name: release
on:
  push:
    tags:
      - 'v*'
  workflow_dispatch:
    inputs:
      tag:
        description: 'image tag prefix'
        default: 'rc'
        required: true

permissions:
  contents: read

env:
  IMAGE: "ghcr.io/fluxcd/${{ github.event.repository.name }}"

jobs:
  release-flagger:
    outputs:
      hashes: ${{ steps.slsa.outputs.hashes }}
    runs-on:
      group: "Default Larger Runners"
    permissions:
      contents: write # needed to write releases
      id-token: write # needed for keyless signing
      packages: write # needed for ghcr access
    steps:
      - uses: actions/checkout@v5
      - name: Setup Go
        uses: actions/setup-go@v6
        with:
          go-version: 1.25.x
      - uses: fluxcd/flux2/action@main
      - uses: sigstore/cosign-installer@v3.10.0
      - name: Prepare
        id: prep
        run: |
          if [[ ${GITHUB_EVENT_NAME} = "workflow_dispatch" ]]; then
            VERSION="${{ github.event.inputs.tag }}-${GITHUB_SHA::8}"
          else
            VERSION=$(grep 'VERSION' pkg/version/version.go | awk '{ print $4 }' | tr -d '"')
          fi
          CHANGELOG="https://github.com/fluxcd/flagger/blob/main/CHANGELOG.md#$(echo $VERSION | tr -d '.')"
          echo "[CHANGELOG](${CHANGELOG})" > notes.md
          echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
          echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT
      - name: Setup QEMU
        uses: docker/setup-qemu-action@v3
      - name: Setup Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: fluxcdbot
          password: ${{ secrets.GHCR_TOKEN }}
      - name: Generate image meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: |
            ${{ env.IMAGE }}
          tags: |
            type=raw,value=${{ steps.prep.outputs.VERSION }}
      - name: Publish image
        id: build-push
        uses: docker/build-push-action@v6
        with:
          sbom: true
          provenance: true
          push: true
          builder: ${{ steps.buildx.outputs.name }}
          context: .
          file: ./Dockerfile
          platforms: linux/amd64,linux/arm64,linux/arm/v7
          build-args: |
            REVISON=${{ github.sha }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
      - name: Sign image
        env:
          COSIGN_EXPERIMENTAL: 1
        run: |
          cosign sign --yes ${{ env.IMAGE }}@${{ steps.build-push.outputs.digest }}
      - name: Publish signed manifests to GHCR
        if: startsWith(github.ref, 'refs/tags/v')
        env:
          COSIGN_EXPERIMENTAL: 1
        run: |
          OCI_URL=$(flux push artifact \
            oci://ghcr.io/fluxcd/flagger-manifests:${{ steps.prep.outputs.VERSION }} \
            --path="./kustomize" \
            --source="$(git config --get remote.origin.url)" \
            --revision="${{ steps.prep.outputs.VERSION }}/$(git rev-parse HEAD)" \
            --output json | \
            jq -r '. | .repository + "@" + .digest')
          cosign sign --yes ${OCI_URL}
      - name: Publish Helm charts
        if: startsWith(github.ref, 'refs/tags/v')
        uses: stefanprodan/helm-gh-pages@v1.7.0
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          charts_url: https://flagger.app
          linting: off
      - uses: fluxcd/pkg/actions/helm@main
        with:
          version: 3.12.3
      - name: Publish signed Helm chart to GHCR
        if: startsWith(github.ref, 'refs/tags/v')
        env:
          COSIGN_EXPERIMENTAL: 1
        run: |
          helm package charts/flagger
          helm push flagger-${{ steps.prep.outputs.VERSION }}.tgz oci://ghcr.io/fluxcd/charts |& tee .digest
          cosign sign --yes ghcr.io/fluxcd/charts/flagger@$(cat .digest | awk -F "[, ]+" '/Digest/{print $NF}')
          rm flagger-${{ steps.prep.outputs.VERSION }}.tgz
          rm .digest
      - uses: anchore/sbom-action/download-syft@v0
      - name: Create release and SBOM
        id: run-goreleaser
        uses: goreleaser/goreleaser-action@v6
        if: startsWith(github.ref, 'refs/tags/v')
        with:
          version: latest
          args: release --release-notes=notes.md --clean --skip=validate
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Generate SLSA metadata
        id: slsa
        if: startsWith(github.ref, 'refs/tags/v')
        env:
          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
        run: |
          set -euo pipefail
          
          hashes=$(echo -E $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join("  ") | sub("^sha256:";"")' | base64 -w0)
          echo "hashes=$hashes" >> $GITHUB_OUTPUT

  release-provenance:
    needs: [release-flagger]
    if: startsWith(github.ref, 'refs/tags/v')
    permissions:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      contents: write # for uploading attestations to GitHub releases.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
    with:
      provenance-name: "provenance.intoto.jsonl"
      base64-subjects: "${{ needs.release-flagger.outputs.hashes }}"
      upload-assets: true