Adds automatic release action (#17594)

* Adds automatic release action

* remove test branch usage

* set proper permissions

* use the commit hashes of the versions for external actions

* remove invalid permission property

* use local version of build script

* various improvements

* disallow creating automated tags from branches other than 4.x-dev and next_release

* apply latest build script changes

* manually import gpg key instead of using an action

* remove all remote work

* also attach piwik.* files to the release

* some cleanup

* Adds confirmation box to action run

* apply review feedback

* add password check

* allow releases to be triggered from any development branch

* only allow beta releases from development branches

* improve permissions

* add some comments about required secrets

* use default github token to check group members

3 files changed, 652 insertions, 0 deletions

diff --git a/.github/scripts/build-package.sh b/.github/scripts/build-package.sh
new file mode 100644
index 0000000000..bf02ee997d
--- /dev/null
+++ b/.github/scripts/build-package.sh
@@ -0,0 +1,255 @@
+#!/bin/bash
+# Syntax: build-package.sh version
+
+# Before running this script, tag a new version:
+# $ git tag 1.11-b3
+# $ git push origin tags/1.11-b3
+
+URL_REPO=https://github.com/matomo-org/matomo.git
+
+LOCAL_REPO="matomo_last_version_git"
+LOCAL_ARCH="archives"
+
+# List of Sub-modules that SHOULD be in the packaged release, eg PiwikTracker|CorePluginName
+SUBMODULES_PACKAGED_WITH_CORE='log-analytics|plugins/Morpheus/icons|plugins/TagManager'
+
+# Setting umask so it works for most users, see https://github.com/matomo-org/matomo/issues/3869
+umask 0022
+
+# this is our current folder
+CURRENT_DIR="$(pwd)"
+
+# this is where our build script is.
+WORK_DIR="$CURRENT_DIR/archives/"
+
+echo "Working directory is '$WORK_DIR'..."
+
+function Usage() {
+    echo -e "ERROR: This command is missing one or more option. See help below."
+    echo -e "$0 version [flavour]"
+    echo -e "\t* version: Package version under which you want the archive to be published or path to matomo checkout you want packaged."
+    echo -e "\t* flavour: Base name of your archive. Can either be 'matomo' or 'piwik'. If unspecified, both archives are generated."
+    # exit with code 1 to indicate an error.
+    exit 1
+}
+
+
+# check local environment for all required apps/tools
+function checkEnv() {
+    if [ ! -x "/usr/bin/curl" ] && [ ! -x "$(which curl)" ]
+    then
+        die "Cannot find curl"
+    fi
+
+    if [ ! -x "/usr/bin/git" ] && [ ! -x "$(which git)" ]
+    then
+        die "Cannot find git"
+    fi
+
+    if [ ! -x "/usr/bin/php" ] && [ ! -x "$(which php)" ]
+    then
+        die "Cannot find php"
+    fi
+
+    if [ ! -x "/usr/bin/gpg" ] && [ ! -x "$(which gpg)" ]
+    then
+        die "Cannot find gpg"
+    fi
+
+    if [ ! -x "/usr/bin/zip" ] && [ ! -x "$(which zip)" ]
+    then
+        die "Cannot find zip"
+    fi
+
+    if [ ! -x "/usr/bin/md5sum" ] && [ ! -x "$(which md5sum)" ]
+    then
+        die "Cannot find md5sum"
+    fi
+}
+
+# report error and exit
+function die() {
+    echo -e "$0: $1"
+    exit 2
