[EMB-115] Migrate package release from Cloudsmith to GAR

.github/workflows/build.yml

@@ -10,15 +10,18 @@ jobs:
   Build:
     name: 'Build Package'
     runs-on: ubuntu-latest
+    permissions:
+      contents: 'read'
+      id-token: 'write'
     env:
       RELEASE_VERSION: ${{ inputs.RELEASE_VERSION }}
     steps:
       - name: Checkout Repository
         uses: actions/checkout@v4
         with:
-          token: ${{ secrets.ULTIMAKER_CI_PAT }}
+          token: ${{ secrets.ULTIMAKER_CI_PAT }}  # TODO: Replace with GITHUB_TOKEN - See https://ultimaker.atlassian.net/browse/EMB-120
           submodules: recursive
-         
+
       - name: Build Package
         id: build
         run: |
@@ -27,30 +30,14 @@ jobs:
           # an encrypted firmware module using Ultimaker/umlicensemanager.
           # Other firmware components ignore this.
           export BUILDTYPE=PRODUCTION
-          # Encryption key for UMMOD file in "PRODUCTION" build mode.
-          # See umlicensemanager documentation
-          export UMLM_ENCRYPTION_KEY="${{ secrets.UMLM_ENCRYPTION_KEY }}"
-
           export RELEASE_VERSION="${{ env.RELEASE_VERSION }}"
           echo "RELEASE_VERSION: ${RELEASE_VERSION}"
 
-          ./build_for_ultimaker.sh -a build
-
+          # Pass encryption key directly to the build script, not as global export
+          UMLM_ENCRYPTION_KEY="${{ secrets.UMLM_ENCRYPTION_KEY }}" ./build_for_ultimaker.sh -a build
+
       - name: Upload Artifact (Built package)
         uses: actions/upload-artifact@v4
         with:
           name: build-package
           path: "./*.deb"
-
-      - name: Dump GitHub context
-        if: ${{ always() }}
-        env:
-           GITHUB_CONTEXT: ${{ toJson(github) }}
-           JOB_CONTEXT: ${{ toJson(job) }}
-           STEPS_CONTEXT: ${{ toJson(steps) }}
-           RUNNER_CONTEXT: ${{ toJson(runner) }}
-        run: |
-          echo "${GITHUB_CONTEXT}"
-          echo "${JOB_CONTEXT}"
-          echo "${STEPS_CONTEXT}"
-          echo "${RUNNER_CONTEXT}"

.github/workflows/prepare_env.yml

@@ -2,130 +2,87 @@ on:
   workflow_call:
     inputs:
       BUILD_DOCKER_CACHE:
-        description: "If true, will build the docker image cache"
+        description: 'If true, will build the docker image cache'
         type: boolean
         required: false
         default: false
+      EMBEDDED_WORKFLOWS_BRANCH:
+        description: 'Branch to checkout embedded-workflows repo'
+        type: string
+        required: false
+        default: 'EMB-115_migrate_to_gar'  # TODO: Change to `main` once merged
     outputs:
       RELEASE_VERSION:
         description: "The package version for this build"
         value: ${{ jobs.Prepare.outputs.RELEASE_VERSION }}
       RELEASE_REPO:
-        description: "The Cloudsmith repository to release the package"
+        description: "The GAR repository to release the package"
         value: ${{ jobs.Prepare.outputs.RELEASE_REPO }}
 env:
   # All branches starting with any of the items in the list below will be
   # considered a master branch, e.g. "master/s-line" starts with "master"
   # from the list below and it is then a master branch.
   MASTER_BRANCH_LIST: "main master stable"
-  VERSION_REGEX: 'v[0-9]{1,4}\.[0-9]{1,4}\.[0-9]{1,9}(-(dev|[0-9]{1,3}))?'
-
+  # Regex to capture full prerelease identifiers including numeric suffixes
+  # Examples: v1.2.3, v1.2.3-alpha, v1.2.3-beta.1, v1.2.3-rc.2
+  VERSION_REGEX: 'v[0-9]{1,4}\.[0-9]{1,4}\.[0-9]{1,9}(-(alpha|beta|rc)(\.?[0-9]+)?)?'
+
 jobs:
   Prepare:
     name: 'Prepare Environment'
     runs-on: ubuntu-latest
+    permissions:
+      contents: 'read'
+      id-token: 'write'
     outputs:
       RELEASE_VERSION: ${{ steps.vars.outputs.RELEASE_VERSION }}
       RELEASE_REPO: ${{ steps.vars.outputs.RELEASE_REPO }}
-    env:
-      CURRENT_BRANCH_REF: ${{ github.ref_type == 'branch' && github.ref || github.event.base_ref }}  
     steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.ULTIMAKER_CI_PAT }}  # TODO: Replace with GITHUB_TOKEN - See https://ultimaker.atlassian.net/browse/EMB-120
+          fetch-depth: 0  # Full history needed for git describe
+          submodules: recursive  # Needed for docker cache build
+
+      - name: Checkout Embedded-workflows repo
+        uses: actions/checkout@v4
+        with:
+          repository: Ultimaker/embedded-workflows
+          path: embedded-workflows
+          ref: ${{ inputs.EMBEDDED_WORKFLOWS_BRANCH }}
+
       - name: Generate Variables
         id: vars
         run: |
-          echo "GITHUB_REF ${GITHUB_REF}"
-          echo "GITHUB_REF_NAME ${GITHUB_REF_NAME}"
-          echo "GITHUB_REF_TYPE: ${GITHUB_REF_TYPE}"
-          RELEASE_VERSION="999.999.999"
-          RELEASE_REPO="none"
-
-          # Check if this is a commit/tag in the master branch
-          IS_MASTER_BRANCH="no"
-          CURRENT_BRANCH="${CURRENT_BRANCH_REF##refs/heads/}"
-          for master_branch in $MASTER_BRANCH_LIST; do
-            # Try to remove "master_branch" from "CURRENT_BRANCH" and check if it changes
-            if [[ "${CURRENT_BRANCH##${master_branch}}" != "${CURRENT_BRANCH}" ]]; then
-              IS_MASTER_BRANCH="yes"
-              break
-            fi;
-          done;
-          echo "CURRENT_BRANCH: ${CURRENT_BRANCH}"
-          echo "IS_MASTER_BRANCH: ${IS_MASTER_BRANCH}"
+          set -euo pipefail
 
