From 40901142e21ee0e493f72da341e15aaa06d7c10e Mon Sep 17 00:00:00 2001
From: Rob Moffat
Date: Wed, 18 Mar 2026 10:57:12 +0000
Subject: [PATCH 1/2] Added release github action
---
.github/workflows/java-release.yml | 52 ++++++++++++++++++++++++++++++
1 file changed, 52 insertions(+)
create mode 100644 .github/workflows/java-release.yml
diff --git a/.github/workflows/java-release.yml b/.github/workflows/java-release.yml
new file mode 100644
index 00000000..7b066589
--- /dev/null
+++ b/.github/workflows/java-release.yml
@@ -0,0 +1,52 @@
+name: Release Java
+
+on:
+ workflow_dispatch:
+ inputs:
+ version:
+ description: 'Version to release (e.g. 1.0.0)'
+ required: true
+ push:
+ tags:
+ - "v*"
+
+jobs:
+ release:
+ runs-on: ubuntu-latest
+ defaults:
+ run:
+ working-directory: java
+ steps:
+ - uses: actions/checkout@v4
+
+ - uses: actions/setup-java@v4
+ with:
+ java-version: "17"
+ distribution: "temurin"
+ server-id: central
+ server-username: MAVEN_USERNAME
+ server-password: MAVEN_PASSWORD
+ gpg-private-key: ${{ secrets.CI_GPG_PRIVATE_KEY }}
+ gpg-passphrase: ${{ secrets.CI_GPG_PASSPHRASE }}
+
+ - name: Extract version
+ id: version
+ run: |
+ if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+ echo "VERSION=${{ inputs.version }}" >> $GITHUB_OUTPUT
+ else
+ echo "VERSION=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT
+ fi
+
+ - name: Set version in pom.xml
+ run: mvn versions:set -DnewVersion=${{ steps.version.outputs.VERSION }}
+
+ - name: Build and test
+ run: mvn clean verify
+
+ - name: Deploy to Maven Central
+ run: mvn source:jar javadoc:javadoc deploy -P symphony-release -DskipTests
+ env:
+ MAVEN_USERNAME: ${{ secrets.OSSRH_USERNAME }}
+ MAVEN_PASSWORD: ${{ secrets.OSSRH_TOKEN }}
+ GPG_PASSPHRASE: ${{ secrets.CI_GPG_PASSPHRASE }}
\ No newline at end of file
From 7dfcc99075762c55e49cc6860dd672876cc37e50 Mon Sep 17 00:00:00 2001
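Review bot: The two `uses:` steps reference actions by mutable tag (`actions/checkout@v4`, `actions/setup-java@v4`) in a job that imports the GPG signing key and later holds the Maven Central token, so a retagged action release would run with access to those secrets. Pinning each to a full commit SHA, e.g. `uses: actions/checkout@<full-commit-sha> # v4` (placeholder, take the SHA from the action's release), removes that dependency on the tag. The `release` job also declares no `permissions:`, so `GITHUB_TOKEN` gets the repository default; a job-level `permissions:` with `contents: read` appears sufficient for the steps shown. Since any `v*` tag push starts a signed deploy, it is worth considering a protected `environment:` on the job so the secrets are only released after approval.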
From: Rob Moffat Date: Wed, 18 Mar 2026 11:01:57 +0000 Subject: [PATCH 2/2] Fixing injection attack vector --- .github/workflows/java-release.yml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/.github/workflows/java-release.yml b/.github/workflows/java-release.yml index 7b066589..bb19a909 100644 --- a/.github/workflows/java-release.yml +++ b/.github/workflows/java-release.yml @@ -31,15 +31,20 @@ jobs: - name: Extract version id: version + env: + EVENT_NAME: ${{ github.event_name }} + INPUT_VERSION: ${{ inputs.version }} run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then - echo "VERSION=${{ inputs.version }}" >> $GITHUB_OUTPUT + if [ "$EVENT_NAME" = "workflow_dispatch" ]; then + echo "VERSION=$INPUT_VERSION" >> $GITHUB_OUTPUT else echo "VERSION=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT fi - name: Set version in pom.xml - run: mvn versions:set -DnewVersion=${{ steps.version.outputs.VERSION }} + env: + VERSION: ${{ steps.version.outputs.VERSION }} + run: mvn versions:set -DnewVersion="$VERSION" - name: Build and test run: mvn clean verify
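Review bot: The version value is still written to `$GITHUB_OUTPUT` and handed to `mvn versions:set` without any format check in the `Extract version` step; moving it into `env:` stops shell interpolation, but a value containing a line break or unexpected characters would still add extra entries to the output file or end up in the published `pom.xml`. A guard before the `echo` lines would close that, for example `case "$INPUT_VERSION" in ""|*[!0-9A-Za-z.-]*) echo "invalid version" >&2; exit 1;; esac`, with the same check applied to the tag-derived value. Quoting the redirect target as `>> "$GITHUB_OUTPUT"` on both `echo` lines is also worth doing while the step is being touched.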