+}
+
+# organize files for packaging
+function organizePackage() {
+
+    if [ ! -f "composer.phar" ]
+    then
+        EXPECTED_SIGNATURE="$(wget -q -O - https://composer.github.io/installer.sig)"
+        php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
+        ACTUAL_SIGNATURE="$(php -r "echo hash_file('SHA384', 'composer-setup.php');")"
+
+        if [ "$EXPECTED_SIGNATURE" != "$ACTUAL_SIGNATURE" ]
+        then
+            >&2 echo 'ERROR: Invalid installer signature'
+            rm composer-setup.php
+            exit 1
+        fi
+        php composer-setup.php --quiet || die "Error installing composer "
+        rm composer-setup.php
+    fi
+    # --ignore-platform-reqs in case the building machine does not have one of the packages required ie. GD required by cpchart
+    php composer.phar install --no-dev -o --ignore-platform-reqs || die "Error installing composer packages"
+
+    # delete most submodules
+    for P in $(git submodule status | egrep -v $SUBMODULES_PACKAGED_WITH_CORE | awk '{print $2}')
+    do
+        rm -Rf ./$P
+    done
+
+    cp tests/README.md ../
+
+    $CURRENT_DIR/.github/scripts/clean-build.sh
+
+    SYMLINKS=(`find ./ -type l`)
+    if [ ${#SYMLINKS[@]} -gt 0 ]
+    then
+      echo 'Symlinks detected. Please check if following links should be removed:'
+      echo ${SYMLINKS[*]}
+      exit 1
+    fi
+
+    mkdir tests
+    mv ../README.md tests/
+
+    # Remove and deactivate the TestRunner plugin in production build
+    sed -i '/Plugins\[\] = TestRunner/d' config/global.ini.php
+    rm -rf plugins/TestRunner
+
+    cp misc/How\ to\ install\ Matomo.html ..
+
+    if [ -d "misc/package" ]
+    then
+        rm -rf misc/package/
+    fi
+
+    find ./ -type f -printf '%s ' -exec md5sum {} \; \
+        | grep -v "user/.htaccess" \
+        | egrep -v 'manifest.inc.php|vendor/autoload.php|vendor/composer/autoload_real.php' \
+        | sed '1,$ s/\([0-9]*\) \([a-z0-9]*\) *\.\/\(.*\)/\t\t"\3" => array("\1", "\2"),/;' \
+        | sort \
+        | sed '1 s/^/<?php\n\/\/ This file is automatically generated during the Matomo build process \
+namespace Piwik;\nclass Manifest {\n\tstatic $files=array(\n/; $ s/$/\n\t);\n}/' \
+        > ./config/manifest.inc.php
+
+}
+
+if [ -z "$1" ]; then
+    echo "Expected a version number as a parameter"
+    Usage "$0"
+else
+    VERSION="$1"
+    MAJOR_VERSION=`echo $VERSION | cut -d'.' -f1`
+fi
+
+if [ -z "$2" ]; then
+    FLAVOUR="matomo piwik"
+    echo "Building 'matomo' and 'piwik' archives"
+else
+    if [ "$2" != "matomo" ] && [ "$2" != "piwik" ]; then
+        Usage "$0"
+    else
+        FLAVOUR="$2"
+        echo "Building '$2' archives"
+    fi
+fi
+
+# check for local requirements
+checkEnv
+
+echo -e "Going to build Matomo $VERSION (Major version: $MAJOR_VERSION)"
+
+if ! echo "$VERSION" | grep -E 'rc|b|a|alpha|beta|dev' -i
+then
+    if curl --output /dev/null --silent --head --fail "https://builds.matomo.org/$F-$VERSION.zip"
+    then
+        echo "--> Error: stable version $VERSION has already been built (not expected). <-- "
+    fi
+fi
+
+echo -e "Proceeding..."
+sleep 2
+
+echo "Starting '$FLAVOUR' build...."
