#
# Release workflow: GoReleaser builds and publishes, then the outputs are attested.
# https://goreleaser.com/ci/actions/
#
# NOTE(review): every `uses:` below references a tag, and a tag can be moved
# after the fact. This job holds write scopes and can request an OIDC token,
# so consider pinning each action to a full commit SHA (keep the tag as a
# trailing comment for readability).
#
name: release

# Fires only when a tag matching v* is pushed.
on:
  push:
    tags:
      - "v*"

# Scopes granted to GITHUB_TOKEN. They are declared at workflow level, so
# every step of the single job below runs with all of them.
permissions:
  # create the release and upload its assets
  contents: write
  # mint the OIDC token used for keyless signing
  id-token: write
  # push images to ghcr
  packages: write
  # store the build-provenance attestations
  attestations: write

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): checkout keeps the token in the local git config by
      # default; if nothing later in the job pushes with git, consider
      # `persist-credentials: false`. Confirm against the GoReleaser config.
      - uses: actions/checkout@v5
        with:
          # Full history is required: a shallow clone has no previous tags.
          fetch-depth: 0

      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version-file: go.mod
          cache: true

      # cosign, used for signing
      - uses: sigstore/cosign-installer@v3.9.2

      # syft, used to generate SBOMs
      - uses: anchore/sbom-action/download-syft@v0.20.5

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # Authenticate to ghcr with the workflow token.
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Run GoReleaser.
      # NOTE(review): `version: nightly` means release artifacts are produced
      # by an unreleased GoReleaser build that changes between runs. Confirm
      # the nightly channel is actually needed; otherwise pin a released
      # version so the release toolchain is reproducible.
      - uses: goreleaser/goreleaser-action@v6
        with:
          version: nightly
          args: release --clean --verbose
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      # Once GoReleaser has finished, attest every file listed in
      # ./dist/checksums.txt.
      - uses: actions/attest-build-provenance@v3
        with:
          subject-checksums: ./dist/checksums.txt

      # Likewise, attest every image listed in ./dist/digests.txt.
      - uses: actions/attest-build-provenance@v3
        with:
          subject-checksums: ./dist/digests.txt