.github/workflows/release.yml

name: Release
on:
  push:
    tags:
      - "v*"
permissions:
  actions: write
  packages: write
  contents: write
  id-token: write
  attestations: write
jobs:
  goreleaser:
    name: Make a release on GitHub
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          cache: true
          go-version-file: go.mod

      - uses: sigstore/cosign-installer@v3.7.0
      - uses: anchore/sbom-action/download-syft@v0.18.0

      - name: Import GPG key
        id: import_gpg
        uses: crazy-max/ghaction-import-gpg@v6.1.0
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.GPG_PASSPHRASE }}

      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v6.1.0
        id: release
        with:
          version: latest
          args: release --clean
        env:
          GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Get Checksum file
        id: checksum
        env:
          ARTIFACT_JSON: ${{ steps.release.outputs.artifacts }}
        run: |
          echo $ARTIFACT_JSON > artifacts.json
          CHECKSUM_FILE=$(cat artifacts.json | jq -r '[ .[] | select (.type == "Checksum")] | .[0].path')
          echo "CHECKSUM_FILE=$CHECKSUM_FILE" >> $GITHUB_OUTPUT
      - uses: actions/attest-build-provenance@v2
        with:
          subject-checksums: ${{ steps.checksum.outputs.CHECKSUM_FILE }}