Skip to content

build(deps): bump github/codeql-action from 2.22.8 to 3.25.15 #479

build(deps): bump github/codeql-action from 2.22.8 to 3.25.15

build(deps): bump github/codeql-action from 2.22.8 to 3.25.15 #479

Workflow file for this run

name: Build
on:
pull_request:
branches: [ master ]
push:
# ci-sandbox is a branch dedicated to testing post-submit code.
branches: [ master, artifacts-pr ]
tags:
- v*
schedule:
# run on Mondays at 8AM
- cron: '0 8 * * 1'
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
env:
# environment variables shared between build steps
# do not include sensitive credentials and tokens here, instead pass them
# directly to tools that need them to limit the blast radius in case one of them
# becomes compromised and leaks credentials to external sites.
# required by Makefile
UNIX_SHELL_ON_WINDOWS: true
# set to true if Publish Artifacts should run
PUBLISH_ARTIFACTS: ${{ secrets.PUBLISH_ARTIFACTS }}
# where to publish releases for non-tagged commits
NON_TAG_RELEASE_REPO: ${{ secrets.NON_TAG_RELEASE_REPO }}
# RPM and APT packages GCS bucket/hostname.
PACKAGES_HOST: ${{ secrets.PACKAGES_HOST }}
jobs:
build:
strategy:
fail-fast: false
matrix:
os: [windows-latest, ubuntu-latest, macos-latest]
include:
- os: [self-hosted, ARM64]
# - os: [self-hosted, ARMHF]
name: Make
runs-on: ${{ matrix.os }}
continue-on-error: ${{ contains(matrix.os, 'self-hosted') }}
steps:
- name: Check out repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version-file: 'go.mod'
check-latest: true
id: go
if: ${{ !contains(matrix.os, 'ARMHF') }}
- name: Install GoLang for ARMHF
run: "echo /usr/local/go/bin >> $GITHUB_PATH; rm -rf /usr/local/go && mkdir -p /usr/local/go && curl -s -L https://go.dev/dl/go1.19.2.linux-armv6l.tar.gz | tar -C /usr/local -xz"
if: ${{ contains(matrix.os, 'ARMHF') }}
- name: Install Windows-specific packages
run: "choco install --no-progress -y make zip unzip curl"
if: ${{ contains(matrix.os, 'windows') }}
- name: Install macOS-specific packages
run: "sudo xcode-select -r"
if: ${{ contains(matrix.os, 'macos') }}
- name: Setup
run: make -j4 ci-setup
- name: Install macOS certificates
# install signing tools and credentials for macOS and Windows outside of main
# build process.
run: make macos-certificates
env:
# macOS signing certificate (base64-encoded), used by Electron Builder
CSC_LINK: ${{ secrets.CSC_LINK }}
CSC_KEYCHAIN: ${{ secrets.CSC_KEYCHAIN }}
CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
MACOS_SIGNING_IDENTITY: ${{ secrets.MACOS_SIGNING_IDENTITY }}
if: ${{ contains(matrix.os, 'macos') }}
- name: Install Windows signing tools
# install signing tools and credentials for macOS and Windows outside of main
# build process.
run: make windows-signing-tools
env:
# tool to install Windows signing certificate
WINDOWS_SIGNING_TOOLS_URL: ${{ secrets.WINDOWS_SIGNING_TOOLS_URL }}
WINDOWS_SIGN_TOOL: ${{ secrets.WINDOWS_SIGN_TOOL }}
if: ${{ contains(matrix.os, 'windows') }}
- name: Build
run: make ci-build
timeout-minutes: 40
env:
# Apple credentials for notarizaton, used by Electron Builder
APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
APPLE_API_KEY_BASE64: ${{ secrets.APPLE_API_KEY_BASE64 }}
KOPIA_UI_NOTARIZE: ${{ secrets.KOPIA_UI_NOTARIZE }}
# tool to install Windows signing certificate
WINDOWS_SIGN_USER: ${{ secrets.WINDOWS_SIGN_USER }}
WINDOWS_SIGN_AUTH: ${{ secrets.WINDOWS_SIGN_AUTH }}
WINDOWS_CERT_SHA1: ${{ secrets.WINDOWS_CERT_SHA1 }}
WINDOWS_SIGN_TOOL: ${{ secrets.WINDOWS_SIGN_TOOL }}
# macOS signing certificate (base64-encoded), used by Electron Builder
MACOS_SIGNING_IDENTITY: ${{ secrets.MACOS_SIGNING_IDENTITY }}
- name: Upload Kopia Artifacts
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: kopia
path: |
dist/*.md
dist/*.rb
dist/*.zip
dist/*.tar.gz
dist/*.rpm
dist/*.deb
dist/*.exe
dist/kopia-ui/*.zip
dist/kopia-ui/*.tar.gz
dist/kopia-ui/*.dmg
dist/kopia-ui/*.rpm
dist/kopia-ui/*.deb
dist/kopia-ui/*.exe
dist/kopia-ui/*.AppImage
dist/kopia-ui/*.yml
if-no-files-found: ignore
if: ${{ !contains(matrix.os, 'self-hosted') }}
- name: Upload Kopia Binary
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: kopia_binaries
path: |
dist/*/kopia
dist/*/kopia.exe
dist/*/rclone
dist/*/rclone.exe
if-no-files-found: ignore
if: ${{ !contains(matrix.os, 'self-hosted') }}
publish:
name: Stage And Publish Artifacts
runs-on: ubuntu-latest
needs: build
if: github.event_name != 'pull_request' && github.repository == 'kopia/kopia'
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Set up QEMU
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
- name: Download Artifacts
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: kopia
path: dist
- name: Download Kopia Binaries
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: kopia_binaries
path: dist_binaries
- name: Display structure of downloaded files
run: ls -lR dist/ dist_binaries/
- name: Install GPG Key
run: make ci-gpg-key
env:
GPG_KEYRING: ${{secrets.GPG_KEYRING}}
- name: Stage Release
run: make stage-release
- name: Push Github Release
run: make push-github-release
env:
GITHUB_TOKEN: ${{secrets.GH_TOKEN}}
- name: Install GCS Credentials
run: make ci-gcs-creds
env:
GCS_CREDENTIALS: ${{secrets.GCS_CREDENTIALS}}
- name: Publish APT
# this needs GCS credentials and GPG keys installed before.
run: make publish-apt
- name: Publish RPM
# this needs GCS credentials and GPG keys installed before.
run: make publish-rpm
- name: Publish Homebrew
# this only pushes to a GitHub repository.
run: make publish-homebrew
env:
GITHUB_TOKEN: ${{secrets.GH_TOKEN}}
- name: Publish Scoop
# this only pushes to a GitHub repository.
run: make publish-scoop
env:
GITHUB_TOKEN: ${{secrets.GH_TOKEN}}
- name: Publish Docker
run: make publish-docker
env:
DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Bump Homebrew formula
uses: dawidd6/action-homebrew-bump-formula@d3667e5ae14df19579e4414897498e3e88f2f458 # v3.10.0
# only bump formula for tags which don't contain '-'
# this excludes vx.y.z-rc1
if: github.ref_type == 'tag' && !contains(github.ref_name, '-')
with:
token: ${{ secrets.HOMEBREW_PUSH_TOKEN }}
formula: kopia