From ab0d799aaefc3842de152806e06cb2d731f9a393 Mon Sep 17 00:00:00 2001
From: Travis Lyons <travis.lyons@sourcegraph.com>
Date: Wed, 1 Apr 2026 10:17:48 -0400
Subject: [PATCH] cli: build and release cli executibles

- Adds a new workflow to build, checksum, and upload standalone scip-java launchers for Linux and Windows
- Integrates CLI release generation into the existing Maven publishing pipeline upon tag creation
---
 .github/workflows/release-cli.yml   | 93 +++++++++++++++++++++++++++++
 .github/workflows/release-maven.yml | 10 ++++
 2 files changed, 103 insertions(+)
 create mode 100644 .github/workflows/release-cli.yml

diff --git a/.github/workflows/release-cli.yml b/.github/workflows/release-cli.yml
new file mode 100644
index 000000000..24c89852d
--- /dev/null
+++ b/.github/workflows/release-cli.yml
@@ -0,0 +1,93 @@
+name: Release CLI
+on:
+  workflow_call:
+    inputs:
+      tag:
+        description: Git tag to release assets for.
+        required: true
+        type: string
+
+permissions:
+  contents: write
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: refs/tags/${{ inputs.tag }}
+
+      - uses: actions/setup-java@v4
+        with:
+          distribution: 'temurin'
+          java-version: 8
+
+      - uses: coursier/setup-action@v3
+        with:
+          apps: ''
+
+      - name: Build standalone launcher
+        shell: bash
+        env:
+          TAG: ${{ inputs.tag }}
+          VERSION: ${{ inputs.tag }}
+        run: |
+          set -euo pipefail
+
+          VERSION=${VERSION#v}
+          ARTIFACT="com.sourcegraph:scip-java_2.13:${VERSION}"
+
+          for attempt in {1..10}; do
+            if cs resolve "$ARTIFACT" >/dev/null 2>&1; then
+              break
+            fi
+
+            if [ "$attempt" -eq 10 ]; then
+              echo "Artifact $ARTIFACT was not resolvable after 10 attempts" >&2
+              exit 1
+            fi
+
+            sleep 30
+          done
+
+          cs bootstrap \
+            --standalone \
+            --bat=true \
+            -o scip-java \
+            "$ARTIFACT" \
+            --main com.sourcegraph.scip_java.ScipJava
+
+          chmod +x scip-java
+          ./scip-java --help >/dev/null
+
+          mv scip-java "scip-java-${TAG}"
+          mv scip-java.bat "scip-java-${TAG}.bat"
+          shasum -a 256 "scip-java-${TAG}" "scip-java-${TAG}.bat" > "scip-java-${TAG}.sha256"
+
+      - name: Ensure GitHub release exists
+        shell: bash
+        env:
+          GH_TOKEN: ${{ github.token }}
+          TAG: ${{ inputs.tag }}
+        run: |
+          set -euo pipefail
+
+          if ! gh release view "$TAG" >/dev/null 2>&1; then
+            gh release create "$TAG" --verify-tag --title "$TAG" --notes ""
+          fi
+
+      - name: Upload release assets
+        shell: bash
+        env:
+          GH_TOKEN: ${{ github.token }}
+          TAG: ${{ inputs.tag }}
+        run: |
+          set -euo pipefail
+
+          gh release upload "$TAG" \
+            "scip-java-${TAG}" \
+            "scip-java-${TAG}.bat" \
+            "scip-java-${TAG}.sha256" \
+            --clobber
diff --git a/.github/workflows/release-maven.yml b/.github/workflows/release-maven.yml
index 8bfb29f5e..a403227af 100644
--- a/.github/workflows/release-maven.yml
+++ b/.github/workflows/release-maven.yml
@@ -3,6 +3,7 @@ on:
   push:
     branches: [main]
     tags: ["*"]
+
 jobs:
   publish:
     runs-on: ubuntu-latest
@@ -23,3 +24,12 @@ jobs:
           PGP_SECRET: ${{ secrets.PGP_SECRET }}
           SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
           SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }}
+
+  release-cli:
+    if: ${{ startsWith(github.ref, 'refs/tags/') }}
+    needs: publish
+    permissions:
+      contents: write
+    uses: ./.github/workflows/release-cli.yml
+    with:
+      tag: ${{ github.ref_name }}