+
+mkdir -p "$WORK_DIR"
+cd "$WORK_DIR" || exit
+
+[ -d "$LOCAL_ARCH" ] || mkdir "$LOCAL_ARCH"
+
+cd "$CURRENT_DIR" || exit
+cd "$WORK_DIR" || exit
+
+if [ -d "$LOCAL_REPO" ] ; then
+    rm -rf $LOCAL_REPO
+fi
+
+echo "cloning repository for tag $VERSION..."
+
+# for this to work 'git-lfs' has to be installed on the local machine
+git clone --config filter.lfs.smudge="git-lfs smudge --skip" --single-branch --branch "$VERSION" "$URL_REPO" "$LOCAL_REPO"
+
+if [ "$?" -ne "0" ] || [ ! -d "$LOCAL_REPO" ]; then
+    die "Error: Failed to clone git repository $URL_REPO, maybe tag $VERSION does not exist"
+fi
+
+echo -e "Working in $LOCAL_REPO"
+cd "$LOCAL_REPO" || exit
+
+# clone submodules that should be in the release
+for P in $(git submodule status | egrep $SUBMODULES_PACKAGED_WITH_CORE | awk '{print $2}')
+do
+    echo -e "cloning submodule $P"
+    git submodule update --init --depth=1 $P
+done
+
+echo "Preparing release $VERSION"
+echo "Git tag: $(git describe --exact-match --tags HEAD)"
+echo "Git path: $WORK_DIR/$LOCAL_REPO"
+echo "Matomo version in core/Version.php: $(grep "'$VERSION'" core/Version.php)"
+
+[ "$(grep "'$VERSION'" core/Version.php | wc -l)" = "1" ] || die "version $VERSION does not match core/Version.php";
+
+echo "Organizing files and generating manifest file..."
+organizePackage
+
+for F in $FLAVOUR; do
+    echo "Creating '$F' release package"
+
+    # leave $LOCAL_REPO folder
+    cd "$WORK_DIR" || exit
+
+    echo "copying files to a new directory..."
+    [ -d "$F" ] && rm -rf "$F"
+    cp -pdr "$LOCAL_REPO" "$F"
+    cd "$F" || exit
+
+    # leave $F folder
+    cd ..
+
+    echo "packaging release..."
+    rm "../$LOCAL_ARCH/$F-$VERSION.zip" 2> /dev/null
+    zip -9 -r "../$LOCAL_ARCH/$F-$VERSION.zip" "$F" How\ to\ install\ Matomo.html > /dev/null
+
+    gpg --armor --detach-sign "../$LOCAL_ARCH/$F-$VERSION.zip" || die "Failed to sign $F-$VERSION.zip"
+
+    rm "../$LOCAL_ARCH/$F-$VERSION.tar.gz"  2> /dev/null
+    tar -czf "../$LOCAL_ARCH/$F-$VERSION.tar.gz" "$F" How\ to\ install\ Matomo.html
+
+    gpg --armor --detach-sign "../$LOCAL_ARCH/$F-$VERSION.tar.gz" || die "Failed to sign $F-$VERSION.tar.gz"
+
+done
+
+# Check File signatures are correct
+for ext in zip tar.gz
+do
+    for F in $FLAVOUR; do
+        gpg --verify ../$LOCAL_ARCH/$F-$VERSION.$ext.asc
+        if [ "$?" -ne "0" ]; then
+            die "Failed to verify signature for ../$LOCAL_ARCH/$F-$VERSION.$ext"
+        fi
+    done
+done
\ No newline at end of file
diff --git a/.github/scripts/clean-build.sh b/.github/scripts/clean-build.sh
new file mode 100644
index 0000000000..cefed53615
--- /dev/null
+++ b/.github/scripts/clean-build.sh
@@ -0,0 +1,230 @@
+#!/bin/bash
+# This script removes all files that shouldn't be included in a release
+# It should be called from within the root directory of Matomo
+
+# ------------
+# WARNING:
+# if you add files below, also update the Integration test in ReleaseCheckListTest.php
+# in isFileDeletedFromPackage()
+# ------------
+
+echo -e "Deleting un-needed files..."
+
+# Delete all `tests/` and `Tests/` folders
+find ./ -iname 'tests' -type d -prune -exec rm -rf {} \;
+
