From a91569186c91516535e46b3c05b58ab154608576 Mon Sep 17 00:00:00 2001 From: Miran Kurukulasuriya Date: Wed, 28 Jun 2023 15:13:21 +0530 Subject: [PATCH 1/2] Integrate notation signature to ballerina image --- .../workflows/publish-release-artifacts.yml | 44 +++++++++++++++++-- 1 file changed, 41 insertions(+), 3 deletions(-) diff --git a/.github/workflows/publish-release-artifacts.yml b/.github/workflows/publish-release-artifacts.yml index 80856a16af..225b1569e3 100644 --- a/.github/workflows/publish-release-artifacts.yml +++ b/.github/workflows/publish-release-artifacts.yml @@ -7,6 +7,9 @@ on: description: 'Release Version e.g., 2201.1.1, 2201.1.1-rc1' default: '2201.1.1' required: true +env: + REGISTRY: ghcr.io + IMAGE_NAME: ballerina jobs: publish-artifacts: @@ -133,12 +136,11 @@ jobs: run: | DOCKER_REPO=${{ steps.process-docker.outputs.dockerRepo }} cp $VERSION/ballerina-$VERSION.zip $DOCKER_REPO/base/docker/ - + docker build --no-cache=true --squash --build-arg BALLERINA_DIST=ballerina-$VERSION.zip -t ballerina/ballerina:$GIT_TAG $DOCKER_REPO/base/docker/ rm $DOCKER_REPO/base/docker/ballerina-$VERSION.zip docker push ballerina/ballerina:$GIT_TAG - docker rmi ballerina/ballerina:$GIT_TAG - docker image prune -f + - name: Build and push dev container run: | 
@@ -151,6 +153,42 @@ jobs: docker rmi ballerina/ballerina-devcontainer:$GIT_TAG docker image prune -f + - name: azure-resource-login + uses: Azure/azure-resource-login-action@v1.0.0 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} + + - name: Setup Notation with azure-kv plugin + uses: Duffney/setup-notation@v1.0.0 + with: + version: 1.0.0-rc.7 + key_name: ${{ secrets.AZURE_KEY_NAME }} + certificate_key_id: ${{ secrets.AZURE_KEY_ID }} + plugin_name: notation-azure-kv + plugin_version: 0.5.0-rc.1 + + - name: Login to GitHub Container Registry + uses: docker/login-action@v2 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Push image to Github Container Registry + run: | + docker tag ballerina/ballerina:$GIT_TAG ${{ env.REGISTRY }}/ballerina-platform/${{ env.IMAGE_NAME }}:$GIT_TAG + docker push ${{ env.REGISTRY }}/ballerina-platform/${{ env.IMAGE_NAME }}:$GIT_TAG + + - name: Verify key generation + run: notation key list + + - name: Sign the published Docker image + run: | + notation sign --key ${{ secrets.AZURE_KEY_NAME }} ${{ env.REGISTRY }}/ballerina-platform/${{ env.IMAGE_NAME }}:$GIT_TAG + docker rmi ballerina/ballerina:$GIT_TAG + docker rmi ${{ env.REGISTRY }}/ballerina-platform/${{ env.IMAGE_NAME }}:$GIT_TAG + docker image prune -f + - name: Publish Artifacts run: | sudo apt-get install python3-setuptools From 8b1bba05dd7b02ada5b951305fccf5a4c8336ecb Mon Sep 17 00:00:00 2001 From: Miran Kurukulasuriya Date: Wed, 28 Jun 2023 15:24:06 +0530 Subject: [PATCH 2/2] Change tokens and org details --- .github/workflows/publish-release-artifacts.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/publish-release-artifacts.yml b/.github/workflows/publish-release-artifacts.yml index 225b1569e3..fcf01fe6a8 100644 --- a/.github/workflows/publish-release-artifacts.yml +++ b/.github/workflows/publish-release-artifacts.yml 
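Review bot: `notation sign` in the "Sign the published Docker image" step is given a tag reference, so what gets signed is whatever `:$GIT_TAG` resolves to on ghcr.io at that moment rather than the manifest this job just pushed; notation resolves the tag to a digest itself (and, as far as I recall, prints a warning to that effect), but capturing the digest from the `docker push` output in the previous step and signing `…/${{ env.IMAGE_NAME }}@sha256:…` ties the signature to the exact artifact, as sketched below. The three new actions (`Azure/azure-resource-login-action@v1.0.0`, `Duffney/setup-notation@v1.0.0`, `docker/login-action@v2`) are referenced by mutable tag in a job that holds the Azure credentials and the signing key; pinning each to a full commit SHA with the tag in a trailing comment removes that dependency on the tag not moving. Note also that only the ghcr.io copy gets a signature — the `ballerina/ballerina:$GIT_TAG` image pushed to Docker Hub earlier in this job stays unsigned — and that "Verify key generation" only runs `notation key list`, which appears to exit 0 whether or not the expected key is registered; `notation key list | grep -q -- "${{ secrets.AZURE_KEY_NAME }}"` would make it a real check.
```yaml
      - name: Push image to Github Container Registry
        id: push-ghcr
        run: |
          IMAGE="${{ env.REGISTRY }}/ballerina-platform/${{ env.IMAGE_NAME }}:$GIT_TAG"
          docker tag "ballerina/ballerina:$GIT_TAG" "$IMAGE"
          # docker push ends with "<tag>: digest: sha256:<64 hex> size: <n>"; keep the digest for signing
          docker push "$IMAGE" | tee push.log
          echo "digest=$(grep -o 'sha256:[0-9a-f]\{64\}' push.log | tail -n 1)" >> "$GITHUB_OUTPUT"
      # … unchanged: Verify key generation step …
      - name: Sign the published Docker image
        run: |
          notation sign --key ${{ secrets.AZURE_KEY_NAME }} "${{ env.REGISTRY }}/ballerina-platform/${{ env.IMAGE_NAME }}@${{ steps.push-ghcr.outputs.digest }}"
          # … unchanged: docker rmi / docker image prune cleanup …
```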
@@ -9,6 +9,7 @@ on: required: true env: REGISTRY: ghcr.io + ORGNAME: ballerina-platform IMAGE_NAME: ballerina jobs: @@ -141,7 +142,6 @@ jobs: rm $DOCKER_REPO/base/docker/ballerina-$VERSION.zip docker push ballerina/ballerina:$GIT_TAG - - name: Build and push dev container run: | DOCKER_REPO=${{ steps.process-docker.outputs.dockerRepo }} @@ -171,22 +171,22 @@ jobs: uses: docker/login-action@v2 with: registry: ${{ env.REGISTRY }} - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} + username: ${{ env.ORGNAME }} + password: ${{ secrets.BALLERINA_BOT_TOKEN }} - name: Push image to Github Container Registry run: | - docker tag ballerina/ballerina:$GIT_TAG ${{ env.REGISTRY }}/ballerina-platform/${{ env.IMAGE_NAME }}:$GIT_TAG - docker push ${{ env.REGISTRY }}/ballerina-platform/${{ env.IMAGE_NAME }}:$GIT_TAG + docker tag ballerina/ballerina:$GIT_TAG ${{ env.REGISTRY }}/${{ env.ORGNAME }}/${{ env.IMAGE_NAME }}:$GIT_TAG + docker push ${{ env.REGISTRY }}/${{ env.ORGNAME }}/${{ env.IMAGE_NAME }}:$GIT_TAG - name: Verify key generation run: notation key list - name: Sign the published Docker image run: | - notation sign --key ${{ secrets.AZURE_KEY_NAME }} ${{ env.REGISTRY }}/ballerina-platform/${{ env.IMAGE_NAME }}:$GIT_TAG + notation sign --key ${{ secrets.AZURE_KEY_NAME }} ${{ env.REGISTRY }}/${{ env.ORGNAME }}/${{ env.IMAGE_NAME }}:$GIT_TAG docker rmi ballerina/ballerina:$GIT_TAG - docker rmi ${{ env.REGISTRY }}/ballerina-platform/${{ env.IMAGE_NAME }}:$GIT_TAG + docker rmi ${{ env.REGISTRY }}/${{ env.ORGNAME }}/${{ env.IMAGE_NAME }}:$GIT_TAG docker image prune -f - name: Publish Artifacts
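Review bot: The registry login in the `@@ -171,22 +171,22 @@` hunk replaces the job-scoped, automatically expiring `GITHUB_TOKEN` with the long-lived `BALLERINA_BOT_TOKEN` PAT and sets `username` to the org name from `ORGNAME`. If the reason (not visible here) is that the workflow token lacked write access to the `ballerina-platform/ballerina` package, granting the repository access to that package in the package settings together with `permissions: packages: write` on the job would keep the short-lived token; if the PAT is genuinely needed, it should carry `write:packages` only, and since ghcr.io authenticates on the token the bot account's login name would be a clearer `username` than the org name. Separately, with `REGISTRY`, `ORGNAME` and `IMAGE_NAME` all exported through `env:`, the `run:` lines could use `$REGISTRY/$ORGNAME/$IMAGE_NAME` instead of `${{ env.… }}` expressions — same value here, but the shell form keeps the commands copy-pasteable and avoids expression interpolation into script text.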