Restore core/framework coverage gate with validation tests (#7) #5

	name: release

	on:
	push:
	tags:
	- 'v..*'

	permissions:
	contents: write
	id-token: write
	attestations: write

	jobs:
	release:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	with:
	fetch-depth: 0
	- uses: actions/setup-go@v5
	with:
	go-version-file: go.mod
	- uses: goreleaser/goreleaser-action@v6
	with:
	version: v2.13.3
	args: release --clean
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	- name: Verify release checksums
	run: ./scripts/verify_release_artifacts.sh dist
	- uses: anchore/sbom-action@v0
	with:
	artifact-name: sbom.spdx.json
	output-file: sbom.spdx.json
	- name: Install grype
	uses: anchore/scan-action/download-grype@v4
	- name: Vulnerability scan (dist)
	run: grype dir:dist --fail-on high \|\| grype dir:dist --fail-on critical
	- uses: sigstore/cosign-installer@v3
	- name: Sign checksums
	run: \|
	cosign sign-blob --yes --output-signature dist/checksums.txt.sig --output-certificate dist/checksums.txt.pem dist/checksums.txt
	- name: Verify signed checksums
	run: ./scripts/verify_release_artifacts.sh dist
	- name: Upload checksum signature assets to release
	env:
	GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	run: \|
	gh release upload "${{ github.ref_name }}" \
	dist/checksums.txt.sig \
	dist/checksums.txt.pem \
	--repo "${{ github.repository }}" \
	--clobber
	- name: Generate build provenance
	uses: actions/attest-build-provenance@v2
	with:
	subject-path: \|
	dist/*
	- uses: actions/upload-artifact@v4
	with:
	name: release-security-artifacts
	path: \|
	dist/checksums.txt
	dist/checksums.txt.sig
	dist/checksums.txt.pem
	sbom.spdx.json

Provide feedback