kopia/.github/workflows/make.yml

name: Build
on:
  pull_request:
    branches: [ master ]
  push:
    # ci-sandbox is a branch dedicated to testing post-submit code.
    branches: [ master, artifacts-pr ]
    tags:
      - v*
  schedule:
    # run on Mondays at 8AM
    - cron:  '0 8 * * 1'
concurrency: 
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
env:
  # environment variables shared between build steps
  # do not include sensitive credentials and tokens here, instead pass them
  # directly to tools that need them to limit the blast radius in case one of them
  # becomes compromised and leaks credentials to external sites.
  # required by Makefile
  UNIX_SHELL_ON_WINDOWS: true
  # set to true if Publish Artifacts should run
  PUBLISH_ARTIFACTS: ${{ secrets.PUBLISH_ARTIFACTS }}
  # where to publish releases for non-tagged commits
  NON_TAG_RELEASE_REPO: ${{ secrets.NON_TAG_RELEASE_REPO }}
  # RPM and APT packages GCS bucket/hostname.
  PACKAGES_HOST: ${{ secrets.PACKAGES_HOST }}
jobs:
  build:
    strategy:
      fail-fast: false
      matrix:
        os: [windows-latest, ubuntu-latest, macos-latest]
        include:
          - os: [self-hosted, ARM64]
          # - os: [self-hosted, ARMHF]
    name: Make
    runs-on: ${{ matrix.os }}
    continue-on-error: ${{ contains(matrix.os, 'self-hosted') }}
    steps:
    - name: Check out repository
      uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
      with:
        fetch-depth: 0
    - name: Set up Go
      uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
      with:
        go-version-file: 'go.mod'
        check-latest: true
      id: go
      if: ${{ !contains(matrix.os, 'ARMHF') }}
    - name: Install GoLang for ARMHF
      run: "echo /usr/local/go/bin >> $GITHUB_PATH; rm -rf /usr/local/go && mkdir -p /usr/local/go && curl -s -L https://go.dev/dl/go1.19.2.linux-armv6l.tar.gz | tar -C /usr/local -xz"
      if: ${{ contains(matrix.os, 'ARMHF') }}
    - name: Install Windows-specific packages
      run: "choco install --no-progress -y make zip unzip curl"
      if: ${{ contains(matrix.os, 'windows') }}
    - name: Install macOS-specific packages
      run: "sudo xcode-select -r"
      if: ${{ contains(matrix.os, 'macos') }}
    - name: Setup
      run: make -j4 ci-setup
    - name: Install macOS certificates
      # install signing tools and credentials for macOS and Windows outside of main
      # build process.
      run: make macos-certificates
      env:
        # macOS signing certificate (base64-encoded), used by Electron Builder
        CSC_LINK: ${{ secrets.CSC_LINK }}
        CSC_KEYCHAIN: ${{ secrets.CSC_KEYCHAIN }}
        CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
        MACOS_SIGNING_IDENTITY: ${{ secrets.MACOS_SIGNING_IDENTITY }}
      if: ${{ contains(matrix.os, 'macos') }}
    - name: Install Windows signing tools
      # install signing tools and credentials for macOS and Windows outside of main
      # build process.
      run: make windows-signing-tools
      env:
        # tool to install Windows signing certificate
        WINDOWS_SIGNING_TOOLS_URL: ${{ secrets.WINDOWS_SIGNING_TOOLS_URL }}
        WINDOWS_SIGN_TOOL: ${{ secrets.WINDOWS_SIGN_TOOL }}
      if: ${{ contains(matrix.os, 'windows') }}
    - name: Build 
      run: make ci-build
      timeout-minutes: 40
      env:
        # Apple credentials for notarizaton, used by Electron Builder
        APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
        APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
        APPLE_API_KEY_BASE64: ${{ secrets.APPLE_API_KEY_BASE64 }}
        APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
        KOPIA_UI_NOTARIZE: ${{ secrets.KOPIA_UI_NOTARIZE }}

