.github/workflows/release.yml

---
name: Release

on:
  push:
    branches:
      - main

permissions:
  contents: write
  pull-requests: write
  packages: write
  id-token: write
  attestations: write

env:
  GO111MODULE: "on"

jobs:
  release:
    runs-on: ubuntu-latest
    name: Release
    outputs:
      release_created: ${{ steps.release.outputs.release_created }}
      tag_name: ${{ steps.release.outputs.tag_name }}

    steps:
      - uses: googleapis/release-please-action@v4
        id: release

  provider:
    if: needs.release.outputs.release_created
    runs-on: ubuntu-latest
    name: Publish Provider
    needs:
      - release
    strategy:
      max-parallel: 4
      matrix:
        go-version: [1.23.x]

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Install Go
        uses: actions/setup-go@v5
        with:
          go-version: "${{ matrix.go-version }}"

      - name: Install cosign
        uses: sigstore/cosign-installer@v3.6.0
      - name: Download Syft
        uses: anchore/sbom-action/download-syft@v0.17.2

      - name: Setup QEMU
        uses: docker/setup-qemu-action@v3
      - name: Setup Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to ghcr.io
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Release via GoReleaser
        id: goreleaser
        uses: goreleaser/goreleaser-action@v6
        with:
          args: -p 3 release --clean --timeout 60m0s
          version: latest
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          CI_COMMIT_TIMESTAMP: ${{ github.event.repository.updated_at }}
          CI_COMMIT_SHA: ${{ github.sha }}
          CI_COMMIT_TAG: ${{ needs.release.outputs.tag_name }}
      
      - name: Parse Published Artifacts
        run: |
          echo "digest=$(echo "$ARTIFACTS" | jq -r '.[]|select(.type=="Docker Manifest")|select(.name|test(":v"))|.extra.Digest')" >> "$GITHUB_OUTPUT"
          echo "name=$(echo "$ARTIFACTS" | jq -r '.[]|select(.type=="Docker Manifest")|select(.name|test(":v"))|.name|split(":")[0]')" >> "$GITHUB_OUTPUT"
        id: image_metadata
        env:
          ARTIFACTS: ${{ steps.goreleaser.outputs.artifacts }}
      - name: Publish Container Attestations
        uses: actions/attest-build-provenance@v1
        with:
          subject-name: ${{ steps.image_metadata.outputs.name }}
          subject-digest: ${{ steps.image_metadata.outputs.digest }}
          push-to-registry: true
      - name: Publish Attestations
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: |
            dist/*.tar.gz
            dist/*.sbom.json
            dist/*_checksums.txt
            dist/*.sig
            dist/*.pem