.github/workflows/release.yaml

name: Release

on:
  push:
    tags: [ 'v*.*.*' ]

permissions: {}

jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      packages: write
      id-token: write
      attestations: write
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2
        with:
          fetch-depth: 0
      - name: Get latest Go version
        id: gover
        run: echo goversion=$(grep "AS apk" Dockerfile.test | awk -F':|-' '!/^#/ {print $2}') >> "$GITHUB_OUTPUT"
      - name: Set up Go
        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # tag=v5.3.0
        with:
          go-version: "${{ steps.gover.outputs.goversion }}"
      - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # tag=v3.3.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Release
        uses: goreleaser/goreleaser-action@90a3faa9d0182683851fbfa97ca1a2cb983bfca3 # tag=v6.2.1
        with:
          distribution: goreleaser
          version: v2.0.1
          args: release --clean --parallelism=1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: "Set up for signing"
        run: |
          mkdir -p to_sign
          mv dist/*.tar.gz to_sign/
          mv dist/*.deb to_sign/
          mv dist/*.apk to_sign/
      - name: "Sign artifacts"
        uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3
        with:
          subject-path: "to_sign/*"