{"id":13561642,"url":"https://github.com/google/copybara","last_synced_at":"2026-02-16T13:10:24.525Z","repository":{"id":37428542,"uuid":"67722017","full_name":"google/copybara","owner":"google","description":"Copybara: A tool for transforming and moving code between repositories.","archived":false,"fork":false,"pushed_at":"2026-02-12T16:24:24.000Z","size":14153,"stargazers_count":2627,"open_issues_count":100,"forks_count":303,"subscribers_count":47,"default_branch":"master","last_synced_at":"2026-02-13T00:30:28.235Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/google.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":"AUTHORS","dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2016-09-08T16:44:40.000Z","updated_at":"2026-02-12T16:14:16.000Z","dependencies_parsed_at":"2023-02-15T12:01:21.497Z","dependency_job_id":"e10e44d1-5720-4109-b151-0d07009289f3","html_url":"https://github.com/google/copybara","commit_stats":{"total_commits":3084,"total_committers":89,"mean_commits":"34.651685393258425","dds":0.7146562905317769,"last_synced_commit":"a8b4ff06c25fd53a8a9670416ac3954b589f3eb7"},"previous_names":[],"tags_count":44,"template":false,"template_full_name":null,"purl":"pkg:github/google/copybara","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fcopybara","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fcopybara/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fcopybara/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fcopybara/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/google","download_url":"https://codeload.github.com/google/copybara/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fcopybara/sbom","scorecard":{"id":162416,"data":{"date":"2025-08-11","repo":{"name":"github.com/google/copybara","commit":"5c2f6e158214fc166548b0160d90f14b7ccf0d93"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":5.7,"checks":[{"name":"Code-Review","score":7,"reason":"Found 22/30 approved changesets -- score normalized to 7","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: topLevel 'contents' permission set to 'write': .github/workflows/release.yaml:4","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Maintained","score":10,"reason":"30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"SAST","score":0,"reason":"no SAST tool detected","details":["Warn: no pull requests merged into dev branch"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yaml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/google/copybara/release.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yaml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/google/copybara/release.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yaml:48: update your workflow using https://app.stepsecurity.io/secureworkflow/google/copybara/release.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yaml:61: update your workflow using https://app.stepsecurity.io/secureworkflow/google/copybara/release.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yaml:71: update your workflow using https://app.stepsecurity.io/secureworkflow/google/copybara/release.yaml/master?enable=pin","Warn: containerImage not pinned by hash: Dockerfile:18","Warn: containerImage not pinned by hash: Dockerfile:22","Warn: containerImage not pinned by hash: Dockerfile:38: pin your Docker image by updating docker.io/eclipse-temurin:21-jre-jammy to docker.io/eclipse-temurin:21-jre-jammy@sha256:8234720ae5083d3b972fe20b4a997b7c56546db8bf8da5f4c54c6470901e2e67","Warn: containerImage not pinned by hash: ci.Dockerfile:16","Warn: goCommand not pinned by hash: Dockerfile:19","Info:   0 out of   5 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   4 containerImage dependencies pinned","Info:   0 out of   1 goCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v20250811 not signed: https://api.github.com/repos/google/copybara/releases/238978195","Warn: release artifact v20250804 not signed: https://api.github.com/repos/google/copybara/releases/237311739","Warn: release artifact v20250728 not signed: https://api.github.com/repos/google/copybara/releases/235601920","Warn: release artifact v20250721 not signed: https://api.github.com/repos/google/copybara/releases/233874971","Warn: release artifact v20250714 not signed: https://api.github.com/repos/google/copybara/releases/232190483","Warn: release artifact v20250811 does not have provenance: https://api.github.com/repos/google/copybara/releases/238978195","Warn: release artifact v20250804 does not have provenance: https://api.github.com/repos/google/copybara/releases/237311739","Warn: release artifact v20250728 does not have provenance: https://api.github.com/repos/google/copybara/releases/235601920","Warn: release artifact v20250721 does not have provenance: https://api.github.com/repos/google/copybara/releases/233874971","Warn: release artifact v20250714 does not have provenance: https://api.github.com/repos/google/copybara/releases/232190483"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: github.com/google/.github/SECURITY.md:1","Info: Found linked content: github.com/google/.github/SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/google/.github/SECURITY.md:1","Info: Found text in security policy: github.com/google/.github/SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}}]},"last_synced_at":"2025-08-16T13:52:11.116Z","repository_id":37428542,"created_at":"2025-08-16T13:52:11.116Z","updated_at":"2025-08-16T13:52:11.116Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29508742,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-16T09:05:14.864Z","status":"ssl_error","status_checked_at":"2026-02-16T08:55:59.364Z","response_time":115,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T13:00:59.455Z","updated_at":"2026-02-16T13:10:24.505Z","avatar_url":"https://github.com/google.png","language":"Java","readme":"# Copybara\n\n*A tool for transforming and moving code between repositories.