slsa-verifier/.github/workflows/release.yml

name: Verifier releaser

on:
  # For manual tests.
  workflow_dispatch:
  push:
    tags:
      - "*" # triggers only if push new tag version, like `0.8.4`.
  # Run daily as a dry-run/test.
  schedule:
    - cron: "0 1 * * *"

permissions: read-all

env:
  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  ISSUE_REPOSITORY: slsa-framework/slsa-verifier

jobs:
  # Generate ldflags dynamically.
  args:
    runs-on: ubuntu-latest
    outputs:
      version: ${{ steps.ldflags.outputs.version }}
    steps:
      - id: checkout
        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
        with:
          fetch-depth: 0
      - id: ldflags
        run: |
          echo "version=$(git describe --tags --always --dirty | cut -c2-)" >> "$GITHUB_OUTPUT"

  builder:
    name: builder-${{matrix.os}}-${{matrix.arch}}
    needs: [args]
    strategy:
      matrix:
        os:
          - linux
          - windows
          - darwin
        arch:
          - amd64
          - arm64
    permissions:
      actions: read # For the detection of GitHub Actions environment.
      id-token: write # For signing.
      contents: write # For asset uploads.
    uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.4.0
    with:
      go-version: 1.18
      config-file: .slsa-goreleaser/${{matrix.os}}-${{matrix.arch}}.yml
      compile-builder: true
      evaluated-envs: "VERSION:${{needs.args.outputs.version}}"