publish-release.yml

name: Publish release

on:
  workflow_dispatch:
    inputs:
      isPreRelease:
        description: 'Tag created is a pre-release tag'
        required: true
        default: 'false'
      preReleaseSuffix:
        description: 'The text that will be suffixed to the Git tag. e.g., rc1'
        required: false
        default: ''

permissions:
  id-token: write 
  contents: write

jobs:
  publish-release:
    name: Publish Release
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v3
      - name: Set up JDK 17
        uses: actions/setup-java@v3
        with:
          distribution: 'temurin'
          java-version: '17.0.7'
      - name: Set version env variable
        id: version-set
        run: |
          SHORT_VERSION=$((grep -w 'version' | cut -d= -f2 | cut -d- -f1) < gradle.properties)
          DIST_VERSION=$((grep -w 'version' | cut -d= -f2) < gradle.properties | rev | cut --complement -d- -f1 | rev)
          LANG_VERSION=$((grep -w "ballerinaLangVersion" | cut -d= -f2 | cut -d- -f1 | xargs) < gradle.properties)
          CODE_NAME=$((grep -w 'codeName' | cut -d= -f2) < gradle.properties)
          RELEASE_VERSION=$DIST_VERSION
          TAGGED_VERSION=$RELEASE_VERSION
          LONG_VERSION=$DIST_VERSION-$CODE_NAME
          if [ -n "${{ github.event.inputs.preReleaseSuffix }}" ]; then
            TAGGED_VERSION=$RELEASE_VERSION-${{ github.event.inputs.preReleaseSuffix }}
          fi
          echo VERSION=$RELEASE_VERSION >> $GITHUB_ENV
          echo GIT_TAG=$TAGGED_VERSION >> $GITHUB_ENV
          echo "::set-output name=version::$RELEASE_VERSION"
          echo "::set-output name=sversion::$SHORT_VERSION"
          echo "::set-output name=taggedVersion::$TAGGED_VERSION"
          echo "::set-output name=longVersion::$LONG_VERSION"
          echo "::set-output name=langVersion::$LANG_VERSION"
      - name: Pre release depenency version update
        env:
          GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }}
        run: |
          echo "Version: ${VERSION}"
          echo "Tagged Version: ${GIT_TAG}"
          git config user.name ${{ secrets.BALLERINA_BOT_USERNAME }}
          git config user.email ${{ secrets.BALLERINA_BOT_EMAIL }}
          git checkout -b release-${GIT_TAG}
      - name: Generate UUID
        run: |
          UUID=$(uuidgen)
          perl -pi -e "s/^\s*installerVersion=.*/installerVersion=$UUID/" gradle.properties
          git config user.name ${{ secrets.BALLERINA_BOT_USERNAME }}
          git config user.email ${{ secrets.BALLERINA_BOT_EMAIL }}
          git add gradle.properties
          git commit -m "Update UUID for installer"
      - name: Grant execute permission for gradlew
        run: chmod +x gradlew
      - name: Publish artifact
        env:
          GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }}
          packageUser: ${{ secrets.BALLERINA_BOT_USERNAME }}
          packagePAT: ${{ secrets.BALLERINA_BOT_TOKEN }}
          devCentralToken: ${{ secrets.BALLERINA_CENTRAL_DEV_ACCESS_TOKEN }}
          githubAccessToken: ${{ secrets.GITHUB_TOKEN }}
          ballerinaBotWorkflow: $ {{ secrets.BALLERINA_BOT_WORKFLOW }}
        run: |
          ./gradlew build -Pversion=${VERSION}
          ./gradlew release -Prelease.useAutomaticVersion=true -x test
      - name: Checkout docker repo
        uses: actions/checkout@v3
        with:
          repository: ballerina-platform/module-ballerina-docker
          path: module-ballerina-docker
      - name: Copy zip artifact
        run: cp ballerina/build/distributions/ballerina-22*.zip module-ballerina-docker/base/docker/
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v1
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1
      - name: Login to DockerHub
        uses: docker/login-action@v1
        with:
          username: ${{ secrets.DOCKER_HUB_USER }}
          password: ${{ secrets.DOCKER_HUB_TOKEN }}
      - name: Build the docker image
        id: docker_build
        uses: docker/build-push-action@v2
        with:
          context: module-ballerina-docker/base/docker/
          load: true
          push: false
          tags: ballerina/ballerina:release-test
          build-args: |
            BALLERINA_DIST=ballerina-${{ steps.version-set.outputs.sversion }}.zip
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'ballerina/ballerina:release-test'
          skip-dirs: 'ballerina/runtime/examples'
          format: 'table'
          exit-code: '1'
          timeout: "10m0s"
      - name: cosign-installer
        uses: sigstore/cosign-installer@v3.0.3