*\n\nCopybara is a tool used internally at Google. It transforms and moves code between repositories.\n\nOften, source code needs to exist in multiple repositories, and Copybara allows you to transform\nand move source code between these repositories. A common case is a project that involves\nmaintaining a confidential repository and a public repository in sync.\n\nCopybara requires you to choose one of the repositories to be the authoritative repository, so that\nthere is always one source of truth. However, the tool allows contributions to any repository, and\nany repository can be used to cut a release.\n\nThe most common use case involves repetitive movement of code from one repository to another.\nCopybara can also be used for moving code once to a new repository.\n\nExamples uses of Copybara include:\n\n  - Importing sections of code from a confidential repository to a public repository.\n\n  - Importing code from a public repository to a confidential repository.\n\n  - Importing a change from a non-authoritative repository into the authoritative repository. When\n    a change is made in the non-authoritative repository (for example, a contributor in the public\n    repository), Copybara transforms and moves that change into the appropriate place in the\n    authoritative repository. Any merge conflicts are dealt with in the same way as an out-of-date\n    change within the authoritative repository.\n\nOne of the main features of Copybara is that it is stateless, or more specifically, that it stores\nthe state in the destination repository (As a label in the commit message). This allows several\nusers (or a service) to use Copybara for the same config/repositories and get the same result.\n\nCurrently, the only supported type of repository is Git. Copybara is also able\nto read from Mercurial repositories, but the feature is still experimental.\nThe extensible architecture allows adding bespoke origins and destinations\nfor almost any use case.\nOfficial support for other repositories types will be added in the future.\n\n## Example\n\n```python\ncore.workflow(\n    name = \"default\",\n    origin = git.github_origin(\n      url = \"https://github.com/google/copybara.git\",\n      ref = \"master\",\n    ),\n    destination = git.destination(\n        url = \"file:///tmp/foo\",\n    ),\n\n    # Copy everything but don't remove a README_INTERNAL.txt file if it exists.\n    destination_files = glob([\"third_party/copybara/**\"], exclude = [\"README_INTERNAL.txt\"]),\n\n    authoring = authoring.pass_thru(\"Default email \u003cdefault@default.com\u003e\"),\n    transformations = [\n        core.replace(\n                before = \"//third_party/bazel/bashunit\",\n                after = \"//another/path:bashunit\",\n                paths = glob([\"**/BUILD\"])),\n        core.move(\"\", \"third_party/copybara\")\n    ],\n)\n```\n\nRun:\n\n```shell\n$ (mkdir /tmp/foo ; cd /tmp/foo ; git init --bare)\n$ copybara copy.bara.sky\n```\n\n## Getting Started using Copybara\n\nThe easiest way to start is with weekly \"snapshot\" releases, that include pre-built a binary.\nNote that these are released automatically without any manual testing, version compatibility or correctness guarantees.\n\nChoose a release from https://github.com/google/copybara/releases.\n\n### Building from Source\n\nTo use an unreleased version of copybara, so you need to compile from HEAD.\nIn order to do that, you need to do the following:\n\n  * [Install JDK 11](https://www.oracle.com/java/technologies/downloads/#java11).\n  * [Install Bazel](https://bazel.build/install).\n  * Clone the copybara source locally:\n      * `git clone https://github.com/google/copybara.git`\n  * Build:\n      * `bazel build //java/com/google/copybara`\n      * `bazel build //java/com/google/copybara:copybara_deploy.jar` to create an executable uberjar.\n  * Tests: `bazel test //...` if you want to ensure you are not using a broken version. Note that\n    certain tests require the underlying tool to be installed(e.g. Mercurial, Quilt, etc.). It is\n    fine to skip those tests if your Pull Request is unrelated to those modules (And our CI will\n    run all the tests anyway).\n\n### System packages\n\nThese packages can be installed using the appropriate package manager for your\nsystem.\n\n#### Arch Linux\n\n  * [`aur/copybara-git`][install/archlinux/aur-git]\n\n[install/archlinux/aur-git]: https://aur.archlinux.org/packages/copybara-git \"Copybara on the AUR\"\n\n### Using Intellij with Bazel plugin\n\nIf you use Intellij and the Bazel plugin, use this project configuration:\n\n```\ndirectories:\n  copybara/integration\n  java/com/google/copybara\n  javatests/com/google/copybara\n  third_party\n\ntargets:\n  //copybara/integration/...