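# Build, test and publish workflow.
#
# The `build` job compiles and tests on a matrix of hosted and self-hosted
# runners and uploads the results as artifacts. The `publish` job downloads
# those artifacts and pushes them to the release channels; it is skipped for
# pull requests and for repositories other than kopia/kopia.
name: Build

on:
  pull_request:
    branches: [master]
  push:
    # artifacts-pr is listed alongside master as a branch for testing
    # post-submit code (the comment here previously called it ci-sandbox).
    branches: [master, artifacts-pr]
    tags:
      - 'v*'
  schedule:
    # run on Mondays at 8AM
    - cron: '0 8 * * 1'

# Least privilege for the automatic GITHUB_TOKEN. Every step below that pushes
# anything is handed its own credential through `env:`, so read access to the
# repository contents is all the automatic token needs for checkout.
# NOTE(review): widen this per job if a make target turns out to rely on the
# automatic token.
permissions:
  contents: read

env:
  # environment variables shared between build steps
  # do not include sensitive credentials and tokens here, instead pass them
  # directly to tools that need them to limit the blast radius in case one of them
  # becomes compromised and leaks credentials to external sites.

  # required by Makefile
  UNIX_SHELL_ON_WINDOWS: true

  # set to true if Publish Artifacts should run
  PUBLISH_ARTIFACTS: ${{ secrets.PUBLISH_ARTIFACTS }}

  # where to publish releases for non-tagged commits
  NON_TAG_RELEASE_REPO: ${{ secrets.NON_TAG_RELEASE_REPO }}

  # RPM and APT packages GCS bucket/hostname.
  PACKAGES_HOST: ${{ secrets.PACKAGES_HOST }}

  # set (to any value other than false) to trigger random unicode filenames testing (logs may be difficult to read)
  ENABLE_UNICODE_FILENAMES: ${{ secrets.ENABLE_UNICODE_FILENAMES }}

  # set (to any value other than false) to trigger very long filenames testing
  ENABLE_LONG_FILENAMES: ${{ secrets.ENABLE_LONG_FILENAMES }}

# NOTE(review): the actions used below are referenced by mutable tags
# (@v1 / @v2). Pinning each `uses:` to a full commit SHA would keep a re-tagged
# release from changing what runs in this workflow.
jobs:
  build:
    strategy:
      fail-fast: false
      matrix:
        os: [windows-latest, ubuntu-latest, macos-latest]
        # NOTE(review): this job also runs for pull_request events. Confirm that
        # pull requests from forks need maintainer approval before they reach
        # the self-hosted runners, and that those runners hold no long-lived
        # credentials.
        include:
          - os: [self-hosted, ARM64]
          - os: [self-hosted, ARMHF]
    name: Make
    runs-on: ${{ matrix.os }}
    # failures on self-hosted runners do not fail the workflow
    continue-on-error: ${{ contains(matrix.os, 'self-hosted') }}
    steps:
      - name: Set up Go.
        uses: actions/setup-go@v2
        with:
          go-version: '^1.17'
        id: go
        if: ${{ !contains(matrix.os, 'ARMHF') }}

      - name: Install GoLang for ARMHF
        # -f makes curl fail on an HTTP error instead of piping an error page
        # into tar; -S keeps the error message visible despite -s.
        # NOTE(review): the tarball is unpacked straight from the network with
        # no checksum or signature check. Download it to a file and verify it
        # against the published SHA-256 before extracting.
        run: "echo /usr/local/go/bin >> $GITHUB_PATH; rm -rf /usr/local/go && mkdir -p /usr/local/go && curl -fsSL https://golang.org/dl/go1.17.linux-armv6l.tar.gz | tar -C /usr/local -xz"
        if: ${{ contains(matrix.os, 'ARMHF') }}

      - name: Install Windows-specific packages
        run: "choco install --no-progress -y make zip unzip curl"
        if: ${{ contains(matrix.os, 'windows') }}

      - name: Install macOS-specific packages
        run: "sudo xcode-select -r"
        if: ${{ contains(matrix.os, 'macos') }}

      - name: Check out code into the Go module directory
        uses: actions/checkout@v2
        with:
          fetch-depth: 0
          # keep the automatic token out of .git/config so the make targets
          # that follow (including the NPM scripts run by html-ui) cannot
          # read it from the working tree.
          persist-credentials: false

      - name: Setup
        run: make -j4 ci-setup

      - name: Build HTML
        # build HTML separately without passing any sensitive credentials to the build
        # since it involves a bunch of NPM scripts.
        run: make html-ui

      - name: Install macOS certificates
        # install signing tools and credentials for macOS and Windows outside of main
        # build process.
        run: make macos-certificates
        env:
          # macOS signing certificate (base64-encoded), used by Electron Builder
          CSC_LINK: ${{ secrets.CSC_LINK }}
          CSC_KEYCHAIN: ${{ secrets.CSC_KEYCHAIN }}
          CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
          MACOS_SIGNING_IDENTITY: ${{ secrets.MACOS_SIGNING_IDENTITY }}
        if: ${{ contains(matrix.os, 'macos') }}

      - name: Install Windows signing tools
        # install signing tools and credentials for macOS and Windows outside of main
        # build process.
        run: make windows-signing-tools
        env:
          # tool to install Windows signing certificate
          WINDOWS_SIGNING_TOOLS_URL: ${{ secrets.WINDOWS_SIGNING_TOOLS_URL }}
          WINDOWS_SIGN_TOOL: ${{ secrets.WINDOWS_SIGN_TOOL }}
        if: ${{ contains(matrix.os, 'windows') }}

      - name: Build
        run: make ci-build
        env:
          # Apple ID and app-specific password for notarization, used by Electron Builder
          APPLEID: ${{ secrets.APPLEID }}
          APPLEIDPASS: ${{ secrets.APPLEIDPASS }}
          KOPIA_UI_NOTARIZE: ${{ secrets.KOPIA_UI_NOTARIZE }}

          # tool to install Windows signing certificate
          WINDOWS_SIGN_USER: ${{ secrets.WINDOWS_SIGN_USER }}
          WINDOWS_SIGN_AUTH: ${{ secrets.WINDOWS_SIGN_AUTH }}
          WINDOWS_CERT_SHA1: ${{ secrets.WINDOWS_CERT_SHA1 }}
          WINDOWS_SIGN_TOOL: ${{ secrets.WINDOWS_SIGN_TOOL }}

          # macOS signing certificate (base64-encoded), used by Electron Builder
          MACOS_SIGNING_IDENTITY: ${{ secrets.MACOS_SIGNING_IDENTITY }}

      - name: Tests
        run: make ci-tests
        # outside pull requests a test failure does not fail the job, so the
        # publish job (needs: build) can still run.
        # NOTE(review): confirm this is intended for tagged releases.
        continue-on-error: ${{ github.event_name != 'pull_request' }}

      - name: Integration Tests
        run: make -j2 ci-integration-tests
        # same policy as the Tests step: failures only block pull requests
        continue-on-error: ${{ github.event_name != 'pull_request' }}

      - name: Upload Logs
        uses: actions/upload-artifact@v2
        with:
          name: logs
          path: .logs/**/*.log
          if-no-files-found: ignore
        # upload logs even when an earlier step failed
        if: ${{ always() }}

      - name: Upload Kopia Artifacts
        uses: actions/upload-artifact@v2
        with:
          name: kopia
          path: |
            dist/*.md
            dist/*.rb
            dist/*.zip
            dist/*.tar.gz
            dist/*.rpm
            dist/*.deb
            dist/*.exe
            dist/kopia-ui/*.zip
            dist/kopia-ui/*.tar.gz
            dist/kopia-ui/*.dmg
            dist/kopia-ui/*.rpm
            dist/kopia-ui/*.deb
            dist/kopia-ui/*.exe
            dist/kopia-ui/*.AppImage
            dist/kopia-ui/*.yml
          if-no-files-found: ignore
        # artifacts from self-hosted runners are not uploaded, so they never
        # reach the publish job
        if: ${{ !contains(matrix.os, 'self-hosted') }}

      - name: Upload Kopia Binary
        uses: actions/upload-artifact@v2
        with:
          name: kopia_binaries
          path: |
            dist/*/kopia
            dist/*/kopia.exe
          if-no-files-found: ignore
        if: ${{ !contains(matrix.os, 'self-hosted') }}

  publish:
    name: Stage And Publish Artifacts
    runs-on: ubuntu-latest
    needs: build
    # never publish from pull requests or from forks of the repository
    if: github.event_name != 'pull_request' && github.repository == 'kopia/kopia'
    steps:
      # NOTE(review): persist-credentials is left at its default here because
      # the publish targets may rely on the checkout's git credentials; confirm
      # and set it to false if they do not.
      - uses: actions/checkout@v2

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v1

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1

      - name: Download Artifacts
        uses: actions/download-artifact@v2
        with:
          name: kopia
          path: dist

      - name: Download Kopia Binaries
        uses: actions/download-artifact@v2
        with:
          name: kopia_binaries
          path: dist_binaries

      - name: Display structure of downloaded files
        run: ls -lR dist/ dist_binaries/

      # each credential below is scoped to the single step that needs it
      - name: Install GPG Key
        run: make ci-gpg-key
        env:
          GPG_KEYRING: ${{ secrets.GPG_KEYRING }}

      - name: Stage Release
        run: make stage-release

      - name: Push Github Release
        run: make push-github-release
        env:
          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}

      - name: Install GCS Credentials
        run: make ci-gcs-creds
        env:
          GCS_CREDENTIALS: ${{ secrets.GCS_CREDENTIALS }}

      - name: Publish APT
        # this needs GCS credentials and GPG keys installed before.
        run: make publish-apt

      - name: Publish RPM
        # this needs GCS credentials and GPG keys installed before.
        run: make publish-rpm

      - name: Publish Homebrew
        # this only pushes to a GitHub repository.
        run: make publish-homebrew
        env:
          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}

      - name: Publish Scoop
        # this only pushes to a GitHub repository.
        run: make publish-scoop
        env:
          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}

      - name: Publish Docker
        run: make publish-docker
        env:
          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}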