      - name: Set up Node.js
        uses: actions/setup-node@v2
        with:
          node-version: '14'
      - name: Install GitHub CLI
        run: |
          npm install -g github-cli
          gh --version
      - name: Get Markdown file
        id: file-url
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gh repo view ballerina-platform/ballerina-dev-website --json url --jq '.clone_url'
          gh api repos/ballerina-platform/ballerina-dev-website/contents/downloads/verify-ballerina-artifacts.md -H 'Accept: application/vnd.github.v3.raw' > release_notes.md
          sed -i '1,10d' release_notes.md
      - name: Retrieve Branch
        id: retrieve-branch
        run: |
          branchName=$(echo ${{ github.ref }} | cut -d'/' -f3)
          echo "::set-output name=branchName::$branchName"
      - name: Update Markdown file
        run: |
          if ${{ github.event.inputs.isPreRelease }} == 'true'; then 
            echo "" > release_notes.md; 
          else sed -i 's/{{ version }}/${{ steps.version-set.outputs.taggedVersion }}/g' release_notes.md; sed -i 's/{{ branch }}/${{ steps.retrieve-branch.outputs.branchName }}/g' release_notes.md; fi
      - name: Read release notes from file
        id: release_notes
        uses: actions/github-script@v4
        with:
          github-token: ${{ secrets.BALLERINA_BOT_TOKEN }}
          script: |
            const fs = require('fs');
            const releaseNotes = fs.readFileSync('release_notes.md', 'utf8');
            core.setOutput('notes', releaseNotes);
      - name: Create release
        id: create_release
        uses: actions/create-release@v1
        env:
          GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }}
        with:
          tag_name: "v${{ steps.version-set.outputs.taggedVersion }}"
          release_name: ${{ steps.version-set.outputs.taggedVersion }}
          body: ${{ steps.release_notes.outputs.notes }}
          draft: false
          prerelease: ${{ github.event.inputs.isPreRelease }}
      - name: Create linux-deb Installer
        id: run_installers_deb
        run: |
          cd installers/linux-deb
          ./build-ballerina-linux-deb-x64.sh -v ${{ steps.version-set.outputs.longVersion }} -p ./../../ballerina/build/distributions
          echo "Created linux-deb successfully"
      - name: Sign the linux-deb installer
        run: |
          cosign sign-blob installers/linux-deb/target/ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.deb --output-certificate ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.deb.pem --output-signature ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.deb.sig --yes
      - name: Verify the linux-deb installer
        run: |
          cosign verify-blob installers/linux-deb/target/ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.deb --certificate ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.deb.pem --signature ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.deb.sig --certificate-identity=https://github.com/ballerina-platform/ballerina-distribution/.github/workflows/publish-release.yml@${{ github.ref }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com
      - name: Create linux-rpm Installer
        id: run_installers_rpm
        run: |
          cd installers/linux-rpm
          ./build-ballerina-linux-rpm-x64.sh -v ${{ steps.version-set.outputs.longVersion }} -p ./../../ballerina/build/distributions
          echo "Created linux-rpm successfully"
      - name: Sign the linux-rpm installer
        run: |
          cosign sign-blob installers/linux-rpm/rpmbuild/RPMS/x86_64/ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.rpm --output-certificate ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.rpm.pem --output-signature ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.rpm.sig --yes
      - name: Verify the linux-rpm installer
        run: |
          cosign verify-blob installers/linux-rpm/rpmbuild/RPMS/x86_64/ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.rpm --certificate ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.rpm.pem --signature ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.rpm.sig --certificate-identity=https://github.com/ballerina-platform/ballerina-distribution/.github/workflows/publish-release.yml@${{ github.ref }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com
      - name: Generate Hashes
        run: |
          openssl dgst -sha256 -out ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.deb.sha256 installers/linux-deb/target/ballerina-*-linux-x64.deb