+# Delete all di config files for test environments
+rm -rf config/environment/test.php
+rm -rf config/environment/ui-test.php
+rm -rf plugins/*/config/test.php
+rm -rf plugins/*/config/ui-test.php
+
+# Delete un-used files from the matomo-icons repository
+rm -rf plugins/Morpheus/icons/src*
+rm -rf plugins/Morpheus/icons/tools*
+rm -rf plugins/Morpheus/icons/flag-icon-css*
+rm -rf plugins/Morpheus/icons/submodules*
+rm -rf plugins/Morpheus/icons/.git*
+rm -rf plugins/Morpheus/icons/*.py
+rm -rf plugins/Morpheus/icons/*.sh
+rm -rf plugins/Morpheus/icons/*.json
+rm -rf plugins/Morpheus/icons/*.lock
+rm -rf plugins/Morpheus/icons/*.svg
+rm -rf plugins/Morpheus/icons/*.txt
+rm -rf plugins/Morpheus/icons/*.php
+rm -rf plugins/Morpheus/icons/*.yml
+
+# Delete all Example plugins
+rm -rf plugins/Example*
+
+rm -rf composer.phar
+rm -rf vendor/bin/
+rm -rf vendor/container-interop/container-interop/docs
+rm -rf vendor/davaxi/sparkline/composer-8.json
+rm -rf vendor/davaxi/sparkline/docker-compose.yml
+rm -rf vendor/davaxi/sparkline/Dockerfile
+rm -rf vendor/geoip2/geoip2/examples/
+rm -rf vendor/lox/xhprof/bin
+rm -rf vendor/lox/xhprof/examples
+rm -rf vendor/lox/xhprof/scripts
+rm -rf vendor/lox/xhprof/extension
+rm -rf vendor/lox/xhprof/xhprof_html
+rm -rf vendor/maxmind-db/reader/ext/
+rm -rf vendor/maxmind-db/reader/autoload.php
+rm -rf vendor/maxmind-db/reader/CHANGELOG.md
+rm -rf vendor/maxmind/web-service-common/dev-bin/
+rm -rf vendor/maxmind/web-service-common/CHANGELOG.md
+rm -rf vendor/pear/archive_tar/docs
+rm -rf vendor/php-di/invoker/doc/
+rm -rf vendor/php-di/php-di/benchmarks/
+rm -rf vendor/symfony/console/Symfony/Component/Console/Resources/bin
+rm -rf vendor/szymach/c-pchart/resources/doc
+rm -rf vendor/szymach/c-pchart/coverage.sh
+rm -rf vendor/szymach/c-pchart/codeception.yml
+rm -rf vendor/tecnickcom/tcpdf/examples
+rm -rf vendor/tecnickcom/tcpdf/tools
+rm -rf vendor/tecnickcom/tcpdf/CHANGELOG.TXT
+rm -rf vendor/twig/twig/test/
+rm -rf vendor/twig/twig/doc/
+rm -rf vendor/twig/twig/.php-cs-fixer.dist.php
+
+# Delete un-used fonts
+rm -rf vendor/tecnickcom/tcpdf/fonts/ae_fonts_2.0
+rm -rf vendor/tecnickcom/tcpdf/fonts/dejavu-fonts-ttf-2.33
+rm -rf vendor/tecnickcom/tcpdf/fonts/dejavu-fonts-ttf-2.34
+rm -rf vendor/tecnickcom/tcpdf/fonts/freefont-20100919
+rm -rf vendor/tecnickcom/tcpdf/fonts/freefont-20120503
+rm -rf vendor/tecnickcom/tcpdf/fonts/freemon*
+rm -rf vendor/tecnickcom/tcpdf/fonts/cid*
+rm -rf vendor/tecnickcom/tcpdf/fonts/courier*
+rm -rf vendor/tecnickcom/tcpdf/fonts/aefurat*
+rm -rf vendor/tecnickcom/tcpdf/fonts/dejavusansb*
+rm -rf vendor/tecnickcom/tcpdf/fonts/dejavusansi*
+rm -rf vendor/tecnickcom/tcpdf/fonts/dejavusansmono*
+rm -rf vendor/tecnickcom/tcpdf/fonts/dejavusanscondensed*
+rm -rf vendor/tecnickcom/tcpdf/fonts/dejavusansextralight*
+rm -rf vendor/tecnickcom/tcpdf/fonts/dejavuserif*
+rm -rf vendor/tecnickcom/tcpdf/fonts/freesansi*
+rm -rf vendor/tecnickcom/tcpdf/fonts/freesansb*
+rm -rf vendor/tecnickcom/tcpdf/fonts/freeserifb*
+rm -rf vendor/tecnickcom/tcpdf/fonts/freeserifi*
+rm -rf vendor/tecnickcom/tcpdf/fonts/pdf*
+rm -rf vendor/tecnickcom/tcpdf/fonts/times*
