name: Build on: pull_request: branches: [ master ] push: # ci-sandbox is a branch dedicated to testing post-submit code. branches: [ master, artifacts-pr ] tags: - v* schedule: # run on Mondays at 8AM - cron: '0 8 * * 1' concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true env: # environment variables shared between build steps # do not include sensitive credentials and tokens here, instead pass them # directly to tools that need them to limit the blast radius in case one of them # becomes compromised and leaks credentials to external sites. # required by Makefile UNIX_SHELL_ON_WINDOWS: true # set to true if Publish Artifacts should run PUBLISH_ARTIFACTS: ${{ secrets.PUBLISH_ARTIFACTS }} # where to publish releases for non-tagged commits NON_TAG_RELEASE_REPO: ${{ secrets.NON_TAG_RELEASE_REPO }} # RPM and APT packages GCS bucket/hostname. PACKAGES_HOST: ${{ secrets.PACKAGES_HOST }} jobs: build: strategy: fail-fast: false matrix: os: [windows-latest, ubuntu-latest, macos-latest, ubuntu-24.04-arm ] name: Make runs-on: ${{ matrix.os }} steps: - name: Check out repository uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 - name: Set up Go uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: go-version-file: 'go.mod' id: go - name: Install Windows-specific packages run: "choco install --no-progress -y make zip unzip curl" if: ${{ contains(matrix.os, 'windows') }} - name: Install macOS-specific packages run: "sudo xcode-select -r" if: ${{ contains(matrix.os, 'macos') }} - name: Setup run: make -j4 ci-setup - name: Install macOS certificates # install signing tools and credentials for macOS and Windows outside of main # build process. run: make macos-certificates env: # macOS signing certificate (base64-encoded), used by Electron Builder CSC_LINK: ${{ secrets.CSC_LINK }} CSC_KEYCHAIN: ${{ secrets.CSC_KEYCHAIN }} CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }} MACOS_SIGNING_IDENTITY: ${{ secrets.MACOS_SIGNING_IDENTITY }} if: ${{ contains(matrix.os, 'macos') }} - name: Install Windows signing tools # install signing tools and credentials for macOS and Windows outside of main # build process. run: make windows-signing-tools env: # tool to install Windows signing certificate WINDOWS_SIGNING_TOOLS_URL: ${{ secrets.WINDOWS_SIGNING_TOOLS_URL }} WINDOWS_SIGN_TOOL: ${{ secrets.WINDOWS_SIGN_TOOL }} if: ${{ contains(matrix.os, 'windows') }} - name: Build run: make ci-build timeout-minutes: 40 env: # Apple credentials for notarization, used by Electron Builder APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }} APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }} APPLE_API_KEY_BASE64: ${{ secrets.APPLE_API_KEY_BASE64 }} APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }} KOPIA_UI_NOTARIZE: ${{ secrets.KOPIA_UI_NOTARIZE }} # tool to install Windows signing certificate WINDOWS_SIGN_USER: ${{ secrets.WINDOWS_SIGN_USER }} WINDOWS_SIGN_AUTH: ${{ secrets.WINDOWS_SIGN_AUTH }} WINDOWS_CERT_SHA1: ${{ secrets.WINDOWS_CERT_SHA1 }} WINDOWS_SIGN_TOOL: ${{ secrets.WINDOWS_SIGN_TOOL }} # macOS signing certificate (base64-encoded), used by Electron Builder MACOS_SIGNING_IDENTITY: ${{ secrets.MACOS_SIGNING_IDENTITY }} - name: Upload Kopia Artifacts uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: kopia-${{ matrix.os }} path: | dist/*.md dist/*.rb dist/*.zip dist/*.tar.gz dist/*.rpm dist/*.deb dist/*.exe dist/kopia-ui/*.zip dist/kopia-ui/*.tar.gz dist/kopia-ui/*.dmg dist/kopia-ui/*.rpm dist/kopia-ui/*.deb dist/kopia-ui/*.exe dist/kopia-ui/*.AppImage dist/kopia-ui/*.yml if-no-files-found: ignore - name: Upload Kopia Binary uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: kopia_binaries-${{ matrix.os }} path: | dist/*/kopia dist/*/kopia.exe dist/*/rclone dist/*/rclone.exe if-no-files-found: ignore publish: name: Stage And Publish Artifacts runs-on: ubuntu-latest needs: build if: github.event_name != 'pull_request' && github.repository == 'kopia/kopia' steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Set up QEMU uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 - name: Set up Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Install Linux-specific packages run: "sudo apt-get install -y createrepo-c" - name: Download Artifacts uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 with: pattern: kopia-* merge-multiple: true path: dist - name: Download Kopia Binaries uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 with: pattern: kopia_binaries-* merge-multiple: true path: dist_binaries - name: Display structure of downloaded files run: ls -lR dist/ dist_binaries/ - name: Install GPG Key run: make ci-gpg-key env: GPG_KEYRING: ${{secrets.GPG_KEYRING}} - name: Stage Release run: make stage-release - name: Push Github Release run: make push-github-release env: GITHUB_TOKEN: ${{secrets.GH_TOKEN}} - name: Install GCS Credentials run: make ci-gcs-creds env: GCS_CREDENTIALS: ${{secrets.GCS_CREDENTIALS}} - name: Publish APT # this needs GCS credentials and GPG keys installed before. run: make publish-apt - name: Publish RPM # this needs GCS credentials and GPG keys installed before. run: make publish-rpm - name: Publish Homebrew # this only pushes to a GitHub repository. run: make publish-homebrew env: GITHUB_TOKEN: ${{secrets.GH_TOKEN}} - name: Publish Scoop # this only pushes to a GitHub repository. run: make publish-scoop env: GITHUB_TOKEN: ${{secrets.GH_TOKEN}} - name: Publish Docker run: make publish-docker env: DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} - name: Bump Homebrew formula uses: dawidd6/action-homebrew-bump-formula@3428a0601bba3173ec0bdcc945be23fa27aa4c31 # v5 # only bump formula for tags which don't contain '-' # this excludes vx.y.z-rc1 if: github.ref_type == 'tag' && !contains(github.ref_name, '-') with: token: ${{ secrets.HOMEBREW_PUSH_TOKEN }} formula: kopia