-          # Check what triggered this action: A Pull Request, a tag push or branch push
-          TRIGGER="pull_request"
-          if [[ "${GITHUB_EVENT_NAME}" == "push" ]]; then
-            if [[ "${GITHUB_REF_TYPE}" == "tag" ]]; then
-              TRIGGER="tag"
-            else
-              TRIGGER="branch"
-            fi
-          fi
+          # Use dedicated script for version generation
+          # This script can be tested locally and reused across workflows
+          VERSION_OUTPUT=$(./embedded-workflows/scripts/generate_semver_version.sh)
 
-          echo "TRIGGER: ${TRIGGER}"
+          # Parse output and set GitHub outputs
+          RELEASE_VERSION=$(echo "$VERSION_OUTPUT" | grep "^RELEASE_VERSION=" | cut -d= -f2)
+          RELEASE_REPO=$(echo "$VERSION_OUTPUT" | grep "^RELEASE_REPO=" | cut -d= -f2)
 
-          if [[ "${TRIGGER}" == "branch" && "${IS_MASTER_BRANCH}" == "yes" ]]; then
-            echo "This is a merge to master, lets make the Nightly Release"
-
-            # Lets prepare the package name from the branch name. There are a few rules for debian package version and we must follow them:
-            # - Only lowercase letters: So lets convert all uppercase letter to lower case:            
-            NIGHTLY_PACKAGE_VERSION_SUFFIX="${GITHUB_REF_NAME@L}"
-
-            # - Other accepted chars: numbers (0-9), '.', '+' and '-'. Lets convert all other chars to '-':
-            NIGHTLY_PACKAGE_VERSION_SUFFIX=${NIGHTLY_PACKAGE_VERSION_SUFFIX//[^0-9a-z+.-]/-}
-
-            echo "Nightly Package Version Suffix: '${NIGHTLY_PACKAGE_VERSION_SUFFIX}'"
-            RELEASE_REPO="nightly-builds"
-            RELEASE_VERSION="$(date +%Y.%m.%d)-merge-${NIGHTLY_PACKAGE_VERSION_SUFFIX}"
-
-          elif [[ "${TRIGGER}" == "tag" ]]; then
-            echo "This is a tag push, lets parse the tag >${GITHUB_REF_NAME}< and check if we should release"
-            VERSION=$(echo "${GITHUB_REF_NAME}" | grep -o -E -e "${VERSION_REGEX}") || true   # Return true if grep finds nothing
-            RELEASE_VERSION="${VERSION#v}"  # Remove the initial "v" leaving only the numbers and optional "-dev"
-
-            if [[ -z "${RELEASE_VERSION}" ]]; then
-              echo "Failed to parse the tag, it does not follow the standard"
-            elif [[ "${RELEASE_VERSION//dev/}" == "${RELEASE_VERSION}" ]]; then ## True if there is no "dev" in the tag
-              echo "Success, this is a official release"
-              RELEASE_REPO="packages-released"
-            else
-              echo "Success, this is a development release"
-              RELEASE_REPO="packages-dev"
-            fi
-          fi
-
-          if [[ "${RELEASE_REPO}" == "none" ]]; then
-              echo "This is an ordinary commit, do not release"
-              RELEASE_VERSION="999.999.999"
-          fi
-
-          echo "RELEASE_VERSION: ${RELEASE_VERSION}"
-          echo "RELEASE_REPO: ${RELEASE_REPO}"
           echo RELEASE_VERSION="${RELEASE_VERSION}" >> $GITHUB_OUTPUT
           echo RELEASE_REPO="${RELEASE_REPO}" >> $GITHUB_OUTPUT
 