          openssl dgst -sha256 -out ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.rpm.sha256 installers/linux-rpm/rpmbuild/RPMS/x86_64/ballerina-*-linux-x64.rpm
          openssl dgst -sha256 -out ballerina-${{ steps.version-set.outputs.longVersion }}.zip.sha256 ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.longVersion }}.zip
          openssl dgst -sha256 -out ballerina-${{ steps.version-set.outputs.sversion }}.zip.sha256 ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.sversion }}.zip
      - name: Sign the zip artifacts
        run: |
          cosign sign-blob ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.longVersion }}.zip --output-certificate ballerina-${{ steps.version-set.outputs.longVersion }}.pem --output-signature ballerina-${{ steps.version-set.outputs.longVersion }}.sig --yes
          cosign sign-blob ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.sversion }}.zip --output-certificate ballerina-${{ steps.version-set.outputs.sversion }}.pem --output-signature ballerina-${{ steps.version-set.outputs.sversion }}.sig --yes
          cosign sign-blob ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.longVersion }}-macos.zip --output-certificate ballerina-${{ steps.version-set.outputs.longVersion }}-macos.pem --output-signature ballerina-${{ steps.version-set.outputs.longVersion }}-macos.sig --yes
          cosign sign-blob ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.longVersion }}-macos-arm.zip --output-certificate ballerina-${{ steps.version-set.outputs.longVersion }}-macos-arm.pem --output-signature ballerina-${{ steps.version-set.outputs.longVersion }}-macos-arm.sig --yes
          cosign sign-blob ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.longVersion }}-windows.zip --output-certificate ballerina-${{ steps.version-set.outputs.longVersion }}-windows.pem --output-signature ballerina-${{ steps.version-set.outputs.longVersion }}-windows.sig --yes
      - name: Verify the zip artifacts
        run: |
          cosign verify-blob ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.longVersion }}.zip --certificate ballerina-${{ steps.version-set.outputs.longVersion }}.pem --signature ballerina-${{ steps.version-set.outputs.longVersion }}.sig --certificate-identity=https://github.com/ballerina-platform/ballerina-distribution/.github/workflows/publish-release.yml@${{ github.ref }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com
          cosign verify-blob ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.sversion }}.zip --certificate ballerina-${{ steps.version-set.outputs.sversion }}.pem --signature ballerina-${{ steps.version-set.outputs.sversion }}.sig --certificate-identity=https://github.com/ballerina-platform/ballerina-distribution/.github/workflows/publish-release.yml@${{ github.ref }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com
          cosign verify-blob ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.longVersion }}-macos.zip --certificate ballerina-${{ steps.version-set.outputs.longVersion }}-macos.pem --signature ballerina-${{ steps.version-set.outputs.longVersion }}-macos.sig --certificate-identity=https://github.com/ballerina-platform/ballerina-distribution/.github/workflows/publish-release.yml@${{ github.ref }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com
          cosign verify-blob ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.longVersion }}-macos-arm.zip --certificate ballerina-${{ steps.version-set.outputs.longVersion }}-macos-arm.pem --signature ballerina-${{ steps.version-set.outputs.longVersion }}-macos-arm.sig --certificate-identity=https://github.com/ballerina-platform/ballerina-distribution/.github/workflows/publish-release.yml@${{ github.ref }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com
          cosign verify-blob ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.longVersion }}-windows.zip --certificate ballerina-${{ steps.version-set.outputs.longVersion }}-windows.pem --signature ballerina-${{ steps.version-set.outputs.longVersion }}-windows.sig --certificate-identity=https://github.com/ballerina-platform/ballerina-distribution/.github/workflows/publish-release.yml@${{ github.ref }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com
      - name: Upload zip artifacts
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }}
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}.zip
          asset_path: ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.longVersion }}.zip
          asset_content_type: application/octet-stream
