123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849 |
- name: Build Syncthing
- on:
- pull_request:
- push:
- schedule:
- # Run nightly build at 05:00 UTC
- - cron: '00 05 * * *'
- workflow_dispatch:
- env:
- # The go version to use for builds. We set check-latest to true when
- # installing, so we get the latest patch version that matches the
- # expression.
- GO_VERSION: "~1.22.0"
- # Optimize compatibility on the slow archictures.
- GO386: softfloat
- GOARM: "5"
- GOMIPS: softfloat
- # Avoid hilarious amounts of obscuring log output when running tests.
- LOGGER_DISCARD: "1"
- # Our build metadata
- BUILD_USER: builder
- BUILD_HOST: github.syncthing.net
- # A note on actions and third party code... The actions under actions/ (like
- # `uses: actions/checkout`) are maintained by GitHub, and we need to trust
- # GitHub to maintain their code and infrastructure or we're in deep shit in
- # general. The same doesn't necessarily apply to other actions authors, so
- # some care needs to be taken when adding steps, especially in the paths
- # that lead up to code being packaged and signed.
- jobs:
- #
- # Tests for all platforms. Runs a matrix build on Windows, Linux and Mac,
- # with the list of expected supported Go versions (current, previous).
- #
- build-test:
- name: Build and test
- strategy:
- fail-fast: false
- matrix:
- runner: ["windows-latest", "ubuntu-latest", "macos-latest"]
- # The oldest version in this list should match what we have in our go.mod.
- # Variables don't seem to be supported here, or we could have done something nice.
- go: ["~1.21.7", "~1.22.0"]
- runs-on: ${{ matrix.runner }}
- steps:
- - name: Set git to use LF
- if: matrix.runner == 'windows-latest'
- # Without this, the Windows checkout will happen with CRLF line
- # endings, which is fine for the source code but messes up tests
- # that depend on data on disk being as expected. Ideally, those
- # tests should be fixed, but not today.
- run: |
- git config --global core.autocrlf false
- git config --global core.eol lf
- - uses: actions/checkout@v4
- - uses: actions/setup-go@v5
- with:
- go-version: ${{ matrix.go }}
- cache: true
- check-latest: true
- - name: Build
- run: |
- go run build.go
- - name: Install go-test-json-to-loki
- run: |
- go install calmh.dev/go-test-json-to-loki@latest
- - name: Test
- run: |
- go version
- go run build.go test | go-test-json-to-loki
- env:
- GOFLAGS: "-json"
- LOKI_URL: ${{ vars.LOKI_URL }}
- LOKI_USER: ${{ vars.LOKI_USER }}
- LOKI_PASSWORD: ${{ secrets.LOKI_PASSWORD }}
- LOKI_LABELS: "go=${{ matrix.go }},runner=${{ matrix.runner }},repo=${{ github.repository }},ref=${{ github.ref }}"
- #
- # Meta checks for formatting, copyright, etc
- #
- correctness:
- name: Check correctness
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-go@v5
- with:
- go-version: ${{ env.GO_VERSION }}
- cache: false
- check-latest: true
- - name: Check correctness
- run: |
- go test -v ./meta
- #
- # The basic checks job is a virtual one that depends on the matrix tests,
- # the correctness checks, and various builds that we always do. This makes
- # it easy to have the PR process have a single test as a gatekeeper for
- # merging, instead of having to add all the matrix tests and update them
- # each time the version changes. (The top level test is not available for
- # choosing there, only the matrix "children".)
- #
- basics:
- name: Basic checks passed
- runs-on: ubuntu-latest
- needs:
- - build-test
- - correctness
- - package-linux
- - package-cross
- - package-source
- - package-debian
- - govulncheck
- steps:
- - uses: actions/checkout@v4
- #
- # Windows
- #
- package-windows:
- name: Package for Windows
- if: (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && (github.ref == 'refs/heads/release' || startsWith(github.ref, 'refs/heads/release-'))
- environment: signing
- runs-on: windows-latest
- steps:
- - name: Set git to use LF
- # Without this, the checkout will happen with CRLF line endings,
- # which is fine for the source code but messes up tests that depend
- # on data on disk being as expected. Ideally, those tests should be
- # fixed, but not today.
