release.yml

name: Release

on:
  push:
    tags: [ 'v*.*.*' ]

permissions:
  contents: write
  packages: write
  id-token: write
  attestations: write

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Get latest Go version
        id: gover
        run: echo goversion=$(awk -F':|-' '!/^#/ {print $2}' .github/dockerfile-for-dependabot/Dockerfile) >> "$GITHUB_OUTPUT"
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: "${{ steps.gover.outputs.goversion }}"
      - name: Extract release changelog
        run: |
          version=${GITHUB_REF#refs/tags/v*}
          mkdir -p tmp
          sed '/^# '$version'/,/^# /!d;//d;/^\s*$/d' CHANGELOG.md > tmp/release_changelog.md
      - name: Release
        uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
        with:
          distribution: goreleaser
          version: v1.25.1
          args: release --clean --release-notes=tmp/release_changelog.md
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: "Sign .tar.gz"
        uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
        with:
          subject-path: "dist/*.tar.gz"
      - name: "Sign .deb"
        uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
        with:
          subject-path: "dist/*.deb"