      - name: Upload zip artifact's Certificate 
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }}
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}.pem
          asset_path: ./ballerina-${{ steps.version-set.outputs.longVersion }}.pem
          asset_content_type: application/octet-stream
      - name: Upload zip artifact's Signature 
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }}
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}.sig
          asset_path: ./ballerina-${{ steps.version-set.outputs.longVersion }}.sig
          asset_content_type: application/octet-stream
      - name: Upload zip without tool artifacts
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }}
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_name: ballerina-${{ steps.version-set.outputs.sversion }}.zip
          asset_path: ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.sversion }}.zip
          asset_content_type: application/octet-stream
      - name: Upload zip without tool artifact's Certificate 
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }}
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_name: ballerina-${{ steps.version-set.outputs.sversion }}.pem
          asset_path: ./ballerina-${{ steps.version-set.outputs.sversion }}.pem
          asset_content_type: application/octet-stream
      - name: Upload zip without tool artifact's Signature 
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }}
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_name: ballerina-${{ steps.version-set.outputs.sversion }}.sig
          asset_path: ./ballerina-${{ steps.version-set.outputs.sversion }}.sig
          asset_content_type: application/octet-stream
      - name: Upload Linux deb Installer
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }}
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.deb
          asset_path: installers/linux-deb/target/ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.deb
          asset_content_type: application/octet-stream
      - name: Upload Linux deb Installer's Certificate 
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }}
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.deb.pem
          asset_path: ./ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.deb.pem
          asset_content_type: application/octet-stream
      - name: Upload Linux deb Installer's Signature 
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }}
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.deb.sig
          asset_path: ./ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.deb.sig
          asset_content_type: application/octet-stream
      - name: Upload Linux rpm Installer
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }}
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.rpm
          asset_path: installers/linux-rpm/rpmbuild/RPMS/x86_64/ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.rpm
          asset_content_type: application/octet-stream
      - name: Upload Linux rpm Installer's Certificate 
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }}
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.rpm.pem
          asset_path: ./ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.rpm.pem
          asset_content_type: application/octet-stream
      - name: Upload Linux rpm Installer's Signature 
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }}
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.rpm.sig
          asset_path: ./ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.rpm.sig
          asset_content_type: application/octet-stream
      - name: Upload MacOS zip artifacts
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }}
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}-macos.zip
          asset_path: ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.longVersion }}-macos.zip
          asset_content_type: application/octet-stream
      - name: Upload MacOS zip artifact's Certificate 
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }}
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}-macos.pem
          asset_path: ./ballerina-${{ steps.version-set.outputs.longVersion }}-macos.pem
          asset_content_type: application/octet-stream
      - name: Upload MacOS zip artifact's Signature 
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }}
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}-macos.sig
          asset_path: ./ballerina-${{ steps.version-set.outputs.longVersion }}-macos.sig
          asset_content_type: application/octet-stream
      - name: Upload MacOS-ARM zip artifacts
