go-cli-github/.github/workflows/release.yaml at main · smlx/go-cli-github · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
name: release
on:
  push:
    branches:
    - main
permissions: {}
jobs:
  release-tag:
    permissions:
      # create tag
      contents: write
    runs-on: ubuntu-latest
    outputs:
      new-tag: ${{ steps.ccv.outputs.new-tag }}
    steps:
    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        fetch-depth: 0
    - name: Bump tag if necessary
      id: ccv
      uses: smlx/ccv@7318e2f25a52dcd550e75384b84983973251a1f8 # v0.10.0
  release-build:
    permissions:
      # create release
      contents: write
      # push docker images to registry
      packages: write
      # required by attest-build-provenance
      id-token: write
      attestations: write
    needs: release-tag
    if: needs.release-tag.outputs.new-tag == 'true'
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        fetch-depth: 0
    - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
      with:
        go-version: stable
    # The setup-buildx-action enables the docker-container driver, which allows
    # SBOM generation for the resulting container image using the syft
    # container which is automatically pulled and run during the container
    # image build. However, because the release process also generates an SBOM
    # for the binaries attached to the GitHub release (see the "sboms" section
    # in .goreleaser.yaml), it also needs to install syft into the action
    # environment.
    - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
    - uses: anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
    - name: Login to GHCR
      uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
      with:
        registry: ghcr.io
        username: ${{ github.repository_owner }}
        password: ${{ secrets.GITHUB_TOKEN }}
    - uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
      id: goreleaser
      with:
        version: latest
        args: release --verbose
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    # attest artifacts
    - uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
      with:
        subject-checksums: ./dist/checksums.txt
    # attest images
    - uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
      with:
        subject-checksums: ./dist/digests.txt
        push-to-registry: true