From d7b4d0e0babffebb0c97cd8afc80432d85b422ce Mon Sep 17 00:00:00 2001 From: Miran Kurukulasuriya Date: Fri, 9 Jun 2023 15:02:44 +0530 Subject: [PATCH 1/9] Integrate cosign into ballerina distribution --- .github/workflows/publish-release.yml | 398 +++++++++++++++++++++----- 1 file changed, 328 insertions(+), 70 deletions(-) diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml index f2ac040e19..2ba56a787f 100644 --- a/.github/workflows/publish-release.yml +++ b/.github/workflows/publish-release.yml @@ -12,6 +12,10 @@ on: required: false default: '' +permissions: + id-token: write + contents: write + jobs: publish-release: name: Publish Release 
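Review bot: The new `permissions:` block is declared at workflow level, so `id-token: write` and `contents: write` apply to every job and step in this file, including the third-party actions the jobs call. Keyless signing needs `id-token: write` only in jobs that run `cosign sign-blob`. Declaring the block under each such job (for example under `publish-release:`) keeps the grant next to its use and stops a job added later from inheriting it. A short comment such as `# id-token: write is required for cosign keyless (OIDC) signing` would document why the grant exists.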
@@ -44,32 +48,32 @@ jobs: echo "::set-output name=longVersion::$LONG_VERSION" - name: Pre release depenency version update env: - GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | echo "Version: ${VERSION}" echo "Tagged Version: ${GIT_TAG}" - git config user.name ${{ secrets.BALLERINA_BOT_USERNAME }} - git config user.email ${{ secrets.BALLERINA_BOT_EMAIL }} + git config user.name ${{ github.actor }} + git config user.email ${{ secrets.USER_EMAIL }} git checkout -b release-${GIT_TAG} - name: Generate UUID run: | UUID=$(uuidgen) perl -pi -e "s/^\s*installerVersion=.*/installerVersion=$UUID/" gradle.properties - git config user.name ${{ secrets.BALLERINA_BOT_USERNAME }} - git config user.email ${{ secrets.BALLERINA_BOT_EMAIL }} + git config user.name ${{ github.actor }} + git config user.email ${{ secrets.USER_EMAIL }} git add gradle.properties git commit -m "Update UUID for installer" - name: Grant execute permission for gradlew run: chmod +x gradlew - name: Publish artifact env: - GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} - packageUser: ${{ secrets.BALLERINA_BOT_USERNAME }} - packagePAT: ${{ secrets.BALLERINA_BOT_TOKEN }} - devCentralToken: ${{ secrets.BALLERINA_DEV_CENTRAL_ACCESS_TOKEN }} - ballerinaBotWorkflow: $ {{ secrets.BALLERINA_BOT_WORKFLOW }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + packageUser: ${{ github.actor }} + packagePAT: ${{ secrets.GITHUB_TOKEN }} +# devCentralToken: ${{ secrets.BALLERINA_DEV_CENTRAL_ACCESS_TOKEN }} +# ballerinaBotWorkflow: $ {{ secrets.BALLERINA_BOT_WORKFLOW }} run: | - ./gradlew build -Pversion=${VERSION} + ./gradlew build -Pversion=${VERSION} -x centralTests -x test ./gradlew release -Prelease.useAutomaticVersion=true -x test - name: Checkout docker repo uses: actions/checkout@v2 
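Review bot: In the `Publish artifact` step the build command becomes `./gradlew build -Pversion=${VERSION} -x centralTests -x test`, so the release build no longer runs either test suite and the artifacts signed later come from an untested build. Together with the commented-out `devCentralToken` and `ballerinaBotWorkflow` entries and the switch from the bot account to `${{ github.actor }}`, this reads like scaffolding for running the workflow on a fork; if so, it should be reverted before merge. The same applies to the commented-out `Post release PR` and `Run Installer Tests` steps in later hunks. Separately, `git config user.name ${{ github.actor }}` expands the expression straight into the shell script; passing it through `env:` and writing `git config user.name "$ACTOR"` is the safer pattern.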
@@ -78,38 +82,40 @@ jobs: path: module-ballerina-docker - name: Copy zip artifact run: cp ballerina/build/distributions/ballerina-22*.zip module-ballerina-docker/base/docker/ - - name: Set up QEMU - uses: docker/setup-qemu-action@v1 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 - - name: Login to DockerHub - uses: docker/login-action@v1 - with: - username: ${{ secrets.DOCKER_HUB_USER }} - password: ${{ secrets.DOCKER_HUB_TOKEN }} - - name: Build the docker image - id: docker_build - uses: docker/build-push-action@v2 - with: - context: module-ballerina-docker/base/docker/ - load: true - push: false - tags: ballerina/ballerina:release-test - build-args: | - BALLERINA_DIST=ballerina-${{ steps.version-set.outputs.sversion }}.zip - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@master - with: - image-ref: 'ballerina/ballerina:release-test' - skip-dirs: 'ballerina/runtime/examples' - format: 'table' - exit-code: '1' - timeout: "10m0s" +# - name: Set up QEMU +# uses: docker/setup-qemu-action@v1 +# - name: Set up Docker Buildx +# uses: docker/setup-buildx-action@v1 +# - name: Login to DockerHub +# uses: docker/login-action@v1 +# with: +# username: ${{ secrets.DOCKER_HUB_USER }} +# password: ${{ secrets.DOCKER_HUB_TOKEN }} +# - name: Build the docker image +# id: docker_build +# uses: docker/build-push-action@v2 +# with: +# context: module-ballerina-docker/base/docker/ +# load: true +# push: false +# tags: ballerina/ballerina:release-test +# build-args: | +# BALLERINA_DIST=ballerina-${{ steps.version-set.outputs.sversion }}.zip +# - name: Run Trivy vulnerability scanner +# uses: aquasecurity/trivy-action@master +# with: +# image-ref: 'ballerina/ballerina:release-test' +# skip-dirs: 'ballerina/runtime/examples' +# format: 'table' +# exit-code: '1' +# timeout: "10m0s" + - name: cosign-installer + uses: sigstore/cosign-installer@v3.0.3 - name: Create release id: create_release uses: actions/create-release@v1 env: - 
GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: tag_name: "v${{ steps.version-set.outputs.taggedVersion }}" release_name: ${{ steps.version-set.outputs.taggedVersion }} 
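Review bot: Commenting out the `Build the docker image` and `Run Trivy vulnerability scanner` steps removes the only gate in this hunk that failed the release on scan findings (`exit-code: '1'`), and nothing in the hunk replaces it. If the Docker build is being dropped on purpose, delete the steps and give the reason in the commit message; otherwise restore them so a signed release still has to pass the scan. The added `uses: sigstore/cosign-installer@v3.0.3` references a mutable tag. Since this action installs the binary that produces every signature, pin it to a full commit SHA, e.g. `uses: sigstore/cosign-installer@<commit-sha> # v3.0.3`.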
@@ -121,85 +127,249 @@ jobs: cd installers/linux-deb ./build-ballerina-linux-deb-x64.sh -v ${{ steps.version-set.outputs.longVersion }} -p ./../../ballerina/build/distributions echo "Created linux-deb successfully" + - name: Sign the linux-deb installer + env: + COSIGN_EXPERIMENTAL: "true" + run: | + cosign sign-blob installers/linux-deb/target/ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.deb --output-certificate ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.deb.pem --output-signature ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.deb.sig --yes + - name: Verify the linux-deb installer + env: + COSIGN_EXPERIMENTAL: "true" + run: | + cosign verify-blob installers/linux-deb/target/ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.deb --certificate ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.deb.pem --signature ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.deb.sig --certificate-identity=https://github.com/${{ github.actor }}/ballerina-distribution/.github/workflows/publish-release.yml@refs/heads/integrate-cosign --certificate-oidc-issuer=https://token.actions.githubusercontent.com - name: Create linux-rpm Installer id: run_installers_rpm run: | cd installers/linux-rpm ./build-ballerina-linux-rpm-x64.sh -v ${{ steps.version-set.outputs.longVersion }} -p ./../../ballerina/build/distributions echo "Created linux-rpm successfully" + - name: Sign the linux-rpm installer + env: + COSIGN_EXPERIMENTAL: "true" + run: | + cosign sign-blob installers/linux-rpm/rpmbuild/RPMS/x86_64/ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.rpm --output-certificate ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.rpm.pem --output-signature ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.rpm.sig --yes + - name: Verify the linux-rpm installer + env: + COSIGN_EXPERIMENTAL: "true" + run: | + cosign verify-blob 
installers/linux-rpm/rpmbuild/RPMS/x86_64/ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.rpm --certificate ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.rpm.pem --signature ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.rpm.sig --certificate-identity=https://github.com/${{ github.actor }}/ballerina-distribution/.github/workflows/publish-release.yml@refs/heads/integrate-cosign --certificate-oidc-issuer=https://token.actions.githubusercontent.com - name: Generate Hashes run: | openssl dgst -sha256 -out ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.deb.sha256 installers/linux-deb/target/ballerina-*-linux-x64.deb openssl dgst -sha256 -out ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.rpm.sha256 installers/linux-rpm/rpmbuild/RPMS/x86_64/ballerina-*-linux-x64.rpm openssl dgst -sha256 -out ballerina-${{ steps.version-set.outputs.longVersion }}.zip.sha256 ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.longVersion }}.zip openssl dgst -sha256 -out ballerina-${{ steps.version-set.outputs.sversion }}.zip.sha256 ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.sversion }}.zip + - name: Sign the zip artifacts + env: + COSIGN_EXPERIMENTAL: "true" + run: | + cosign sign-blob ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.longVersion }}.zip --output-certificate ballerina-${{ steps.version-set.outputs.longVersion }}.pem --output-signature ballerina-${{ steps.version-set.outputs.longVersion }}.sig --yes + cosign sign-blob ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.sversion }}.zip --output-certificate ballerina-${{ steps.version-set.outputs.sversion }}.pem --output-signature ballerina-${{ steps.version-set.outputs.sversion }}.sig --yes + cosign sign-blob ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.longVersion }}-macos.zip --output-certificate ballerina-${{ 
steps.version-set.outputs.longVersion }}-macos.pem --output-signature ballerina-${{ steps.version-set.outputs.longVersion }}-macos.sig --yes + cosign sign-blob ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.longVersion }}-macos-arm.zip --output-certificate ballerina-${{ steps.version-set.outputs.longVersion }}-macos-arm.pem --output-signature ballerina-${{ steps.version-set.outputs.longVersion }}-macos-arm.sig --yes + cosign sign-blob ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.longVersion }}-windows.zip --output-certificate ballerina-${{ steps.version-set.outputs.longVersion }}-windows.pem --output-signature ballerina-${{ steps.version-set.outputs.longVersion }}-windows.sig --yes + - name: Verify the zip artifacts + env: + COSIGN_EXPERIMENTAL: "true" + run: | + cosign verify-blob ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.longVersion }}.zip --certificate ballerina-${{ steps.version-set.outputs.longVersion }}.pem --signature ballerina-${{ steps.version-set.outputs.longVersion }}.sig --certificate-identity=https://github.com/${{ github.actor }}/ballerina-distribution/.github/workflows/publish-release.yml@refs/heads/integrate-cosign --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.sversion }}.zip --certificate ballerina-${{ steps.version-set.outputs.sversion }}.pem --signature ballerina-${{ steps.version-set.outputs.sversion }}.sig --certificate-identity=https://github.com/${{ github.actor }}/ballerina-distribution/.github/workflows/publish-release.yml@refs/heads/integrate-cosign --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.longVersion }}-macos.zip --certificate ballerina-${{ steps.version-set.outputs.longVersion }}-macos.pem --signature ballerina-${{ 
steps.version-set.outputs.longVersion }}-macos.sig --certificate-identity=https://github.com/${{ github.actor }}/ballerina-distribution/.github/workflows/publish-release.yml@refs/heads/integrate-cosign --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.longVersion }}-macos-arm.zip --certificate ballerina-${{ steps.version-set.outputs.longVersion }}-macos-arm.pem --signature ballerina-${{ steps.version-set.outputs.longVersion }}-macos-arm.sig --certificate-identity=https://github.com/${{ github.actor }}/ballerina-distribution/.github/workflows/publish-release.yml@refs/heads/integrate-cosign --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.longVersion }}-windows.zip --certificate ballerina-${{ steps.version-set.outputs.longVersion }}-windows.pem --signature ballerina-${{ steps.version-set.outputs.longVersion }}-windows.sig --certificate-identity=https://github.com/${{ github.actor }}/ballerina-distribution/.github/workflows/publish-release.yml@refs/heads/integrate-cosign --certificate-oidc-issuer=https://token.actions.githubusercontent.com - name: Upload zip artifacts uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: upload_url: ${{ steps.create_release.outputs.upload_url }} asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}.zip asset_path: ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.longVersion }}.zip asset_content_type: application/octet-stream + - name: Upload zip artifact's Certificate + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ steps.create_release.outputs.upload_url }} + asset_name: ballerina-${{ steps.version-set.outputs.longVersion 
}}.pem + asset_path: ./ballerina-${{ steps.version-set.outputs.longVersion }}.pem + asset_content_type: application/octet-stream + - name: Upload zip artifact's Signature + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ steps.create_release.outputs.upload_url }} + asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}.sig + asset_path: ./ballerina-${{ steps.version-set.outputs.longVersion }}.sig + asset_content_type: application/octet-stream - name: Upload zip without tool artifacts uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: upload_url: ${{ steps.create_release.outputs.upload_url }} asset_name: ballerina-${{ steps.version-set.outputs.sversion }}.zip asset_path: ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.sversion }}.zip asset_content_type: application/octet-stream + - name: Upload zip without tool artifact's Certificate + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ steps.create_release.outputs.upload_url }} + asset_name: ballerina-${{ steps.version-set.outputs.sversion }}.pem + asset_path: ./ballerina-${{ steps.version-set.outputs.sversion }}.pem + asset_content_type: application/octet-stream + - name: Upload zip without tool artifact's Signature + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ steps.create_release.outputs.upload_url }} + asset_name: ballerina-${{ steps.version-set.outputs.sversion }}.sig + asset_path: ./ballerina-${{ steps.version-set.outputs.sversion }}.sig + asset_content_type: application/octet-stream - name: Upload Linux deb Installer uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: upload_url: ${{ 
steps.create_release.outputs.upload_url }} asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.deb asset_path: installers/linux-deb/target/ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.deb asset_content_type: application/octet-stream + - name: Upload Linux deb Installer's Certificate + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ steps.create_release.outputs.upload_url }} + asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.deb.pem + asset_path: ./ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.deb.pem + asset_content_type: application/octet-stream + - name: Upload Linux deb Installer's Signature + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ steps.create_release.outputs.upload_url }} + asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.deb.sig + asset_path: ./ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.deb.sig + asset_content_type: application/octet-stream - name: Upload Linux rpm Installer uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: upload_url: ${{ steps.create_release.outputs.upload_url }} asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.rpm asset_path: installers/linux-rpm/rpmbuild/RPMS/x86_64/ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.rpm asset_content_type: application/octet-stream + - name: Upload Linux rpm Installer's Certificate + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ steps.create_release.outputs.upload_url }} + asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.rpm.pem + asset_path: ./ballerina-${{ steps.version-set.outputs.longVersion 
}}-linux-x64.rpm.pem + asset_content_type: application/octet-stream + - name: Upload Linux rpm Installer's Signature + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ steps.create_release.outputs.upload_url }} + asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.rpm.sig + asset_path: ./ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.rpm.sig + asset_content_type: application/octet-stream - name: Upload MacOS zip artifacts uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: upload_url: ${{ steps.create_release.outputs.upload_url }} asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}-macos.zip asset_path: ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.longVersion }}-macos.zip asset_content_type: application/octet-stream + - name: Upload MacOS zip artifact's Certificate + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ steps.create_release.outputs.upload_url }} + asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}-macos.pem + asset_path: ./ballerina-${{ steps.version-set.outputs.longVersion }}-macos.pem + asset_content_type: application/octet-stream + - name: Upload MacOS zip artifact's Signature + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ steps.create_release.outputs.upload_url }} + asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}-macos.sig + asset_path: ./ballerina-${{ steps.version-set.outputs.longVersion }}-macos.sig + asset_content_type: application/octet-stream - name: Upload MacOS-ARM zip artifacts uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: upload_url: ${{ 
steps.create_release.outputs.upload_url }} asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}-macos-arm.zip asset_path: ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.longVersion }}-macos-arm.zip asset_content_type: application/octet-stream + - name: Upload MacOS-ARM zip artifact's Certificate + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ steps.create_release.outputs.upload_url }} + asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}-macos-arm.pem + asset_path: ./ballerina-${{ steps.version-set.outputs.longVersion }}-macos-arm.pem + asset_content_type: application/octet-stream + - name: Upload MacOS-ARM zip artifact's Signature + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ steps.create_release.outputs.upload_url }} + asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}-macos-arm.sig + asset_path: ./ballerina-${{ steps.version-set.outputs.longVersion }}-macos-arm.sig + asset_content_type: application/octet-stream - name: Upload Windows zip artifacts uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: upload_url: ${{ steps.create_release.outputs.upload_url }} asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}-windows.zip asset_path: ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.longVersion }}-windows.zip asset_content_type: application/octet-stream + - name: Upload Windows zip artifact's Certificate + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ steps.create_release.outputs.upload_url }} + asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}-windows.pem + asset_path: ./ballerina-${{ steps.version-set.outputs.longVersion }}-windows.pem + 
asset_content_type: application/octet-stream + - name: Upload Windows zip artifact's Signature + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ steps.create_release.outputs.upload_url }} + asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}-windows.sig + asset_path: ./ballerina-${{ steps.version-set.outputs.longVersion }}-windows.sig + asset_content_type: application/octet-stream - name: Upload Linux deb Hashes uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: upload_url: ${{ steps.create_release.outputs.upload_url }} asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.deb.sha256 @@ -208,7 +378,7 @@ jobs: - name: Upload Linux rpm Hashes uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: upload_url: ${{ steps.create_release.outputs.upload_url }} asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.rpm.sha256 @@ -217,7 +387,7 @@ jobs: - name: Upload Ballerina zip Hashes uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: upload_url: ${{ steps.create_release.outputs.upload_url }} asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}.zip.sha256 
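Review bot: Every `cosign verify-blob` step passes `--certificate-identity=https://github.com/${{ github.actor }}/ballerina-distribution/.github/workflows/publish-release.yml@refs/heads/integrate-cosign`, which ties verification to the account that triggered the run and to the feature branch. The certificate identity for a GitHub Actions run is the workflow path and ref, so this check would be expected to fail whenever the workflow runs from another branch or is triggered by someone other than the repository owner. Build the value from the run context instead, `--certificate-identity=https://github.com/${{ github.workflow_ref }}`, and publish the expected identity and issuer with the release so downloaders can run the same check. The same string is repeated in the macOS, macOS-ARM and Windows verify steps in later hunks. `COSIGN_EXPERIMENTAL: "true"` is probably unnecessary if the installer provides cosign 2.x, where keyless signing is the default; worth confirming and dropping.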
@@ -226,18 +396,18 @@ jobs: - name: Upload ballerina Short Name zip Hashes uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: upload_url: ${{ steps.create_release.outputs.upload_url }} asset_name: ballerina-${{ steps.version-set.outputs.sversion }}.zip.sha256 asset_path: ballerina-${{ steps.version-set.outputs.sversion }}.zip.sha256 asset_content_type: application/octet-stream - - name: Post release PR - env: - GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} - run: | - curl -fsSL https://github.com/github/hub/raw/master/script/get | bash -s 2.14.1 - bin/hub pull-request -m "[Automated] Sync master after "$VERSION" release" +# - name: Post release PR +# env: +# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} +# run: | +# curl -fsSL https://github.com/github/hub/raw/master/script/get | bash -s 2.14.1 +# bin/hub pull-request -m "[Automated] Sync master after "$VERSION" release" outputs: project-version: ${{ steps.version-set.outputs.longVersion }} 
@@ -259,20 +429,32 @@ jobs: java-version: '11' - name: Download MacOS Intaller Zip run: | - wget https://github.com/ballerina-platform/ballerina-distribution/releases/download/v${{ needs.publish-release.outputs.release-version }}/ballerina-${{ needs.publish-release.outputs.project-version }}-macos.zip + wget https://github.com/${{ github.actor }}/ballerina-distribution/releases/download/v${{ needs.publish-release.outputs.release-version }}/ballerina-${{ needs.publish-release.outputs.project-version }}-macos.zip + - name: cosign-installer + uses: sigstore/cosign-installer@v3.0.3 - name: Create macos-pkg Installer id: run_installers_pkg run: | cd installers/mac ./build-ballerina-macos-x64.sh -v ${{ needs.publish-release.outputs.project-version }} -p ./../../ echo "Created macos-pkg successfully" + - name: Sign the MacOS installer + env: + COSIGN_EXPERIMENTAL: "true" + run: | + cosign sign-blob installers/mac/target/pkg/ballerina-${{ needs.publish-release.outputs.project-version }}-macos-x64.pkg --output-certificate ballerina-${{ needs.publish-release.outputs.project-version }}-macos-x64.pkg.pem --output-signature ballerina-${{ needs.publish-release.outputs.project-version }}-macos-x64.pkg.sig --yes + - name: Verify the MacOS installer + env: + COSIGN_EXPERIMENTAL: "true" + run: | + cosign verify-blob installers/mac/target/pkg/ballerina-${{ needs.publish-release.outputs.project-version }}-macos-x64.pkg --certificate ballerina-${{ needs.publish-release.outputs.project-version }}-macos-x64.pkg.pem --signature ballerina-${{ needs.publish-release.outputs.project-version }}-macos-x64.pkg.sig --certificate-identity=https://github.com/${{ github.actor }}/ballerina-distribution/.github/workflows/publish-release.yml@refs/heads/integrate-cosign --certificate-oidc-issuer=https://token.actions.githubusercontent.com - name: Generate Hashes run: | openssl dgst -sha256 -out ballerina-${{ needs.publish-release.outputs.project-version }}-macos-x64.pkg.sha256 
installers/mac/target/pkg/ballerina-${{ needs.publish-release.outputs.project-version }}-macos-x64.pkg - name: Upload MacOS pkg Hashes uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: upload_url: ${{ needs.publish-release.outputs.upload-asset-url }} asset_name: ballerina-${{ needs.publish-release.outputs.project-version }}-macos-x64.pkg.sha256 
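Review bot: `Download MacOS Intaller Zip` now fetches from `https://github.com/${{ github.actor }}/ballerina-distribution/releases/...`, so the source repository depends on who triggered the run rather than on the repository the workflow belongs to. `https://github.com/${{ github.repository }}/releases/download/...` names the right repository both upstream and on forks. The zip is then repackaged into the `.pkg` and signed without being checked, although the previous job uploaded its `.pem` and `.sig`. Downloading those two files and running `cosign verify-blob` on the zip before `build-ballerina-macos-x64.sh` would make the installer signature cover a verified input. The macOS-ARM and Windows download steps in later hunks have the same two gaps.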
@@ -281,28 +463,56 @@ jobs: - name: Upload MacOS pkg Installer uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: upload_url: ${{ needs.publish-release.outputs.upload-asset-url }} asset_name: ballerina-${{ needs.publish-release.outputs.project-version }}-macos-x64.pkg asset_path: installers/mac/target/pkg/ballerina-${{ needs.publish-release.outputs.project-version }}-macos-x64.pkg asset_content_type: application/octet-stream + - name: Upload MacOS installer's Certificate + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.publish-release.outputs.upload-asset-url }} + asset_name: ballerina-${{ needs.publish-release.outputs.project-version }}-macos-x64.pkg.pem + asset_path: ./ballerina-${{ needs.publish-release.outputs.project-version }}-macos-x64.pkg.pem + asset_content_type: application/octet-stream + - name: Upload MacOS installer's Signature + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.publish-release.outputs.upload-asset-url }} + asset_name: ballerina-${{ needs.publish-release.outputs.project-version }}-macos-x64.pkg.sig + asset_path: ./ballerina-${{ needs.publish-release.outputs.project-version }}-macos-x64.pkg.sig + asset_content_type: application/octet-stream - name: Download MacOS-ARM Intaller Zip run: | - wget https://github.com/ballerina-platform/ballerina-distribution/releases/download/v${{ needs.publish-release.outputs.release-version }}/ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm.zip + wget https://github.com/${{ github.actor }}/ballerina-distribution/releases/download/v${{ needs.publish-release.outputs.release-version }}/ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm.zip - name: Create macos-arm-pkg Installer id: run_installers_arm_pkg run: | cd installers/mac 
./build-ballerina-macos-x64.sh -v ${{ needs.publish-release.outputs.project-version }} -p ./../../ -a arm echo "Created macos-arm-pkg successfully" + - name: Sign the MacOS-ARM installer + env: + COSIGN_EXPERIMENTAL: "true" + run: | + cosign sign-blob installers/mac/target/pkg/ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm-x64.pkg --output-certificate ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm-x64.pkg.pem --output-signature ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm-x64.pkg.sig --yes + - name: Verify the MacOS-ARM installer + env: + COSIGN_EXPERIMENTAL: "true" + run: | + cosign verify-blob installers/mac/target/pkg/ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm-x64.pkg --certificate ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm-x64.pkg.pem --signature ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm-x64.pkg.sig --certificate-identity=https://github.com/${{ github.actor }}/ballerina-distribution/.github/workflows/publish-release.yml@refs/heads/integrate-cosign --certificate-oidc-issuer=https://token.actions.githubusercontent.com - name: Generate Hashes run: | openssl dgst -sha256 -out ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm-x64.pkg.sha256 installers/mac/target/pkg/ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm-x64.pkg - name: Upload MacOS-ARM pkg Hashes uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: upload_url: ${{ needs.publish-release.outputs.upload-asset-url }} asset_name: ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm-x64.pkg.sha256 
@@ -311,12 +521,30 @@ jobs: - name: Upload MacOS-ARM pkg Installer uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: upload_url: ${{ needs.publish-release.outputs.upload-asset-url }} asset_name: ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm-x64.pkg asset_path: installers/mac/target/pkg/ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm-x64.pkg asset_content_type: application/octet-stream + - name: Upload MacOS-ARM installer's Certificate + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.publish-release.outputs.upload-asset-url }} + asset_name: ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm-x64.pkg.pem + asset_path: ./ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm-x64.pkg.pem + asset_content_type: application/octet-stream + - name: Upload MacOS-ARM installer's Signature + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.publish-release.outputs.upload-asset-url }} + asset_name: ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm-x64.pkg.sig + asset_path: ./ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm-x64.pkg.sig + asset_content_type: application/octet-stream windows-installer-build: name: Windows Installer Build 
@@ -340,7 +568,9 @@ jobs: run: choco install wget --no-progress - name: Download Windows Intaller Zip run: | - wget https://github.com/ballerina-platform/ballerina-distribution/releases/download/v${{ needs.publish-release.outputs.release-version }}/ballerina-${{ needs.publish-release.outputs.project-version }}-windows.zip + wget https://github.com/${{ github.actor }}/ballerina-distribution/releases/download/v${{ needs.publish-release.outputs.release-version }}/ballerina-${{ needs.publish-release.outputs.project-version }}-windows.zip + - name: cosign-installer + uses: sigstore/cosign-installer@v3.0.3 - name: Create windows-msi Installer id: run_installers_msi run: | 
@@ -350,13 +580,23 @@ jobs: cd w .\build-ballerina-windows-x64.bat --version ${{ needs.publish-release.outputs.project-version }} --path .\..\ echo "Created windows-msi successfully" + - name: Sign the Windows installer + env: + COSIGN_EXPERIMENTAL: "true" + run: | + cosign sign-blob w\target\msi\ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi --output-certificate ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi.pem --output-signature ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi.sig --yes + - name: Verify the Windows installer + env: + COSIGN_EXPERIMENTAL: "true" + run: | + cosign verify-blob w\target\msi\ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi --certificate ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi.pem --signature ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi.sig --certificate-identity=https://github.com/${{ github.actor }}/ballerina-distribution/.github/workflows/publish-release.yml@refs/heads/integrate-cosign --certificate-oidc-issuer=https://token.actions.githubusercontent.com - name: Generate Hashes run: | openssl dgst -sha256 -out ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi.sha256 w\target\msi\ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi - name: Upload Windows msi Hashes uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: upload_url: ${{ needs.publish-release.outputs.upload-asset-url }} asset_name: ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi.sha256 
@@ -365,17 +605,35 @@ jobs: - name: Upload Windows msi Installer uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: upload_url: ${{ needs.publish-release.outputs.upload-asset-url }} asset_name: ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi asset_path: w\target\msi\ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi asset_content_type: application/octet-stream + - name: Upload Windows installer's Certificate + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.publish-release.outputs.upload-asset-url }} + asset_name: ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi.pem + asset_path: ./ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi.pem + asset_content_type: application/octet-stream + - name: Upload Windows installer's Signature + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.publish-release.outputs.upload-asset-url }} + asset_name: ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi.sig + asset_path: ./ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi.sig + asset_content_type: application/octet-stream - name: Install Ballerina msi run: msiexec /i w\target\msi\ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi /quiet /qr shell: cmd - - name: Run Installer Tests - working-directory: .\ballerina-test-automation\installer-test - run: | - $env:Path += ";C:\Program Files\Ballerina\bin" - .\..\gradlew build --stacktrace -scan --console=plain --no-daemon -DballerinaInstalled=true +# - name: Run Installer Tests +# working-directory: .\ballerina-test-automation\installer-test +# run: | +# $env:Path += ";C:\Program Files\Ballerina\bin" +# 
.\..\gradlew build --stacktrace -scan --console=plain --no-daemon -DballerinaInstalled=true From c1c04241e986f10a91248f84b61736744f7702d9 Mon Sep 17 00:00:00 2001 From: Miran Kurukulasuriya Date: Fri, 9 Jun 2023 17:15:28 +0530 Subject: [PATCH 2/9] Change user details and pat --- .github/workflows/publish-release.yml | 172 +++++++++++++------------- 1 file changed, 86 insertions(+), 86 deletions(-) diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml index 2ba56a787f..6f579ba232 100644 --- a/.github/workflows/publish-release.yml +++ b/.github/workflows/publish-release.yml 
@@ -48,30 +48,30 @@ jobs:
 echo "::set-output name=longVersion::$LONG_VERSION"
 - name: Pre release depenency version update
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }}
 run: |
 echo "Version: ${VERSION}"
 echo "Tagged Version: ${GIT_TAG}"
- git config user.name ${{ github.actor }}
- git config user.email ${{ secrets.USER_EMAIL }}
+ git config user.name ${{ secrets.BALLERINA_BOT_USERNAME }}
+ git config user.email ${{ secrets.BALLERINA_BOT_EMAIL }}
 git checkout -b release-${GIT_TAG}
 - name: Generate UUID
 run: |
 UUID=$(uuidgen)
 perl -pi -e "s/^\s*installerVersion=.*/installerVersion=$UUID/" gradle.properties
- git config user.name ${{ github.actor }}
- git config user.email ${{ secrets.USER_EMAIL }}
+ git config user.name ${{ secrets.BALLERINA_BOT_USERNAME }}
+ git config user.email ${{ secrets.BALLERINA_BOT_EMAIL }}
 git add gradle.properties
 git commit -m "Update UUID for installer"
 - name: Grant execute permission for gradlew
 run: chmod +x gradlew
 - name: Publish artifact
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- packageUser: ${{ github.actor }}
- packagePAT: ${{ secrets.GITHUB_TOKEN }}
-# devCentralToken: ${{ secrets.BALLERINA_DEV_CENTRAL_ACCESS_TOKEN }}
-# ballerinaBotWorkflow: $ {{ secrets.BALLERINA_BOT_WORKFLOW }}
+ GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }}
+ packageUser: ${{ secrets.BALLERINA_BOT_USERNAME }}
+ packagePAT: ${{ secrets.BALLERINA_BOT_TOKEN }}
+ devCentralToken: ${{ secrets.BALLERINA_DEV_CENTRAL_ACCESS_TOKEN }}
+ ballerinaBotWorkflow: $ {{ secrets.BALLERINA_BOT_WORKFLOW }}
 run: |
 ./gradlew build -Pversion=${VERSION} -x centralTests -x test
 ./gradlew release -Prelease.useAutomaticVersion=true -x test
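Review bot: The restored line `ballerinaBotWorkflow: $ {{ secrets.BALLERINA_BOT_WORKFLOW }}` has a space between `$` and `{{`, so it is not parsed as an expression and the variable receives that literal text instead of the secret; it should read `ballerinaBotWorkflow: ${{ secrets.BALLERINA_BOT_WORKFLOW }}`. This patch also puts the bot credentials back into the "Publish artifact" step while the `./gradlew build` line below them still carries `-x centralTests -x test` from the previous patch, so the artifact that gets published and signed is built without its tests. The `git config` lines interpolate secrets into the shell unquoted; `git config user.name "${{ secrets.BALLERINA_BOT_USERNAME }}"` keeps a value containing a space from being split into two arguments.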
@@ -82,40 +82,40 @@ jobs: path: module-ballerina-docker - name: Copy zip artifact run: cp ballerina/build/distributions/ballerina-22*.zip module-ballerina-docker/base/docker/ -# - name: Set up QEMU -# uses: docker/setup-qemu-action@v1 -# - name: Set up Docker Buildx -# uses: docker/setup-buildx-action@v1 -# - name: Login to DockerHub -# uses: docker/login-action@v1 -# with: -# username: ${{ secrets.DOCKER_HUB_USER }} -# password: ${{ secrets.DOCKER_HUB_TOKEN }} -# - name: Build the docker image -# id: docker_build -# uses: docker/build-push-action@v2 -# with: -# context: module-ballerina-docker/base/docker/ -# load: true -# push: false -# tags: ballerina/ballerina:release-test -# build-args: | -# BALLERINA_DIST=ballerina-${{ steps.version-set.outputs.sversion }}.zip -# - name: Run Trivy vulnerability scanner -# uses: aquasecurity/trivy-action@master -# with: -# image-ref: 'ballerina/ballerina:release-test' -# skip-dirs: 'ballerina/runtime/examples' -# format: 'table' -# exit-code: '1' -# timeout: "10m0s" + - name: Set up QEMU + uses: docker/setup-qemu-action@v1 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v1 + - name: Login to DockerHub + uses: docker/login-action@v1 + with: + username: ${{ secrets.DOCKER_HUB_USER }} + password: ${{ secrets.DOCKER_HUB_TOKEN }} + - name: Build the docker image + id: docker_build + uses: docker/build-push-action@v2 + with: + context: module-ballerina-docker/base/docker/ + load: true + push: false + tags: ballerina/ballerina:release-test + build-args: | + BALLERINA_DIST=ballerina-${{ steps.version-set.outputs.sversion }}.zip + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: 'ballerina/ballerina:release-test' + skip-dirs: 'ballerina/runtime/examples' + format: 'table' + exit-code: '1' + timeout: "10m0s" - name: cosign-installer uses: sigstore/cosign-installer@v3.0.3 - name: Create release id: create_release uses: actions/create-release@v1 env: - GITHUB_TOKEN: 
${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} with: tag_name: "v${{ steps.version-set.outputs.taggedVersion }}" release_name: ${{ steps.version-set.outputs.taggedVersion }} @@ -180,7 +180,7 @@ jobs: - name: Upload zip artifacts uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} with: upload_url: ${{ steps.create_release.outputs.upload_url }} asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}.zip @@ -189,7 +189,7 @@ jobs: - name: Upload zip artifact's Certificate uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} with: upload_url: ${{ steps.create_release.outputs.upload_url }} asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}.pem @@ -198,7 +198,7 @@ jobs: - name: Upload zip artifact's Signature uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} with: upload_url: ${{ steps.create_release.outputs.upload_url }} asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}.sig @@ -207,7 +207,7 @@ jobs: - name: Upload zip without tool artifacts uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} with: upload_url: ${{ steps.create_release.outputs.upload_url }} asset_name: ballerina-${{ steps.version-set.outputs.sversion }}.zip @@ -216,7 +216,7 @@ jobs: - name: Upload zip without tool artifact's Certificate uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} with: upload_url: ${{ steps.create_release.outputs.upload_url }} asset_name: ballerina-${{ steps.version-set.outputs.sversion }}.pem 
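Review bot: The re-enabled "Run Trivy vulnerability scanner" step in the `-82,40` hunk uses `aquasecurity/trivy-action@master`, a branch reference, so whatever is at the head of that branch runs inside the release job next to the Docker Hub credentials and the bot token. Pin it to a reviewed commit, `uses: aquasecurity/trivy-action@<full-commit-sha>`, and do the same for the `docker/setup-qemu-action@v1`, `docker/setup-buildx-action@v1`, `docker/login-action@v1` and `docker/build-push-action@v2` references restored alongside it. The image is built with `push: false`, so the "Login to DockerHub" step looks unnecessary here; if nothing later in the job pushes, dropping it keeps those two secrets out of the job entirely. The "Create release" step at the end of the hunk continues outside it.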
@@ -225,7 +225,7 @@ jobs: - name: Upload zip without tool artifact's Signature uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} with: upload_url: ${{ steps.create_release.outputs.upload_url }} asset_name: ballerina-${{ steps.version-set.outputs.sversion }}.sig @@ -234,7 +234,7 @@ jobs: - name: Upload Linux deb Installer uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} with: upload_url: ${{ steps.create_release.outputs.upload_url }} asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.deb @@ -243,7 +243,7 @@ jobs: - name: Upload Linux deb Installer's Certificate uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} with: upload_url: ${{ steps.create_release.outputs.upload_url }} asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.deb.pem @@ -252,7 +252,7 @@ jobs: - name: Upload Linux deb Installer's Signature uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} with: upload_url: ${{ steps.create_release.outputs.upload_url }} asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.deb.sig @@ -261,7 +261,7 @@ jobs: - name: Upload Linux rpm Installer uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} with: upload_url: ${{ steps.create_release.outputs.upload_url }} asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.rpm 
@@ -270,7 +270,7 @@ jobs: - name: Upload Linux rpm Installer's Certificate uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} with: upload_url: ${{ steps.create_release.outputs.upload_url }} asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.rpm.pem @@ -279,7 +279,7 @@ jobs: - name: Upload Linux rpm Installer's Signature uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} with: upload_url: ${{ steps.create_release.outputs.upload_url }} asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.rpm.sig @@ -288,7 +288,7 @@ jobs: - name: Upload MacOS zip artifacts uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} with: upload_url: ${{ steps.create_release.outputs.upload_url }} asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}-macos.zip @@ -297,7 +297,7 @@ jobs: - name: Upload MacOS zip artifact's Certificate uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} with: upload_url: ${{ steps.create_release.outputs.upload_url }} asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}-macos.pem @@ -306,7 +306,7 @@ jobs: - name: Upload MacOS zip artifact's Signature uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} with: upload_url: ${{ steps.create_release.outputs.upload_url }} asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}-macos.sig 
@@ -315,7 +315,7 @@ jobs: - name: Upload MacOS-ARM zip artifacts uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} with: upload_url: ${{ steps.create_release.outputs.upload_url }} asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}-macos-arm.zip @@ -324,7 +324,7 @@ jobs: - name: Upload MacOS-ARM zip artifact's Certificate uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} with: upload_url: ${{ steps.create_release.outputs.upload_url }} asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}-macos-arm.pem @@ -333,7 +333,7 @@ jobs: - name: Upload MacOS-ARM zip artifact's Signature uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} with: upload_url: ${{ steps.create_release.outputs.upload_url }} asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}-macos-arm.sig @@ -342,7 +342,7 @@ jobs: - name: Upload Windows zip artifacts uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} with: upload_url: ${{ steps.create_release.outputs.upload_url }} asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}-windows.zip @@ -351,7 +351,7 @@ jobs: - name: Upload Windows zip artifact's Certificate uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} with: upload_url: ${{ steps.create_release.outputs.upload_url }} asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}-windows.pem 
@@ -360,7 +360,7 @@ jobs: - name: Upload Windows zip artifact's Signature uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} with: upload_url: ${{ steps.create_release.outputs.upload_url }} asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}-windows.sig @@ -369,7 +369,7 @@ jobs: - name: Upload Linux deb Hashes uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} with: upload_url: ${{ steps.create_release.outputs.upload_url }} asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.deb.sha256 @@ -378,7 +378,7 @@ jobs: - name: Upload Linux rpm Hashes uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} with: upload_url: ${{ steps.create_release.outputs.upload_url }} asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.rpm.sha256 @@ -387,7 +387,7 @@ jobs: - name: Upload Ballerina zip Hashes uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} with: upload_url: ${{ steps.create_release.outputs.upload_url }} asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}.zip.sha256 
@@ -396,18 +396,18 @@ jobs: - name: Upload ballerina Short Name zip Hashes uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} with: upload_url: ${{ steps.create_release.outputs.upload_url }} asset_name: ballerina-${{ steps.version-set.outputs.sversion }}.zip.sha256 asset_path: ballerina-${{ steps.version-set.outputs.sversion }}.zip.sha256 asset_content_type: application/octet-stream -# - name: Post release PR -# env: -# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} -# run: | -# curl -fsSL https://github.com/github/hub/raw/master/script/get | bash -s 2.14.1 -# bin/hub pull-request -m "[Automated] Sync master after "$VERSION" release" + - name: Post release PR + env: + GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} + run: | + curl -fsSL https://github.com/github/hub/raw/master/script/get | bash -s 2.14.1 + bin/hub pull-request -m "[Automated] Sync master after "$VERSION" release" outputs: project-version: ${{ steps.version-set.outputs.longVersion }} @@ -454,7 +454,7 @@ jobs: - name: Upload MacOS pkg Hashes uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} with: upload_url: ${{ needs.publish-release.outputs.upload-asset-url }} asset_name: ballerina-${{ needs.publish-release.outputs.project-version }}-macos-x64.pkg.sha256 @@ -463,7 +463,7 @@ jobs: - name: Upload MacOS pkg Installer uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} with: upload_url: ${{ needs.publish-release.outputs.upload-asset-url }} asset_name: ballerina-${{ needs.publish-release.outputs.project-version }}-macos-x64.pkg 
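Review bot: The restored "Post release PR" step pipes `https://github.com/github/hub/raw/master/script/get` straight into `bash` while `GITHUB_TOKEN` holds the bot PAT, so the script that runs is whatever the `master` branch of that repository serves at release time, and it is never checked. GitHub-hosted runner images ship the `gh` CLI, which does the same job without a download: `gh pr create --title "[Automated] Sync master after $VERSION release" --body ""`. If `hub` has to stay, fetch the 2.14.1 release archive by its versioned URL and compare it with a recorded SHA-256 before unpacking. In the existing `-m` argument the inner double quotes close the string around `$VERSION`, leaving the variable unquoted.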
@@ -472,7 +472,7 @@ jobs: - name: Upload MacOS installer's Certificate uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} with: upload_url: ${{ needs.publish-release.outputs.upload-asset-url }} asset_name: ballerina-${{ needs.publish-release.outputs.project-version }}-macos-x64.pkg.pem @@ -481,7 +481,7 @@ jobs: - name: Upload MacOS installer's Signature uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} with: upload_url: ${{ needs.publish-release.outputs.upload-asset-url }} asset_name: ballerina-${{ needs.publish-release.outputs.project-version }}-macos-x64.pkg.sig @@ -512,7 +512,7 @@ jobs: - name: Upload MacOS-ARM pkg Hashes uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} with: upload_url: ${{ needs.publish-release.outputs.upload-asset-url }} asset_name: ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm-x64.pkg.sha256 @@ -521,7 +521,7 @@ jobs: - name: Upload MacOS-ARM pkg Installer uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} with: upload_url: ${{ needs.publish-release.outputs.upload-asset-url }} asset_name: ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm-x64.pkg @@ -530,7 +530,7 @@ jobs: - name: Upload MacOS-ARM installer's Certificate uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} with: upload_url: ${{ needs.publish-release.outputs.upload-asset-url }} asset_name: ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm-x64.pkg.pem 
@@ -539,7 +539,7 @@ jobs: - name: Upload MacOS-ARM installer's Signature uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} with: upload_url: ${{ needs.publish-release.outputs.upload-asset-url }} asset_name: ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm-x64.pkg.sig @@ -596,7 +596,7 @@ jobs: - name: Upload Windows msi Hashes uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} with: upload_url: ${{ needs.publish-release.outputs.upload-asset-url }} asset_name: ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi.sha256 @@ -605,7 +605,7 @@ jobs: - name: Upload Windows msi Installer uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} with: upload_url: ${{ needs.publish-release.outputs.upload-asset-url }} asset_name: ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi @@ -614,7 +614,7 @@ jobs: - name: Upload Windows installer's Certificate uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} with: upload_url: ${{ needs.publish-release.outputs.upload-asset-url }} asset_name: ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi.pem @@ -623,7 +623,7 @@ jobs: - name: Upload Windows installer's Signature uses: actions/upload-release-asset@v1 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} with: upload_url: ${{ needs.publish-release.outputs.upload-asset-url }} asset_name: ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi.sig 
@@ -632,8 +632,8 @@ jobs: - name: Install Ballerina msi run: msiexec /i w\target\msi\ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi /quiet /qr shell: cmd -# - name: Run Installer Tests -# working-directory: .\ballerina-test-automation\installer-test -# run: | -# $env:Path += ";C:\Program Files\Ballerina\bin" -# .\..\gradlew build --stacktrace -scan --console=plain --no-daemon -DballerinaInstalled=true + - name: Run Installer Tests + working-directory: .\ballerina-test-automation\installer-test + run: | + $env:Path += ";C:\Program Files\Ballerina\bin" + .\..\gradlew build --stacktrace -scan --console=plain --no-daemon -DballerinaInstalled=true From e5ab216f2843a8f1cf264816697e0345e760355c Mon Sep 17 00:00:00 2001 From: Miran Kurukulasuriya Date: Mon, 12 Jun 2023 17:07:38 +0530 Subject: [PATCH 3/9] Add release notes and change urls --- .github/workflows/publish-release.yml | 36 +++++++++++++++++---------- docs/release_notes.md | 35 ++++++++++++++++++++++++++ 2 files changed, 58 insertions(+), 13 deletions(-) create mode 100644 docs/release_notes.md diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml index 6f579ba232..3a0dc21b5d 100644 --- a/.github/workflows/publish-release.yml +++ b/.github/workflows/publish-release.yml @@ -111,6 +111,15 @@ jobs: timeout: "10m0s" - name: cosign-installer uses: sigstore/cosign-installer@v3.0.3 + - name: Read release notes from file + id: release_notes + uses: actions/github-script@v4 + with: + github-token: ${{ secrets.BALLERINA_BOT_TOKEN }} + script: | + const fs = require('fs'); + const releaseNotes = fs.readFileSync('docs/release_notes.md', 'utf8'); + core.setOutput('notes', releaseNotes); - name: Create release id: create_release uses: actions/create-release@v1 
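Review bot: The added "Read release notes from file" step passes `github-token: ${{ secrets.BALLERINA_BOT_TOKEN }}` to `actions/github-script`, but the script only calls `fs.readFileSync` and `core.setOutput`, so the PAT is handed to a step that makes no API call; drop the `github-token` line and the action falls back to its default token. `actions/github-script@v4` is an old major version referenced by tag; a current release pinned by commit SHA is the safer reference for a job that also signs artifacts. `readFileSync` throws when `docs/release_notes.md` is missing, which fails the release before "Create release" runs; that is presumably intended, and a one-line comment in the script saying so would make it explicit.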
@@ -119,6 +128,7 @@ jobs: with: tag_name: "v${{ steps.version-set.outputs.taggedVersion }}" release_name: ${{ steps.version-set.outputs.taggedVersion }} + body: ${{ steps.release_notes.outputs.notes }} draft: false prerelease: ${{ github.event.inputs.isPreRelease }} - name: Create linux-deb Installer @@ -136,7 +146,7 @@ jobs: env: COSIGN_EXPERIMENTAL: "true" run: | - cosign verify-blob installers/linux-deb/target/ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.deb --certificate ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.deb.pem --signature ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.deb.sig --certificate-identity=https://github.com/${{ github.actor }}/ballerina-distribution/.github/workflows/publish-release.yml@refs/heads/integrate-cosign --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob installers/linux-deb/target/ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.deb --certificate ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.deb.pem --signature ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.deb.sig --certificate-identity=https://github.com/ballerina-platform/ballerina-distribution/.github/workflows/publish-release.yml@refs/heads/master --certificate-oidc-issuer=https://token.actions.githubusercontent.com - name: Create linux-rpm Installer id: run_installers_rpm run: | 
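Review bot: The expected identity in the deb verify step (`-136,7` hunk) is now the literal `https://github.com/ballerina-platform/ballerina-distribution/.github/workflows/publish-release.yml@refs/heads/master`, and the same literal is repeated in the rpm, zip, macOS, macOS-ARM and Windows verify steps in the later hunks of this patch. The certificate issued to a run carries the ref the workflow was started from, so a release dispatched from a release branch or a tag would sign successfully and then fail every one of these checks; whether that can happen depends on how releases are triggered, which these hunks do not show. Keeping an exact `--certificate-identity` is the right choice, but the string would be easier to keep consistent if it were defined once, e.g. a workflow-level `env: COSIGN_IDENTITY: ...`, and referenced from each step. The same value should be published with the release, since users need it to verify what they download.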
@@ -152,7 +162,7 @@ jobs: env: COSIGN_EXPERIMENTAL: "true" run: | - cosign verify-blob installers/linux-rpm/rpmbuild/RPMS/x86_64/ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.rpm --certificate ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.rpm.pem --signature ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.rpm.sig --certificate-identity=https://github.com/${{ github.actor }}/ballerina-distribution/.github/workflows/publish-release.yml@refs/heads/integrate-cosign --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob installers/linux-rpm/rpmbuild/RPMS/x86_64/ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.rpm --certificate ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.rpm.pem --signature ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.rpm.sig --certificate-identity=https://github.com/ballerina-platform/ballerina-distribution/.github/workflows/publish-release.yml@refs/heads/master --certificate-oidc-issuer=https://token.actions.githubusercontent.com - name: Generate Hashes run: | openssl dgst -sha256 -out ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.deb.sha256 installers/linux-deb/target/ballerina-*-linux-x64.deb 
@@ -172,11 +182,11 @@ jobs: env: COSIGN_EXPERIMENTAL: "true" run: | - cosign verify-blob ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.longVersion }}.zip --certificate ballerina-${{ steps.version-set.outputs.longVersion }}.pem --signature ballerina-${{ steps.version-set.outputs.longVersion }}.sig --certificate-identity=https://github.com/${{ github.actor }}/ballerina-distribution/.github/workflows/publish-release.yml@refs/heads/integrate-cosign --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.sversion }}.zip --certificate ballerina-${{ steps.version-set.outputs.sversion }}.pem --signature ballerina-${{ steps.version-set.outputs.sversion }}.sig --certificate-identity=https://github.com/${{ github.actor }}/ballerina-distribution/.github/workflows/publish-release.yml@refs/heads/integrate-cosign --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.longVersion }}-macos.zip --certificate ballerina-${{ steps.version-set.outputs.longVersion }}-macos.pem --signature ballerina-${{ steps.version-set.outputs.longVersion }}-macos.sig --certificate-identity=https://github.com/${{ github.actor }}/ballerina-distribution/.github/workflows/publish-release.yml@refs/heads/integrate-cosign --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.longVersion }}-macos-arm.zip --certificate ballerina-${{ steps.version-set.outputs.longVersion }}-macos-arm.pem --signature ballerina-${{ steps.version-set.outputs.longVersion }}-macos-arm.sig --certificate-identity=https://github.com/${{ github.actor }}/ballerina-distribution/.github/workflows/publish-release.yml@refs/heads/integrate-cosign 
--certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.longVersion }}-windows.zip --certificate ballerina-${{ steps.version-set.outputs.longVersion }}-windows.pem --signature ballerina-${{ steps.version-set.outputs.longVersion }}-windows.sig --certificate-identity=https://github.com/${{ github.actor }}/ballerina-distribution/.github/workflows/publish-release.yml@refs/heads/integrate-cosign --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.longVersion }}.zip --certificate ballerina-${{ steps.version-set.outputs.longVersion }}.pem --signature ballerina-${{ steps.version-set.outputs.longVersion }}.sig --certificate-identity=https://github.com/ballerina-platform/ballerina-distribution/.github/workflows/publish-release.yml@refs/heads/master --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.sversion }}.zip --certificate ballerina-${{ steps.version-set.outputs.sversion }}.pem --signature ballerina-${{ steps.version-set.outputs.sversion }}.sig --certificate-identity=https://github.com/ballerina-platform/ballerina-distribution/.github/workflows/publish-release.yml@refs/heads/master --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.longVersion }}-macos.zip --certificate ballerina-${{ steps.version-set.outputs.longVersion }}-macos.pem --signature ballerina-${{ steps.version-set.outputs.longVersion }}-macos.sig --certificate-identity=https://github.com/ballerina-platform/ballerina-distribution/.github/workflows/publish-release.yml@refs/heads/master --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob 
ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.longVersion }}-macos-arm.zip --certificate ballerina-${{ steps.version-set.outputs.longVersion }}-macos-arm.pem --signature ballerina-${{ steps.version-set.outputs.longVersion }}-macos-arm.sig --certificate-identity=https://github.com/ballerina-platform/ballerina-distribution/.github/workflows/publish-release.yml@refs/heads/master --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.longVersion }}-windows.zip --certificate ballerina-${{ steps.version-set.outputs.longVersion }}-windows.pem --signature ballerina-${{ steps.version-set.outputs.longVersion }}-windows.sig --certificate-identity=https://github.com/ballerina-platform/ballerina-distribution/.github/workflows/publish-release.yml@refs/heads/master --certificate-oidc-issuer=https://token.actions.githubusercontent.com - name: Upload zip artifacts uses: actions/upload-release-asset@v1 env: @@ -429,7 +439,7 @@ jobs: java-version: '11' - name: Download MacOS Intaller Zip run: | - wget https://github.com/${{ github.actor }}/ballerina-distribution/releases/download/v${{ needs.publish-release.outputs.release-version }}/ballerina-${{ needs.publish-release.outputs.project-version }}-macos.zip + wget https://github.com/ballerina-platform/ballerina-distribution/releases/download/v${{ needs.publish-release.outputs.release-version }}/ballerina-${{ needs.publish-release.outputs.project-version }}-macos.zip - name: cosign-installer uses: sigstore/cosign-installer@v3.0.3 - name: Create macos-pkg Installer 
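Review bot: The zip fetched by `wget` in "Download MacOS Intaller Zip" (`-429,7` hunk) is repackaged into the `.pkg` that this job then signs, without being checked first, although the publish job uploads a certificate and signature for it (`...-macos.pem`, `...-macos.sig`). Verifying the download against those before the installer is built keeps a replaced release asset from being wrapped in a freshly signed installer. That needs the `cosign-installer` step moved ahead of the download, as sketched below; the MacOS-ARM and Windows download steps in the later hunks of this patch have the same gap (on Windows the `run` block would use PowerShell syntax). The "Create macos-pkg Installer" step that follows continues past the end of the hunk.

```yaml
      - name: cosign-installer
        uses: sigstore/cosign-installer@v3.0.3
      - name: Download MacOS Intaller Zip
        run: |
          base=https://github.com/ballerina-platform/ballerina-distribution/releases/download/v${{ needs.publish-release.outputs.release-version }}
          zip=ballerina-${{ needs.publish-release.outputs.project-version }}-macos
          # Fetch the archive together with the certificate and signature published for it.
          wget "$base/$zip.zip" "$base/$zip.pem" "$base/$zip.sig"
          # Stop the job here if the archive is not the one the publish job signed.
          cosign verify-blob "$zip.zip" --certificate "$zip.pem" --signature "$zip.sig" --certificate-identity=https://github.com/ballerina-platform/ballerina-distribution/.github/workflows/publish-release.yml@refs/heads/master --certificate-oidc-issuer=https://token.actions.githubusercontent.com
      # … unchanged: Create macos-pkg Installer …
```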
@@ -447,7 +457,7 @@ jobs: env: COSIGN_EXPERIMENTAL: "true" run: | - cosign verify-blob installers/mac/target/pkg/ballerina-${{ needs.publish-release.outputs.project-version }}-macos-x64.pkg --certificate ballerina-${{ needs.publish-release.outputs.project-version }}-macos-x64.pkg.pem --signature ballerina-${{ needs.publish-release.outputs.project-version }}-macos-x64.pkg.sig --certificate-identity=https://github.com/${{ github.actor }}/ballerina-distribution/.github/workflows/publish-release.yml@refs/heads/integrate-cosign --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob installers/mac/target/pkg/ballerina-${{ needs.publish-release.outputs.project-version }}-macos-x64.pkg --certificate ballerina-${{ needs.publish-release.outputs.project-version }}-macos-x64.pkg.pem --signature ballerina-${{ needs.publish-release.outputs.project-version }}-macos-x64.pkg.sig --certificate-identity=https://github.com/ballerina-platform/ballerina-distribution/.github/workflows/publish-release.yml@refs/heads/master --certificate-oidc-issuer=https://token.actions.githubusercontent.com - name: Generate Hashes run: | openssl dgst -sha256 -out ballerina-${{ needs.publish-release.outputs.project-version }}-macos-x64.pkg.sha256 installers/mac/target/pkg/ballerina-${{ needs.publish-release.outputs.project-version }}-macos-x64.pkg @@ -489,7 +499,7 @@ jobs: asset_content_type: application/octet-stream - name: Download MacOS-ARM Intaller Zip run: | - wget https://github.com/${{ github.actor }}/ballerina-distribution/releases/download/v${{ needs.publish-release.outputs.release-version }}/ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm.zip + wget https://github.com/ballerina-platform/ballerina-distribution/releases/download/v${{ needs.publish-release.outputs.release-version }}/ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm.zip - name: Create macos-arm-pkg Installer id: run_installers_arm_pkg run: | 
@@ -505,7 +515,7 @@ jobs: env: COSIGN_EXPERIMENTAL: "true" run: | - cosign verify-blob installers/mac/target/pkg/ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm-x64.pkg --certificate ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm-x64.pkg.pem --signature ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm-x64.pkg.sig --certificate-identity=https://github.com/${{ github.actor }}/ballerina-distribution/.github/workflows/publish-release.yml@refs/heads/integrate-cosign --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob installers/mac/target/pkg/ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm-x64.pkg --certificate ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm-x64.pkg.pem --signature ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm-x64.pkg.sig --certificate-identity=https://github.com/ballerina-platform/ballerina-distribution/.github/workflows/publish-release.yml@refs/heads/master --certificate-oidc-issuer=https://token.actions.githubusercontent.com - name: Generate Hashes run: | openssl dgst -sha256 -out ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm-x64.pkg.sha256 installers/mac/target/pkg/ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm-x64.pkg 
@@ -568,7 +578,7 @@ jobs: run: choco install wget --no-progress - name: Download Windows Intaller Zip run: | - wget https://github.com/${{ github.actor }}/ballerina-distribution/releases/download/v${{ needs.publish-release.outputs.release-version }}/ballerina-${{ needs.publish-release.outputs.project-version }}-windows.zip + wget https://github.com/ballerina-platform/ballerina-distribution/releases/download/v${{ needs.publish-release.outputs.release-version }}/ballerina-${{ needs.publish-release.outputs.project-version }}-windows.zip - name: cosign-installer uses: sigstore/cosign-installer@v3.0.3 - name: Create windows-msi Installer @@ -589,7 +599,7 @@ jobs: env: COSIGN_EXPERIMENTAL: "true" run: | - cosign verify-blob w\target\msi\ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi --certificate ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi.pem --signature ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi.sig --certificate-identity=https://github.com/${{ github.actor }}/ballerina-distribution/.github/workflows/publish-release.yml@refs/heads/integrate-cosign --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob w\target\msi\ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi --certificate ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi.pem --signature ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi.sig --certificate-identity=https://github.com/ballerina-platform/ballerina-distribution/.github/workflows/publish-release.yml@refs/heads/master --certificate-oidc-issuer=https://token.actions.githubusercontent.com - name: Generate Hashes run: | openssl dgst -sha256 -out ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi.sha256 w\target\msi\ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi 
diff --git a/docs/release_notes.md b/docs/release_notes.md new file mode 100644 index 0000000000..1c5fd4a00b --- /dev/null +++ b/docs/release_notes.md @@ -0,0 +1,35 @@ +# Official Ballerina 2201.7.0 Release Artifacts + + +## Linux + +- **[ballerina-2201.7.0-swan-lake-linux-x64.deb](https://github.com/Miranlfk/ballerina-distribution/releases/download/v2201.7.0/ballerina-2201.7.0-swan-lake-linux-x64.deb)** +- **[ballerina-2201.7.0-swan-lake-linux-x64.rpm](https://github.com/Miranlfk/ballerina-distribution/releases/download/v2201.7.0/ballerina-2201.7.0-swan-lake-linux-x64.rpm)** + + +## MacOS + +- **[ballerina-2201.7.0-swan-lake-macos-x64.pkg](https://github.com/Miranlfk/ballerina-distribution/releases/download/v2201.7.0/ballerina-2201.7.0-swan-lake-macos-x64.pkg)** + +## MacOS-ARM + +- **[ballerina-2201.7.0-swan-lake-macos-arm-x64.pkg](https://github.com/Miranlfk/ballerina-distribution/releases/download/v2201.7.0/ballerina-2201.7.0-swan-lake-macos-arm-x64.pkg)** + +## Windows + +- **[ballerina-2201.7.0-swan-lake-windows-x64.msi](https://github.com/Miranlfk/ballerina-distribution/releases/download/v2201.7.0/ballerina-2201.7.0-swan-lake-windows-x64.msi)** + + +For more builds across platforms and architectures see the `Assets` section below. + + +## Signatures and Verification + +`Ballerina` uses [sigstore/cosign](https://github.com/sigstore/cosign) for signing and verifying the release artifacts. + + +Below is an example of using `cosign` to verify the release artifact: + +``` +cosign verify-blob ballerina-2201.7.0-swan-lake-linux-x64.deb --certificate ballerina-2201.7.0-swan-lake-linux-x64.deb.pem --signature ballerina-2201.7.0-swan-lake-linux-x64.deb.sig --certificate-identity=https://github.com/Miranlfk/ballerina-distribution/.github/workflows/publish-release.yml@refs/heads/master --certificate-oidc-issuer=https://token.actions.githubusercontent.com +``` From 36195ac32adb5dac04b0b162075ce1b01d418d08 Mon Sep 17 00:00:00 2001 
From: Miran Kurukulasuriya Date: Mon, 12 Jun 2023 17:09:42 +0530 Subject: [PATCH 4/9] Change release note details --- docs/release_notes.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/release_notes.md b/docs/release_notes.md index 1c5fd4a00b..a7443a718c 100644 --- a/docs/release_notes.md +++ b/docs/release_notes.md 
@@ -3,21 +3,21 @@ ## Linux -- **[ballerina-2201.7.0-swan-lake-linux-x64.deb](https://github.com/Miranlfk/ballerina-distribution/releases/download/v2201.7.0/ballerina-2201.7.0-swan-lake-linux-x64.deb)** -- **[ballerina-2201.7.0-swan-lake-linux-x64.rpm](https://github.com/Miranlfk/ballerina-distribution/releases/download/v2201.7.0/ballerina-2201.7.0-swan-lake-linux-x64.rpm)** +- **[ballerina-2201.7.0-swan-lake-linux-x64.deb](https://github.com/ballerina-platform/ballerina-distribution/releases/download/v2201.7.0/ballerina-2201.7.0-swan-lake-linux-x64.deb)** +- **[ballerina-2201.7.0-swan-lake-linux-x64.rpm](https://github.com/ballerina-platform/ballerina-distribution/releases/download/v2201.7.0/ballerina-2201.7.0-swan-lake-linux-x64.rpm)** ## MacOS -- **[ballerina-2201.7.0-swan-lake-macos-x64.pkg](https://github.com/Miranlfk/ballerina-distribution/releases/download/v2201.7.0/ballerina-2201.7.0-swan-lake-macos-x64.pkg)** +- **[ballerina-2201.7.0-swan-lake-macos-x64.pkg](https://github.com/ballerina-platform/ballerina-distribution/releases/download/v2201.7.0/ballerina-2201.7.0-swan-lake-macos-x64.pkg)** ## MacOS-ARM -- **[ballerina-2201.7.0-swan-lake-macos-arm-x64.pkg](https://github.com/Miranlfk/ballerina-distribution/releases/download/v2201.7.0/ballerina-2201.7.0-swan-lake-macos-arm-x64.pkg)** +- **[ballerina-2201.7.0-swan-lake-macos-arm-x64.pkg](https://github.com/ballerina-platform/ballerina-distribution/releases/download/v2201.7.0/ballerina-2201.7.0-swan-lake-macos-arm-x64.pkg)** ## Windows -- **[ballerina-2201.7.0-swan-lake-windows-x64.msi](https://github.com/Miranlfk/ballerina-distribution/releases/download/v2201.7.0/ballerina-2201.7.0-swan-lake-windows-x64.msi)** +- **[ballerina-2201.7.0-swan-lake-windows-x64.msi](https://github.com/ballerina-platform/ballerina-distribution/releases/download/v2201.7.0/ballerina-2201.7.0-swan-lake-windows-x64.msi)** For more builds across platforms and architectures see the `Assets` section below. 
@@ -31,5 +31,5 @@ For more builds across platforms and architectures see the `Assets` section belo Below is an example of using `cosign` to verify the release artifact: ``` -cosign verify-blob ballerina-2201.7.0-swan-lake-linux-x64.deb --certificate ballerina-2201.7.0-swan-lake-linux-x64.deb.pem --signature ballerina-2201.7.0-swan-lake-linux-x64.deb.sig --certificate-identity=https://github.com/Miranlfk/ballerina-distribution/.github/workflows/publish-release.yml@refs/heads/master --certificate-oidc-issuer=https://token.actions.githubusercontent.com +cosign verify-blob ballerina-2201.7.0-swan-lake-linux-x64.deb --certificate ballerina-2201.7.0-swan-lake-linux-x64.deb.pem --signature ballerina-2201.7.0-swan-lake-linux-x64.deb.sig --certificate-identity=https://github.com/ballerina-platform/ballerina-distribution/.github/workflows/publish-release.yml@refs/heads/master --certificate-oidc-issuer=https://token.actions.githubusercontent.com ``` From 8e8e6529cba243f1b262b47895344e00e8e7b58f Mon Sep 17 00:00:00 2001 From: Miran Kurukulasuriya Date: Mon, 12 Jun 2023 17:12:34 +0530 Subject: [PATCH 5/9] Include tests in gradle build --- .github/workflows/publish-release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml index 3a0dc21b5d..26b94b7e2c 100644 --- a/.github/workflows/publish-release.yml +++ b/.github/workflows/publish-release.yml @@ -73,7 +73,7 @@ jobs: devCentralToken: ${{ secrets.BALLERINA_DEV_CENTRAL_ACCESS_TOKEN }} ballerinaBotWorkflow: $ {{ secrets.BALLERINA_BOT_WORKFLOW }} run: | - ./gradlew build -Pversion=${VERSION} -x centralTests -x test + ./gradlew build -Pversion=${VERSION} ./gradlew release -Prelease.useAutomaticVersion=true -x test - name: Checkout docker repo uses: actions/checkout@v2 From 88860b12099a76abba9fd0713d92f0be2f36aee9 Mon Sep 17 00:00:00 2001 
From: Miran Kurukulasuriya Date: Mon, 12 Jun 2023 17:37:29 +0530 Subject: [PATCH 6/9] Remove experimental flag --- .github/workflows/publish-release.yml | 24 ------------------------ 1 file changed, 24 deletions(-) diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml index 26b94b7e2c..59d9389b4b 100644 --- a/.github/workflows/publish-release.yml +++ b/.github/workflows/publish-release.yml @@ -138,13 +138,9 @@ jobs: ./build-ballerina-linux-deb-x64.sh -v ${{ steps.version-set.outputs.longVersion }} -p ./../../ballerina/build/distributions echo "Created linux-deb successfully" - name: Sign the linux-deb installer - env: - COSIGN_EXPERIMENTAL: "true" run: | cosign sign-blob installers/linux-deb/target/ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.deb --output-certificate ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.deb.pem --output-signature ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.deb.sig --yes - name: Verify the linux-deb installer - env: - COSIGN_EXPERIMENTAL: "true" run: | cosign verify-blob installers/linux-deb/target/ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.deb --certificate ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.deb.pem --signature ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.deb.sig --certificate-identity=https://github.com/ballerina-platform/ballerina-distribution/.github/workflows/publish-release.yml@refs/heads/master --certificate-oidc-issuer=https://token.actions.githubusercontent.com - name: Create linux-rpm Installer 
@@ -154,13 +150,9 @@ jobs: ./build-ballerina-linux-rpm-x64.sh -v ${{ steps.version-set.outputs.longVersion }} -p ./../../ballerina/build/distributions echo "Created linux-rpm successfully" - name: Sign the linux-rpm installer - env: - COSIGN_EXPERIMENTAL: "true" run: | cosign sign-blob installers/linux-rpm/rpmbuild/RPMS/x86_64/ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.rpm --output-certificate ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.rpm.pem --output-signature ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.rpm.sig --yes - name: Verify the linux-rpm installer - env: - COSIGN_EXPERIMENTAL: "true" run: | cosign verify-blob installers/linux-rpm/rpmbuild/RPMS/x86_64/ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.rpm --certificate ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.rpm.pem --signature ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.rpm.sig --certificate-identity=https://github.com/ballerina-platform/ballerina-distribution/.github/workflows/publish-release.yml@refs/heads/master --certificate-oidc-issuer=https://token.actions.githubusercontent.com - name: Generate Hashes 
@@ -170,8 +162,6 @@ jobs: openssl dgst -sha256 -out ballerina-${{ steps.version-set.outputs.longVersion }}.zip.sha256 ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.longVersion }}.zip openssl dgst -sha256 -out ballerina-${{ steps.version-set.outputs.sversion }}.zip.sha256 ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.sversion }}.zip - name: Sign the zip artifacts - env: - COSIGN_EXPERIMENTAL: "true" run: | cosign sign-blob ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.longVersion }}.zip --output-certificate ballerina-${{ steps.version-set.outputs.longVersion }}.pem --output-signature ballerina-${{ steps.version-set.outputs.longVersion }}.sig --yes cosign sign-blob ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.sversion }}.zip --output-certificate ballerina-${{ steps.version-set.outputs.sversion }}.pem --output-signature ballerina-${{ steps.version-set.outputs.sversion }}.sig --yes 
@@ -179,8 +169,6 @@ jobs: cosign sign-blob ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.longVersion }}-macos-arm.zip --output-certificate ballerina-${{ steps.version-set.outputs.longVersion }}-macos-arm.pem --output-signature ballerina-${{ steps.version-set.outputs.longVersion }}-macos-arm.sig --yes cosign sign-blob ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.longVersion }}-windows.zip --output-certificate ballerina-${{ steps.version-set.outputs.longVersion }}-windows.pem --output-signature ballerina-${{ steps.version-set.outputs.longVersion }}-windows.sig --yes - name: Verify the zip artifacts - env: - COSIGN_EXPERIMENTAL: "true" run: | cosign verify-blob ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.longVersion }}.zip --certificate ballerina-${{ steps.version-set.outputs.longVersion }}.pem --signature ballerina-${{ steps.version-set.outputs.longVersion }}.sig --certificate-identity=https://github.com/ballerina-platform/ballerina-distribution/.github/workflows/publish-release.yml@refs/heads/master --certificate-oidc-issuer=https://token.actions.githubusercontent.com cosign verify-blob ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.sversion }}.zip --certificate ballerina-${{ steps.version-set.outputs.sversion }}.pem --signature ballerina-${{ steps.version-set.outputs.sversion }}.sig --certificate-identity=https://github.com/ballerina-platform/ballerina-distribution/.github/workflows/publish-release.yml@refs/heads/master --certificate-oidc-issuer=https://token.actions.githubusercontent.com 
@@ -449,13 +437,9 @@ jobs: ./build-ballerina-macos-x64.sh -v ${{ needs.publish-release.outputs.project-version }} -p ./../../ echo "Created macos-pkg successfully" - name: Sign the MacOS installer - env: - COSIGN_EXPERIMENTAL: "true" run: | cosign sign-blob installers/mac/target/pkg/ballerina-${{ needs.publish-release.outputs.project-version }}-macos-x64.pkg --output-certificate ballerina-${{ needs.publish-release.outputs.project-version }}-macos-x64.pkg.pem --output-signature ballerina-${{ needs.publish-release.outputs.project-version }}-macos-x64.pkg.sig --yes - name: Verify the MacOS installer - env: - COSIGN_EXPERIMENTAL: "true" run: | cosign verify-blob installers/mac/target/pkg/ballerina-${{ needs.publish-release.outputs.project-version }}-macos-x64.pkg --certificate ballerina-${{ needs.publish-release.outputs.project-version }}-macos-x64.pkg.pem --signature ballerina-${{ needs.publish-release.outputs.project-version }}-macos-x64.pkg.sig --certificate-identity=https://github.com/ballerina-platform/ballerina-distribution/.github/workflows/publish-release.yml@refs/heads/master --certificate-oidc-issuer=https://token.actions.githubusercontent.com - name: Generate Hashes 
@@ -507,13 +491,9 @@ jobs: ./build-ballerina-macos-x64.sh -v ${{ needs.publish-release.outputs.project-version }} -p ./../../ -a arm echo "Created macos-arm-pkg successfully" - name: Sign the MacOS-ARM installer - env: - COSIGN_EXPERIMENTAL: "true" run: | cosign sign-blob installers/mac/target/pkg/ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm-x64.pkg --output-certificate ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm-x64.pkg.pem --output-signature ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm-x64.pkg.sig --yes - name: Verify the MacOS-ARM installer - env: - COSIGN_EXPERIMENTAL: "true" run: | cosign verify-blob installers/mac/target/pkg/ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm-x64.pkg --certificate ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm-x64.pkg.pem --signature ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm-x64.pkg.sig --certificate-identity=https://github.com/ballerina-platform/ballerina-distribution/.github/workflows/publish-release.yml@refs/heads/master --certificate-oidc-issuer=https://token.actions.githubusercontent.com - name: Generate Hashes 
@@ -591,13 +571,9 @@ jobs: .\build-ballerina-windows-x64.bat --version ${{ needs.publish-release.outputs.project-version }} --path .\..\ echo "Created windows-msi successfully" - name: Sign the Windows installer - env: - COSIGN_EXPERIMENTAL: "true" run: | cosign sign-blob w\target\msi\ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi --output-certificate ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi.pem --output-signature ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi.sig --yes - name: Verify the Windows installer - env: - COSIGN_EXPERIMENTAL: "true" run: | cosign verify-blob w\target\msi\ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi --certificate ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi.pem --signature ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi.sig --certificate-identity=https://github.com/ballerina-platform/ballerina-distribution/.github/workflows/publish-release.yml@refs/heads/master --certificate-oidc-issuer=https://token.actions.githubusercontent.com - name: Generate Hashes From 4e22db59e1429c21ddd512a1afc8140fbf7a5a3b Mon Sep 17 00:00:00 2001 From: Miran Kurukulasuriya Date: Tue, 20 Jun 2023 11:28:34 +0530 Subject: [PATCH 7/9] Retrieve and add release notes --- .github/workflows/publish-release.yml | 23 +++++++++++++- docs/release_notes.md | 35 --------------------- docs/update-version-notes/update_version.js | 23 ++++++++++++++ 3 files changed, 45 insertions(+), 36 deletions(-) delete mode 100644 docs/release_notes.md create mode 100644 docs/update-version-notes/update_version.js diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml index 59d9389b4b..85eea217d7 100644 --- a/.github/workflows/publish-release.yml +++ b/.github/workflows/publish-release.yml 
@@ -111,6 +111,27 @@ jobs: timeout: "10m0s" - name: cosign-installer uses: sigstore/cosign-installer@v3.0.3 + - name: Set up Node.js + uses: actions/setup-node@v2 + with: + node-version: '14' + - name: Install GitHub CLI + run: | + npm install -g github-cli + gh --version + - name: Get Markdown file + id: file-url + env: + GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} + run: | + gh repo view ballerina-platform/ballerina-dev-website --json url --jq '.clone_url' + gh api repos/ballerina-platform/ballerina-dev-website/contents/downloads/verification-notes/verification_notes_template.md -H 'Accept: application/vnd.github.v3.raw' > release_notes.md + - name: Update Markdown file + run: | + npm install + node docs/update-version-notes/update_version.js + env: + NEW_VERSION: ${{ steps.version-set.outputs.taggedVersion }} - name: Read release notes from file id: release_notes uses: actions/github-script@v4 @@ -118,7 +139,7 @@ jobs: github-token: ${{ secrets.BALLERINA_BOT_TOKEN }} script: | const fs = require('fs'); - const releaseNotes = fs.readFileSync('docs/release_notes.md', 'utf8'); + const releaseNotes = fs.readFileSync('release_notes.md', 'utf8'); core.setOutput('notes', releaseNotes); - name: Create release id: create_release diff --git a/docs/release_notes.md b/docs/release_notes.md deleted file mode 100644 index a7443a718c..0000000000 --- a/docs/release_notes.md +++ /dev/null 
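Review bot: The added `Install GitHub CLI` step runs `npm install -g github-cli`, an unpinned third-party npm package that, as far as I can tell, is not the official `gh` binary, inside a job that holds `id-token: write` and later signs the release artifacts. GitHub-hosted runners already ship `gh`, so the step can be reduced to `gh --version` and the `Set up Node.js` step dropped if nothing else needs it. In `Get Markdown file`, `gh repo view ... --json url --jq '.clone_url'` requests only `url` and its output is unused, so that line can go as well. The markdown fetched from `ballerina-dev-website` becomes the release body unchanged apart from the version, which deserves a comment like `# release body is taken from ballerina-dev-website; changes there affect published releases`. The actions are referenced by tag (`actions/setup-node@v2`, `sigstore/cosign-installer@v3.0.3`); pinning them to commit SHAs would suit a signing job better.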
@@ -1,35 +0,0 @@ -# Official Ballerina 2201.7.0 Release Artifacts - - -## Linux - -- **[ballerina-2201.7.0-swan-lake-linux-x64.deb](https://github.com/ballerina-platform/ballerina-distribution/releases/download/v2201.7.0/ballerina-2201.7.0-swan-lake-linux-x64.deb)** -- **[ballerina-2201.7.0-swan-lake-linux-x64.rpm](https://github.com/ballerina-platform/ballerina-distribution/releases/download/v2201.7.0/ballerina-2201.7.0-swan-lake-linux-x64.rpm)** - - -## MacOS - -- **[ballerina-2201.7.0-swan-lake-macos-x64.pkg](https://github.com/ballerina-platform/ballerina-distribution/releases/download/v2201.7.0/ballerina-2201.7.0-swan-lake-macos-x64.pkg)** - -## MacOS-ARM - -- **[ballerina-2201.7.0-swan-lake-macos-arm-x64.pkg](https://github.com/ballerina-platform/ballerina-distribution/releases/download/v2201.7.0/ballerina-2201.7.0-swan-lake-macos-arm-x64.pkg)** - -## Windows - -- **[ballerina-2201.7.0-swan-lake-windows-x64.msi](https://github.com/ballerina-platform/ballerina-distribution/releases/download/v2201.7.0/ballerina-2201.7.0-swan-lake-windows-x64.msi)** - - -For more builds across platforms and architectures see the `Assets` section below. - - -## Signatures and Verification - -`Ballerina` uses [sigstore/cosign](https://github.com/sigstore/cosign) for signing and verifying the release artifacts. - - -Below is an example of using `cosign` to verify the release artifact: - -``` -cosign verify-blob ballerina-2201.7.0-swan-lake-linux-x64.deb --certificate ballerina-2201.7.0-swan-lake-linux-x64.deb.pem --signature ballerina-2201.7.0-swan-lake-linux-x64.deb.sig --certificate-identity=https://github.com/ballerina-platform/ballerina-distribution/.github/workflows/publish-release.yml@refs/heads/master --certificate-oidc-issuer=https://token.actions.githubusercontent.com -``` diff --git a/docs/update-version-notes/update_version.js b/docs/update-version-notes/update_version.js new file mode 100644 index 0000000000..850f46b075 --- /dev/null 
+++ b/docs/update-version-notes/update_version.js @@ -0,0 +1,23 @@ +const fs = require('fs'); + +const markdownFile = 'release_notes.md'; +const versionPlaceholder = '{{ version }}'; +const newVersion = process.env.NEW_VERSION; + +fs.readFile(markdownFile, 'utf8', (err, data) => { + if (err) { + console.error(err); + return; + } + + const updatedContent = data.replace(new RegExp(versionPlaceholder, 'g'), newVersion); + + fs.writeFile(markdownFile, updatedContent, 'utf8', (err) => { + if (err) { + console.error(err); + return; + } + + console.log('Markdown file updated successfully!'); + }); +}); From 9ce967f0cda43017c0d5b8aa6454ca402075fd1c Mon Sep 17 00:00:00 2001 From: Miran Kurukulasuriya Date: Tue, 20 Jun 2023 12:07:45 +0530 Subject: [PATCH 8/9] Change md file retrieve api call --- .github/workflows/publish-release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml index 85eea217d7..8669615e18 100644 --- a/.github/workflows/publish-release.yml +++ b/.github/workflows/publish-release.yml @@ -125,7 +125,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }} run: | gh repo view ballerina-platform/ballerina-dev-website --json url --jq '.clone_url' - gh api repos/ballerina-platform/ballerina-dev-website/contents/downloads/verification-notes/verification_notes_template.md -H 'Accept: application/vnd.github.v3.raw' > release_notes.md + gh api repos/ballerina-platform/ballerina-dev-website/contents/downloads/verification-notes/release-artfiacts-verification.md -H 'Accept: application/vnd.github.v3.raw' > release_notes.md - name: Update Markdown file run: | npm install From 6ecaf7d5647c60b197e9fb8c975001a21e1202ea Mon Sep 17 00:00:00 2001 
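Review bot: Both error branches in `update_version.js` only call `console.error` and return, so the process exits with status 0 and the `Update Markdown file` step passes even when `release_notes.md` was not read or written. `NEW_VERSION` is also never checked, so a missing variable writes the literal text `undefined` into the release notes. The placeholder `{{ version }}` is passed to `new RegExp`, which only works because lone braces are tolerated as literals, and the replacement string would interpret `$` sequences; a literal split/join avoids both and works on the Node 14 the workflow installs. The sketch below shows the changed lines.

```javascript
const newVersion = process.env.NEW_VERSION;
if (!newVersion) {
  console.error('NEW_VERSION is not set');
  process.exit(1);
}
// … unchanged: fs.readFile call and the opening of its callback …
  if (err) {
    console.error(err);
    process.exitCode = 1; // make the workflow step fail
    return;
  }
  // Literal replacement: no regex metacharacters, no `$` patterns.
  const updatedContent = data.split(versionPlaceholder).join(newVersion);
// … unchanged: fs.writeFile call; set process.exitCode = 1 in its error branch too …
```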
From: Miran Kurukulasuriya Date: Wed, 21 Jun 2023 22:02:11 +0530 Subject: [PATCH 9/9] Add sign installers workflow, change md update job --- .github/workflows/publish-release.yml | 7 +- .github/workflows/sign-installers.yml | 74 +++++++++++++++++++++ docs/update-version-notes/update_version.js | 23 ------- 3 files changed, 76 insertions(+), 28 deletions(-) create mode 100644 .github/workflows/sign-installers.yml delete mode 100644 docs/update-version-notes/update_version.js diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml index 8669615e18..c3a1ac8405 100644 --- a/.github/workflows/publish-release.yml +++ b/.github/workflows/publish-release.yml @@ -73,7 +73,7 @@ jobs: devCentralToken: ${{ secrets.BALLERINA_DEV_CENTRAL_ACCESS_TOKEN }} ballerinaBotWorkflow: $ {{ secrets.BALLERINA_BOT_WORKFLOW }} run: | - ./gradlew build -Pversion=${VERSION} + ./gradlew build -Pversion=${VERSION} ./gradlew release -Prelease.useAutomaticVersion=true -x test - name: Checkout docker repo uses: actions/checkout@v2 @@ -128,10 +128,7 @@ jobs: gh api repos/ballerina-platform/ballerina-dev-website/contents/downloads/verification-notes/release-artfiacts-verification.md -H 'Accept: application/vnd.github.v3.raw' > release_notes.md - name: Update Markdown file run: | - npm install - node docs/update-version-notes/update_version.js - env: - NEW_VERSION: ${{ steps.version-set.outputs.taggedVersion }} + sed -i 's/{{ version }}/${{ steps.version-set.outputs.taggedVersion }}/g' release_notes.md - name: Read release notes from file id: release_notes uses: actions/github-script@v4 diff --git a/.github/workflows/sign-installers.yml b/.github/workflows/sign-installers.yml new file mode 100644 index 0000000000..615a8ba1a6 --- /dev/null +++ b/.github/workflows/sign-installers.yml 
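Review bot: The new `sed` line in `Update Markdown file` expands `${{ steps.version-set.outputs.taggedVersion }}` directly into the shell script, so the value is pasted into the command text before the shell parses it. How `taggedVersion` is derived is outside this hunk, but if it can be influenced by a workflow input, a quote or `/` in it changes the command rather than the replacement text. I would pass it through the environment instead: `env:` with `NEW_VERSION: ${{ steps.version-set.outputs.taggedVersion }}` and `sed -i "s/{{ version }}/${NEW_VERSION}/g" release_notes.md`. Since `/` and `&` remain special in a sed replacement, a format check on the version before this step would also help.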
@@ -0,0 +1,74 @@ +name: Sign release artifacts + +on: + workflow_dispatch: + +permissions: + id-token: write + contents: write + +jobs: + sign-release: + name: Sign release artifacts + runs-on: ubuntu-latest + steps: + - name: Checkout Repository + uses: actions/checkout@v2 + - name: cosign-installer + uses: sigstore/cosign-installer@v3.0.3 + - name: Install Node + uses: actions/setup-node@v2 + with: + node-version: '14' + - name: Install GitHub CLI + run: | + npm install -g github-cli + - name: Retrieve Git Tag + id: retrieve-tag + env: + GH_TOKEN : ${{ secrets.BALLERINA_BOT_TOKEN }} + run: | + release=$(gh release view --json tagName -R ballerina-platform/ballerina-distribution --jq '.tagName' | sed 's/^v//') + echo "::set-output name=tag::$release" + tag=$(gh release view --json tagName -R ballerina-platform/ballerina-distribution --jq '.tagName') + echo "::set-output name=release::$tag" + - name: Retrieve MacOS Installer + run: + | + wget https://github.com/ballerina-platform/ballerina-distribution/releases/download/v${{ steps.retrieve-tag.outputs.tag }}/ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-x64.pkg + - name: Sign the MacOS Installer + run: | + cosign sign-blob ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-x64.pkg --output-certificate ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-x64.pkg.pem --output-signature ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-x64.pkg.sig --yes + - name: Verify the MacOS Installer + run: | + cosign verify-blob ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-x64.pkg --certificate ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-x64.pkg.pem --signature ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-x64.pkg.sig --certificate-identity=https://github.com/ballerina-platform/ballerina-distribution/.github/workflows/sign-installers.yml@refs/heads/master 
--certificate-oidc-issuer=https://token.actions.githubusercontent.com + - name: Retrieve MacOS-ARM Installer + run: + | + wget https://github.com/ballerina-platform/ballerina-distribution/releases/download/v${{ steps.retrieve-tag.outputs.tag }}/ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-arm-x64.pkg + - name: Sign the MacOS-ARM Installer + run: | + cosign sign-blob ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-arm-x64.pkg --output-certificate ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-arm-x64.pkg.pem --output-signature ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-arm-x64.pkg.sig --yes + - name: Verify the MacOS-ARM Installer + run: | + cosign verify-blob ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-arm-x64.pkg --certificate ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-arm-x64.pkg.pem --signature ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-arm-x64.pkg.sig --certificate-identity=https://github.com/ballerina-platform/ballerina-distribution/.github/workflows/sign-installers.yml@refs/heads/master --certificate-oidc-issuer=https://token.actions.githubusercontent.com + - name: Retrieve Windows Installer + run: + | + wget https://github.com/ballerina-platform/ballerina-distribution/releases/download/v${{ steps.retrieve-tag.outputs.tag }}/ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-windows-x64.msi + - name: Sign the Windows Installer + run: | + cosign sign-blob ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-windows-x64.msi --output-certificate ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-windows-x64.msi.pem --output-signature ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-windows-x64.msi.sig --yes + - name: Verify the Windows Installer + run: | + cosign verify-blob ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-windows-x64.msi --certificate ballerina-${{ 
steps.retrieve-tag.outputs.tag }}-swan-lake-windows-x64.msi.pem --signature ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-windows-x64.msi.sig --certificate-identity=https://github.com/ballerina-platform/ballerina-distribution/.github/workflows/sign-installers.yml@refs/heads/master --certificate-oidc-issuer=https://token.actions.githubusercontent.com + - name: Upload Installers' Verification Files + env: + GH_TOKEN : ${{ secrets.BALLERINA_BOT_TOKEN }} + run: | + gh release upload ${{ steps.retrieve-tag.outputs.release }} ./ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-x64.pkg.pem --clobber + gh release upload ${{ steps.retrieve-tag.outputs.release }} ./ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-x64.pkg.sig --clobber + gh release upload ${{ steps.retrieve-tag.outputs.release }} ./ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-arm-x64.pkg.pem --clobber + gh release upload ${{ steps.retrieve-tag.outputs.release }} ./ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-arm-x64.pkg.sig --clobber + gh release upload ${{ steps.retrieve-tag.outputs.release }} ./ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-windows-x64.msi.pem --clobber + gh release upload ${{ steps.retrieve-tag.outputs.release }} ./ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-windows-x64.msi.sig --clobber \ No newline at end of file diff --git a/docs/update-version-notes/update_version.js b/docs/update-version-notes/update_version.js deleted file mode 100644 index 850f46b075..0000000000 --- a/docs/update-version-notes/update_version.js +++ /dev/null 
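Review bot: Each `Retrieve ... Installer` step downloads a published installer with `wget` and the next step signs it as-is, so the resulting signature only attests that this workflow saw those bytes, not that they match what the build produced. If the `.sha256` files generated by publish-release are available as release assets (not visible here), I would compare the download against them before `cosign sign-blob`. `Retrieve Git Tag` calls `gh release view` twice without naming a release, so both values follow whatever is latest at that moment, and the outputs are named the wrong way round (`tag` holds the version without `v`, `release` holds the tag); a single call plus `echo "release=$tag" >> "$GITHUB_OUTPUT"` would be clearer and avoids the deprecated `::set-output`. The `npm install -g github-cli` step is an unpinned third-party package in a job with `id-token: write`; the `gh` preinstalled on hosted runners should be enough.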
@@ -1,23 +0,0 @@ -const fs = require('fs'); - -const markdownFile = 'release_notes.md'; -const versionPlaceholder = '{{ version }}'; -const newVersion = process.env.NEW_VERSION; - -fs.readFile(markdownFile, 'utf8', (err, data) => { - if (err) { - console.error(err); - return; - } - - const updatedContent = data.replace(new RegExp(versionPlaceholder, 'g'), newVersion); - - fs.writeFile(markdownFile, updatedContent, 'utf8', (err) => { - if (err) { - console.error(err); - return; - } - - console.log('Markdown file updated successfully!'); - }); -});