actions/.github/workflows/release.yml

---
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
name: Release

on:
  push:
    tags:
      - 'v*'

permissions: {}

jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta
      - uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
        with:
          generate_release_notes: true

  provenance:
    needs: release
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: write
      attestations: write
    steps:
      - uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta
      - name: Create source archive
        env:
          TAG: ${{ github.ref_name }}
        run: |
          set -eu
          git archive --format=tar.gz --prefix="${TAG}/" HEAD > "${TAG}-source.tar.gz"
          sha256sum "${TAG}-source.tar.gz" > "${TAG}-source.tar.gz.sha256"
      - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
        with:
          subject-path: '${{ github.ref_name }}-source.tar.gz'
      - name: Upload release assets
        env:
          GH_TOKEN: ${{ github.token }}
          TAG: ${{ github.ref_name }}
        run: |
          set -eu
          gh release upload "$TAG" "${TAG}-source.tar.gz" "${TAG}-source.tar.gz.sha256" --clobber

  sbom:
    needs: release
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta
      - uses: anchore/sbom-action@57aae528053a48a3f6235f2d9461b05fbcb7366d # v0.23.1
        with:
          format: cyclonedx-json
          output-file: sbom.cdx.json
      - name: Upload SBOM to release
        env:
          GH_TOKEN: ${{ github.token }}
          TAG: ${{ github.ref_name }}
        run: |
          set -eu
          gh release upload "$TAG" sbom.cdx.json --clobber