From 624f9054da2d9cbc1b8e1fe7c60841d66d9bbe2f Mon Sep 17 00:00:00 2001 From: per1234 Date: Sun, 2 Nov 2025 05:23:11 -0800 Subject: [PATCH 1/2] Move nightly build checksum generation to dedicated job The "Publish Nightly Build" GitHub Actions workflow calculates checksums of the generated builds and writes them to a file. This file may be used to validate downloads of the builds. In addition to uploading the builds to Arduino's downloads server, the workflow also uploads them to GitHub Actions workflow artifacts. These artifacts may serve as an alternative source of the nightly builds (similar to the tester builds). Previously the checksum generation was performed in the workflow's "publish-nightly" job, which is used to upload the builds to Arduino's downloads server. In addition to being outside the stated scope of that job, this also meant that the checksum file was only available from Arduino's downloads server, and not from the workflow artifacts. Moving the checksum generation code to a dedicated job limits the operations in the important "publish-nightly" job exclusively to its stated scope. This also results in the checksum file being available as a workflow artifact. --- .github/workflows/publish-go-nightly-task.yml | 41 +++++++++++++++---- 1 file changed, 34 insertions(+), 7 deletions(-) diff --git a/.github/workflows/publish-go-nightly-task.yml b/.github/workflows/publish-go-nightly-task.yml index df13edc8..21c68e57 100644 --- a/.github/workflows/publish-go-nightly-task.yml +++ b/.github/workflows/publish-go-nightly-task.yml 
@@ -219,10 +219,43 @@ jobs: overwrite: true path: ${{ env.DIST_DIR }}/${{ env.PACKAGE_FILENAME }} + checksums: + needs: notarize-macos + runs-on: ubuntu-latest + permissions: + contents: read + + steps: + - name: Set environment variables + run: | + # See: https://docs.github.com/actions/reference/workflows-and-actions/workflow-commands#setting-an-environment-variable + TAG="nightly-$(date -u +"%Y%m%d")" + echo "CHECKSUM_FILE_PATH=${{ runner.temp }}/${TAG}-checksums.txt" >>"$GITHUB_ENV" + echo "TAG=$TAG" >>"$GITHUB_ENV" + + - name: Download artifacts + uses: actions/download-artifact@v6 + with: + merge-multiple: true + path: ${{ env.DIST_DIR }} + pattern: ${{ env.ARTIFACT_PREFIX }}* + + - name: Create checksum file + working-directory: ${{ env.DIST_DIR }} + run: | + sha256sum ${{ env.PROJECT_NAME }}_${{ env.TAG }}* >"${{ env.CHECKSUM_FILE_PATH }}" + + - name: Upload checksum artifact + uses: actions/upload-artifact@v5 + with: + if-no-files-found: error + name: ${{ env.ARTIFACT_PREFIX }}checksums + path: ${{ env.CHECKSUM_FILE_PATH }} + publish-nightly: runs-on: ubuntu-latest environment: production - needs: notarize-macos + needs: checksums permissions: contents: write id-token: write # This is required for requesting the JWT @@ -235,12 +268,6 @@ jobs: merge-multiple: true path: ${{ env.DIST_DIR }} - - name: Create checksum file - working-directory: ${{ env.DIST_DIR }} - run: | - TAG="nightly-$(date -u +"%Y%m%d")" - sha256sum ${{ env.PROJECT_NAME }}_${TAG}* >${TAG}-checksums.txt - - name: configure aws credentials uses: aws-actions/configure-aws-credentials@v5 with: From dfc288d06d7486f434714c9adb3d93521cd4e90e Mon Sep 17 00:00:00 2001 
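Review bot: The new `Create checksum file` step reaches its inputs through `${{ env.TAG }}` and `${{ env.CHECKSUM_FILE_PATH }}` expression interpolation inside `run:`, even though both values were exported to the shell through `$GITHUB_ENV` in the preceding step and the removed code in the second hunk used plain shell expansion; inlining expressions into a script body is the pattern that becomes command injection the day one of those values is derived from untrusted input, so prefer the shell form, e.g. `sha256sum "${PROJECT_NAME}_${TAG}"* >"$CHECKSUM_FILE_PATH"` (this assumes `PROJECT_NAME` is a workflow-level `env:` entry exported to the shell, which the hunk does not show). `TAG="nightly-$(date -u +"%Y%m%d")"` is recomputed independently in this job, so a run that crosses midnight UTC between the build job and this one would glob no files and fail; that risk predates this change, but a comment on the `Set environment variables` step stating that the tag must match the filename convention used by the build job would make the coupling visible. The quoted `>>"$GITHUB_ENV"` redirections are good; keep that convention for any further `GITHUB_ENV`/`GITHUB_OUTPUT` writes.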
From: per1234 Date: Sun, 2 Nov 2025 05:33:28 -0800 Subject: [PATCH 2/2] Skip publishing releases to AWS if credentials not configured The "Release" and "Publish Nightly Build" workflows upload the generated build files to the AWS S3 bucket used by Arduino's downloads server. The necessary credentials are configured in Arduino's repository. However, these workflows might be used in other contexts: - by contributors validating proposed changes to the release infrastructure in their fork - by hard forks of the project In either case (especially the former), the fork owner is unlikely to be willing/able to set up the AWS infrastructure that would be needed to use this capability of the workflow. Since these workflows also publish the builds to GitHub, the AWS upload is not essential to either 3rd party use case. The workflow code is hereby configured to skip the AWS upload steps if the necessary credentials have not been configured in the repository. The existence of the `AWS_ROLE_TO_ASSUME` repository secret is used as the indicator of whether the credentials are configured. This will allow runs of the workflow in forks without the need to remove the AWS upload steps. --- .github/workflows/publish-go-nightly-task.yml | 8 ++++++++ .github/workflows/release-go-task.yml | 7 +++++++ 2 files changed, 15 insertions(+) diff --git a/.github/workflows/publish-go-nightly-task.yml b/.github/workflows/publish-go-nightly-task.yml index 21c68e57..9737fb8d 100644 --- a/.github/workflows/publish-go-nightly-task.yml +++ b/.github/workflows/publish-go-nightly-task.yml @@ -261,7 +261,13 @@ jobs: id-token: write # This is required for requesting the JWT steps: + - name: Determine whether publishing to AWS is possible + id: aws-determination + run: | + echo "publish=${{ secrets.AWS_ROLE_TO_ASSUME != '' }}" >>$GITHUB_OUTPUT + - name: Download artifact + if: steps.aws-determination.outputs.publish == 'true' uses: actions/download-artifact@v6 with: pattern: ${{ env.ARTIFACT_PREFIX }}* 
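Review bot: The `Determine whether publishing to AWS is possible` step writes with `>>$GITHUB_OUTPUT` unquoted, whereas the first patch in this series consistently quotes `>>"$GITHUB_ENV"`; use `>>"$GITHUB_OUTPUT"` here and in the identical step added to `release-go-task.yml` in the next hunk set. The indirection through a step output appears to be needed because, as far as I can tell, the `secrets` context is not usable in a step-level `if:`, and only the boolean comparison result, never the secret value, reaches the shell; a comment such as `# secrets are not available in step "if:" conditions, so the check is exposed as a step output` would save the next reader that reasoning. Gating the `Download artifact` step on the same output is correct only while the AWS upload is the sole consumer of `${{ env.DIST_DIR }}` in this job (the release workflow deliberately leaves its download ungated); a one-line comment on that step stating the assumption would stop a later step from silently operating on an empty directory.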
@@ -269,6 +275,7 @@ jobs: path: ${{ env.DIST_DIR }} - name: configure aws credentials + if: steps.aws-determination.outputs.publish == 'true' uses: aws-actions/configure-aws-credentials@v5 with: role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }} @@ -276,6 +283,7 @@ jobs: aws-region: ${{ env.AWS_REGION }} - name: Upload release files on Arduino downloads servers + if: steps.aws-determination.outputs.publish == 'true' run: | aws s3 sync \ ${{ env.DIST_DIR }} \ diff --git a/.github/workflows/release-go-task.yml b/.github/workflows/release-go-task.yml index 0cc3c8fb..aef3cf24 100644 --- a/.github/workflows/release-go-task.yml +++ b/.github/workflows/release-go-task.yml @@ -221,6 +221,11 @@ jobs: id-token: write # This is required for requesting the JWT steps: + - name: Determine whether publishing to AWS is possible + id: aws-determination + run: | + echo "publish=${{ secrets.AWS_ROLE_TO_ASSUME != '' }}" >>$GITHUB_OUTPUT + - name: Download artifact uses: actions/download-artifact@v6 with: @@ -275,6 +280,7 @@ jobs: artifacts: ${{ env.DIST_DIR }}/* - name: configure aws credentials + if: steps.aws-determination.outputs.publish == 'true' uses: aws-actions/configure-aws-credentials@v5 with: role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }} @@ -282,6 +288,7 @@ jobs: aws-region: ${{ env.AWS_REGION }} - name: Upload release files on Arduino downloads servers + if: steps.aws-determination.outputs.publish == 'true' run: | aws s3 sync \ ${{ env.DIST_DIR }} \