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }}
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}-macos-arm.zip
          asset_path: ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.longVersion }}-macos-arm.zip
          asset_content_type: application/octet-stream
      - name: Upload MacOS-ARM zip artifact's Certificate 
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }}
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}-macos-arm.pem
          asset_path: ./ballerina-${{ steps.version-set.outputs.longVersion }}-macos-arm.pem
          asset_content_type: application/octet-stream
      - name: Upload MacOS-ARM zip artifact's Signature 
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }}
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}-macos-arm.sig
          asset_path: ./ballerina-${{ steps.version-set.outputs.longVersion }}-macos-arm.sig
          asset_content_type: application/octet-stream
      - name: Upload Windows zip artifacts
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }}
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}-windows.zip
          asset_path: ballerina/build/distributions/ballerina-${{ steps.version-set.outputs.longVersion }}-windows.zip
          asset_content_type: application/octet-stream
      - name: Upload Windows zip artifact's Certificate 
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }}
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}-windows.pem
          asset_path: ./ballerina-${{ steps.version-set.outputs.longVersion }}-windows.pem
          asset_content_type: application/octet-stream
      - name: Upload Windows zip artifact's Signature 
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }}
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}-windows.sig
          asset_path: ./ballerina-${{ steps.version-set.outputs.longVersion }}-windows.sig
          asset_content_type: application/octet-stream
      - name: Upload Linux deb Hashes
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }}
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.deb.sha256
          asset_path: ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.deb.sha256
          asset_content_type: application/octet-stream
      - name: Upload Linux rpm Hashes
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }}
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.rpm.sha256
          asset_path: ballerina-${{ steps.version-set.outputs.longVersion }}-linux-x64.rpm.sha256
          asset_content_type: application/octet-stream
      - name: Upload Ballerina zip Hashes
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }}
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_name: ballerina-${{ steps.version-set.outputs.longVersion }}.zip.sha256
          asset_path: ballerina-${{ steps.version-set.outputs.longVersion }}.zip.sha256
          asset_content_type: application/octet-stream
      - name: Upload ballerina Short Name zip Hashes
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }}
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_name: ballerina-${{ steps.version-set.outputs.sversion }}.zip.sha256
          asset_path: ballerina-${{ steps.version-set.outputs.sversion }}.zip.sha256
          asset_content_type: application/octet-stream
      - name: Install Ballerina DEB
        run: sudo dpkg -i installers/linux-deb/target/ballerina-*-linux-x64.deb
      - name: Update Installer Test Configs
        run: |
          DISPLAY_TEXT=${{ steps.version-set.outputs.langVersion }}
          SWAN_LAKE_LATEST_VERSION="swan-lake-"+$DISPLAY_TEXT
          perl -pi -e "s/^\s*swan-lake-latest-version-display-text=.*/swan-lake-latest-version-display-text=$DISPLAY_TEXT/" ballerina-test-automation/gradle.properties
          perl -pi -e "s/^\s*swan-lake-latest-version=.*/swan-lake-latest-version=$SWAN_LAKE_LATEST_VERSION/" ballerina-test-automation/gradle.properties
      - name: Run Installer Tests
        working-directory: ./ballerina-test-automation/installer-test
        run: ./../gradlew build --stacktrace -scan --console=plain --no-daemon -DballerinaInstalled=true
        env:
          TEST_MODE_ACTIVE: true
      - name: Post release PR
        env:
          GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }}
        run: |
          curl -fsSL https://github.com/github/hub/raw/master/script/get | bash -s 2.14.1
          bin/hub pull-request -m "[Automated] Sync master after "$VERSION" release"

    outputs:
      project-version: ${{ steps.version-set.outputs.longVersion }}
