build(deps): bump github/codeql-action from 2.22.8 to 3.25.15 #479
Workflow file for this run
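name: Build

on:
  pull_request:
    branches: [master]
  push:
    # branches whose pushes trigger a post-submit run.
    # NOTE(review): the earlier comment here named "ci-sandbox" as the branch
    # dedicated to testing post-submit code, but the list holds artifacts-pr;
    # confirm which branch is intended.
    branches: [master, artifacts-pr]
    tags:
      - v*
  schedule:
    # run on Mondays at 8AM (GitHub evaluates cron schedules in UTC)
    - cron: '0 8 * * 1'

# Least privilege for the automatically issued GITHUB_TOKEN: read-only access
# to repository contents, every other scope off. The publishing steps in this
# workflow pass their own tokens (GH_TOKEN, HOMEBREW_PUSH_TOKEN) explicitly.
# NOTE(review): confirm no make target relies on the default token being able
# to write.
permissions:
  contents: read

concurrency:
  # one active run per workflow and ref; a newer run cancels the older one
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

env:
  # environment variables shared between build steps
  # do not include sensitive credentials and tokens here, instead pass them
  # directly to tools that need them to limit the blast radius in case one of
  # them becomes compromised and leaks credentials to external sites.

  # required by Makefile (quoted: environment values are always strings)
  UNIX_SHELL_ON_WINDOWS: 'true'

  # NOTE(review): the three values below come from secrets but are set
  # workflow-wide, so every step of every job, third-party actions included,
  # can read them. They look like configuration rather than credentials;
  # confirm that none of them is sensitive.

  # set to true if Publish Artifacts should run
  PUBLISH_ARTIFACTS: ${{ secrets.PUBLISH_ARTIFACTS }}

  # where to publish releases for non-tagged commits
  NON_TAG_RELEASE_REPO: ${{ secrets.NON_TAG_RELEASE_REPO }}

  # RPM and APT packages GCS bucket/hostname.
  PACKAGES_HOST: ${{ secrets.PACKAGES_HOST }}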
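jobs:
  # Builds (and, where credentials are present, signs) the artifacts on every
  # runner in the matrix, then uploads them for the publish job.
  build:
    strategy:
      fail-fast: false
      matrix:
        os: [windows-latest, ubuntu-latest, macos-latest]
        include:
          # NOTE(review): this job also runs for pull_request events, so
          # pull-request code is built on the self-hosted runner. If pull
          # requests from forks are accepted, confirm the runner is isolated
          # or ephemeral and that outside contributors need approval to run
          # workflows.
          - os: [self-hosted, ARM64]
          # - os: [self-hosted, ARMHF]
    name: Make
    runs-on: ${{ matrix.os }}
    # a failing job on a self-hosted runner does not fail the workflow run
    continue-on-error: ${{ contains(matrix.os, 'self-hosted') }}
    steps:
      - name: Check out repository
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
        with:
          # full history rather than a shallow clone
          fetch-depth: 0

      - name: Set up Go
        id: go
        if: ${{ !contains(matrix.os, 'ARMHF') }}
        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe  # v4.1.0
        with:
          go-version-file: 'go.mod'
          check-latest: true

      - name: Install GoLang for ARMHF
        # Runs only for an ARMHF matrix entry, which is commented out above.
        # -f makes curl exit on an HTTP error instead of piping the error page
        # into tar.
        # NOTE(review): the tarball is unpacked without comparing it to a
        # pinned SHA-256 digest; add that check before re-enabling ARMHF.
        if: ${{ contains(matrix.os, 'ARMHF') }}
        run: "echo /usr/local/go/bin >> $GITHUB_PATH; rm -rf /usr/local/go && mkdir -p /usr/local/go && curl -f -s -L https://go.dev/dl/go1.19.2.linux-armv6l.tar.gz | tar -C /usr/local -xz"

      - name: Install Windows-specific packages
        if: ${{ contains(matrix.os, 'windows') }}
        run: "choco install --no-progress -y make zip unzip curl"

      - name: Install macOS-specific packages
        if: ${{ contains(matrix.os, 'macos') }}
        run: "sudo xcode-select -r"

      - name: Setup
        run: make -j4 ci-setup

      - name: Install macOS certificates
        # install signing tools and credentials for macOS and Windows outside
        # of main build process.
        if: ${{ contains(matrix.os, 'macos') }}
        run: make macos-certificates
        env:
          # macOS signing certificate (base64-encoded), used by Electron Builder
          CSC_LINK: ${{ secrets.CSC_LINK }}
          CSC_KEYCHAIN: ${{ secrets.CSC_KEYCHAIN }}
          CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
          MACOS_SIGNING_IDENTITY: ${{ secrets.MACOS_SIGNING_IDENTITY }}

      - name: Install Windows signing tools
        # install signing tools and credentials for macOS and Windows outside
        # of main build process.
        if: ${{ contains(matrix.os, 'windows') }}
        run: make windows-signing-tools
        env:
          # tool to install Windows signing certificate
          WINDOWS_SIGNING_TOOLS_URL: ${{ secrets.WINDOWS_SIGNING_TOOLS_URL }}
          WINDOWS_SIGN_TOOL: ${{ secrets.WINDOWS_SIGN_TOOL }}

      - name: Build
        # This step has no OS condition, so each matrix entry, the self-hosted
        # runner included, receives all of the signing secrets below. GitHub
        # does not pass repository secrets to pull_request runs that come from
        # forks.
        # NOTE(review): consider handing the Apple values only to macOS
        # entries and the Windows values only to Windows entries.
        run: make ci-build
        timeout-minutes: 40
        env:
          # Apple credentials for notarization, used by Electron Builder
          APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
          APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
          APPLE_API_KEY_BASE64: ${{ secrets.APPLE_API_KEY_BASE64 }}
          KOPIA_UI_NOTARIZE: ${{ secrets.KOPIA_UI_NOTARIZE }}

          # Windows signing settings (presumably account, auth and certificate
          # thumbprint; verify against the Makefile)
          WINDOWS_SIGN_USER: ${{ secrets.WINDOWS_SIGN_USER }}
          WINDOWS_SIGN_AUTH: ${{ secrets.WINDOWS_SIGN_AUTH }}
          WINDOWS_CERT_SHA1: ${{ secrets.WINDOWS_CERT_SHA1 }}
          WINDOWS_SIGN_TOOL: ${{ secrets.WINDOWS_SIGN_TOOL }}

          # macOS signing identity
          MACOS_SIGNING_IDENTITY: ${{ secrets.MACOS_SIGNING_IDENTITY }}

      - name: Upload Kopia Artifacts
        # output of self-hosted runners is not uploaded, so it never reaches
        # the publish job
        if: ${{ !contains(matrix.os, 'self-hosted') }}
        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32  # v3.1.3
        with:
          name: kopia
          path: |
            dist/*.md
            dist/*.rb
            dist/*.zip
            dist/*.tar.gz
            dist/*.rpm
            dist/*.deb
            dist/*.exe
            dist/kopia-ui/*.zip
            dist/kopia-ui/*.tar.gz
            dist/kopia-ui/*.dmg
            dist/kopia-ui/*.rpm
            dist/kopia-ui/*.deb
            dist/kopia-ui/*.exe
            dist/kopia-ui/*.AppImage
            dist/kopia-ui/*.yml
          if-no-files-found: ignore

      - name: Upload Kopia Binary
        if: ${{ !contains(matrix.os, 'self-hosted') }}
        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32  # v3.1.3
        with:
          name: kopia_binaries
          path: |
            dist/*/kopia
            dist/*/kopia.exe
            dist/*/rclone
            dist/*/rclone.exe
          if-no-files-found: ignore

  # Stages the uploaded artifacts and pushes them to the release channels.
  publish:
    name: Stage And Publish Artifacts
    runs-on: ubuntu-latest
    needs: build
    # never for pull requests and never outside kopia/kopia, so the release
    # credentials below are not used by pull-request runs or by forks
    if: github.event_name != 'pull_request' && github.repository == 'kopia/kopia'
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1

      - name: Set up QEMU
        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3  # v3.0.0

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226  # v3.0.0

      - name: Download Artifacts
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a  # v3.0.2
        with:
          name: kopia
          path: dist

      - name: Download Kopia Binaries
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a  # v3.0.2
        with:
          name: kopia_binaries
          path: dist_binaries

      - name: Display structure of downloaded files
        run: ls -lR dist/ dist_binaries/

      - name: Install GPG Key
        # NOTE(review): the key installed here (and the GCS credentials
        # installed further down) are needed by later steps, so they
        # presumably stay on the runner for the rest of the job; every step
        # after them, third-party actions included, can then reach them.
        run: make ci-gpg-key
        env:
          GPG_KEYRING: ${{ secrets.GPG_KEYRING }}

      - name: Stage Release
        run: make stage-release

      - name: Push Github Release
        run: make push-github-release
        env:
          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}

      - name: Install GCS Credentials
        run: make ci-gcs-creds
        env:
          GCS_CREDENTIALS: ${{ secrets.GCS_CREDENTIALS }}

      - name: Publish APT
        # this needs GCS credentials and GPG keys installed before.
        run: make publish-apt

      - name: Publish RPM
        # this needs GCS credentials and GPG keys installed before.
        run: make publish-rpm

      - name: Publish Homebrew
        # this only pushes to a GitHub repository.
        run: make publish-homebrew
        env:
          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}

      - name: Publish Scoop
        # this only pushes to a GitHub repository.
        run: make publish-scoop
        env:
          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}

      - name: Publish Docker
        run: make publish-docker
        env:
          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Bump Homebrew formula
        # only bump formula for tags which don't contain '-'
        # this excludes vx.y.z-rc1
        if: github.ref_type == 'tag' && !contains(github.ref_name, '-')
        # third-party action, pinned to a full commit SHA
        uses: dawidd6/action-homebrew-bump-formula@d3667e5ae14df19579e4414897498e3e88f2f458  # v3.10.0
        with:
          token: ${{ secrets.HOMEBREW_PUSH_TOKEN }}
          formula: kopia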