- run: |
- git config --global core.autocrlf false
- git config --global core.eol lf
- - uses: actions/checkout@v4
- with:
- fetch-depth: 0
- - uses: actions/setup-go@v5
- with:
- go-version: ${{ env.GO_VERSION }}
- cache: false
- check-latest: true
- - name: Get actual Go version
- run: |
- go version
- echo "GO_VERSION=$(go version | sed 's#^.*go##;s# .*##')" >> $GITHUB_ENV
- - uses: actions/cache@v4
- with:
- path: |
- ~\AppData\Local\go-build
- ~\go\pkg\mod
- key: ${{ runner.os }}-go-${{ env.GO_VERSION }}-package-${{ hashFiles('**/go.sum') }}
- - name: Install dependencies
- run: |
- go install github.com/josephspurrier/goversioninfo/cmd/goversioninfo@v1.4.0
- - name: Create packages
- run: |
- go run build.go -goarch amd64 zip
- go run build.go -goarch arm zip
- go run build.go -goarch arm64 zip
- go run build.go -goarch 386 zip
- env:
- CGO_ENABLED: "0"
- CODESIGN_SIGNTOOL: ${{ secrets.CODESIGN_SIGNTOOL }}
- CODESIGN_CERTIFICATE_BASE64: ${{ secrets.CODESIGN_CERTIFICATE_BASE64 }}
- CODESIGN_CERTIFICATE_PASSWORD: ${{ secrets.CODESIGN_CERTIFICATE_PASSWORD }}
- CODESIGN_TIMESTAMP_SERVER: ${{ secrets.CODESIGN_TIMESTAMP_SERVER }}
- - name: Archive artifacts
- uses: actions/upload-artifact@v4
- with:
- name: packages-windows
- path: syncthing-windows-*.zip
- #
- # Linux
- #
- package-linux:
- name: Package for Linux
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
- with:
- fetch-depth: 0
- - uses: actions/setup-go@v5
- with:
- go-version: ${{ env.GO_VERSION }}
- cache: false
- check-latest: true
- - name: Get actual Go version
- run: |
- go version
- echo "GO_VERSION=$(go version | sed 's#^.*go##;s# .*##')" >> $GITHUB_ENV
- - uses: actions/cache@v4
- with:
- path: |
- ~/.cache/go-build
- ~/go/pkg/mod
- key: ${{ runner.os }}-go-${{ env.GO_VERSION }}-package-${{ hashFiles('**/go.sum') }}
- - name: Create packages
- run: |
- archs=$(go tool dist list | grep linux | sed 's#linux/##')
- for goarch in $archs ; do
- go run build.go -goarch "$goarch" tar
- done
- env:
- CGO_ENABLED: "0"
- - name: Archive artifacts
- uses: actions/upload-artifact@v4
- with:
- name: packages-linux
- path: syncthing-linux-*.tar.gz
- #
- # macOS
- #
- package-macos:
- name: Package for macOS
- if: (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && (github.ref == 'refs/heads/release' || startsWith(github.ref, 'refs/heads/release-'))
- environment: signing
- runs-on: macos-latest
- steps:
- - uses: actions/checkout@v4
- with:
- fetch-depth: 0
- - uses: actions/setup-go@v5
- with:
- go-version: ${{ env.GO_VERSION }}
- cache: false
- check-latest: true
- - name: Get actual Go version
- run: |
- go version
- echo "GO_VERSION=$(go version | sed 's#^.*go##;s# .*##')" >> $GITHUB_ENV
- - uses: actions/cache@v4
- with:
- path: |
- ~/.cache/go-build
- ~/go/pkg/mod
- key: ${{ runner.os }}-go-${{ env.GO_VERSION }}-package-${{ hashFiles('**/go.sum') }}
- - name: Import signing certificate
- run: |
- # Set up a run-specific keychain, making it available for the
- # `codesign` tool.
