.github/workflows/jib-cli-release.yml

name: Release Jib CLI
on:
  workflow_dispatch:
    inputs:
      release_version:
        description: new release version
        required: true
        default: (for example, 0.1.0)

jobs:
  release:
    name: Release Jib CLI
    runs-on: ubuntu-latest
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
      upload_url: ${{ steps.create-release.outputs.upload_url }}
    steps:
      - name: Check out code
        uses: actions/checkout@v4

      - name: Build project
        run: |
          if [[ ! "${{ github.event.inputs.release_version }}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo 'version "${{ github.event.inputs.release_version }}" not in ###.###.### format'
            exit 1
          fi
          # TODO: run integration test? (Requries auth with GCP.)
          ./gradlew clean build --stacktrace

      - name: Run Gradle release
        run: |
          git checkout -b cli-release-v${{ github.event.inputs.release_version }}
          git config user.email ${{ github.actor }}@users.noreply.github.com
          git config user.name ${{ github.actor }}
          # This creates the tag (e.g., "v0.1.0-cli") and pushes the updated
          # branch (e.g., "cli-release-v0.1.0") and the new tag.
          ./gradlew jib-cli:release \
            -Prelease.useAutomaticVersion=true \
            -Prelease.releaseVersion=${{ github.event.inputs.release_version }}

      - name: Build Jib CLI release binaries
        run: |
          git checkout v${{ github.event.inputs.release_version }}-cli
          ./gradlew jib-cli:instDist --stacktrace

          cd jib-cli/build/distributions
          mv jib-${{ github.event.inputs.release_version }}.zip jib-jre-${{ github.event.inputs.release_version }}.zip
          sha256sum jib-jre-${{ github.event.inputs.release_version }}.zip > zip.sha256

      - name: Generate SLSA subject for Jib CLI release binaries
        id: hash
        working-directory: jib-cli/build/distributions
        run: echo "hashes=$(cat zip.sha256 | base64 -w0)" >> $GITHUB_OUTPUT

      - name: Create pull request
        uses: repo-sync/pull-request@v2.12.1
        id: create-pr
        with:
          # Use a personal token to file a PR as a non-bot author to trigger other workflows (e.g., unit tests):
          # https://docs.github.com/en/actions/reference/events-that-trigger-workflows#triggering-new-workflows-using-a-personal-access-token;
          github_token: ${{ secrets.GA_RELEASE_PR_PERSONAL_TOKEN }}
          source_branch: cli-release-v${{ github.event.inputs.release_version }}
          pr_title: "CLI release v${{ github.event.inputs.release_version }}"
          pr_body: "To be merged after the release is complete."
          pr_label: "PR: Merge After Release"

      - name: Draft GitHub release
        uses: actions/create-release@v1.1.4
        id: create-release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag_name: v${{ github.event.inputs.release_version }}-cli
          release_name: jib-cli v${{ github.event.inputs.release_version }}
          draft: true
          body: |
            ### Major Changes

            See [CHANGELOG.md](https://github.com/GoogleContainerTools/jib/blob/master/jib-cli/CHANGELOG.md) for more details.

      - name: Upload Jib CLI
        uses: actions/upload-release-asset@v1.0.2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ steps.create-release.outputs.upload_url }}
          asset_path: ./jib-cli/build/distributions/jib-jre-${{ github.event.inputs.release_version }}.zip
          asset_name: jib-jre-${{ github.event.inputs.release_version }}.zip
          asset_content_type: application/zip

      - name: Upload Jib CLI checksum
        uses: actions/upload-release-asset@v1.0.2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ steps.create-release.outputs.upload_url }}
          asset_path: ./jib-cli/build/distributions/zip.sha256
          asset_name: jib-jre-${{ github.event.inputs.release_version }}.zip.sha256
          asset_content_type: text/plain

      - name: Create Jib CLI release checklist issue
        uses: JasonEtco/create-an-issue@v2.9.2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          RELEASE_NAME: v${{ github.event.inputs.release_version }}-cli
          CHANGELOG_URL: https://github.com/GoogleContainerTools/jib/blob/master/jib-cli/CHANGELOG.md
          README_URL: https://github.com/GoogleContainerTools/jib/blob/master/jib-cli/README.md
          GCS_UPDATE_SCRIPT: "`./jib-cli/scripts/update_gcs_latest.sh ${{ github.event.inputs.release_version }}`"
          RELEASE_DRAFT: ${{ steps.create-release.outputs.html_url }}
          RELEASE_PR: ${{steps.create-pr.outputs.pr_url}}
        with:
          filename: .github/RELEASE_TEMPLATES/cli_release_checklist.md

  provenance:
    needs: [release]
    permissions:
      actions: read # To read the workflow path.
      id-token: write # To sign the provenance.
      contents: write # To add assets to a release.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0
    with:
      base64-subjects: "${{ needs.release.outputs.hashes }}"

  upload:
    needs: [release, provenance]
    permissions:
      contents: write
    runs-on: ubuntu-latest
    steps:
      - name: Download attestation
        uses: actions/download-artifact@v3
        with:
          name: "${{ needs.provenance.outputs.attestation-name }}"

      - uses: actions/upload-release-asset@v1.0.2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ needs.release.outputs.upload_url }}
          asset_path: "${{ needs.provenance.outputs.attestation-name }}"
          asset_name: "${{ needs.provenance.outputs.attestation-name }}"
          asset_content_type: application/json