name: Build on: pull_request: branches: [ master ] push: # ci-sandbox is a branch dedicated to testing post-submit code. branches: [ master, artifacts-pr ] tags: - v* schedule: # run on Mondays at 8AM - cron: '0 8 * * 1' concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true env: # environment variables shared between build steps # do not include sensitive credentials and tokens here, instead pass them # directly to tools that need them to limit the blast radius in case one of them # becomes compromised and leaks credentials to external sites. # required by Makefile UNIX_SHELL_ON_WINDOWS: true # set to true if Publish Artifacts should run PUBLISH_ARTIFACTS: ${{ secrets.PUBLISH_ARTIFACTS }} # where to publish releases for non-tagged commits NON_TAG_RELEASE_REPO: ${{ secrets.NON_TAG_RELEASE_REPO }} # RPM and APT packages GCS bucket/hostname. PACKAGES_HOST: ${{ secrets.PACKAGES_HOST }} jobs: build: strategy: fail-fast: false matrix: os: [windows-latest, ubuntu-latest, macos-latest, ubuntu-24.04-arm ] name: Make runs-on: ${{ matrix.os }} steps: - name: Check out repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 - name: Set up Go uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0 with: go-version-file: 'go.mod' check-latest: true id: go - name: Install Windows-specific packages run: "choco install --no-progress -y make zip unzip curl" if: ${{ contains(matrix.os, 'windows') }} - name: Install macOS-specific packages run: "sudo xcode-select -r" if: ${{ contains(matrix.os, 'macos') }} - name: Setup run: make -j4 ci-setup - name: Install macOS certificates # install signing tools and credentials for macOS and Windows outside of main # build process. run: make macos-certificates env: # macOS signing certificate (base64-encoded), used by Electron Builder CSC_LINK: ${{ secrets.CSC_LINK }} CSC_KEYCHAIN: ${{ secrets.CSC_KEYCHAIN }} CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }} MACOS_SIGNING_IDENTITY: ${{ secrets.MACOS_SIGNING_IDENTITY }} if: ${{ contains(matrix.os, 'macos') }} - name: Install Windows signing tools # install signing tools and credentials for macOS and Windows outside of main # build process. run: make windows-signing-tools env: # tool to install Windows signing certificate WINDOWS_SIGNING_TOOLS_URL: ${{ secrets.WINDOWS_SIGNING_TOOLS_URL }} WINDOWS_SIGN_TOOL: ${{ secrets.WINDOWS_SIGN_TOOL }} if: ${{ contains(matrix.os, 'windows') }} - name: Build run: make ci-build timeout-minutes: 40 env: # Apple credentials for notarizaton, used by Electron Builder APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }} APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }} APPLE_API_KEY_BASE64: ${{ secrets.APPLE_API_KEY_BASE64 }} APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }} KOPIA_UI_NOTARIZE: ${{ secrets.KOPIA_UI_NOTARIZE }} # tool to install Windows signing certificate WINDOWS_SIGN_USER: ${{ secrets.WINDOWS_SIGN_USER }} WINDOWS_SIGN_AUTH: ${{ secrets.WINDOWS_SIGN_AUTH }} WINDOWS_CERT_SHA1: ${{ secrets.WINDOWS_CERT_SHA1 }} WINDOWS_SIGN_TOOL: ${{ secrets.WINDOWS_SIGN_TOOL }} # macOS signing certificate (base64-encoded), used by Electron Builder MACOS_SIGNING_IDENTITY: ${{ secrets.MACOS_SIGNING_IDENTITY }} - name: Upload Kopia Artifacts uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: kopia-${{ matrix.os }} path: | dist/*.md dist/*.rb dist/*.zip dist/*.tar.gz dist/*.rpm dist/*.deb dist/*.exe dist/kopia-ui/*.zip dist/kopia-ui/*.tar.gz dist/kopia-ui/*.dmg dist/kopia-ui/*.rpm dist/kopia-ui/*.deb dist/kopia-ui/*.exe dist/kopia-ui/*.AppImage dist/kopia-ui/*.yml if-no-files-found: ignore - name: Upload Kopia Binary uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: kopia_binaries-${{ matrix.os }} path: | dist/*/kopia dist/*/kopia.exe dist/*/rclone dist/*/rclone.exe if-no-files-found: ignore publish: name: Stage And Publish Artifacts runs-on: ubuntu-latest needs: build if: github.event_name != 'pull_request' && github.repository == 'kopia/kopia' steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up QEMU uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 - name: Set up Docker Buildx uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0 - name: Install Linux-specific packages run: "sudo apt-get install -y createrepo-c" - name: Download Artifacts uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1 with: pattern: kopia-* merge-multiple: true path: dist - name: Download Kopia Binaries uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1 with: pattern: kopia_binaries-* merge-multiple: true path: dist_binaries - name: Display structure of downloaded files run: ls -lR dist/ dist_binaries/ - name: Install GPG Key run: make ci-gpg-key env: GPG_KEYRING: ${{secrets.GPG_KEYRING}} - name: Stage Release run: make stage-release - name: Push Github Release run: make push-github-release env: GITHUB_TOKEN: ${{secrets.GH_TOKEN}} - name: Install GCS Credentials run: make ci-gcs-creds env: GCS_CREDENTIALS: ${{secrets.GCS_CREDENTIALS}} - name: Publish APT # this needs GCS credentials and GPG keys installed before. run: make publish-apt - name: Publish RPM # this needs GCS credentials and GPG keys installed before. run: make publish-rpm - name: Publish Homebrew # this only pushes to a GitHub repository. run: make publish-homebrew env: GITHUB_TOKEN: ${{secrets.GH_TOKEN}} - name: Publish Scoop # this only pushes to a GitHub repository. run: make publish-scoop env: GITHUB_TOKEN: ${{secrets.GH_TOKEN}} - name: Publish Docker run: make publish-docker env: DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} - name: Bump Homebrew formula uses: dawidd6/action-homebrew-bump-formula@8d494330bce4434918392df134ad3db1167904db # v4 # only bump formula for tags which don't contain '-' # this excludes vx.y.z-rc1 if: github.ref_type == 'tag' && !contains(github.ref_name, '-') with: token: ${{ secrets.HOMEBREW_PUSH_TOKEN }} formula: kopia