Skip to content

Release

Release #238

Workflow file for this run

name: Release
on:
schedule:
- cron: "0 0 * * 1" # every Monday at 00:00 UTC
workflow_dispatch:
permissions: {}
jobs:
release:
name: Release
runs-on: ubuntu-latest
# https://docs.github.com/en/actions/reference/authentication-in-a-workflow
permissions:
id-token: write
contents: write
steps:
- uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
with:
egress-policy: block
allowed-endpoints: >
*.blob.core.windows.net:443
*.githubapp.com:443
api.github.com:443
auth.docker.io:443
dl.google.com:443
fulcio.sigstore.dev:443
ghcr.io:443
github.com:443
go.dev:443
goreleaser.com:443
index.docker.io:443
objects.githubusercontent.com:443
production.cloudflare.docker.com:443
proxy.golang.org:443
raw.githubusercontent.com:443
rekor.sigstore.dev:443
release-assets.githubusercontent.com:443
storage.googleapis.com:443
sum.golang.org:443
tuf-repo-cdn.sigstore.dev:443
uploads.github.com:443
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Check if any changes since last release
id: check
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
git fetch --tags
TAG=$(git tag --points-at HEAD)
if [ -z "$TAG" ]; then
echo "No tag points at HEAD, so we need a new tag and then a new release."
echo "need_release=yes" >> $GITHUB_OUTPUT
else
RELEASE=$(gh release view "$TAG" --json tagName --jq '.tagName' || echo "none")
if [ "$RELEASE" == "$TAG" ]; then
echo "A release exists for tag $TAG, which has the latest changes, so no need for a new tag or release."
echo "need_release=no" >> $GITHUB_OUTPUT
else
echo "Tag $TAG exists, but no release is associated. Need a new release."
echo "need_release=yes" >> $GITHUB_OUTPUT
echo "existing_tag=$TAG" >> $GITHUB_OUTPUT
fi
fi
- name: Bump version and push tag
id: create_tag
uses: mathieudutour/github-tag-action@a22cf08638b34d5badda920f9daf6e72c477b07b # v6.2
if: steps.check.outputs.need_release == 'yes' && steps.check.outputs.existing_tag == ''
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
if: steps.check.outputs.need_release == 'yes'
with:
ref: ${{ steps.check.outputs.existing_tag || steps.create_tag.outputs.new_tag }}
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
if: steps.check.outputs.need_release == 'yes'
with:
go-version-file: "./go.mod"
check-latest: true
# Cosign is used by goreleaser to sign release artifacts.
- uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
if: steps.check.outputs.need_release == 'yes'
with:
# https://github.com/goreleaser/goreleaser/issues/6195
cosign-release: "v2.6.1"
- uses: goreleaser/goreleaser-action@e24998b8b67b290c2fa8b7c14fcfa7de2c5c9b8c # v7.1.0
if: steps.check.outputs.need_release == 'yes'
with:
version: latest
install-only: true
- name: Release
if: steps.check.outputs.need_release == 'yes'
run: make release
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
TAG: ${{ steps.check.outputs.existing_tag || steps.create_tag.outputs.new_tag }}