syncthing/.github/workflows/build-syncthing.yaml

name: Build Syncthing

on:
  pull_request:
  push:

env:
  # The go version to use for builds.
  GO_VERSION: "1.19.4"

  # Optimize compatibility on the slow archictures.
  GO386: softfloat
  GOARM: "5"
  GOMIPS: softfloat

  # Avoid hilarious amounts of obscuring log output when running tests.
  LOGGER_DISCARD: "1"

  # Our build metadata
  BUILD_USER: builder
  BUILD_HOST: github.syncthing.net

# A note on actions and third party code... The actions under actions/ (like
# `uses: actions/checkout`) are maintained by GitHub, and we need to trust
# GitHub to maintain their code and infrastructure or we're in deep shit in
# general. The same doesn't necessarily apply to other actions authors, so
# some care needs to be taken when adding steps, especially in the paths
# that lead up to code being packaged and signed.

jobs:

  #
  # Windows, quick build and test, runs always
  #

  build-windows:
    name: Build and test on Windows
    runs-on: windows-latest
    steps:
      - name: Set git to use LF
        # Without this, the checkout will happen with CRLF line endings,
        # which is fine for the source code but messes up tests that depend
        # on data on disk being as expected. Ideally, those tests should be
        # fixed, but not today.
        run: |
          git config --global core.autocrlf false
          git config --global core.eol lf

      - uses: actions/checkout@v3

      - uses: actions/setup-go@v3
        # `cache: true` gives us automatic caching of modules and build
        # cache, speeding up builds. The cache key is dependent on the Go
        # version and our go.sum contents.
        with:
          go-version: ${{ env.GO_VERSION }}
          cache: true

      - name: Build and test
        run: |
          go run build.go
          go run build.go test

  #
  # Windows, build signed packages
  #

  package-windows:
    name: Create packages for Windows
    runs-on: windows-latest
    # We only run this job for release pushes.
    if: github.event_name == 'push' && startsWith(github.ref, 'refs/heads/release')
    # This is also enforced by the environment which contains the secrets.
    environment: signing
    needs:
      - build-windows
    steps:
      - name: Set git to use LF
        run: |
          git config --global core.autocrlf false
          git config --global core.eol lf

      - uses: actions/checkout@v3
        # `fetch-depth: 0` because we want to check out the entire repo
        # including tags and branches, not just the latest commit which
        # lacks version info.
        with:
          fetch-depth: 0

      - uses: actions/setup-go@v3
        with:
          go-version: ${{ env.GO_VERSION }}

      - uses: actions/cache@v3
        with:
          path: |
            ~\AppData\Local\go-build
            ~\go\pkg\mod
          key: ${{ runner.os }}-go-${{ env.GO_VERSION }}-package-${{ hashFiles('**/go.sum') }}

      - name: Install dependencies
        run: |
          go install github.com/josephspurrier/goversioninfo/cmd/[email protected]

      - name: Create packages
        run: |
          go run build.go -goarch amd64 zip
          go run build.go -goarch arm zip
          go run build.go -goarch arm64 zip
          go run build.go -goarch 386 zip
        env:
          CODESIGN_SIGNTOOL: ${{ secrets.CODESIGN_SIGNTOOL }}
          CODESIGN_CERTIFICATE_BASE64: ${{ secrets.CODESIGN_CERTIFICATE_BASE64 }}
          CODESIGN_CERTIFICATE_PASSWORD: ${{ secrets.CODESIGN_CERTIFICATE_PASSWORD }}
          CODESIGN_TIMESTAMP_SERVER: ${{ secrets.CODESIGN_TIMESTAMP_SERVER }}

      - name: Archive artifacts
        uses: actions/upload-artifact@v3
        with:
          name: packages
          path: syncthing-windows-*.zip