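# Builds the portable jar/exe and the Windows installer, signs the installer
# with cosign, and attaches every "*signed" artifact to a GitHub Release.
#
# Supply-chain notes:
# - Third-party actions are pinned to full commit SHAs; keep the trailing
#   version comments in sync when bumping them.
# - harden-runner runs with `egress-policy: audit`, which only records outbound
#   traffic. Once the audit log is stable, `egress-policy: block` with an
#   allowlist is what actually restricts egress.
# - Values derived from repository content (the version string) and matrix
#   values are passed to shell steps through `env:` rather than being expanded
#   with `${{ }}` inside `run:` scripts, so they are never parsed as shell code.
name: Test Installers Build

on:
  workflow_dispatch:
  release:
    types: [created]

# Default token scope for every job; jobs that need more override it locally.
permissions:
  contents: read

jobs:
  read_versions:
    runs-on: ubuntu-latest
    outputs:
      version: ${{ steps.versionNumber.outputs.versionNumber }}
      versionMac: ${{ steps.versionNumberMac.outputs.versionNumberMac }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3
        with:
          egress-policy: audit

      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      # Get version number
      - name: Get version number
        id: versionNumber
        run: |
          VERSION=$(grep "^version =" build.gradle | awk -F'"' '{print $2}')
          # The value ends up in file names, a release tag and other jobs'
          # scripts: accept a single plain version token only (rejects empty
          # output, embedded newlines and shell metacharacters).
          pattern='^[0-9A-Za-z][0-9A-Za-z.+_-]*$'
          if ! [[ "$VERSION" =~ $pattern ]]; then
            echo "::error::Unexpected version string in build.gradle" >&2
            exit 1
          fi
          echo "versionNumber=$VERSION" >> "$GITHUB_OUTPUT"

      - name: Get version number mac
        id: versionNumberMac
        env:
          # Reuse the already-validated value instead of re-parsing build.gradle.
          VERSION: ${{ steps.versionNumber.outputs.versionNumber }}
        run: |
          CURRENT_YEAR=$(date +'%Y')
          IFS='.' read -r -a VERSION_PARTS <<< "$VERSION"
          # macOS bundle version: <current year>.<minor>.<patch>
          MAC_VERSION="$CURRENT_YEAR.${VERSION_PARTS[1]:-0}.${VERSION_PARTS[2]:-0}"
          echo "versionNumberMac=$MAC_VERSION" >> "$GITHUB_OUTPUT"

  build-portable:
    needs: read_versions
    runs-on: ubuntu-latest
    strategy:
      matrix:
        enable_security: [true, false]
        include:
          - enable_security: true
            file_suffix: "with-login-"
          - enable_security: false
            file_suffix: ""
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3
        with:
          egress-policy: audit

      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Set up JDK 21
        uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
        with:
          java-version: "21"
          distribution: "temurin"

      - uses: gradle/actions/setup-gradle@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2
        with:
          # Quoted so the version is never read as a float (8.10 would become 8.1).
          gradle-version: "8.12"

      - name: Generate jar (With Security=${{ matrix.enable_security }})
        run: ./gradlew clean createExe
        env:
          DOCKER_ENABLE_SECURITY: ${{ matrix.enable_security }}
          STIRLING_PDF_DESKTOP_UI: "false"

      - name: Rename binaries
        env:
          VERSION: ${{ needs.read_versions.outputs.version }}
          FILE_SUFFIX: ${{ matrix.file_suffix }}
        run: |
          mv "./build/launch4j/Stirling-PDF.exe" "./win-Stirling-PDF-portable-Server-${FILE_SUFFIX}${VERSION}.exe"
          mv "./build/libs/Stirling-PDF-${VERSION}.jar" "./Stirling-PDF-${FILE_SUFFIX}${VERSION}.jar"

      - name: Upload build artifacts
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          retention-days: 1
          if-no-files-found: error
          name: stirling-${{ matrix.file_suffix }}binaries
          path: |
            ./win-Stirling-PDF-portable-Server-${{ matrix.file_suffix }}${{ needs.read_versions.outputs.version }}.exe
            ./Stirling-PDF-${{ matrix.file_suffix }}${{ needs.read_versions.outputs.version }}.jar

  # NOTE(review): despite its name this job contains no signing or verification
  # step; it re-uploads the downloaded binaries under a "...signed" artifact
  # name, and create-release publishes them from there. The portable exe/jar
  # therefore ship without a signature or attestation.
  sign_verify-portable:
    needs: [build-portable, read_versions]
    runs-on: ubuntu-latest
    strategy:
      matrix:
        enable_security: [true, false]
        include:
          - enable_security: true
            file_suffix: "with-login-"
          - enable_security: false
            file_suffix: ""
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3
        with:
          egress-policy: audit

      - name: Download build artifacts
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: stirling-${{ matrix.file_suffix }}binaries

      - name: Display structure of downloaded files
        run: ls -R

      - name: Upload signed artifacts
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          retention-days: 1
          if-no-files-found: error
          name: stirling-${{ matrix.file_suffix }}signed
          path: |
            ./*
            !cosign.*

  build-installers:
    needs: read_versions
    strategy:
      matrix:
        include:
          - os: windows-latest
            extra: "-installer"
            platform: win-
            ext: exe
          # - os: macos-latest
          #   extra: ""
          #   platform: mac-
          #   ext: dmg
          # - os: ubuntu-latest
          #   extra: ""
          #   platform: linux-
          #   ext: deb
    runs-on: ${{ matrix.os }}
    # Least privilege: this job only checks out, builds and uploads a workflow
    # artifact. None of its steps writes to the repository or to a release, so
    # the token stays read-only (the release upload happens in create-release).
    permissions:
      contents: read
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3
        with:
          egress-policy: audit

      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Set up JDK 21
        uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
        with:
          java-version: "21"
          distribution: "temurin"

      - uses: gradle/actions/setup-gradle@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2
        with:
          # Quoted so the version is never read as a float (8.10 would become 8.1).
          gradle-version: "8.12"

      # Install Windows dependencies
      # NOTE(review): the WiX installer is downloaded and executed without an
      # integrity check. Record the expected SHA-256 of wix314.exe in this
      # workflow and compare it (e.g. with Get-FileHash) before running it.
      - name: Install WiX Toolset
        if: matrix.os == 'windows-latest'
        run: |
          # --fail: stop on an HTTP error instead of saving the error page as wix.exe
          curl --fail -L -o wix.exe https://github.com/wixtoolset/wix3/releases/download/wix3141rtm/wix314.exe
          .\wix.exe /install /quiet

      # Build installer
      - name: Build Installer
        run: ./gradlew build jpackage -x test --info
        env:
          DOCKER_ENABLE_SECURITY: "false"
          STIRLING_PDF_DESKTOP_UI: "true"

      # Rename and collect artifacts based on OS
      - name: Prepare artifacts
        id: prepare
        shell: bash
        env:
          MATRIX_OS: ${{ matrix.os }}
          PLATFORM: ${{ matrix.platform }}
          EXTRA: ${{ matrix.extra }}
          EXT: ${{ matrix.ext }}
          VERSION: ${{ needs.read_versions.outputs.version }}
          VERSION_MAC: ${{ needs.read_versions.outputs.versionMac }}
        run: |
          # Every platform is renamed to the same target pattern.
          target="${PLATFORM}Stirling-PDF${EXTRA}-${VERSION}.${EXT}"
          if [ "$MATRIX_OS" = "windows-latest" ]; then
            mv "./build/jpackage/Stirling-PDF-${VERSION}.exe" "$target"
          elif [ "$MATRIX_OS" = "macos-latest" ]; then
            mv "./build/jpackage/Stirling-PDF-${VERSION_MAC}.dmg" "$target"
          else
            mv "./build/jpackage/stirling-pdf_${VERSION}-1_amd64.deb" "$target"
          fi

      - name: Upload build artifacts
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          retention-days: 1
          if-no-files-found: error
          name: ${{ matrix.platform }}binaries
          path: |
            ./${{ matrix.platform }}Stirling-PDF${{ matrix.extra }}-${{ needs.read_versions.outputs.version }}.${{ matrix.ext }}

  sign_verify:
    needs: [read_versions, build-installers]
    strategy:
      matrix:
        include:
          - os: windows-latest
            extra: "-installer"
            platform: win-
            ext: exe
          # - os: macos-latest
          #   extra: ""
          #   platform: mac-
          #   ext: dmg
          # - os: ubuntu-latest
          #   extra: ""
          #   platform: linux-
          #   ext: deb
    # matrix.os only selects which artifact is processed; signing itself always
    # runs on a Linux runner.
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3
        with:
          egress-policy: audit

      - name: Download build artifacts
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: ${{ matrix.platform }}binaries

      - name: Display structure of downloaded files
        run: ls -R

      - name: Install Cosign
        if: matrix.os == 'windows-latest'
        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0

      # NOTE(review): the key pair is created fresh on every run and both
      # cosign.key and cosign.pub are excluded from the upload (`!cosign.*`).
      # The published .sig and .intoto.jsonl therefore cannot be checked by
      # anyone downloading the release: there is no stable public key or
      # identity to verify against. The verify-blob call below only shows that
      # the signature round-trips inside this job. For real releases, sign with
      # a long-lived key held in a secret/KMS or with keyless (OIDC) signing,
      # and publish the verification material.
      # No COSIGN_PASSWORD is set here — presumably the private key ends up
      # protected by an empty password; confirm.
      - name: Generate key pair
        if: matrix.os == 'windows-latest'
        run: cosign generate-key-pair

      - name: Sign and generate attestations
        if: matrix.os == 'windows-latest'
        env:
          ARTIFACT: ./${{ matrix.platform }}Stirling-PDF${{ matrix.extra }}-${{ needs.read_versions.outputs.version }}.${{ matrix.ext }}
        run: |
          cosign sign-blob \
            --key ./cosign.key \
            --yes \
            --output-signature "${ARTIFACT}.sig" \
            "${ARTIFACT}"

          # NOTE(review): `--predicate -` reads the predicate from stdin and
          # nothing is piped in here — confirm which predicate is intended.
          cosign attest-blob \
            --predicate - \
            --key ./cosign.key \
            --yes \
            --output-attestation "${ARTIFACT}.intoto.jsonl" \
            "${ARTIFACT}"

          cosign verify-blob \
            --key ./cosign.pub \
            --signature "${ARTIFACT}.sig" \
            "${ARTIFACT}"

      - name: Upload signed artifacts
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          retention-days: 1
          if-no-files-found: error
          name: ${{ matrix.platform }}signed
          # The `!cosign.*` exclusion keeps the private key out of the artifact.
          path: |
            ./${{ matrix.platform }}Stirling-PDF${{ matrix.extra }}-${{ needs.read_versions.outputs.version }}.*
            !cosign.*

  create-release:
    needs: [read_versions, sign_verify, sign_verify-portable]
    runs-on: ubuntu-latest
    # The only job that needs a write-scoped token: it creates/updates the release.
    permissions:
      contents: write
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3
        with:
          egress-policy: audit

      # No `name:` input: every artifact of this run is downloaded into a
      # directory named after the artifact.
      - name: Download signed artifacts
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8

      - name: Display structure of downloaded files
        run: ls -R

      - name: Upload binaries, attestations and signatures to Release and create GitHub Release
        uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974 # v2.1.0
        with:
          tag_name: v${{ needs.read_versions.outputs.version }}
          generate_release_notes: true
          # Only directories whose artifact name ends in "signed" are published.
          files: |
            ./*signed/*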