+rm -rf vendor/tecnickcom/tcpdf/fonts/uni2cid*
+
+rm -rf vendor/szymach/c-pchart/resources/fonts/advent_light*
+rm -rf vendor/szymach/c-pchart/resources/fonts/Bedizen*
+rm -rf vendor/szymach/c-pchart/resources/fonts/calibri*
+rm -rf vendor/szymach/c-pchart/resources/fonts/Forgotte*
+rm -rf vendor/szymach/c-pchart/resources/fonts/MankSans*
+rm -rf vendor/szymach/c-pchart/resources/fonts/pf_arma_five*
+rm -rf vendor/szymach/c-pchart/resources/fonts/Silkscreen*
+rm -rf vendor/szymach/c-pchart/resources/fonts/verdana*
+
+# not needed js files
+rm -rf node_modules/angular/angular.min.js.gzip
+rm -rf node_modules/angular/angular.js
+
+rm -rf node_modules/angular-animate/angular-animate.min.js.gzip
+rm -rf node_modules/angular-animate/angular-animate.js
+
+rm -rf node_modules/angular-sanitize/angular-sanitize.min.js.gzip
+rm -rf node_modules/angular-sanitize/angular-sanitize.js
+
+rm -rf node_modules/angular-cookies/angular-cookies.min.js.gzip
+rm -rf node_modules/angular-cookies/angular-cookies.js
+
+rm -rf node_modules/chroma-js/Makefile
+rm -rf node_modules/chroma-js/chroma.js
+rm -rf node_modules/chroma-js/doc
+rm -rf node_modules/chroma-js/readme.md
+rm -rf node_modules/chroma-js/src
+rm -rf node_modules/chroma-js/test
+
+rm -rf node_modules/iframe-resizer/js/iframeResizer.contentWindow.js
+rm -rf node_modules/iframe-resizer/js/iframeResizer.js
+rm -rf node_modules/iframe-resizer/src/ie8.polyfils.js
+rm -rf node_modules/iframe-resizer/src/iframeResizer.contentWindow.js
+rm -rf node_modules/iframe-resizer/src/iframeResizer.js
+rm -rf node_modules/iframe-resizer/test-main.js
+
+rm -rf node_modules/jquery/dist/jquery.js
+rm -rf node_modules/jquery/src
+rm -rf node_modules/jquery/external
+
+rm -rf node_modules/jquery-ui-dist/component.json
+rm -rf node_modules/jquery-ui-dist/external
+rm -rf node_modules/jquery-ui-dist/images
+rm -rf node_modules/jquery-ui-dist/index.html
+rm -rf node_modules/jquery-ui-dist/jquery-ui.css
+rm -rf node_modules/jquery-ui-dist/jquery-ui.js
+rm -rf node_modules/jquery-ui-dist/jquery-ui.structure.css
+rm -rf node_modules/jquery-ui-dist/jquery-ui.theme.css
+
+rm -rf node_modules/jquery.browser/test
+rm -rf node_modules/jquery.browser/dist/jquery.browser.js
+
+rm -rf node_modules/jquery.dotdotdot/gulpfile.js
+rm -rf node_modules/jquery.dotdotdot/index.html
+rm -rf node_modules/jquery.dotdotdot/dotdotdot.jquery.json
+rm -rf node_modules/jquery.dotdotdot/src
+
+rm -rf node_modules/jquery.scrollto/jquery.scrollTo.js
+rm -rf node_modules/jquery.scrollto/scrollTo.jquery.json
+rm -rf node_modules/jquery.scrollto/changes.txt
+rm -rf node_modules/jquery.scrollto/demo
+
+rm -rf node_modules/materialize-css/extras
+rm -rf node_modules/materialize-css/js
+rm -rf node_modules/materialize-css/sass
+rm -rf node_modules/materialize-css/dist/js/materialize.js
+rm -rf node_modules/materialize-css/dist/css/materialize.css
+
+rm -rf node_modules/mousetrap/mousetrap.js
+rm -rf node_modules/mousetrap/plugins
+rm -rf node_modules/mousetrap/mousetrap.sublime-project
+
+rm -rf node_modules/ng-dialog/CONTRIBUTING.md
+rm -rf node_modules/ng-dialog/css
+rm -rf node_modules/ng-dialog/example
+rm -rf node_modules/ng-dialog/protractor.conf.js