        # tool to install Windows signing certificate
        WINDOWS_SIGN_USER: ${{ secrets.WINDOWS_SIGN_USER }}
        WINDOWS_SIGN_AUTH: ${{ secrets.WINDOWS_SIGN_AUTH }}
        WINDOWS_CERT_SHA1: ${{ secrets.WINDOWS_CERT_SHA1 }}
        WINDOWS_SIGN_TOOL: ${{ secrets.WINDOWS_SIGN_TOOL }}

        # macOS signing certificate (base64-encoded), used by Electron Builder
        MACOS_SIGNING_IDENTITY: ${{ secrets.MACOS_SIGNING_IDENTITY }}
    - name: Upload Kopia Artifacts
      uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
      with:
        name: kopia-${{ matrix.os }}
        path: |
          dist/*.md
          dist/*.rb
          dist/*.zip
          dist/*.tar.gz
          dist/*.rpm
          dist/*.deb
          dist/*.exe
          dist/kopia-ui/*.zip
          dist/kopia-ui/*.tar.gz
          dist/kopia-ui/*.dmg
          dist/kopia-ui/*.rpm
          dist/kopia-ui/*.deb
          dist/kopia-ui/*.exe
          dist/kopia-ui/*.AppImage
          dist/kopia-ui/*.yml
        if-no-files-found: ignore
      if: ${{ !contains(matrix.os, 'self-hosted') }}
    - name: Upload Kopia Binary
      uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
      with:
        name: kopia_binaries-${{ matrix.os }}
        path: |
          dist/*/kopia
          dist/*/kopia.exe
          dist/*/rclone
          dist/*/rclone.exe
        if-no-files-found: ignore
      if: ${{ !contains(matrix.os, 'self-hosted') }}
  publish:
    name: Stage And Publish Artifacts
    runs-on: ubuntu-latest
    needs: build
    if: github.event_name != 'pull_request' && github.repository == 'kopia/kopia'
    steps:
    - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
    - name: Set up QEMU
      uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
    - name: Download Artifacts
      uses: actions/download-artifact@9c19ed7fe5d278cd354c7dfd5d3b88589c7e2395 # v4.1.6
      with:
        pattern: kopia-*
        merge-multiple: true
        path: dist
    - name: Download Kopia Binaries
      uses: actions/download-artifact@9c19ed7fe5d278cd354c7dfd5d3b88589c7e2395 # v4.1.6
      with:
        pattern: kopia_binaries-*
        merge-multiple: true
        path: dist_binaries
    - name: Display structure of downloaded files
      run: ls -lR dist/ dist_binaries/
    - name: Install GPG Key
      run: make ci-gpg-key
      env:
        GPG_KEYRING: ${{secrets.GPG_KEYRING}}
    - name: Stage Release
      run: make stage-release
    - name: Push Github Release
      run: make push-github-release
      env:
        GITHUB_TOKEN: ${{secrets.GH_TOKEN}}
    - name: Install GCS Credentials
      run: make ci-gcs-creds
      env:
        GCS_CREDENTIALS: ${{secrets.GCS_CREDENTIALS}}
    - name: Publish APT
      # this needs GCS credentials and GPG keys installed before.
      run: make publish-apt
    - name: Publish RPM
      # this needs GCS credentials and GPG keys installed before.
      run: make publish-rpm
    - name: Publish Homebrew
      # this only pushes to a GitHub repository.
      run: make publish-homebrew
      env:
        GITHUB_TOKEN: ${{secrets.GH_TOKEN}}
    - name: Publish Scoop
      # this only pushes to a GitHub repository.
      run: make publish-scoop
      env:
        GITHUB_TOKEN: ${{secrets.GH_TOKEN}}
    - name: Publish Docker
      run: make publish-docker
      env:
        DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
        DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
    - name: Bump Homebrew formula
      uses: dawidd6/action-homebrew-bump-formula@baf2b60c51fc1f8453c884b0c61052668a71bd1d # v3.11.0
      # only bump formula for tags which don't contain '-'
      # this excludes vx.y.z-rc1
      if: github.ref_type == 'tag' && !contains(github.ref_name, '-')
      with:
        token: ${{ secrets.HOMEBREW_PUSH_TOKEN }}
        formula: kopia