publish-release.yml

name: Create Release & Upload Asset

on:
  push:
    tags:
      - "v*"

permissions:
  contents: read

jobs:
  # Build LPVS
  build:
    runs-on: ubuntu-latest
    name: Build LPVS
    outputs:
      artifacts: ${{ steps.build.outputs.artifacts }}
      hashes: ${{ steps.hash.outputs.hashes }}
      version:  ${{ steps.lpvs_version.outputs.version }}

    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
        with:
          egress-policy: audit

      - name: Checkout repository
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

      - name: Set up JDK 17
        uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
        with:
          java-version: '17'
          distribution: 'temurin'
          cache: maven

      - name: Build using maven
        id: build
        run: |
          # Your normal build workflow targets here
          # mvn clean package
          mvn -B package --file pom.xml

          # Save the location of the maven output files for easier reference
          ARTIFACT_PATTERN=./target/$(mvn help:evaluate -Dexpression=project.artifactId -q -DforceStdout)-$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)*.jar
          echo "artifact_pattern=$ARTIFACT_PATTERN" >> "$GITHUB_OUTPUT"

      - name: Generate subject
        id: hash
        run: |
          echo "hashes=$(sha256sum ${{ steps.build.outputs.artifact_pattern }} | base64 -w0)" >> "$GITHUB_OUTPUT"
    
      - name: Get LPVS version
        id: lpvs_version
        run: |
          VERSION=${{ github.ref_name }}
          echo "version=lpvs-${VERSION:1}.jar" >> "$GITHUB_OUTPUT"

      - name: Upload build artifacts
        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
        with:
          name: ${{ steps.lpvs_version.outputs.version }}
          path: ./target/${{ steps.lpvs_version.outputs.version }}
          if-no-files-found: error

  # Create Release
  create-release:
    permissions:
      contents: write  # for marvinpinto/action-automatic-releases to generate pre-release
    needs: [build]
    name: Create Release
    runs-on: "ubuntu-latest"

    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
        with:
          egress-policy: audit

      - uses: marvinpinto/action-automatic-releases@d68defdd11f9dcc7f52f35c1b7c236ee7513bcc1 # latest
        with:
          repo_token: "${{ secrets.GITHUB_TOKEN }}"
          prerelease: false
          title: "LPVS ${{ github.ref_name }}"

  # Generate Provenance
  provenance:
    needs: [build, create-release]
    name: Generate Provenance
    permissions:
      actions: read # To read the workflow path.
      id-token: write # To sign the provenance.
      contents: write # To add assets to a release.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
    with:
      base64-subjects: "${{ needs.build.outputs.hashes }}"
      upload-assets: true # Optional: Upload to a new release

  # Upload Assets
  release:
    permissions:
      contents: write  # for softprops/action-gh-release to create GitHub release  
    needs: [build, create-release, provenance]
    name: Upload Assets
    runs-on: ubuntu-latest
    if: startsWith(github.ref, 'refs/tags/')
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
        with:
          egress-policy: audit

      - name: Download ${{ needs.build.outputs.version }}
        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
        with:
          name: ${{ needs.build.outputs.version }}

      - name: Upload assets
        uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
        with:
          files: |
            ${{ needs.build.outputs.version }}

  # Publish package to GitHub Packages
  publish_package:
    name: Publish package to GitHub Packages
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
        with:
          egress-policy: audit
      - name: Checkout repository
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - name: Set up JDK 17
        uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
        with:
          java-version: '17'
          distribution: 'temurin'
      - name: Publish package
        run: mvn --batch-mode deploy
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  # Publish Docker Image to ghcr.io
  publish_docker_image:
    name: Publish Docker Image to ghcr.io
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
        with:
          egress-policy: audit

      - name: Check out the repo
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

      - name: Log in to the Container registry
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
        with:
          images: ghcr.io/${{ github.repository }}

      - name: Build and push Docker image
        uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}