\n  //java/com/google/copybara/...\n  //javatests/com/google/copybara/...\n  //third_party/...\n```\n\nNote: configuration files can be stored in any place, even in a local folder.\nWe recommend using a VCS (like git) to store them; treat them as source code.\n\n### Using pre-built Copybara in Bazel\n\nIf using a weekly snapshot release, install Copybara as follows:\n\n1. Copybara ships with class files with version 65.0, so it must be run with Java Runtime 21 or greater. Add to your `.bazelrc` file: `run --java_runtime_version=remotejdk_21`\n2. Use `http_jar` to download the release artifact.\n   - In WORKSPACE: `load(\"@bazel_tools//tools/build_defs/repo:http.bzl\", \"http_jar\")`\n   - In MODULE.bazel: `http_jar = use_repo_rule(\"@bazel_tools//tools/build_defs/repo:http.bzl\", \"http_jar\")`\n3. In WORKSPACE or MODULE.bazel, fill in the `[version]` placeholder:\n    ```starlark\n    http_jar(\n        name = \"com_github_google_copybara\",\n        # Fill in from https://github.com/google/copybara/releases/download/[version]/copybara_deploy.jar.sha256\n        # sha256 = \"\",\n        urls = [\"https://github.com/google/copybara/releases/download/[version]/copybara_deploy.jar\"],\n    )\n    ```\n4. In any BUILD file (perhaps `/tools/BUILD.bazel`) declare the `java_binary`:\n   ```starlark\n   load(\"@rules_java//java:java_binary.bzl\", \"java_binary\")\n   java_binary(\n      name = \"copybara\",\n      main_class = \"com.google.copybara.Main\",\n      runtime_deps = [\"@com_github_google_copybara//jar\"],\n   )\n   ```\n5. Use that target with `bazel run`, for example `bazel run //tools:copybara -- migrate copy.bara.sky`\n\n### Building Copybara from Source as an external Bazel repository\n\nThere are convenience macros defined for all of Copybara's dependencies. Add the\nfollowing code to your `WORKSPACE` file, replacing `{{ sha256sum }}` and\n`{{ commit }}` as necessary.\n\n```bzl\nhttp_archive(\n  name = \"com_github_google_copybara\",\n  sha256 = \"{{ sha256sum }}\",\n  strip_prefix = \"copybara-{{ commit }}\",\n  url = \"https://github.com/google/copybara/archive/{{ commit }}.zip\",\n)\n\nload(\"@com_github_google_copybara//:repositories.bzl\", \"copybara_repositories\")\n\ncopybara_repositories()\n\nload(\"@com_github_google_copybara//:repositories.maven.bzl\", \"copybara_maven_repositories\")\n\ncopybara_maven_repositories()\n\nload(\"@com_github_google_copybara//:repositories.go.bzl\", \"copybara_go_repositories\")\n\ncopybara_go_repositories()\n```\n\nYou can then build and run the Copybara tool from within your workspace:\n\n```sh\nbazel run @com_github_google_copybara//java/com/google/copybara -- \u003cargs...\u003e\n```\n\n### Using Docker to build and run Copybara\n\n*NOTE: Docker use is currently experimental, and we encourage feedback or contributions.*\n\nYou can build copybara using Docker like so\n\n```sh\ndocker build --rm -t copybara .\n```\n\nOnce this has finished building, you can run the image like so from the root of\nthe code you are trying to use Copybara on:\n\n```sh\ndocker run -it -v \"$(pwd)\":/usr/src/app copybara help\n```\n\n#### Environment variables\n\nIn addition to passing cmd args to the container, you can also set the following\nenvironment variables as an alternative:\n* `COPYBARA_SUBCOMMAND=migrate`\n  * allows you to change the command run, defaults to `migrate`\n* `COPYBARA_CONFIG=copy.bara.sky`\n  * allows you to specify a path to a config file, defaults to root `copy.bara.sky`\n* `COPYBARA_WORKFLOW=default`\n  * allows you to specify the workflow to run, defaults to `default`\n* `COPYBARA_SOURCEREF=''`\n  * allows you to specify the sourceref, defaults to none\n* `COPYBARA_OPTIONS=''`\n  * allows you to specify options for copybara, defaults to none\n\n```sh\ndocker run \\\n    -e COPYBARA_SUBCOMMAND='validate' \\\n    -e COPYBARA_CONFIG='other.config.sky' \\\n    -v \"$(pwd)\":/usr/src/app \\\n    -it copybara\n```\n\n#### Git Config and Credentials\n\nThere are a number of ways by which to share your git config and ssh credentials\nwith the Docker container, an example is below:\n\n```sh\ndocker run \\\n    -v ~/.gitconfig:/root/.gitconfig:ro \\\n    -v ~/.ssh:/root/.ssh \\\n    -v ${SSH_AUTH_SOCK}:${SSH_AUTH_SOCK} -e SSH_AUTH_SOCK\n    -v \"$(pwd)\":/usr/src/app \\\n    -it copybara\n```\n\n## Documentation\n\nWe are still working on the documentation. Here are some resources:\n\n  * [Reference documentation](docs/reference.md)\n  * [Examples](docs/examples.md)\n  * [Tutorial on how to get started](https://blog.kubesimplify.com/moving-code-between-git-repositories-with-copybara)\n\n## Contact us\n\nIf you have any questions about how Copybara works, please contact us at our\n[mailing list](https://groups.google.com/forum/#!forum/copybara-discuss).\n\n## Optional tips\n\n* If you want to see the test errors in Bazel, instead of having to `cat` the\n  logs, add this line to your `~/.bazelrc`:\n\n  ```\n  test --test_output=streamed\n  ```\n","funding_links":[],"categories":["Users","Java","Projects built with Bazel","Java (78)","others","GitHub Management"],"sub_categories":["Google projects"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoogle%2Fcopybara","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgoogle%2Fcopybara","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoogle%2Fcopybara/lists"}