name: Release

on:
  release:
    types: [created]

jobs:
  publish:
    if: startsWith(github.ref, 'refs/tags/v') == true
    name: Publish dockerless
    runs-on: ubuntu-22.04

    permissions:
      id-token: write # This is the key for OIDC cosign!
      packages: write
      contents: write

    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - run: git fetch --force --tags
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          cache: false
          go-version: "1.21"
      - name: Setup Cosgin
        uses: sigstore/cosign-installer@main
        with:
          cosign-release: "v2.2.3"
      - name: Setup Syft
        uses: anchore/sbom-action/download-syft@v0.15.1
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - id: get_version
        run: |
          RELEASE_VERSION=$(echo $GITHUB_REF | sed -nE 's!refs/tags/!!p')
          echo "release_version=$RELEASE_VERSION" >> "$GITHUB_OUTPUT"
          echo "previous_tag=$(git describe --abbrev=0 --tags $(git rev-list --tags --skip=1 --max-count=1))" >> "$GITHUB_OUTPUT"
      - name: Login to ghcr.io
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - uses: "goreleaser/goreleaser-action@v6.0.0"
        with:
          version: "~> 2"
          args: release --clean --timeout 60m
        env:
          GITHUB_TOKEN: ${{ secrets.GH_ACCESS_TOKEN }}
          GORELEASER_CURRENT_TAG: ${{ steps.get_version.outputs.release_version }}
          GORELEASER_PREVIOUS_TAG: ${{ steps.get_version.outputs.previous_tag }}