
feat: Add region build release workflow for Java Lambda layer #1355

Merged
wangzlei merged 3 commits into aws-observability:main from viw-test1:region-build-release
Apr 14, 2026

Conversation

@viw-test1
Contributor

@viw-test1 viw-test1 commented Apr 14, 2026

Issue #, if available:
N/A

Description of changes:

Add a standalone region-build-release.yml workflow for deploying the Java Lambda layer to specific regions. This is needed for region build releases where we need to build and publish the Lambda layer independently from the full SDK release.

The workflow:

  1. Takes a version and target regions as inputs (manual workflow_dispatch)
  2. Builds the Java Lambda layer from source
  3. Publishes the layer to each specified region in parallel
  4. Generates release notes with layer ARN table, Terraform file, and CDK constants
  5. Creates a draft GitHub release with the layer artifact
  6. Uploads the layer artifact to the latest SDK release

This was previously part of a separate Lambda release workflow before it was merged into release-build.yml in PR #461. Re-adding it as a dedicated workflow to support region-specific deployments without triggering a full SDK release.

V2:

Key differences from previous version:

  1. publish-layer-prod now has a Lambda layer "Upload to S3 and Sign" step that checks for a signing profile and signs the layer before publishing. The old version just uploaded and published directly.
  2. publish-layer-prod uses LAYER_ARTIFACT_NAME env var instead of a hardcoded filename
  3. publish-layer-prod outputs the SigningProfileVersionArn after publishing
  4. generate-lambda-release-note outputs layer-note as a job output (for use by publish-github)
  5. publish-github is a separate job (old version had everything in generate-release-note), and it doesn't upload to the upstream SDK release (removed that step since this is a region only build, not a full release anymore)
  6. Uses the same action versions and pin hashes as the current release-build.yml

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@viw-test1 viw-test1 requested a review from a team as a code owner April 14, 2026 20:07
@viw-test1 viw-test1 force-pushed the region-build-release branch 2 times, most recently from 875fac1 to 80ad1f5 April 14, 2026 21:12
@viw-test1 viw-test1 force-pushed the region-build-release branch from 50e26b4 to e96cb52 April 14, 2026 21:28
@viw-test1 viw-test1 requested a review from wangzlei April 14, 2026 21:34
@codecov-commenter

codecov-commenter commented Apr 14, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.39%. Comparing base (09e6487) to head (afaea8a).
⚠️ Report is 563 commits behind head on main.

Additional details and impacted files
@@              Coverage Diff              @@
##               main    #1355       +/-   ##
=============================================
- Coverage     85.71%   69.39%   -16.33%     
- Complexity       19      704      +685     
=============================================
  Files             3       63       +60     
  Lines            49     3437     +3388     
  Branches          5      487      +482     
=============================================
+ Hits             42     2385     +2343     
- Misses            3      861      +858     
- Partials          4      191      +187     


@wangzlei wangzlei added the skip changelog doesn't need a CHANGELOG entry label Apr 14, 2026
@wangzlei wangzlei enabled auto-merge (squash) April 14, 2026 22:33
@wangzlei wangzlei merged commit 3b291db into aws-observability:main Apr 14, 2026
8 checks passed
SIGNED=$(aws signer describe-signing-job --job-id "$JOB_ID" --query 'signedObject.s3.key' --output text 2>/dev/null)
echo "SIGNED value: '$SIGNED'"
if [ -n "$SIGNED" ]; then
aws s3 mv "s3://${{ env.BUCKET_NAME }}/$SIGNED" "s3://${{ env.BUCKET_NAME }}/${{ env.LAYER_ARTIFACT_NAME }} --clobber"

Bug (High): --clobber is inside the quoted S3 path, making it part of the key name instead of a CLI flag.

The closing double-quote is misplaced. --clobber becomes part of the S3 destination key (e.g. s3://bucket/aws-opentelemetry-java-layer.zip --clobber). The signed layer is NOT placed at the expected key, so the subsequent "Publish Layer Version" step publishes the unsigned layer.

Fix: move the closing quote before --clobber:

aws s3 mv "s3://$BUCKET/$SIGNED" "s3://$BUCKET/$ARTIFACT" --clobber

Note: The same bug exists in release-build.yml at line 325.
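The quoting defect described in this comment, reproduced locally as an added example (not code from the PR or the project): a temporary directory stands in for the S3 bucket and a small function stands in for aws s3 mv, so it is visible which key the signed object lands on under each form of quoting. SIGNED and ARTIFACT are constructed sample values standing for the Signer output key and env.LAYER_ARTIFACT_NAME.

```shell
# Added example, not the project's code. Constructed sample keys:
ARTIFACT=aws-opentelemetry-java-layer.zip   # stands for env.LAYER_ARTIFACT_NAME
SIGNED=signed/abc123/layer.zip              # stands for the Signer output key

# Stand-in for "aws s3 mv SRC DST [--clobber]" over a local directory.
# Only an argument that is exactly "--clobber" is treated as the flag.
fake_s3_mv() {
  src= ; dst= ; clobber=no
  for arg in "$@"; do
    case "$arg" in
      --clobber) clobber=yes ;;
      s3://*) if [ -z "$src" ]; then src=${arg#s3://}; else dst=${arg#s3://}; fi ;;
      *) echo "unexpected argument: $arg" >&2; return 2 ;;
    esac
  done
  [ -n "$src" ] && [ -n "$dst" ] || return 2
  mkdir -p "$(dirname "$dst")"
  if [ -e "$dst" ] && [ "$clobber" != yes ]; then
    echo "refusing to overwrite $dst" >&2
    return 1
  fi
  mv "$src" "$dst"
}

# Runs one quoting variant in a fresh fake bucket and reports whether the key
# that the "Publish Layer Version" step would read ($ARTIFACT) exists afterwards.
run_variant() {
  variant=$1
  BUCKET=$(mktemp -d)
  mkdir -p "$BUCKET/$(dirname "$SIGNED")"
  : > "$BUCKET/$SIGNED"
  if [ "$variant" = buggy ]; then
    # PR form: the closing quote comes after --clobber, so the flag is part of the key.
    fake_s3_mv "s3://$BUCKET/$SIGNED" "s3://$BUCKET/$ARTIFACT --clobber"
  else
    # Corrected form: --clobber is a separate argument.
    fake_s3_mv "s3://$BUCKET/$SIGNED" "s3://$BUCKET/$ARTIFACT" --clobber
  fi
  if [ -e "$BUCKET/$ARTIFACT" ]; then echo present; else echo missing; fi
  rm -rf "$BUCKET"
}

run_variant buggy   # missing: the object sits at "...layer.zip --clobber"
run_variant fixed   # present
```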

name: layer.zip

- name: Upload to S3 and Sign
continue-on-error: true

Security concern (Medium): continue-on-error: true silently masks signing failures, allowing unsigned layers to be published.

Because of continue-on-error: true, if the signing step fails entirely (not just individual sub-steps that already exit 0), the workflow continues to "Publish Layer Version" and publishes an unsigned layer without any warning. Combined with the --clobber quoting bug on line 138, even a successful signing run will publish an unsigned layer.

Consider removing continue-on-error: true or at minimum setting an output/env variable to indicate whether signing succeeded, so downstream steps can make an informed decision.

LEGACY_COMMERCIAL_REGIONS_ARRAY=(${LEGACY_COMMERCIAL_REGIONS//,/ })
FOUND=false
for REGION in "${LEGACY_COMMERCIAL_REGIONS_ARRAY[@]}"; do
if [[ "$REGION" == "${{ matrix.aws_region }}" ]]; then

Security (Low): Direct use of ${{ matrix.aws_region }} in run: scripts risks script injection.

matrix.aws_region is derived from user-supplied workflow_dispatch input. Direct interpolation into shell scripts via ${{ }} can allow script injection if a malicious value is provided. While workflow_dispatch is restricted to users with write access, best practice is to pass the value through an environment variable instead:

env:
  REGION: ${{ matrix.aws_region }}
run: |
  if [[ "$REGION" == ... ]]; then

This pattern also applies to lines 86, 89-90, 103, 159-161, and 186-187.

# Legacy list of commercial regions to deploy to. New regions should NOT be added here, and instead should be added to the `aws_region` default input to the workflow.
LEGACY_COMMERCIAL_REGIONS: us-east-1, us-east-2, us-west-1, us-west-2, ap-south-1, ap-northeast-3, ap-northeast-2, ap-southeast-1, ap-southeast-2, ap-northeast-1, ca-central-1, eu-central-1, eu-west-1, eu-west-2, eu-west-3, eu-north-1, sa-east-1
LAYER_NAME: AWSOpenTelemetryDistroJava
VERSION: ${{ github.event.inputs.version }}

Code quality: The version input and VERSION env var are declared but never used anywhere in the workflow.

The workflow accepts a version input and stores it in env.VERSION, but no step references it. The PR description mentions creating a "draft GitHub release" and a publish-github job, but neither exists in this workflow.

Was the publish-github job accidentally omitted? If so, this workflow does not actually create a GitHub release as described in the PR.

runs-on: ubuntu-latest
needs: publish-layer-prod
outputs:
layer-note: ${{ steps.layer-note.outputs.layer-note }}

Code quality: generate-lambda-release-note declares a layer-note output but no downstream job consumes it.

This job outputs layer-note, generates a Terraform file, and CDK constants, but the workflow ends here with no publish-github job to use these artifacts. The generated tf and CDK files are also not uploaded as artifacts, so they are lost when the job completes.

env:
AWS_REGIONS: ${{ env.AWS_REGION }}
run: |
IFS=',' read -ra REGIONS <<< "$AWS_REGIONS"

Bug (Low): If aws_region input is empty (the default), the matrix generation produces a single empty-string entry.

The input has a default of empty string and required: true, but an empty string still passes GitHub Actions validation. The loop will produce a JSON array with one empty string element, causing the publish job to run once with an empty aws_region. This will break the AWS credential configuration and all subsequent AWS CLI calls. Consider adding input validation at the start of the workflow.
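Serving both this comment and the script-injection comment earlier in the thread, an added example (not the project's code) of what the matrix-generation script could look like: the region list arrives as a function argument, which in the workflow would be fed from an env: mapping rather than from ${{ }} expanded into the script body, and every entry is validated before the JSON matrix is emitted, so an empty list or a malformed value fails the job instead of reaching the AWS credential step.

```shell
# Added example, not the project's code. In the workflow the argument would be
# supplied from an env: mapping (assumed name REGIONS_INPUT), e.g.
#   env:
#     REGIONS_INPUT: ${{ github.event.inputs.aws_region }}
#   run: build_region_matrix "$REGIONS_INPUT"
build_region_matrix() {
  input=$1
  json=
  old_ifs=$IFS
  IFS=','
  set -f   # no pathname expansion while the unquoted list is split on commas
  for region in $input; do
    IFS=$old_ifs
    # Tolerate the "us-east-1, us-east-2" spacing used in the workflow's defaults.
    region=$(printf '%s' "$region" | tr -d '[:space:]')
    if [ -z "$region" ]; then
      continue
    fi
    # Accept only well-formed region names (us-east-1, us-gov-west-1, cn-north-1);
    # anything else, including shell metacharacters, fails the job right here.
    if ! printf '%s\n' "$region" | grep -Eq '^[a-z]{2}(-gov)?-[a-z]+-[0-9]+$'; then
      echo "invalid region name: $region" >&2
      set +f
      return 1
    fi
    json="$json${json:+,}\"$region\""
  done
  set +f
  IFS=$old_ifs
  # An empty list must fail the job instead of yielding a matrix with one "" entry.
  if [ -z "$json" ]; then
    echo "no target regions given" >&2
    return 1
  fi
  echo "[$json]"
}

build_region_matrix "us-east-1, us-east-2, eu-west-1"   # ["us-east-1","us-east-2","eu-west-1"]
```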
