made
only recently, and when that was done, the workflow job that checks whether the secret is defined was not configured to
have access to the "production" environment. This caused the workflow to think it was running in a context where that
secret is not defined even when the secret is in fact defined. The bug caused the workflow to always spuriously skip the
"publish" job which publishes nightly builds of Arduino IDE, and the "publish release" step which publishes production
releases.

The bug is fixed by configuring the "build-type-determination" job so that it has access to the "production"
environment.

Loading branch information

per1234 committed Mar 31, 2025

commit 345dd7b7d4f0f72c5b696abc76af7829518f6d80

Give build workflow step access to required deployment environment #2672

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged

giacomocusinato merged 2 commits into arduino:main from per1234:missing-environment

Apr 1, 2025

.github/workflows/build.yml

-Original file line number
+Diff line change
@@ Expand Up / @@ -172,6 +172,7 @@ jobs: @@
           is-nightly: ${{ steps.determination.outputs.is-nightly }}
           channel-name: ${{ steps.determination.outputs.channel-name }}
           publish-to-s3: ${{ steps.determination.outputs.publish-to-s3 }}
+        environment: production
         permissions: {}
         steps:
           - name: Determine the type of build
@@ Expand Down @@

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Give build workflow step access to required deployment environment #2672

Uh oh!

Diff view

Diff view

Uh oh!

There are no files selected for viewing

Uh oh!