+rm -rf node_modules/ng-dialog/server.js
+
+rm -rf node_modules/qrcodejs2/index-svg.html
+rm -rf node_modules/qrcodejs2/index.html
+rm -rf node_modules/qrcodejs2/index.svg
+rm -rf node_modules/qrcodejs2/jquery.min.js
+rm -rf node_modules/qrcodejs2/qrcode.js
+
+rm -rf node_modules/sprintf-js/CONTRIBUTORS.MD
+rm -rf node_modules/sprintf-js/README.md
+rm -rf node_modules/sprintf-js/src
+
+rm -rf node_modules/visibilityjs/ChangeLog.md
+rm -rf node_modules/visibilityjs/component.json
+rm -rf node_modules/visibilityjs/index.d.ts
+rm -rf node_modules/visibilityjs/index.js
+rm -rf node_modules/visibilityjs/README.md
+
+rm -rf node_modules/vue/dist/vue.cjs.js
+rm -rf node_modules/vue/dist/vue.cjs.prod.js
+rm -rf node_modules/vue/dist/vue.d.ts
+rm -rf node_modules/vue/dist/vue.esm-browser.js
+rm -rf node_modules/vue/dist/vue.esm-browser.prod.js
+rm -rf node_modules/vue/dist/vue.esm-bundler.js
+rm -rf node_modules/vue/dist/vue.runtime.esm-browser.js
+rm -rf node_modules/vue/dist/vue.runtime.esm-browser.prod.js
+rm -rf node_modules/vue/dist/vue.runtime.esm-bundler.js
+rm -rf node_modules/vue/dist/vue.runtime.global.js
+rm -rf node_modules/vue/dist/vue.runtime.global.prod.js
+
+rm -f libs/jqplot/jqplot.core.js
+rm -f libs/jqplot/jqplot.lineRenderer.js
+rm -f libs/jqplot/jqplot.linearAxisRenderer.js
+rm -f libs/jqplot/jqplot.themeEngine.js
+rm -f libs/jqplot/plugins/jqplot.barRenderer.js
+rm -f libs/jqplot/plugins/jqplot.pieRenderer.js
+
+rm -f $(find config -type f -name '*.ini.php' -not -name global.ini.php)
+rm -f config/config.php
+
+rm -rf tmp/*
+rm -f HIRING.md
+
+# delete unwanted git folders, recursively
+for x in .git .github ; do
+    find . -name "$x" -exec rm -rf {} \; 2>/dev/null
+done
+
+# delete unwanted common files, recursively
+for x in .gitignore .gitmodules .gitattributes .bowerrc .bower.json bower.json \
+    .coveralls.yml .editorconfig .gitkeep .jshintrc .php_cs .php_cs.dist \
+    phpunit.xml.dist phpunit.xml .phpcs.xml.dist phpcs.xml Gruntfile.js gruntfile.js \
+    *.map .travis.yml installed.json package.json package-lock.json yarn.lock\
+    .scrutinizer.yml .gitstats.yml composer.json composer.lock *.spec.js \
+    .phpstorm.meta.php .lfsconfig .travis.sh tsconfig.json tsconfig.spec.json \
+    .eslintrc.js .eslintignore .eslintrc .browserslistrc babel.config.js jest.config.js \
+    karma.conf.js karma-conf.js vue.config.js .npmignore .ncurc.json .prettierrc .jscsrc \
+    phpstan.neon phpstan.neon.dist package.xml; do
+    find . -name "$x" -exec rm -f {} \;
+done
\ No newline at end of file
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000000..ee8a5e9f14
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,167 @@
+# Matomo Release Action
+# 
+# Required GitHub secrets:
+# 
+# RELEASE_PASSWORD  |  password that needs to be provided to start the action
+# GPG_CERTIFICATE  |  ASCII armored or Base64 encoded GPG certificate that is used to create the signatures for the archives
+# GPG_CERTIFICATE_PASS  |  Passphrase of the GPG key
+
+name: Build release
+
+permissions:
+  actions: none
+  checks: none
+  contents: write  # required to create tag and release
+  deployments: none
+  issues: none
