| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218 |
- on:
- push:
- tags:
- - 'v[0-9]+.[0-9]+.[0-9]*'
- name: Create release and upload binaries
- jobs:
- build-linux:
- name: Build Linux/BSD All
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-go@v5
- with:
- go-version: '1.23'
- check-latest: true
- - name: Build
- run: |
- make BUILD_NUMBER="${GITHUB_REF#refs/tags/v}" release-linux release-freebsd release-openbsd release-netbsd
- mkdir release
- mv build/*.tar.gz release
- - name: Upload artifacts
- uses: actions/upload-artifact@v4
- with:
- name: linux-latest
- path: release
- build-windows:
- name: Build Windows
- runs-on: windows-latest
- steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-go@v5
- with:
- go-version: '1.23'
- check-latest: true
- - name: Build
- run: |
- echo $Env:GITHUB_REF.Substring(11)
- mkdir build\windows-amd64
- $Env:GOARCH = "amd64"
- go build -trimpath -ldflags "-X main.Build=$($Env:GITHUB_REF.Substring(11))" -o build\windows-amd64\nebula.exe ./cmd/nebula-service
- go build -trimpath -ldflags "-X main.Build=$($Env:GITHUB_REF.Substring(11))" -o build\windows-amd64\nebula-cert.exe ./cmd/nebula-cert
- mkdir build\windows-arm64
- $Env:GOARCH = "arm64"
- go build -trimpath -ldflags "-X main.Build=$($Env:GITHUB_REF.Substring(11))" -o build\windows-arm64\nebula.exe ./cmd/nebula-service
- go build -trimpath -ldflags "-X main.Build=$($Env:GITHUB_REF.Substring(11))" -o build\windows-arm64\nebula-cert.exe ./cmd/nebula-cert
- mkdir build\dist\windows
- mv dist\windows\wintun build\dist\windows\
- - name: Upload artifacts
- uses: actions/upload-artifact@v4
- with:
- name: windows-latest
- path: build
- build-darwin:
- name: Build Universal Darwin
- env:
- HAS_SIGNING_CREDS: ${{ secrets.AC_USERNAME != '' }}
- runs-on: macos-latest
- steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-go@v5
- with:
- go-version: '1.23'
- check-latest: true
- - name: Import certificates
- if: env.HAS_SIGNING_CREDS == 'true'
- uses: Apple-Actions/import-codesign-certs@v3
- with:
- p12-file-base64: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_P12_BASE64 }}
- p12-password: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_PASSWORD }}
- - name: Build, sign, and notarize
- env:
- AC_USERNAME: ${{ secrets.AC_USERNAME }}
- AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
- run: |
- rm -rf release
- mkdir release
- make BUILD_NUMBER="${GITHUB_REF#refs/tags/v}" service build/darwin-amd64/nebula build/darwin-amd64/nebula-cert
- make BUILD_NUMBER="${GITHUB_REF#refs/tags/v}" service build/darwin-arm64/nebula build/darwin-arm64/nebula-cert
- lipo -create -output ./release/nebula ./build/darwin-amd64/nebula ./build/darwin-arm64/nebula
- lipo -create -output ./release/nebula-cert ./build/darwin-amd64/nebula-cert ./build/darwin-arm64/nebula-cert
- if [ -n "$AC_USERNAME" ]; then
- codesign -s "10BC1FDDEB6CE753550156C0669109FAC49E4D1E" -f -v --timestamp --options=runtime -i "net.defined.nebula" ./release/nebula
- codesign -s "10BC1FDDEB6CE753550156C0669109FAC49E4D1E" -f -v --timestamp --options=runtime -i "net.defined.nebula-cert" ./release/nebula-cert
- fi
- zip -j release/nebula-darwin.zip release/nebula-cert release/nebula
- if [ -n "$AC_USERNAME" ]; then
- xcrun notarytool submit ./release/nebula-darwin.zip --team-id "576H3XS7FP" --apple-id "$AC_USERNAME" --password "$AC_PASSWORD" --wait
- fi
- - name: Upload artifacts
- uses: actions/upload-artifact@v4
- with:
- name: darwin-latest
- path: ./release/*
- build-docker:
- name: Create and Upload Docker Images
- # Technically we only need build-linux to succeed, but if any platforms fail we'll
- # want to investigate and restart the build
- needs: [build-linux, build-darwin, build-windows]
- runs-on: ubuntu-latest
- env:
- HAS_DOCKER_CREDS: ${{ vars.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }}
- # XXX It's not possible to write a conditional here, so instead we do it on every step
- #if: ${{ env.HAS_DOCKER_CREDS == 'true' }}
- steps:
- # Be sure to checkout the code before downloading artifacts, or they will
- # be overwritten
- - name: Checkout code
- if: ${{ env.HAS_DOCKER_CREDS == 'true' }}
- uses: actions/checkout@v4
- - name: Download artifacts
- if: ${{ env.HAS_DOCKER_CREDS == 'true' }}
- uses: actions/download-artifact@v4
- with:
- name: linux-latest
- path: artifacts
- - name: Login to Docker Hub
- if: ${{ env.HAS_DOCKER_CREDS == 'true' }}
- uses: docker/login-action@v3
- with:
- username: ${{ vars.DOCKERHUB_USERNAME }}
- password: ${{ secrets.DOCKERHUB_TOKEN }}
- - name: Set up Docker Buildx
- if: ${{ env.HAS_DOCKER_CREDS == 'true' }}
- uses: docker/setup-buildx-action@v3
- - name: Build and push images
- if: ${{ env.HAS_DOCKER_CREDS == 'true' }}
- env:
- DOCKER_IMAGE_REPO: ${{ vars.DOCKER_IMAGE_REPO || 'nebulaoss/nebula' }}
- DOCKER_IMAGE_TAG: ${{ vars.DOCKER_IMAGE_TAG || 'latest' }}
- run: |
- mkdir -p build/linux-{amd64,arm64}
- tar -zxvf artifacts/nebula-linux-amd64.tar.gz -C build/linux-amd64/
- tar -zxvf artifacts/nebula-linux-arm64.tar.gz -C build/linux-arm64/
- docker buildx build . --push -f docker/Dockerfile --platform linux/amd64,linux/arm64 --tag "${DOCKER_IMAGE_REPO}:${DOCKER_IMAGE_TAG}" --tag "${DOCKER_IMAGE_REPO}:${GITHUB_REF#refs/tags/v}"
- release:
- name: Create and Upload Release
- needs: [build-linux, build-darwin, build-windows]
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
- - name: Download artifacts
- uses: actions/download-artifact@v4
- with:
- path: artifacts
- - name: Zip Windows
- run: |
- cd artifacts/windows-latest
- cp windows-amd64/* .
- zip -r nebula-windows-amd64.zip nebula.exe nebula-cert.exe dist
- cp windows-arm64/* .
- zip -r nebula-windows-arm64.zip nebula.exe nebula-cert.exe dist
- - name: Create sha256sum
- run: |
- cd artifacts
- for dir in linux-latest darwin-latest windows-latest
- do
- (
- cd $dir
- if [ "$dir" = windows-latest ]
- then
- sha256sum <windows-amd64/nebula.exe | sed 's=-$=nebula-windows-amd64.zip/nebula.exe='
- sha256sum <windows-amd64/nebula-cert.exe | sed 's=-$=nebula-windows-amd64.zip/nebula-cert.exe='
- sha256sum <windows-arm64/nebula.exe | sed 's=-$=nebula-windows-arm64.zip/nebula.exe='
- sha256sum <windows-arm64/nebula-cert.exe | sed 's=-$=nebula-windows-arm64.zip/nebula-cert.exe='
- sha256sum nebula-windows-amd64.zip
- sha256sum nebula-windows-arm64.zip
- elif [ "$dir" = darwin-latest ]
- then
- sha256sum <nebula-darwin.zip | sed 's=-$=nebula-darwin.zip='
- sha256sum <nebula | sed 's=-$=nebula-darwin.zip/nebula='
- sha256sum <nebula-cert | sed 's=-$=nebula-darwin.zip/nebula-cert='
- else
- for v in *.tar.gz
- do
- sha256sum $v
- tar zxf $v --to-command='sh -c "sha256sum | sed s=-$='$v'/$TAR_FILENAME="'
- done
- fi
- )
- done | sort -k 2 >SHASUM256.txt
- - name: Create Release
- id: create_release
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- run: |
- cd artifacts
- gh release create \
- --verify-tag \
- --title "Release ${{ github.ref_name }}" \
- "${{ github.ref_name }}" \
- SHASUM256.txt *-latest/*.zip *-latest/*.tar.gz
|
