Stirling-PDF/.github/workflows/releaseArtifacts.yml

name: Release Artifacts

on:
  workflow_dispatch:
  release:
    types: [created]

permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        disable_security: [true, false]
        include:
          - disable_security: false
            file_suffix: "-with-login"
          - disable_security: true
            file_suffix: ""
    outputs:
      version: ${{ steps.versionNumber.outputs.versionNumber }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
        with:
          egress-policy: audit

      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Set up JDK 17
        uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
        with:
          java-version: "17"
          distribution: "temurin"

      - uses: gradle/actions/setup-gradle@017a9effdb900e5b5b2fddfb590a105619dca3c3 # v4.4.2
        with:
          gradle-version: 8.14

      - name: Generate jar (Disable Security=${{ matrix.disable_security }})
        run: ./gradlew clean createExe
        env:
          DISABLE_ADDITIONAL_FEATURES: ${{ matrix.disable_security }}
          STIRLING_PDF_DESKTOP_UI: false

      - name: Get version number
        id: versionNumber
        run: |
          VERSION=$(grep "^version =" build.gradle | awk -F'"' '{print $2}')
          echo "versionNumber=$VERSION" >> $GITHUB_OUTPUT

      - name: Rename binaries
        run: |
          mv ./build/launch4j/Stirling-PDF.exe ./build/launch4j/Stirling-PDF-Server${{ matrix.file_suffix }}.exe
          mv ./build/libs/Stirling-PDF-${{ steps.versionNumber.outputs.versionNumber }}.jar ./build/libs/Stirling-PDF${{ matrix.file_suffix }}.jar

      - name: Debug build artifacts
        run: |
          echo "Current Directory: $(pwd)"
          ls -R ./build/libs
          ls -R ./build/launch4j

      - name: Upload build artifacts
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: binaries${{ matrix.file_suffix }}
          path: |
            ./build/launch4j/Stirling-PDF-Server${{ matrix.file_suffix }}.*
            ./build/libs/Stirling-PDF${{ matrix.file_suffix }}.*

  sign_verify:
    needs: build
    runs-on: ubuntu-latest
    strategy:
      matrix:
        disable_security: [true, false]
        include:
          - disable_security: false
            file_suffix: "-with-login"
          - disable_security: true
            file_suffix: ""
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
        with:
          egress-policy: audit

      - name: Download build artifacts
        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
        with:
          name: binaries${{ matrix.file_suffix }}
      - name: Display structure of downloaded files
        run: ls -R

      - name: Install Cosign
        uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2

      - name: Generate key pair
        run: cosign generate-key-pair

      - name: Sign and generate attestations
        run: |
          cosign sign-blob \
            --key ./cosign.key \
            --yes \
            --output-signature ./libs/Stirling-PDF${{ matrix.file_suffix }}.jar.sig \
            ./libs/Stirling-PDF${{ matrix.file_suffix }}.jar

          cosign attest-blob \
            --predicate - \
            --key ./cosign.key \
            --yes \
            --output-attestation ./libs/Stirling-PDF${{ matrix.file_suffix }}.jar.intoto.jsonl \
            ./libs/Stirling-PDF${{ matrix.file_suffix }}.jar

          cosign verify-blob \
            --key ./cosign.pub \
            --signature ./libs/Stirling-PDF${{ matrix.file_suffix }}.jar.sig \
            ./libs/Stirling-PDF${{ matrix.file_suffix }}.jar

          cosign sign-blob \
            --key ./cosign.key \
            --yes \
            --output-signature ./launch4j/Stirling-PDF-Server${{ matrix.file_suffix }}.exe.sig \
            ./launch4j/Stirling-PDF-Server${{ matrix.file_suffix }}.exe

          cosign attest-blob \
            --predicate - \
            --key ./cosign.key \
            --yes \
            --output-attestation ./launch4j/Stirling-PDF-Server${{ matrix.file_suffix }}.exe.intoto.jsonl \
            ./launch4j/Stirling-PDF-Server${{ matrix.file_suffix }}.exe

          cosign verify-blob \
            --key ./cosign.pub \
            --signature ./launch4j/Stirling-PDF-Server${{ matrix.file_suffix }}.exe.sig \
            ./launch4j/Stirling-PDF-Server${{ matrix.file_suffix }}.exe

      - name: Upload signed artifacts
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: signed${{ matrix.file_suffix }}
          path: |
            ./libs/Stirling-PDF${{ matrix.file_suffix }}.*
            ./launch4j/Stirling-PDF-Server${{ matrix.file_suffix }}.*

  release:
    needs: [build, sign_verify]
    runs-on: ubuntu-latest
    permissions:
      contents: write
    strategy:
      matrix:
        disable_security: [true, false]
        include:
          - disable_security: false
            file_suffix: "-with-login"
          - disable_security: true
            file_suffix: ""
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
        with:
          egress-policy: audit

      - name: Download signed artifacts
        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
        with:
          name: signed${{ matrix.file_suffix }}

      - name: Upload binaries, attestations and signatures to Release and create GitHub Release
        uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8 # v2.3.2
        with:
          tag_name: v${{ needs.build.outputs.version }}
          generate_release_notes: true
          files: |
            ./libs/Stirling-PDF*
            ./launch4j/Stirling-PDF-Server*