      upload-asset-url: ${{ steps.create_release.outputs.upload_url }}
      release-version: ${{ steps.version-set.outputs.taggedVersion }}
      lang-version: ${{ steps.version-set.outputs.langVersion }}

  macos-installer-build:
    name: MacOS Installer Build
    needs: publish-release
    runs-on: macos-latest

    steps:
      - name: Checkout Repository
        uses: actions/checkout@v2
      - name: Set up JDK 17
        uses: actions/setup-java@v2
        with:
          distribution: 'temurin'
          java-version: '17.0.7'
      - name: Download MacOS Intaller Zip
        run: |
          wget https://github.com/ballerina-platform/ballerina-distribution/releases/download/v${{ needs.publish-release.outputs.release-version }}/ballerina-${{ needs.publish-release.outputs.project-version }}-macos.zip
      - name: cosign-installer
        uses: sigstore/cosign-installer@v3.0.3
      - name: Create macos-pkg Installer
        id: run_installers_pkg
        run: |
          cd installers/mac
          ./build-ballerina-macos-x64.sh -v ${{ needs.publish-release.outputs.project-version }} -p ./../../
          echo "Created macos-pkg successfully"
      - name: Sign the MacOS installer
        run: |
          cosign sign-blob installers/mac/target/pkg/ballerina-${{ needs.publish-release.outputs.project-version }}-macos-x64.pkg --output-certificate ballerina-${{ needs.publish-release.outputs.project-version }}-macos-x64.pkg.pem --output-signature ballerina-${{ needs.publish-release.outputs.project-version }}-macos-x64.pkg.sig --yes
      - name: Verify the MacOS installer
        run: |
          cosign verify-blob installers/mac/target/pkg/ballerina-${{ needs.publish-release.outputs.project-version }}-macos-x64.pkg --certificate ballerina-${{ needs.publish-release.outputs.project-version }}-macos-x64.pkg.pem --signature ballerina-${{ needs.publish-release.outputs.project-version }}-macos-x64.pkg.sig --certificate-identity=https://github.com/ballerina-platform/ballerina-distribution/.github/workflows/publish-release.yml@${{ github.ref }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com
      - name: Generate Hashes
        run: |
          openssl dgst -sha256 -out ballerina-${{ needs.publish-release.outputs.project-version }}-macos-x64.pkg.sha256 installers/mac/target/pkg/ballerina-${{ needs.publish-release.outputs.project-version }}-macos-x64.pkg
      - name: Upload MacOS pkg Hashes
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }}
        with:
          upload_url: ${{ needs.publish-release.outputs.upload-asset-url }}
          asset_name: ballerina-${{ needs.publish-release.outputs.project-version }}-macos-x64.pkg.sha256
          asset_path: ballerina-${{ needs.publish-release.outputs.project-version }}-macos-x64.pkg.sha256
          asset_content_type: application/octet-stream
      - name: Upload MacOS pkg Installer
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }}
        with:
          upload_url: ${{ needs.publish-release.outputs.upload-asset-url }}
          asset_name: ballerina-${{ needs.publish-release.outputs.project-version }}-macos-x64.pkg
          asset_path: installers/mac/target/pkg/ballerina-${{ needs.publish-release.outputs.project-version }}-macos-x64.pkg
          asset_content_type: application/octet-stream
      - name: Upload MacOS installer's Certificate 
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }}
        with:
          upload_url: ${{ needs.publish-release.outputs.upload-asset-url }}
          asset_name: ballerina-${{ needs.publish-release.outputs.project-version }}-macos-x64.pkg.pem
          asset_path: ./ballerina-${{ needs.publish-release.outputs.project-version }}-macos-x64.pkg.pem
          asset_content_type: application/octet-stream
      - name: Upload MacOS installer's Signature 
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }}
        with:
          upload_url: ${{ needs.publish-release.outputs.upload-asset-url }}
          asset_name: ballerina-${{ needs.publish-release.outputs.project-version }}-macos-x64.pkg.sig
          asset_path: ./ballerina-${{ needs.publish-release.outputs.project-version }}-macos-x64.pkg.sig
          asset_content_type: application/octet-stream
      - name: Install Ballerina PKG
        run: sudo installer -pkg installers/mac/target/pkg/ballerina-*-macos-x64.pkg -target /
      - name: Update Installer Test Configs
        run: |
          DISPLAY_TEXT=${{ needs.publish-release.outputs.lang-version }}
          SWAN_LAKE_LATEST_VERSION="swan-lake-"+$DISPLAY_TEXT
