kubevela/.github/workflows/release.yml

name: Release

on:
  push:
    tags:
      - 'v*'
  workflow_dispatch: {}

permissions:
  contents: read

jobs:
  goreleaser:
    name: goreleaser
    runs-on: ubuntu-22.04
    permissions:
      contents: write
      actions: read
      checks: write
      issues: read
      packages: write
      pull-requests: read
      repository-projects: read
      statuses: read
      id-token: write
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - name: Checkout
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
        with:
          fetch-depth: 0

      - name: Get Git tags
        run: git fetch --force --tags

      - name: Set up Go
        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
        with:
          go-version: 1.23.8
          cache: true

      - name: Install Cosign
        uses: sigstore/cosign-installer@main
        with:
          cosign-release: 'v2.5.0'

      - name: Install syft
        uses: anchore/sbom-action/download-syft@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0

      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
        with:
          distribution: goreleaser
          version: 1.14.1
          args: release --rm-dist --timeout 60m
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Generate hashes
        id: hash
        if: startsWith(github.ref, 'refs/tags/')
        run: |
          set -euo pipefail
          HASHES=$(find dist -type f -exec sha256sum {} \; | base64 -w0)
          echo "hashes=$HASHES" >> "$GITHUB_OUTPUT"

  upload-plugin-homebrew:
    name: upload-sha256sums
    needs: goreleaser
    runs-on: ubuntu-22.04
    if: ${{ !contains(github.ref, 'alpha') && !contains(github.ref, 'beta') && !contains(github.ref, 'rc') }}
    permissions:
      contents: write
      actions: read
      checks: write
      issues: read
      packages: write
      pull-requests: read
      repository-projects: read
      statuses: read
    steps:
      - name: Checkout
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
      - name: Update kubectl plugin version in krew-index
        uses: rajatjindal/krew-release-bot@df3eb197549e3568be8b4767eec31c5e8e8e6ad8 # v0.0.46
      - name: Update Homebrew formula
        uses: dawidd6/action-homebrew-bump-formula@d3667e5ae14df19579e4414897498e3e88f2f458 # v3.10.0
        with:
          token: ${{ secrets.HOMEBREW_TOKEN }}
          formula: kubevela
          tag: ${{ github.ref }}
          revision: ${{ github.sha }}
          force: false

  provenance-vela-bins:
    name: generate provenance for binaries
    needs: [goreleaser]
    if: startsWith(github.ref, 'refs/tags/')
    permissions:
      id-token: write
      contents: write
      actions: read
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0 # has to be sem var
    with:
      base64-subjects: '${{ needs.goreleaser.outputs.hashes }}'
      upload-assets: true