java-build-for-release.yml

name: Build Java Release
on:
  push:
    tags:
      # if you change this pattern, make sure jobs.strip-tag still works
      - 'release/java/v[0-9]+.[0-9]+.[0-9]+'
jobs:
  ci:
    uses: ./.github/workflows/java-build.yml

  strip-tag:
    runs-on: ubuntu-latest
    outputs:
      version: ${{ steps.version.outputs.version }}
    steps:
      - name: process tag
        id: version
        run: |
          TAG=${{ github.ref_name }}
          echo "version=${TAG#"release/java/v"}" >> $GITHUB_OUTPUT

  build:
    runs-on: ubuntu-latest
    needs: [ci, strip-tag]
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - name: checkout tag
        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
        with:
          ref: "${{ github.ref }}"

      - name: Set up JDK 8
        uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
        with:
          java-version: 8
          distribution: 'temurin'

      - name: Build project
        run: |
          # override the version in gradle.properties
          cd java
          ./gradlew clean createReleaseBundle -Pversion=${{ needs.strip-tag.outputs.version }}

      - name: Hash Artifacts
        id: hash
        run: |
          cd java/build/release
          echo "hashes=$(sha256sum ./* | base64 -w0)" >> $GITHUB_OUTPUT
          sha256sum ./*

      - name: Upload build artifacts
        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
        with:
          name: project-release-artifacts
          path: ./java/build/release/
          if-no-files-found: error

  create-release:
    runs-on: ubuntu-latest
    needs: [build]
    permissions:
      contents: write # To draft a release
    steps:
      - name: Download gradle release artifacts
        uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
        with:
          name: project-release-artifacts
          path: ./release/
      - name: Create draft release
        uses: softprops/action-gh-release@9d7c94cfd0a1f3ed45544c887983e9fa900f0564 # v2.0.4
        with:
          name: ${{ github.ref_name }}
          tag_name: ${{ github.ref_name }}
          files: ./release/*
          prerelease: true

  provenance:
    needs: [build, strip-tag, create-release]
    permissions:
      actions: read # To read the workflow path.
      id-token: write # To sign the provenance.
      contents: write
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
    with:
      attestation-name: "protobuf-specs-${{ needs.strip-tag.outputs.version }}.attestation.intoto.jsonl"
      upload-assets: true
      base64-subjects: "${{ needs.build.outputs.hashes }}"
      upload-tag-name: "${{ github.ref_name }}" # Upload to tag rather than generate a new release