Add sign installers workflow, change md update job

.github/workflows/publish-release.yml

@@ -73,7 +73,7 @@ jobs:
  devCentralToken: ${{ secrets.BALLERINA_DEV_CENTRAL_ACCESS_TOKEN }}
  ballerinaBotWorkflow: $ {{ secrets.BALLERINA_BOT_WORKFLOW }}
  run: |
- ./gradlew build -Pversion=${VERSION} 
+ ./gradlew build -Pversion=${VERSION}
  ./gradlew release -Prelease.useAutomaticVersion=true -x test
  - name: Checkout docker repo
  uses: actions/checkout@v2
@@ -128,10 +128,7 @@ jobs:
  gh api repos/ballerina-platform/ballerina-dev-website/contents/downloads/verification-notes/release-artfiacts-verification.md -H 'Accept: application/vnd.github.v3.raw' > release_notes.md
  - name: Update Markdown file
  run: |
- npm install
- node docs/update-version-notes/update_version.js
- env:
- NEW_VERSION: ${{ steps.version-set.outputs.taggedVersion }}
+ sed -i 's/{{ version }}/${{ steps.version-set.outputs.taggedVersion }}/g' release_notes.md
  - name: Read release notes from file
  id: release_notes
  uses: actions/github-script@v4

.github/workflows/sign-installers.yml

@@ -0,0 +1,74 @@
+name: Sign release artifacts
+
+on:
+ workflow_dispatch:
+
+permissions:
+ id-token: write 
+ contents: write
+
+jobs:
+ sign-release:
+ name: Sign release artifacts
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@v2
+ - name: cosign-installer
+ uses: sigstore/cosign-installer@v3.0.3
+ - name: Install Node
+ uses: actions/setup-node@v2
+ with:
+ node-version: '14'
+ - name: Install GitHub CLI
+ run: |
+ npm install -g github-cli
+ - name: Retrieve Git Tag
+ id: retrieve-tag
+ env:
+ GH_TOKEN : ${{ secrets.BALLERINA_BOT_TOKEN }}
+ run: |
+ release=$(gh release view --json tagName -R ballerina-platform/ballerina-distribution --jq '.tagName' | sed 's/^v//')
+ echo "::set-output name=tag::$release"
+ tag=$(gh release view --json tagName -R ballerina-platform/ballerina-distribution --jq '.tagName')
+ echo "::set-output name=release::$tag"
+ - name: Retrieve MacOS Installer
+ run:
+ |
+ wget https://github.com/ballerina-platform/ballerina-distribution/releases/download/v${{ steps.retrieve-tag.outputs.tag }}/ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-x64.pkg
+ - name: Sign the MacOS Installer
+ run: |
+ cosign sign-blob ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-x64.pkg --output-certificate ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-x64.pkg.pem --output-signature ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-x64.pkg.sig --yes
+ - name: Verify the MacOS Installer
+ run: |
+ cosign verify-blob ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-x64.pkg --certificate ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-x64.pkg.pem --signature ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-x64.pkg.sig --certificate-identity=https://github.com/ballerina-platform/ballerina-distribution/.github/workflows/sign-installers.yml@refs/heads/master --certificate-oidc-issuer=https://token.actions.githubusercontent.com 
+ - name: Retrieve MacOS-ARM Installer
+ run:
+ |
+ wget https://github.com/ballerina-platform/ballerina-distribution/releases/download/v${{ steps.retrieve-tag.outputs.tag }}/ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-arm-x64.pkg
+ - name: Sign the MacOS-ARM Installer
+ run: |
+ cosign sign-blob ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-arm-x64.pkg --output-certificate ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-arm-x64.pkg.pem --output-signature ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-arm-x64.pkg.sig --yes
+ - name: Verify the MacOS-ARM Installer
+ run: |
+ cosign verify-blob ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-arm-x64.pkg --certificate ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-arm-x64.pkg.pem --signature ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-arm-x64.pkg.sig --certificate-identity=https://github.com/ballerina-platform/ballerina-distribution/.github/workflows/sign-installers.yml@refs/heads/master --certificate-oidc-issuer=https://token.actions.githubusercontent.com
+ - name: Retrieve Windows Installer
+ run:
+ |
+ wget https://github.com/ballerina-platform/ballerina-distribution/releases/download/v${{ steps.retrieve-tag.outputs.tag }}/ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-windows-x64.msi
+ - name: Sign the Windows Installer
+ run: |
+ cosign sign-blob ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-windows-x64.msi --output-certificate ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-windows-x64.msi.pem --output-signature ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-windows-x64.msi.sig --yes
+ - name: Verify the Windows Installer
+ run: |
+ cosign verify-blob ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-windows-x64.msi --certificate ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-windows-x64.msi.pem --signature ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-windows-x64.msi.sig --certificate-identity=https://github.com/ballerina-platform/ballerina-distribution/.github/workflows/sign-installers.yml@refs/heads/master --certificate-oidc-issuer=https://token.actions.githubusercontent.com
+ - name: Upload Installers' Verification Files
+ env:
+ GH_TOKEN : ${{ secrets.BALLERINA_BOT_TOKEN }}
+ run: |
+ gh release upload ${{ steps.retrieve-tag.outputs.release }} ./ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-x64.pkg.pem --clobber
+ gh release upload ${{ steps.retrieve-tag.outputs.release }} ./ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-x64.pkg.sig --clobber
+ gh release upload ${{ steps.retrieve-tag.outputs.release }} ./ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-arm-x64.pkg.pem --clobber
+ gh release upload ${{ steps.retrieve-tag.outputs.release }} ./ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-arm-x64.pkg.sig --clobber
+ gh release upload ${{ steps.retrieve-tag.outputs.release }} ./ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-windows-x64.msi.pem --clobber
+ gh release upload ${{ steps.retrieve-tag.outputs.release }} ./ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-windows-x64.msi.sig --clobber