java-build-for-release.yml

name: Build Java Release
on:
  push:
    tags:
      # if you change this pattern, make sure jobs.strip-tag still works
      - 'release/java/v[0-9]+.[0-9]+.[0-9]+'
jobs:
  ci:
    uses: ./.github/workflows/java-build.yml

  strip-tag:
    runs-on: ubuntu-latest
    outputs:
      version: ${{ steps.version.outputs.version }}
    steps:
      - name: process tag
        id: version
        run: |
          TAG=${{ github.ref_name }}
          echo "version=${TAG#"release/java/v"}" >> $GITHUB_OUTPUT

  build:
    runs-on: ubuntu-latest
    needs: [ci, strip-tag]
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - name: checkout tag
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          ref: "${{ github.ref }}"

      - name: Set up JDK 8
        uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0
        with:
          java-version: 8
          distribution: 'temurin'

      - name: Build project
        run: |
          # override the version in gradle.properties
          cd java
          ./gradlew clean createReleaseBundle -Pversion=${{ needs.strip-tag.outputs.version }}

      - name: Hash Artifacts
        id: hash
        run: |
          cd java/build/release
          echo "hashes=$(sha256sum ./* | base64 -w0)" >> $GITHUB_OUTPUT
          sha256sum ./*

      - name: Upload build artifacts
        uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
        with:
          name: project-release-artifacts
          path: ./java/build/release/
          if-no-files-found: error

  provenance:
    needs: [build, strip-tag]
    permissions:
      actions: read # To read the workflow path.
      id-token: write # To sign the provenance.
      contents: write
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
    with:
      attestation-name: "protobuf-specs-${{ needs.strip-tag.outputs.version }}.attestation.intoto.jsonl"
      base64-subjects: "${{ needs.build.outputs.hashes }}"

  create-release:
    runs-on: ubuntu-latest
    needs: [provenance, build]
    permissions:
      contents: write # To draft a release
    steps:
      - name: Download attestation
        uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # v4.1.0
        with:
          name: "${{ needs.provenance.outputs.attestation-name }}"
          path: ./release/
      - name: Download gradle release artifacts
        uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # v4.1.0
        with:
          name: project-release-artifacts
          path: ./release/
      - name: Create draft release
        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
        with:
          name: ${{ github.ref_name }}
          tag_name: ${{ github.ref_name }}
          files: ./release/*
          draft: true