-      - name: Checkout Repository
-        if: ${{ inputs.BUILD_DOCKER_CACHE }}
-        uses: actions/checkout@v4
-        with:
-          token: ${{ secrets.ULTIMAKER_CI_PAT }}
-          submodules: recursive
+      - name: Generate Summary
+        run: |
+          set -euo pipefail
+
+          echo "# Environment Preparation Summary" >> "$GITHUB_STEP_SUMMARY"
+          echo "" >> "$GITHUB_STEP_SUMMARY"
+          echo "## Release Information" >> "$GITHUB_STEP_SUMMARY"
+          echo "- **Version**: \`${{ steps.vars.outputs.RELEASE_VERSION }}\`" >> "$GITHUB_STEP_SUMMARY"
+          echo "- **Repository**: \`${{ steps.vars.outputs.RELEASE_REPO }}\`" >> "$GITHUB_STEP_SUMMARY"
+          echo "- **Trigger**: \`${GITHUB_EVENT_NAME}\`" >> "$GITHUB_STEP_SUMMARY"
+          echo "- **Ref Type**: \`${GITHUB_REF_TYPE}\`" >> "$GITHUB_STEP_SUMMARY"
+          echo "- **Ref Name**: \`${GITHUB_REF_NAME}\`" >> "$GITHUB_STEP_SUMMARY"
 
       - name: "Build Docker Image Cache"
         if: ${{ inputs.BUILD_DOCKER_CACHE }}
         run: |
           echo "${{ secrets.ULTIMAKER_CI_PAT }}" | docker login ghcr.io -u $ --password-stdin
           ./build_for_ultimaker.sh -a build_docker_cache
-
-      - name: Dump GitHub context
-        if: ${{ always() }}
-        env:
-           GITHUB_CONTEXT: ${{ toJson(github) }}
-           JOB_CONTEXT: ${{ toJson(job) }}
-           STEPS_CONTEXT: ${{ toJson(steps) }}
-           RUNNER_CONTEXT: ${{ toJson(runner) }}
-        run: |
-          echo "${GITHUB_CONTEXT}"
-          echo "${JOB_CONTEXT}"
-          echo "${STEPS_CONTEXT}"
-          echo "${RUNNER_CONTEXT}"

.github/workflows/release_docker_img.yml

@@ -17,23 +17,26 @@ on:
 env:
   DOCKER_IMAGE_NAME: ghcr.io/ultimaker/${{ inputs.DOCKER_IMAGE_NAME }}
   DOCKER_TAG_PREFIX: ${{ inputs.DOCKER_TAG_PREFIX }}
-  
+
 jobs:
   Build:
     name: 'Build and Release Docker Image'
     runs-on: ubuntu-latest
+    permissions:
+      contents: 'read'
+      id-token: 'write'
     steps:
       - name: Checkout Repository
         uses: actions/checkout@v4
         with:
-          token: ${{ secrets.ULTIMAKER_CI_PAT }}
+          token: ${{ secrets.ULTIMAKER_CI_PAT }}  # TODO: Replace with GITHUB_TOKEN - See https://ultimaker.atlassian.net/browse/EMB-120
           submodules: recursive
 
       - name: Login in GitHub Container Registry
         id: ghcr_login
         run: |
           echo "${{ secrets.ULTIMAKER_CI_PAT }}" | docker login ghcr.io -u $ --password-stdin
-                   
+
       - name: Build Docker Image
         id: build
         run: |
@@ -55,11 +58,3 @@ jobs:
           echo "DOCKER_IMAGE_NAME: ${DOCKER_IMAGE_NAME}"
           echo "DOCKER_IMAGE_VERSION: ${DOCKER_IMAGE_VERSION}"
           docker push "${DOCKER_IMAGE_NAME}:${DOCKER_IMAGE_VERSION}"
-
-      - name: Dump GitHub context
-        if: ${{ always() }}
-        run: |
-          echo "${{ toJson(github) }}"
-          echo "${{ toJson(steps) }}"
-          echo "${{ toJson(runner) }}"
-