.github/workflows/release.yml

name: Cut Release

on:
  push:
    tags:
      - "v*"

concurrency: cut-release

permissions:
  contents: write # needed to write releases
  id-token: write # needed for keyless signing
  packages: write # needed for pushing the images to ghcr.io

jobs:
  release:
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0

      - name: Set env
        run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> "$GITHUB_ENV"

      - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
        with:
          go-version: '1.20'
          check-latest: true

      - uses: sigstore/cosign-installer@4079ad3567a89f68395480299c77e40170430341
      - uses: anchore/sbom-action/download-syft@422cb34a0f8b599678c41b21163ea6088edb2624 # v0.14.1
      - uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
      - uses: imjasonh/setup-crane@e82f1b9a8007d399333baba4d75915558e9fb6a4 # v0.2

      - name: Run GoReleaser
        id: run-goreleaser
        uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b # v4.2.0
        with:
          version: latest
          args: release --clean --timeout 120m
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          KO_DOCKER_REPO: ghcr.io/sigstore/cosign-gatekeeper-provider

      - name: sign image
        run: |
          digest=$(crane digest ghcr.io/sigstore/cosign-gatekeeper-provider:${{ env.RELEASE_VERSION }})
          cosign sign --yes --force "ghcr.io/sigstore/cosign-gatekeeper-provider@${digest}"
        env:
          COSIGN_EXPERIMENTAL: true

      - name: Generate subject
        id: hash
        env:
          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
        run: |
          set -euo pipefail
          checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
          echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT"

  provenance:
    needs:
      - release
    permissions:
      actions: read # To read the workflow path.
      id-token: write # To sign the provenance.
      contents: write # To add assets to a release.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.4.0
    with:
      base64-subjects: "${{ needs.release.outputs.hashes }}"
      upload-assets: false # do not upload to a new release since goreleaser creates it

  release-provenance:
    needs:
      - provenance
    runs-on: ubuntu-latest
    permissions:
      actions: read # To read the workflow path.
      contents: write # To add assets to a release.
    steps:
      - name: Download the provenance
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: ${{needs.provenance.outputs.provenance-name}}

      - name: Release Provenance
        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
        id: release-provenance
        with:
          draft: true
          files: ${{needs.provenance.outputs.provenance-name}}