Update java build workflow (#228)

This updates the generation and upload of the provenance, which broke due to the actions/artifact-upload breaking change. We now generate a draft release first, then generate provenance and upload to the existing draft release. Signed-off-by: Hayden B <[email protected]>
sigstore · Feb 13, 2024 · 78f491a · 78f491a
1 parent 6d5c983
commit 78f491a
Showing 1 changed file with 14 additions and 16 deletions.
diff --git a/.github/workflows/java-build-for-release.yml b/.github/workflows/java-build-for-release.yml
@@ -56,28 +56,12 @@ jobs:
           path: ./java/build/release/
           if-no-files-found: error
 
-  provenance:
-    needs: [build, strip-tag]
-    permissions:
-      actions: read # To read the workflow path.
-      id-token: write # To sign the provenance.
-      contents: write
-    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
-    with:
-      attestation-name: "protobuf-specs-${{ needs.strip-tag.outputs.version }}.attestation.intoto.jsonl"
-      base64-subjects: "${{ needs.build.outputs.hashes }}"
-
   create-release:
     runs-on: ubuntu-latest
     needs: [provenance, build]
     permissions:
       contents: write # To draft a release
     steps:
-      - name: Download attestation
-        uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
-        with:
-          name: "${{ needs.provenance.outputs.attestation-name }}"
-          path: ./release/
       - name: Download gradle release artifacts
         uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
         with:
@@ -90,3 +74,17 @@ jobs:
           tag_name: ${{ github.ref_name }}
           files: ./release/*
           draft: true
+
+  provenance:
+    needs: [build, strip-tag, create-release]
+    permissions:
+      actions: read # To read the workflow path.
+      id-token: write # To sign the provenance.
+      contents: write
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      attestation-name: "protobuf-specs-${{ needs.strip-tag.outputs.version }}.attestation.intoto.jsonl"
+      upload-assets: true
+      base64-subjects: "${{ needs.build.outputs.hashes }}"
+      upload-tag-name: "${{ github.ref_name }}" # Upload to tag rather than generate a new release
+      draft-release: true