k3k/.github/workflows/release.yml

name: Release

on:
  push:
    tags:
    - "v*"
  workflow_dispatch:
    inputs:
      commit:
        type: string
        description: Checkout a specific commit

permissions:
    contents: write
    packages: write
    id-token: write

env:
  GORELEASER_VERSION: v2.15.2
  GORELEASER_CHECKSUM_x86_64: 0ebdbf0353aba566b969dde746cc4e4806f96c27aa2f3971b229a9df7611fedc

jobs:
  release:
    runs-on: ubuntu-latest

    steps:
    - name: Checkout code
      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      with:
        fetch-depth: 0
        fetch-tags: true

    - name: Checkout code at the specific commit
      if: inputs.commit != ''
      run: git checkout ${{ inputs.commit }}

    - name: Set up Go
      uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
      with:
        go-version-file: go.mod

    - name: Set up QEMU
      uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4
      with:
        image: tonistiigi/binfmt:qemu-v10.0.4-56

    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
      with:
        version: v0.30.1

    - name: "Read secrets"
      uses: rancher-eio/read-vault-secrets@0da85151ad1f19ed7986c41587e45aac1ace74b6 # v3
      if: github.repository_owner == 'rancher'
      with:
        secrets: |
          secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ;
          secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD ;

    # Manually dispatched workflows (or forks) will use ghcr.io
    - name: Setup ghcr.io
      if: github.event_name == 'workflow_dispatch' || github.repository_owner != 'rancher'
      run: |
        echo "REGISTRY=ghcr.io"                     >> $GITHUB_ENV
        echo "DOCKER_USERNAME=${{ github.actor }}"  >> $GITHUB_ENV
        echo "DOCKER_PASSWORD=${{ github.token }}"  >> $GITHUB_ENV

    - name: Login to container registry
      uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
      with:
        registry: ${{ env.REGISTRY }}
        username: ${{ env.DOCKER_USERNAME }}
        password: ${{ env.DOCKER_PASSWORD }}

    # If the tag does not exists the workflow was manually triggered.
    # That means we are creating temporary nightly builds, with a "fake" local tag
    - name: Check release tag
      id: release-tag
      run: |
        CURRENT_TAG=$(git describe --tag --always --match="v[0-9]*")

        if git show-ref --tags ${CURRENT_TAG} --quiet; then
          echo "tag ${CURRENT_TAG} already exists";
        else
          echo "tag ${CURRENT_TAG} does not exist"
          git tag ${CURRENT_TAG}
        fi

        echo "CURRENT_TAG=${CURRENT_TAG}" >> "$GITHUB_OUTPUT"

    - name: Setup goreleaser
      env:
        FILENAME: goreleaser.tar.gz
      run: |-
        curl -sSfL -o ${{ env.FILENAME }} https://github.com/goreleaser/goreleaser/releases/download/${{ env.GORELEASER_VERSION }}/goreleaser_Linux_x86_64.tar.gz
        echo "${{ env.GORELEASER_CHECKSUM_x86_64 }}  ${{ env.FILENAME }}" | sha256sum --check
        tar -xvzf "${{ env.FILENAME }}" goreleaser
        sudo install -m 755 goreleaser /usr/local/bin/goreleaser

        rm -f "${{ env.FILENAME }}" goreleaser

    - name: Run GoReleaser
      env:
        GITHUB_TOKEN: ${{ github.token }}
        GORELEASER_CURRENT_TAG: ${{ steps.release-tag.outputs.CURRENT_TAG }}
        REGISTRY: ${{ env.REGISTRY }}
        REPO: ${{ github.repository }}
      run: |-
        goreleaser --clean

        if [[ ! -f dist/metadata.json ]] || [[ ! -s dist/metadata.json ]]; then
          echo "Missing required file: dist/metadata.json"
          exit 1
        fi

        if [[ ! -f dist/artifacts.json ]] || [[ ! -s dist/artifacts.json ]]; then
          echo "Missing required file: dist/artifacts.json"
          exit 1
        fi

        echo "metadata=$(tr -d '\n\r' < dist/metadata.json)" >> "${GITHUB_OUTPUT}"
        echo "artifacts=$(tr -d '\n\r' < dist/artifacts.json)" >> "${GITHUB_OUTPUT}"