on: push: tags: - 'v[0-9]+.[0-9]+.[0-9]*' name: Create release and upload binaries jobs: build-linux: name: Build Linux/BSD All runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: actions/setup-go@v5 with: go-version: '1.22' check-latest: true - name: Build run: | make BUILD_NUMBER="${GITHUB_REF#refs/tags/v}" release-linux release-freebsd release-openbsd release-netbsd mkdir release mv build/*.tar.gz release - name: Upload artifacts uses: actions/upload-artifact@v4 with: name: linux-latest path: release build-windows: name: Build Windows runs-on: windows-latest steps: - uses: actions/checkout@v4 - uses: actions/setup-go@v5 with: go-version: '1.22' check-latest: true - name: Build run: | echo $Env:GITHUB_REF.Substring(11) mkdir build\windows-amd64 $Env:GOARCH = "amd64" go build -trimpath -ldflags "-X main.Build=$($Env:GITHUB_REF.Substring(11))" -o build\windows-amd64\nebula.exe ./cmd/nebula-service go build -trimpath -ldflags "-X main.Build=$($Env:GITHUB_REF.Substring(11))" -o build\windows-amd64\nebula-cert.exe ./cmd/nebula-cert mkdir build\windows-arm64 $Env:GOARCH = "arm64" go build -trimpath -ldflags "-X main.Build=$($Env:GITHUB_REF.Substring(11))" -o build\windows-arm64\nebula.exe ./cmd/nebula-service go build -trimpath -ldflags "-X main.Build=$($Env:GITHUB_REF.Substring(11))" -o build\windows-arm64\nebula-cert.exe ./cmd/nebula-cert mkdir build\dist\windows mv dist\windows\wintun build\dist\windows\ - name: Upload artifacts uses: actions/upload-artifact@v4 with: name: windows-latest path: build build-darwin: name: Build Universal Darwin env: HAS_SIGNING_CREDS: ${{ secrets.AC_USERNAME != '' }} runs-on: macos-11 steps: - uses: actions/checkout@v4 - uses: actions/setup-go@v5 with: go-version: '1.22' check-latest: true - name: Import certificates if: env.HAS_SIGNING_CREDS == 'true' uses: Apple-Actions/import-codesign-certs@v2 with: p12-file-base64: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_P12_BASE64 }} p12-password: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_PASSWORD }} - name: Build, sign, and notarize env: AC_USERNAME: ${{ secrets.AC_USERNAME }} AC_PASSWORD: ${{ secrets.AC_PASSWORD }} run: | rm -rf release mkdir release make BUILD_NUMBER="${GITHUB_REF#refs/tags/v}" service build/darwin-amd64/nebula build/darwin-amd64/nebula-cert make BUILD_NUMBER="${GITHUB_REF#refs/tags/v}" service build/darwin-arm64/nebula build/darwin-arm64/nebula-cert lipo -create -output ./release/nebula ./build/darwin-amd64/nebula ./build/darwin-arm64/nebula lipo -create -output ./release/nebula-cert ./build/darwin-amd64/nebula-cert ./build/darwin-arm64/nebula-cert if [ -n "$AC_USERNAME" ]; then codesign -s "10BC1FDDEB6CE753550156C0669109FAC49E4D1E" -f -v --timestamp --options=runtime -i "net.defined.nebula" ./release/nebula codesign -s "10BC1FDDEB6CE753550156C0669109FAC49E4D1E" -f -v --timestamp --options=runtime -i "net.defined.nebula-cert" ./release/nebula-cert fi zip -j release/nebula-darwin.zip release/nebula-cert release/nebula if [ -n "$AC_USERNAME" ]; then xcrun notarytool submit ./release/nebula-darwin.zip --team-id "576H3XS7FP" --apple-id "$AC_USERNAME" --password "$AC_PASSWORD" --wait fi - name: Upload artifacts uses: actions/upload-artifact@v4 with: name: darwin-latest path: ./release/* build-docker: name: Create and Upload Docker Images # Technically we only need build-linux to succeed, but if any platforms fail we'll # want to investigate and restart the build needs: [build-linux, build-darwin, build-windows] runs-on: ubuntu-latest env: HAS_DOCKER_CREDS: ${{ vars.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }} # XXX It's not possible to write a conditional here, so instead we do it on every step #if: ${{ env.HAS_DOCKER_CREDS == 'true' }} steps: # Be sure to checkout the code before downloading artifacts, or they will # be overwritten - name: Checkout code if: ${{ env.HAS_DOCKER_CREDS == 'true' }} uses: actions/checkout@v4 - name: Download artifacts if: ${{ env.HAS_DOCKER_CREDS == 'true' }} uses: actions/download-artifact@v4 with: name: linux-latest path: artifacts - name: Login to Docker Hub if: ${{ env.HAS_DOCKER_CREDS == 'true' }} uses: docker/login-action@v3 with: username: ${{ vars.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Set up Docker Buildx if: ${{ env.HAS_DOCKER_CREDS == 'true' }} uses: docker/setup-buildx-action@v3 - name: Build and push images if: ${{ env.HAS_DOCKER_CREDS == 'true' }} env: DOCKER_IMAGE_REPO: ${{ vars.DOCKER_IMAGE_REPO || 'nebulaoss/nebula' }} DOCKER_IMAGE_TAG: ${{ vars.DOCKER_IMAGE_TAG || 'latest' }} run: | mkdir -p build/linux-{amd64,arm64} tar -zxvf artifacts/nebula-linux-amd64.tar.gz -C build/linux-amd64/ tar -zxvf artifacts/nebula-linux-arm64.tar.gz -C build/linux-arm64/ docker buildx build . --push -f docker/Dockerfile --platform linux/amd64,linux/arm64 --tag "${DOCKER_IMAGE_REPO}:${DOCKER_IMAGE_TAG}" --tag "${DOCKER_IMAGE_REPO}:${GITHUB_REF#refs/tags/v}" release: name: Create and Upload Release needs: [build-linux, build-darwin, build-windows] runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Download artifacts uses: actions/download-artifact@v4 with: path: artifacts - name: Zip Windows run: | cd artifacts/windows-latest cp windows-amd64/* . zip -r nebula-windows-amd64.zip nebula.exe nebula-cert.exe dist cp windows-arm64/* . zip -r nebula-windows-arm64.zip nebula.exe nebula-cert.exe dist - name: Create sha256sum run: | cd artifacts for dir in linux-latest darwin-latest windows-latest do ( cd $dir if [ "$dir" = windows-latest ] then sha256sum