- umask 066
- KEYCHAIN_PATH=$RUNNER_TEMP/codesign.keychain
- KEYCHAIN_PASSWORD=$(uuidgen)
- security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
- security default-keychain -s "$KEYCHAIN_PATH"
- security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
- security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
- # Import the certificate
- CERTIFICATE_PATH=$RUNNER_TEMP/codesign.p12
- echo "$DEVELOPER_ID_CERTIFICATE_BASE64" | base64 -d -o "$CERTIFICATE_PATH"
- security import "$CERTIFICATE_PATH" -k "$KEYCHAIN_PATH" -P "$DEVELOPER_ID_CERTIFICATE_PASSWORD" -T /usr/bin/codesign -T /usr/bin/productsign
- security set-key-partition-list -S apple-tool:,apple: -s -k actions "$KEYCHAIN_PATH"
- # Set the codesign identity for following steps
- echo "CODESIGN_IDENTITY=$CODESIGN_IDENTITY" >> $GITHUB_ENV
- env:
- DEVELOPER_ID_CERTIFICATE_BASE64: ${{ secrets.DEVELOPER_ID_CERTIFICATE_BASE64 }}
- DEVELOPER_ID_CERTIFICATE_PASSWORD: ${{ secrets.DEVELOPER_ID_CERTIFICATE_PASSWORD }}
- CODESIGN_IDENTITY: ${{ secrets.CODESIGN_IDENTITY }}
- - name: Create package (amd64)
- run: |
- go run build.go -goarch amd64 zip
- env:
- CGO_ENABLED: "1"
- - name: Create package (arm64 cross)
- run: |
- cat <<EOT > xgo.sh
- #!/bin/bash
- CGO_ENABLED=1 \
- CGO_CFLAGS="-target arm64-apple-macos10.15" \
- CGO_LDFLAGS="-target arm64-apple-macos10.15" \
- go "\$@"
- EOT
- chmod 755 xgo.sh
- go run build.go -gocmd ./xgo.sh -goarch arm64 zip
- env:
- CGO_ENABLED: "1"
- - name: Create package (universal)
- run: |
- rm -rf _tmp
- mkdir _tmp
- pushd _tmp
- unzip ../syncthing-macos-amd64-*.zip
- unzip ../syncthing-macos-arm64-*.zip
- lipo -create syncthing-macos-amd64-*/syncthing syncthing-macos-arm64-*/syncthing -o syncthing
- amd64=(syncthing-macos-amd64-*)
- universal="${amd64/amd64/universal}"
- mv "$amd64" "$universal"
- mv syncthing "$universal"
- zip -r "../$universal.zip" "$universal"
- - name: Archive artifacts
- uses: actions/upload-artifact@v4
- with:
- name: packages-macos
- path: syncthing-*.zip
- notarize-macos:
- name: Notarize for macOS
- if: (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && (github.ref == 'refs/heads/release' || startsWith(github.ref, 'refs/heads/release-'))
- environment: signing
- needs:
- - package-macos
- - basics
- runs-on: macos-latest
- steps:
- - name: Download artifacts
- uses: actions/download-artifact@v4
- with:
- name: packages-macos
- - name: Notarize binaries
- run: |
- APPSTORECONNECT_API_KEY_PATH="$RUNNER_TEMP/apikey.p8"
- echo "$APPSTORECONNECT_API_KEY" | base64 -d -o "$APPSTORECONNECT_API_KEY_PATH"
- for file in syncthing-macos-*.zip ; do
- xcrun notarytool submit \
- -k "$APPSTORECONNECT_API_KEY_PATH" \
- -d "$APPSTORECONNECT_API_KEY_ID" \
- -i "$APPSTORECONNECT_API_KEY_ISSUER" \
- $file
- done
- env:
- APPSTORECONNECT_API_KEY: ${{ secrets.APPSTORECONNECT_API_KEY }}
- APPSTORECONNECT_API_KEY_ID: ${{ secrets.APPSTORECONNECT_API_KEY_ID }}
- APPSTORECONNECT_API_KEY_ISSUER: ${{ secrets.APPSTORECONNECT_API_KEY_ISSUER }}
- #
- # Cross compile other unixes
- #
- package-cross:
- name: Package cross compiled
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
- with:
- fetch-depth: 0
- - uses: actions/setup-go@v5
- with:
- go-version: ${{ env.GO_VERSION }}
- cache: false
- check-latest: true
- - name: Get actual Go version
- run: |
- go version
- echo "GO_VERSION=$(go version | sed 's#^.*go##;s# .*##')" >> $GITHUB_ENV
- - uses: actions/cache@v4
- with:
- path: |
- ~/.cache/go-build
- ~/go/pkg/mod
- key: ${{ runner.os }}-go-${{ env.GO_VERSION }}-cross-${{ hashFiles('**/go.sum') }}
- - name: Create packages
- run: |
- platforms=$(go tool dist list \
- | grep -v aix/ppc64 \
- | grep -v android/ \
- | grep -v darwin/ \
- | grep -v ios/ \
- | grep -v js/ \
- | grep -v linux/ \
- | grep -v nacl/ \
- | grep -v plan9/ \
- | grep -v windows/ \
- | grep -v /wasm \
- )
- # Build for each platform with errors silenced, because we expect
- # some oddball platforms to fail. This avoids a bunch of errors in
- # the GitHub Actions output, instead summarizing each build
- # failure as a warning.
