name: Verifier releaser

on: 
  # For manual tests.
  workflow_dispatch:
  push:
    tags:
      - "*" # triggers only if push new tag version, like `0.8.4`.
  # Run daily as a dry-run/test.
  schedule:
    - cron: '0 1 * * *'

permissions: read-all

env:
  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  ISSUE_REPOSITORY: slsa-framework/slsa-verifier

jobs:
  # Generate ldflags dynamically.
  args:
    runs-on: ubuntu-latest
    outputs:
      version: ${{ steps.ldflags.outputs.version }}
    steps:
      - id: checkout
        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
        with:
          fetch-depth: 0
      - id: ldflags
        run: |
          echo "::set-output name=version::$(git describe --tags --always --dirty | cut -c2-)"

  builder:
    permissions:
      actions: read # For the detection of GitHub Actions environment.
      id-token: write # For signing.
      contents: write # For asset uploads.
    uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.2.1
    with:
      go-version: 1.18
      config-file: .github/config-release.yml
      compile-builder: true
      evaluated-envs: "VERSION:${{needs.args.outputs.version}}"

  # In case this fails, e.g. build configuration changes, file an issue in slsa-verifier
  if-failed:
    runs-on: ubuntu-latest
    needs: [builder]
    if: always() && needs.builder.result == 'failure'
    steps:
      - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
        with:
          repository: slsa-framework/example-package
      - run: |
          set -euo pipefail

          ./.github/workflows/scripts/e2e-report-failure.sh