+  packages: none
+  pull-requests: none
+  repository-projects: none
+  security-events: none
+  statuses: none
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Or specify a tag to build from'
+        required: false
+        default: ''
+      password:
+        description: 'Release password'
+        required: true
+
+env:
+  RELEASE_PASSWORD: ${{ secrets.RELEASE_PASSWORD }}
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Check release password"
+        if: ${{ github.event.inputs.password != env.RELEASE_PASSWORD }}
+        uses: actions/github-script@v3
+        with:
+          script: |
+              core.setFailed('Release password didn\'t match')
+      - name: "Check if user is in group"
+        run: |
+          MEMBER=$( curl -s \
+                 --request GET \
+                 --header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}' \
+                 --header 'content-type: application/json' \
+                 --url https://api.github.com/orgs/matomo-org/teams/release-team/members \
+                 | jq '.[] | select(.login == "${{ github.actor }}")' )
+
+          if [[ -z "$MEMBER" ]]
+          then
+           echo "Action was not triggered by a member with release permission"
+           exit 1;
+          fi
+        shell: bash
+      - uses: actions/checkout@v2
+        with:
+          lfs: false
+      - name: Import GPG key
+        id: import_gpg
+        run: |
+          echo "${{ secrets.GPG_CERTIFICATE }}" > $HOME/private.asc
+          gpg --import --batch --yes $HOME/private.asc
+          echo "default-cache-ttl 7200
+          max-cache-ttl 31536000
+          allow-preset-passphrase" > $HOME/.gnupg/gpg-agent.conf
+          keygrip=$(gpg --import --import-options show-only --with-keygrip $HOME/private.asc | grep "Keygrip" | grep -oP "([A-F0-9]+)" | head -1)
+          hexPassphrase=$( echo -n "${{ secrets.GPG_CERTIFICATE_PASS }}" | od -A n -t x1 -w100 | sed 's/ *//g' )
+          gpg-connect-agent "RELOADAGENT" /bye
+          gpg-connect-agent "PRESET_PASSPHRASE ${keygrip} -1 ${hexPassphrase}" /bye
+          gpg-connect-agent "KEYINFO ${keygrip}" /bye
+      - name: Check preconditions, create tag, build and publish release
+        id: tag
+        run: |
+          if [[ -n "${{ github.event.inputs.version }}" ]]
+          then
+            version="${{ github.event.inputs.version }}"
+            echo "Version to re-build: '$version'"
+
+            git fetch --tags -q 2>/dev/null
+            tag_exists=$( git tag --list "$version" )
+
+            if [[ -z "$tag_exists" ]]
+            then
+              echo "A tag for $version does not exist."
+              exit 1
+            fi
+
+            echo ::set-output name=update::true
+          else
+            version=$( cat core/Version.php | grep -oP "VERSION = '\K([^\']+)" )
+            echo "Version to build: '$version'"
+
+            git fetch --tags -q 2>/dev/null
+            tag_exists=$( git tag --list "$version" )
+
+            if [[ -n "$tag_exists" ]]
+            then
+              echo "A tag for $tag_exists already exists."
+              exit 1
+            fi
+