          perl -pi -e "s/^\s*swan-lake-latest-version-display-text=.*/swan-lake-latest-version-display-text=$DISPLAY_TEXT/" ballerina-test-automation/gradle.properties
          perl -pi -e "s/^\s*swan-lake-latest-version=.*/swan-lake-latest-version=$SWAN_LAKE_LATEST_VERSION/" ballerina-test-automation/gradle.properties
      - name: Run Installer Tests
        working-directory: ./ballerina-test-automation/installer-test
        run: ./../gradlew build --stacktrace -scan --console=plain --no-daemon -DballerinaInstalled=true
        env:
          TEST_MODE_ACTIVE: true
      - name: Download MacOS-ARM Intaller Zip
        run: |
          wget https://github.com/ballerina-platform/ballerina-distribution/releases/download/v${{ needs.publish-release.outputs.release-version }}/ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm.zip
      - name: Create macos-arm-pkg Installer
        id: run_installers_arm_pkg
        run: |
          cd installers/mac
          ./build-ballerina-macos-x64.sh -v ${{ needs.publish-release.outputs.project-version }} -p ./../../ -a arm
          echo "Created macos-arm-pkg successfully"
      - name: Sign the MacOS-ARM installer
        run: |
          cosign sign-blob installers/mac/target/pkg/ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm-x64.pkg --output-certificate ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm-x64.pkg.pem --output-signature ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm-x64.pkg.sig --yes
      - name: Verify the MacOS-ARM installer
        run: |
          cosign verify-blob installers/mac/target/pkg/ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm-x64.pkg --certificate ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm-x64.pkg.pem --signature ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm-x64.pkg.sig --certificate-identity=https://github.com/ballerina-platform/ballerina-distribution/.github/workflows/publish-release.yml@${{ github.ref }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com
      - name: Generate Hashes
        run: |
          openssl dgst -sha256 -out ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm-x64.pkg.sha256 installers/mac/target/pkg/ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm-x64.pkg
      - name: Upload MacOS-ARM pkg Hashes
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }}
        with:
          upload_url: ${{ needs.publish-release.outputs.upload-asset-url }}
          asset_name: ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm-x64.pkg.sha256
          asset_path: ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm-x64.pkg.sha256
          asset_content_type: application/octet-stream
      - name: Upload MacOS-ARM pkg Installer
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }}
        with:
          upload_url: ${{ needs.publish-release.outputs.upload-asset-url }}
          asset_name: ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm-x64.pkg
          asset_path: installers/mac/target/pkg/ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm-x64.pkg
          asset_content_type: application/octet-stream
      - name: Upload MacOS-ARM installer's Certificate 
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }}
        with:
          upload_url: ${{ needs.publish-release.outputs.upload-asset-url }}
          asset_name: ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm-x64.pkg.pem
          asset_path: ./ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm-x64.pkg.pem
          asset_content_type: application/octet-stream
      - name: Upload MacOS-ARM installer's Signature 
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }}
        with:
          upload_url: ${{ needs.publish-release.outputs.upload-asset-url }}
          asset_name: ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm-x64.pkg.sig
          asset_path: ./ballerina-${{ needs.publish-release.outputs.project-version }}-macos-arm-x64.pkg.sig
          asset_content_type: application/octet-stream

  windows-installer-build:
    name: Windows Installer Build
    needs: publish-release
    runs-on: windows-latest

    steps:
      - name: Checkout Repository
        uses: actions/checkout@v2
      - name: Set up JDK 17
        uses: actions/setup-java@v2
        with:
          distribution: 'temurin'
          java-version: '17.0.7'
      - uses: actions/setup-dotnet@v1
        with:
          dotnet-version: '2.1.x'
      - name: Install GUID Generator
        run: dotnet tool install -g dotnet-guid --version 0.5.2
      - name: Set up Wix toolkit
        run: echo "${WIX}bin" >> $GITHUB_PATH
