name: publish

on:
  pull_request:
    branches:
    - main
  push:
    branches:
    - main

permissions:
  contents: read # Needed to checkout the repository.

concurrency:
  group: "${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-${{ github.sha }}"
  cancel-in-progress: true

jobs:
  artifacts:
    name: artifacts
    permissions:
      contents: write # Needed to upload artifacts.
      id-token: write # Needed for attestation.
      attestations: write # Needed for attestations.
    runs-on: ubuntu-latest
    steps:
    - name: harden runner
      uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
      with:
        egress-policy: audit

    - name: checkout
      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        persist-credentials: false

    - name: 'install rust toolchain'
      run: |
        cargo version

    - name: 'assemble artifacts'
      run: ./hack/assemble.sh

    - name: 'upload artifacts'
      id: upload
      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
      with:
        name: artifacts
        path: target/assemble/*

    - name: 'attest artifacts'
      uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
      with:
        subject-name: artifacts.zip
        subject-digest: "sha256:${{ steps.upload.outputs.artifact-digest }}"
      if: github.event_name != 'pull_request'