+            if ! [[ ${GITHUB_REF#refs/heads/} =~ ^[4-9]\.x-dev$ || ${GITHUB_REF#refs/heads/} == "next_release" ]]
+            then
+              echo "A tag can only be created from branches '4.x-dev' and 'next_release'. Please create the tag manually if a release needs to be built from another branch."
+              exit 1
+            fi
+
+            if [[ ${GITHUB_REF#refs/heads/} =~ ^[4-9]\.x-dev$ && $version =~ ^[0-9]+\.[0-9]+\.[0-9]+(-rc[0-9]+)?$ ]]
+            then
+              echo "Only beta release tags can be created from ${GITHUB_REF#refs/heads/} branch."
+              exit 1
+            fi
+
+            echo "Creating a tag for $version"
+
+            git tag $version
+            git push origin tags/$version
+
+            echo ::set-output name=update::false
+          fi
+
+          if [[ "$version" =~ "-" ]]
+          then
+            echo ::set-output name=prerelease::true
+            body="## Matomo ${version} (Pre-release)
+
+            We recommend to read [this FAQ](http://matomo.org/faq/how-to-update/faq_159/) before using a pre-release in a production environment.
+
+            Please use the attached archives for installing or updating Matomo.
+            The source code download is only meant for developers and will require extra work to install it.
+             - Latest stable production release can be found at https://matomo.org/download/ ([learn more](https://matomo.org/docs/installation/)) (recommended)
+             - Beta and Release Candidates releases can be found at https://builds.matomo.org/ ([learn more](http://matomo.org/faq/how-to-update/faq_159/))"
+          else
+            echo ::set-output name=prerelease::false
+            body="## [Matomo ${version} Changelog](https://matomo.org/changelog/matomo-${version//./-}/)
+
+            Please use the attached archives for installing or updating Matomo.
+            The source code download is only meant for developers and will require extra work to install it.
+             - Latest stable production release can be found at https://matomo.org/download/ ([learn more](https://matomo.org/docs/installation/)) (recommended)
+             - Beta and Release Candidates releases can be found at https://builds.matomo.org/ ([learn more](http://matomo.org/faq/how-to-update/faq_159/))"
+          fi
+
+          body="${body//'%'/'%25'}"
+          body="${body//$'\n'/'%0A'}"
+          body="${body//$'\r'/'%0D'}"
+          echo ::set-output name=version::$version
+          echo ::set-output name=body::$body
+
+          cd $GITHUB_WORKSPACE
+          chmod 755 ./.github/scripts/*.sh
+          ./.github/scripts/build-package.sh $version
+        shell: bash
+      - uses: ncipollo/release-action@c4bf6c1ab090090498fb7f3ddc9f99ba5ab619b9
+        with:
+          artifacts: "archives/matomo-${{ steps.tag.outputs.version }}.*,archives/piwik-${{ steps.tag.outputs.version }}.*"
+          allowUpdates: ${{ steps.tag.outputs.update }}
+          tag: ${{ steps.tag.outputs.version }}
+          body: ${{ steps.tag.outputs.body }}
+          prerelease: ${{ steps.tag.outputs.prerelease }}
+          token: ${{ secrets.GITHUB_TOKEN }}