        shell: bash
      - name: Set cosign-installer
        uses: sigstore/cosign-installer@v3.0.3
      - name: Download Windows Installer Zip
        run: |
          echo default login ${{ secrets.BALLERINA_BOT_USERNAME }} password ${{ secrets.BALLERINA_BOT_TOKEN }} >> _netrc
          curl --netrc-file _netrc -L -o ballerina-${{ needs.publish-release.outputs.project-version }}-windows.zip https://github.com/ballerina-platform/ballerina-distribution/releases/download/v${{ needs.publish-release.outputs.release-version }}/ballerina-${{ needs.publish-release.outputs.project-version }}-windows.zip
      - name: Create windows-msi Installer
        id: run_installers_msi
        run: |
          move installers\windows .\
          ren windows w
          cd w
          .\build-ballerina-windows-x64.bat --version ${{ needs.publish-release.outputs.project-version }} --path .\..\
      - name: Sign the Windows installer
        run: |
          cosign sign-blob w\target\msi\ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi --output-certificate ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi.pem --output-signature ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi.sig --yes
      - name: Verify the Windows installer
        run: |
          cosign verify-blob w\target\msi\ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi --certificate ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi.pem --signature ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi.sig --certificate-identity=https://github.com/ballerina-platform/ballerina-distribution/.github/workflows/publish-release.yml@${{ github.ref }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com
      - name: Generate Hashes
        run: |
          openssl dgst -sha256 -out ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi.sha256 w\target\msi\ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi
      - name: Upload Windows msi Hashes
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }}
        with:
          upload_url: ${{ needs.publish-release.outputs.upload-asset-url }}
          asset_name: ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi.sha256
          asset_path: ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi.sha256
          asset_content_type: application/octet-stream
      - name: Upload Windows msi Installer
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }}
        with:
          upload_url: ${{ needs.publish-release.outputs.upload-asset-url }}
          asset_name: ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi
          asset_path: w\target\msi\ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi
          asset_content_type: application/octet-stream
      - name: Upload Windows installer's Certificate 
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }}
        with:
          upload_url: ${{ needs.publish-release.outputs.upload-asset-url }}
          asset_name: ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi.pem
          asset_path: ./ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi.pem
          asset_content_type: application/octet-stream
      - name: Upload Windows installer's Signature 
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.BALLERINA_BOT_TOKEN }}
        with:
          upload_url: ${{ needs.publish-release.outputs.upload-asset-url }}
          asset_name: ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi.sig
          asset_path: ./ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi.sig
          asset_content_type: application/octet-stream
      - name: Install Ballerina msi
        run: msiexec /i w\target\msi\ballerina-${{ needs.publish-release.outputs.project-version }}-windows-x64.msi /quiet /qr
        shell: cmd
      - name: Update Installer Test Configs
        run: |
          set DISPLAY_TEXT=${{ needs.publish-release.outputs.lang-version }}
          set SWAN_LAKE_LATEST_VERSION=swan-lake-%DISPLAY_TEXT%
          perl -pi -e "s/^\s*swan-lake-latest-version-display-text=.*/swan-lake-latest-version-display-text=%DISPLAY_TEXT%/" ballerina-test-automation/gradle.properties
          perl -pi -e "s/^\s*swan-lake-latest-version=.*/swan-lake-latest-version=%SWAN_LAKE_LATEST_VERSION%/" ballerina-test-automation/gradle.properties
        shell: cmd
      - name: Run Installer Tests
        working-directory: .\ballerina-test-automation\installer-test
        run: |
          $env:Path += ";C:\Program Files\Ballerina\bin"
          .\..\gradlew build --stacktrace -scan --console=plain --no-daemon -DballerinaInstalled=true