.github/workflows/release.yaml

name: release
on:
  push:
    branches:
    - main
permissions: {}
jobs:
  release-tag:
    permissions:
      # create tag
      contents: write
    runs-on: ubuntu-latest
    outputs:
      new-tag: ${{ steps.bump-tag.outputs.new }}
      new-tag-version: ${{ steps.bump-tag.outputs.new_tag_version }}
    steps:
    - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
      with:
        fetch-depth: 0
    - name: Configure git
      run: |
        git config --global user.name "$GITHUB_ACTOR"
        git config --global user.email "$GITHUB_ACTOR@users.noreply.github.com"
    - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
      with:
        go-version: stable
    - name: Install ccv
      run: >
        curl -sSL https://github.com/smlx/ccv/releases/download/v0.3.2/ccv_0.3.2_linux_amd64.tar.gz
        | sudo tar -xz -C /usr/local/bin ccv
    - name: Bump tag if necessary
      id: bump-tag
      run: |
        if [ -z "$(git tag -l "$(ccv)")" ]; then
          git tag "$(ccv)"
          git push --tags
          echo "new=true" >> "$GITHUB_OUTPUT"
          echo "new_tag_version=$(git tag --points-at HEAD)" >> "$GITHUB_OUTPUT"
        fi
  release-build:
    permissions:
      # create release
      contents: write
      # push docker images to regsitry
      packages: write
      # use OIDC token for signing
      id-token: write
    needs: release-tag
    if: needs.release-tag.outputs.new-tag == 'true'
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
      with:
        fetch-depth: 0
    - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
      with:
        go-version: stable
    - name: Login to GHCR
      uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
      with:
        registry: ghcr.io
        username: ${{ github.repository_owner }}
        password: ${{ secrets.GITHUB_TOKEN }}
    - name: Set up environment
      run: echo "GOVERSION=$(go version)" >> "$GITHUB_ENV"
    - uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
    - uses: anchore/sbom-action/download-syft@9fece9e20048ca9590af301449208b2b8861333b # v0.15.9
    - uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
      with:
        version: latest
        args: release --clean
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}