- for plat in $platforms; do
- goos="${plat%/*}"
- goarch="${plat#*/}"
- echo "::group ::$plat"
- if ! go run build.go -goos "$goos" -goarch "$goarch" tar 2>/dev/null; then
- echo "::warning ::Failed to build for $plat"
- fi
- echo "::endgroup::"
- done
- env:
- CGO_ENABLED: "0"
- - name: Archive artifacts
- uses: actions/upload-artifact@v4
- with:
- name: packages-other
- path: syncthing-*.tar.gz
- #
- # Source
- #
- package-source:
- name: Package source code
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
- with:
- fetch-depth: 0
- - uses: actions/setup-go@v5
- with:
- go-version: ${{ env.GO_VERSION }}
- cache: false
- check-latest: true
- - name: Package source
- run: |
- version=$(go run build.go version)
- echo "$version" > RELEASE
- go mod vendor
- go run build.go assets
- cd ..
- tar c -z -f "syncthing-source-$version.tar.gz" \
- --exclude .git \
- syncthing
- mv "syncthing-source-$version.tar.gz" syncthing
- - name: Archive artifacts
- uses: actions/upload-artifact@v4
- with:
- name: packages-source
- path: syncthing-source-*.tar.gz
- #
- # Sign binaries for auto upgrade, generate ASC signature files
- #
- sign-for-upgrade:
- name: Sign for upgrade
- if: (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && (github.ref == 'refs/heads/release' || startsWith(github.ref, 'refs/heads/release-'))
- environment: signing
- needs:
- - basics
- - package-windows
- - package-linux
- - package-macos
- - package-cross
- - package-source
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
- with:
- fetch-depth: 0
- - uses: actions/checkout@v4
- with:
- repository: syncthing/release-tools
- path: tools
- fetch-depth: 0
- - name: Download artifacts
- uses: actions/download-artifact@v4
- - uses: actions/setup-go@v5
- with:
- go-version: ${{ env.GO_VERSION }}
- cache: false
- check-latest: true
- - name: Install signing tool
- run: |
- go install ./cmd/stsigtool
- - name: Sign archives
- run: |
- export PRIVATE_KEY="$RUNNER_TEMP/privkey.pem"
- export PATH="$PATH:$(go env GOPATH)/bin"
- echo "$STSIGTOOL_PRIVATE_KEY" | base64 -d > "$PRIVATE_KEY"
- mkdir packages
- mv packages-*/* packages
- pushd packages
- "$GITHUB_WORKSPACE/tools/sign-only"
- rm -f "$PRIVATE_KEY"
- env:
- STSIGTOOL_PRIVATE_KEY: ${{ secrets.STSIGTOOL_PRIVATE_KEY }}
- - name: Create and sign .asc files
- run: |
- sudo apt update
- sudo apt -y install gnupg
- export SIGNING_KEY="$RUNNER_TEMP/gpg-secret.asc"
- echo "$GNUPG_SIGNING_KEY_BASE64" | base64 -d > "$SIGNING_KEY"
- gpg --import < "$SIGNING_KEY"
- pushd packages
- files=(*.tar.gz *.zip)
- sha1sum "${files[@]}" | gpg --clearsign > sha1sum.txt.asc
- sha256sum "${files[@]}" | gpg --clearsign > sha256sum.txt.asc
- gpg --sign --armour --detach syncthing-source-*.tar.gz
- popd
- rm -f "$SIGNING_KEY" .gnupg
- env:
- GNUPG_SIGNING_KEY_BASE64: ${{ secrets.GNUPG_SIGNING_KEY_BASE64 }}
- - name: Archive artifacts
- uses: actions/upload-artifact@v4
- with:
- name: packages-signed
- path: packages/*
- #
- # Debian
- #
- package-debian:
- name: Package for Debian
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
- with:
- fetch-depth: 0
- - uses: actions/setup-go@v5
- with:
- go-version: ${{ env.GO_VERSION }}
- cache: false
- check-latest: true
- - name: Get actual Go version
- run: |
- go version
- echo "GO_VERSION=$(go version | sed 's#^.*go##;s# .*##')" >> $GITHUB_ENV
- - uses: ruby/setup-ruby@v1
- with:
- ruby-version: '3.0'
- - name: Install fpm
- run: |
