From 6ecaf7d5647c60b197e9fb8c975001a21e1202ea Mon Sep 17 00:00:00 2001 From: Miran Kurukulasuriya Date: Wed, 21 Jun 2023 22:02:11 +0530 Subject: [PATCH] Add sign installers workflow, change md update job --- .github/workflows/publish-release.yml | 7 +- .github/workflows/sign-installers.yml | 74 +++++++++++++++++++++ docs/update-version-notes/update_version.js | 23 ------- 3 files changed, 76 insertions(+), 28 deletions(-) create mode 100644 .github/workflows/sign-installers.yml delete mode 100644 docs/update-version-notes/update_version.js diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml index 8669615e18..c3a1ac8405 100644 --- a/.github/workflows/publish-release.yml +++ b/.github/workflows/publish-release.yml @@ -73,7 +73,7 @@ jobs: devCentralToken: ${{ secrets.BALLERINA_DEV_CENTRAL_ACCESS_TOKEN }} ballerinaBotWorkflow: $ {{ secrets.BALLERINA_BOT_WORKFLOW }} run: | - ./gradlew build -Pversion=${VERSION} + ./gradlew build -Pversion=${VERSION} ./gradlew release -Prelease.useAutomaticVersion=true -x test - name: Checkout docker repo uses: actions/checkout@v2 @@ -128,10 +128,7 @@ jobs: gh api repos/ballerina-platform/ballerina-dev-website/contents/downloads/verification-notes/release-artfiacts-verification.md -H 'Accept: application/vnd.github.v3.raw' > release_notes.md - name: Update Markdown file run: | - npm install - node docs/update-version-notes/update_version.js - env: - NEW_VERSION: ${{ steps.version-set.outputs.taggedVersion }} + sed -i 's/{{ version }}/${{ steps.version-set.outputs.taggedVersion }}/g' release_notes.md - name: Read release notes from file id: release_notes uses: actions/github-script@v4 diff --git a/.github/workflows/sign-installers.yml b/.github/workflows/sign-installers.yml new file mode 100644 index 0000000000..615a8ba1a6 --- /dev/null +++ b/.github/workflows/sign-installers.yml 
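Review bot: The new `sed` line in the `Update Markdown file` step splices `${{ steps.version-set.outputs.taggedVersion }}` straight into the sed replacement inside single quotes, so the expression is expanded into shell text before the shell parses it, and a value containing `/` or `&` would corrupt the substitution. Keeping the `env:` block this hunk deletes and reading the value from the environment — `sed -i "s|{{ version }}|${NEW_VERSION}|g" release_notes.md` under `env: NEW_VERSION: ${{ steps.version-set.outputs.taggedVersion }}` — avoids both problems with no behaviour change. The `release_notes.md` content is fetched from another repository by the `gh api` context line just above, so a short comment stating that the file is expected to carry a literal `{{ version }}` placeholder would help the next maintainer. Unrelated to this change, the context line `ballerinaBotWorkflow: $ {{ secrets.BALLERINA_BOT_WORKFLOW }}` has a space between `$` and `{{`, which looks like it passes a literal string rather than the secret — worth confirming.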
@@ -0,0 +1,74 @@ +name: Sign release artifacts + +on: + workflow_dispatch: + +permissions: + id-token: write + contents: write + +jobs: + sign-release: + name: Sign release artifacts + runs-on: ubuntu-latest + steps: + - name: Checkout Repository + uses: actions/checkout@v2 + - name: cosign-installer + uses: sigstore/cosign-installer@v3.0.3 + - name: Install Node + uses: actions/setup-node@v2 + with: + node-version: '14' + - name: Install GitHub CLI + run: | + npm install -g github-cli + - name: Retrieve Git Tag + id: retrieve-tag + env: + GH_TOKEN : ${{ secrets.BALLERINA_BOT_TOKEN }} + run: | + release=$(gh release view --json tagName -R ballerina-platform/ballerina-distribution --jq '.tagName' | sed 's/^v//') + echo "::set-output name=tag::$release" + tag=$(gh release view --json tagName -R ballerina-platform/ballerina-distribution --jq '.tagName') + echo "::set-output name=release::$tag" + - name: Retrieve MacOS Installer + run: + | + wget https://github.com/ballerina-platform/ballerina-distribution/releases/download/v${{ steps.retrieve-tag.outputs.tag }}/ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-x64.pkg + - name: Sign the MacOS Installer + run: | + cosign sign-blob ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-x64.pkg --output-certificate ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-x64.pkg.pem --output-signature ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-x64.pkg.sig --yes + - name: Verify the MacOS Installer + run: | + cosign verify-blob ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-x64.pkg --certificate ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-x64.pkg.pem --signature ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-x64.pkg.sig --certificate-identity=https://github.com/ballerina-platform/ballerina-distribution/.github/workflows/sign-installers.yml@refs/heads/master 
--certificate-oidc-issuer=https://token.actions.githubusercontent.com + - name: Retrieve MacOS-ARM Installer + run: + | + wget https://github.com/ballerina-platform/ballerina-distribution/releases/download/v${{ steps.retrieve-tag.outputs.tag }}/ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-arm-x64.pkg + - name: Sign the MacOS-ARM Installer + run: | + cosign sign-blob ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-arm-x64.pkg --output-certificate ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-arm-x64.pkg.pem --output-signature ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-arm-x64.pkg.sig --yes + - name: Verify the MacOS-ARM Installer + run: | + cosign verify-blob ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-arm-x64.pkg --certificate ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-arm-x64.pkg.pem --signature ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-arm-x64.pkg.sig --certificate-identity=https://github.com/ballerina-platform/ballerina-distribution/.github/workflows/sign-installers.yml@refs/heads/master --certificate-oidc-issuer=https://token.actions.githubusercontent.com + - name: Retrieve Windows Installer + run: + | + wget https://github.com/ballerina-platform/ballerina-distribution/releases/download/v${{ steps.retrieve-tag.outputs.tag }}/ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-windows-x64.msi + - name: Sign the Windows Installer + run: | + cosign sign-blob ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-windows-x64.msi --output-certificate ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-windows-x64.msi.pem --output-signature ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-windows-x64.msi.sig --yes + - name: Verify the Windows Installer + run: | + cosign verify-blob ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-windows-x64.msi --certificate ballerina-${{ 
steps.retrieve-tag.outputs.tag }}-swan-lake-windows-x64.msi.pem --signature ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-windows-x64.msi.sig --certificate-identity=https://github.com/ballerina-platform/ballerina-distribution/.github/workflows/sign-installers.yml@refs/heads/master --certificate-oidc-issuer=https://token.actions.githubusercontent.com + - name: Upload Installers' Verification Files + env: + GH_TOKEN : ${{ secrets.BALLERINA_BOT_TOKEN }} + run: | + gh release upload ${{ steps.retrieve-tag.outputs.release }} ./ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-x64.pkg.pem --clobber + gh release upload ${{ steps.retrieve-tag.outputs.release }} ./ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-x64.pkg.sig --clobber + gh release upload ${{ steps.retrieve-tag.outputs.release }} ./ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-arm-x64.pkg.pem --clobber + gh release upload ${{ steps.retrieve-tag.outputs.release }} ./ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-macos-arm-x64.pkg.sig --clobber + gh release upload ${{ steps.retrieve-tag.outputs.release }} ./ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-windows-x64.msi.pem --clobber + gh release upload ${{ steps.retrieve-tag.outputs.release }} ./ballerina-${{ steps.retrieve-tag.outputs.tag }}-swan-lake-windows-x64.msi.sig --clobber \ No newline at end of file diff --git a/docs/update-version-notes/update_version.js b/docs/update-version-notes/update_version.js deleted file mode 100644 index 850f46b075..0000000000 --- a/docs/update-version-notes/update_version.js +++ /dev/null 
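Review bot: The `Install GitHub CLI` step runs `npm install -g github-cli`, which appears to pull an unrelated npm package of that name rather than the GitHub CLI (`gh`); `gh` is preinstalled on `ubuntu-latest`, so the step adds an unvetted third-party dependency to a signing job and should be dropped along with the `setup-node` step it needs. The `Retrieve Git Tag` step uses the deprecated `::set-output` command; `echo "tag=$release" >> "$GITHUB_OUTPUT"` (and likewise for `release`) is the supported form, and the names are inverted — `tag` holds the version with `v` stripped while `release` holds the actual tag name. Every later `run:` block interpolates `${{ steps.retrieve-tag.outputs.tag }}` directly into shell text; exposing it once per step as an env var (`env: TAG: ${{ steps.retrieve-tag.outputs.tag }}`) and referencing `"$TAG"` keeps the release tag out of shell parsing and shortens the cosign and upload commands considerably. Since this job signs release installers, pinning `actions/checkout`, `actions/setup-node` and `sigstore/cosign-installer` to commit SHAs rather than tags, and letting `workflow_dispatch` take the tag as an input instead of signing whatever `gh release view` reports as latest, would also be worth considering.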
@@ -1,23 +0,0 @@ -const fs = require('fs'); - -const markdownFile = 'release_notes.md'; -const versionPlaceholder = '{{ version }}'; -const newVersion = process.env.NEW_VERSION; - -fs.readFile(markdownFile, 'utf8', (err, data) => { - if (err) { - console.error(err); - return; - } - - const updatedContent = data.replace(new RegExp(versionPlaceholder, 'g'), newVersion); - - fs.writeFile(markdownFile, updatedContent, 'utf8', (err) => { - if (err) { - console.error(err); - return; - } - - console.log('Markdown file updated successfully!'); - }); -});