.github/workflows/java-release.yml

name: Build Java Release
on:
  push:
    tags:
      # if you change this pattern, make sure jobs.strip-tag still works
      - 'release/java/v[0-9]+.[0-9]+.[0-9]+'

permissions: {}

jobs:
  ci:
    permissions:
      contents: read
    uses: ./.github/workflows/java-build.yml

  strip-tag:
    runs-on: ubuntu-latest
    outputs:
      version: ${{ steps.version.outputs.version }}
    steps:
      - name: process tag
        id: version
        env:
          TAG: ${{ github.ref_name }}
        run: |
          echo "version=${TAG#"release/java/v"}" >> $GITHUB_OUTPUT

  build:
    runs-on: ubuntu-latest
    needs: [ci, strip-tag]
    permissions:
      contents: read  # to checkout code
      id-token: write # to sign with sigstore
    steps:
      - name: checkout tag
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false

      - name: Set up JDK 11
        uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
        with:
          java-version: 11 
          distribution: 'temurin'

      - name: Authenticate to Google Cloud
        uses: google-github-actions/auth@71f986410dfbc7added4569d411d040a91dc6935 # v2.1.8
        with:
          workload_identity_provider: projects/306323169285/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider
          service_account: protobuf-specs-releaser@sigstore-secrets.iam.gserviceaccount.com

      - uses: google-github-actions/get-secretmanager-secrets@a8440875e1c2892062aef9061228d4f1af8f919b # v2.2.3
        id: secrets
        with:
          secrets: |-
            signing_key:sigstore-secrets/sigstore-java-pgp-priv-key
            signing_password:sigstore-secrets/sigstore-java-pgp-priv-key-password
            sonatype_username:sigstore-secrets/sigstore-java-sonatype-username
            sonatype_password:sigstore-secrets/sigstore-java-sonatype-password

      - name: Build, Sign and Push to Maven Central
        # TODO: someone still needs to close and release this, but that can be automated next
        working-directory: ./java
        env:
          VERSION: ${{ needs.strip-tag.outputs.version }}
          ORG_GRADLE_PROJECT_signingKey: ${{ steps.secrets.outputs.signing_key }}
          ORG_GRADLE_PROJECT_signingPassword: ${{ steps.secrets.outputs.signing_password }}
          ORG_GRADLE_PROJECT_sonatypeUsername: ${{ steps.secrets.outputs.sonatype_username }}
          ORG_GRADLE_PROJECT_sonatypePassword: ${{ steps.secrets.outputs.sonatype_password }}
        run: |
          ./gradlew clean :publishProtoPublicationToSonatypeRepository -Pversion=${VERSION} -Prelease