- gem install fpm
- - uses: actions/cache@v4
- with:
- path: |
- ~/.cache/go-build
- ~/go/pkg/mod
- key: ${{ runner.os }}-go-${{ env.GO_VERSION }}-debian-${{ hashFiles('**/go.sum') }}
- - name: Package for Debian
- run: |
- for arch in amd64 i386 armhf armel arm64 ; do
- go run build.go -no-upgrade -installsuffix=no-upgrade -goarch "$arch" deb
- done
- env:
- BUILD_USER: debian
- - name: Archive artifacts
- uses: actions/upload-artifact@v4
- with:
- name: debian-packages
- path: "*.deb"
- #
- # Nightlies
- #
- publish-nightly:
- name: Publish nightly build
- if: (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && startsWith(github.ref, 'refs/heads/release-nightly')
- environment: signing
- needs:
- - sign-for-upgrade
- - notarize-macos
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
- with:
- repository: syncthing/release-tools
- path: tools
- fetch-depth: 0
- - name: Download artifacts
- uses: actions/download-artifact@v4
- with:
- name: packages-signed
- path: packages
- - uses: actions/setup-go@v5
- with:
- go-version: ${{ env.GO_VERSION }}
- cache: false
- check-latest: true
- - name: Create release json
- run: |
- cd packages
- "$GITHUB_WORKSPACE/tools/generate-release-json" "$BASE_URL" > nightly.json
- env:
- BASE_URL: https://syncthing.ams3.digitaloceanspaces.com/nightly/
- - name: Push artifacts
- uses: docker://docker.io/rclone/rclone:latest
- env:
- RCLONE_CONFIG_SPACES_TYPE: s3
- RCLONE_CONFIG_SPACES_PROVIDER: DigitalOcean
- RCLONE_CONFIG_SPACES_ACCESS_KEY_ID: ${{ secrets.SPACES_KEY }}
- RCLONE_CONFIG_SPACES_SECRET_ACCESS_KEY: ${{ secrets.SPACES_SECRET }}
- RCLONE_CONFIG_SPACES_ENDPOINT: ams3.digitaloceanspaces.com
- RCLONE_CONFIG_SPACES_ACL: public-read
- with:
- args: sync packages spaces:syncthing/nightly
- #
- # Push release artifacts to Spaces
- #
- publish-release-files:
- name: Publish release files
- if: (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/release'
- environment: signing
- needs:
- - sign-for-upgrade
- - package-debian
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
- with:
- fetch-depth: 0
- - name: Download signed packages
- uses: actions/download-artifact@v4
- with:
- name: packages-signed
- path: packages
- - name: Download debian packages
- uses: actions/download-artifact@v4
- with:
- name: debian-packages
- path: packages
- - uses: actions/setup-go@v5
- with:
- go-version: ${{ env.GO_VERSION }}
- cache: false
- check-latest: true
- - name: Set version
- run: |
- version=$(go run build.go version)
- echo "VERSION=$version" >> $GITHUB_ENV
- - name: Push to Spaces (${{ env.VERSION }})
- uses: docker://docker.io/rclone/rclone:latest
- env:
- RCLONE_CONFIG_SPACES_TYPE: s3
- RCLONE_CONFIG_SPACES_PROVIDER: DigitalOcean
- RCLONE_CONFIG_SPACES_ACCESS_KEY_ID: ${{ secrets.SPACES_KEY }}
- RCLONE_CONFIG_SPACES_SECRET_ACCESS_KEY: ${{ secrets.SPACES_SECRET }}
- RCLONE_CONFIG_SPACES_ENDPOINT: ams3.digitaloceanspaces.com
- RCLONE_CONFIG_SPACES_ACL: public-read
- with:
- args: sync packages spaces:syncthing/release/${{ env.VERSION }}
- - name: Push to Spaces (latest)
- uses: docker://docker.io/rclone/rclone:latest
- env:
- RCLONE_CONFIG_SPACES_TYPE: s3
- RCLONE_CONFIG_SPACES_PROVIDER: DigitalOcean
- RCLONE_CONFIG_SPACES_ACCESS_KEY_ID: ${{ secrets.SPACES_KEY }}
- RCLONE_CONFIG_SPACES_SECRET_ACCESS_KEY: ${{ secrets.SPACES_SECRET }}
- RCLONE_CONFIG_SPACES_ENDPOINT: ams3.digitaloceanspaces.com
- RCLONE_CONFIG_SPACES_ACL: public-read
- with:
- args: sync spaces:syncthing/release/${{ env.VERSION }} spaces:syncthing/release/latest
- #
- # Build and push to Docker Hub
- #
- docker-syncthing:
- name: Build and push Docker images
- runs-on: ubuntu-latest
- if: (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && (github.ref == 'refs/heads/release' || github.ref == 'refs/heads/main' || github.ref == 'refs/heads/infrastructure' || startsWith(github.ref, 'refs/heads/release-'))
- environment: docker
- strategy:
- matrix:
- pkg:
- - syncthing
- - strelaysrv
- - stdiscosrv
- include:
- - pkg: syncthing
- dockerfile: Dockerfile
- image: syncthing/syncthing
- - pkg: strelaysrv
- dockerfile: Dockerfile.strelaysrv
- image: syncthing/relaysrv
- - pkg: stdiscosrv
- dockerfile: Dockerfile.stdiscosrv
- image: syncthing/discosrv
- steps:
- - uses: actions/checkout@v4
- with:
- fetch-depth: 0
- - uses: actions/setup-go@v5
- with:
- go-version: ${{ env.GO_VERSION }}
- cache: false
- check-latest: true
- - name: Get actual Go version
- run: |
- go version
- echo "GO_VERSION=$(go version | sed 's#^.*go##;s# .*##')" >> $GITHUB_ENV
- - uses: actions/cache@v4
- with:
- path: |
- ~/.cache/go-build
- ~/go/pkg/mod
- key: ${{ runner.os }}-go-${{ env.GO_VERSION }}-docker-${{ matrix.pkg }}-${{ hashFiles('**/go.sum') }}
- - name: Build binaries
- run: |
- for arch in amd64 arm64 arm; do
- go run build.go -goos linux -goarch "$arch" -no-upgrade build ${{ matrix.pkg }}
- mv ${{ matrix.pkg }} ${{ matrix.pkg }}-linux-"$arch"
- done
- env:
- CGO_ENABLED: "0"
- BUILD_USER: docker
- - name: Check if we will be able to push images
- run: |
- if [[ "${{ secrets.DOCKERHUB_TOKEN }}" != "" ]]; then
- echo "DOCKER_PUSH=true" >> $GITHUB_ENV;
- fi
- - name: Login to Docker Hub
- uses: docker/login-action@v3
- if: env.DOCKER_PUSH == 'true'
- with:
- username: ${{ secrets.DOCKERHUB_USERNAME }}
- password: ${{ secrets.DOCKERHUB_TOKEN }}
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
- - name: Set version tags
- run: |
- version=$(go run build.go version)
- version=${version#v}
- if [[ $version == @([0-9]|[0-9][0-9]).@([0-9]|[0-9][0-9]).@([0-9]|[0-9][0-9]) ]] ; then
- echo Release version, pushing to :latest and version tags
- major=${version%.*.*}
- minor=${version%.*}
- tags=${{ matrix.image }}:$version,${{ matrix.image }}:$major,${{ matrix.image }}:$minor,${{ matrix.image }}:latest
- elif [[ $version == *-rc.@([0-9]|[0-9][0-9]) ]] ; then
- echo Release candidate, pushing to :rc
- tags=${{ matrix.image }}:rc
- else
- echo Development version, pushing to :edge
- tags=${{ matrix.image }}:edge
- fi
- echo "DOCKER_TAGS=$tags" >> $GITHUB_ENV
- echo "VERSION=$version" >> $GITHUB_ENV
- - name: Build and push Docker image
- uses: docker/build-push-action@v5
- with:
- context: .
- file: ${{ matrix.dockerfile }}
- platforms: linux/amd64,linux/arm64,linux/arm/7
- push: ${{ env.DOCKER_PUSH == 'true' }}
- tags: ${{ env.DOCKER_TAGS }}
- labels: |
- org.opencontainers.image.version=${{ env.VERSION }}
- org.opencontainers.image.revision=${{ github.sha }}
- #
- # Check for known vulnerabilities in Go dependencies
- #
- govulncheck:
- runs-on: ubuntu-latest
- name: Run govulncheck
- steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-go@v5
- with:
- go-version: ${{ env.GO_VERSION }}
- cache: false
- check-latest: true
- - name: run govulncheck
- run: |
- go run build.go assets
- go install golang.org/x/vuln/cmd/govulncheck@latest
- govulncheck ./...
|