# Manually dispatched release workflow: assembles the release artifacts,
# attests their build provenance, uploads them to the release named by the
# `release-tag` input, and finally takes that release out of draft.
name: release

on:
  workflow_dispatch:
    inputs:
      release-tag:
        description: 'Release Tag'
        required: true
        type: string

# Workflow-wide default for the job token; the release job widens it below.
permissions:
  contents: read  # Needed to checkout the repository.

# One concurrency group per workflow + tag: a newer dispatch for the same tag
# cancels the run that is still in flight.
# NOTE(review): a cancel that lands mid-upload could leave the release with a
# partial asset set; confirm the upload script is safe to re-run.
concurrency:
  group: "${{ github.workflow }}-${{ github.event.inputs.release-tag }}"
  cancel-in-progress: true

jobs:
  release:
    name: release
    runs-on: ubuntu-latest
    permissions:
      # NOTE(review): the upload and publish steps authenticate with the app
      # token generated below, not with the job token, so `contents` may be
      # reducible to `read` here; confirm nothing else relies on it.
      contents: write  # Needed to upload release assets.
      id-token: write  # Needed for attestation.
      attestations: write  # Needed for attestations.
    steps:
      # Every `uses:` is pinned to a full commit SHA; the trailing comment
      # records the tag that SHA is expected to correspond to.
      - name: 'harden runner'
        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2  # v2.13.2
        with:
          # Audit mode records outbound connections but does not stop them.
          # NOTE(review): for a job that holds release credentials, consider
          # `block` with an allow-list built from the audit results.
          egress-policy: audit

      - name: 'checkout'
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.1
        with:
          # Keep the job token out of the checked-out git config so the
          # scripts run later cannot pick it up from disk.
          persist-credentials: false

      # This step only prints the cargo version; nothing is installed, so the
      # build uses whatever toolchain the runner image ships.
      # NOTE(review): the toolchain for release builds is not pinned in this
      # workflow; confirm it is pinned elsewhere (e.g. rust-toolchain.toml).
      - name: 'install rust toolchain'
        run: |
          cargo version

      # Build script is not visible from this file; no secrets are passed to
      # it through `env`.
      - name: 'assemble release artifacts'
        run: ./hack/assemble.sh

      # Provenance is generated for the files matching the glob at this point.
      # NOTE(review): the attestation only helps consumers if the upload step
      # publishes these same files unmodified; verify in the upload script.
      - name: 'attest release artifacts'
        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a  # v3.0.0
        with:
          subject-path: 'target/assemble/*'

      # Mints a GitHub App installation token used for the release writes.
      # NOTE(review): the pinned commit is labelled as a beta tag; confirm
      # that is intended on the release path.
      # NOTE(review): no `permission-*` inputs are set, so the token is not
      # narrowed below what the app installation grants; consider requesting
      # only what the release steps need (e.g. `permission-contents: write`).
      - name: 'generate cultivator token'
        id: generate-token
        if: ${{ github.event.inputs.release-tag != '' }}
        uses: actions/create-github-app-token@bf559f85448f9380bcfa2899dbdc01eb5b37be3a  # v3.0.0-beta.2
        with:
          app-id: "${{ secrets.EDERA_CULTIVATION_APP_ID }}"
          private-key: "${{ secrets.EDERA_CULTIVATION_APP_PRIVATE_KEY }}"

      # The tag reaches the script through the environment rather than being
      # interpolated into the command text, so the dispatch input is never
      # parsed as shell syntax by the `run` line itself.
      - name: 'upload release artifacts'
        if: ${{ github.event.inputs.release-tag != '' }}
        env:
          GITHUB_TOKEN: "${{ steps.generate-token.outputs.token }}"
          RELEASE_TAG: "${{ github.event.inputs.release-tag }}"
        run: ./hack/ci/upload-release-assets.sh

      # Publishes the draft release; `--verify-tag` makes gh abort when the
      # git tag does not already exist in the remote repository.
      - name: 'mark release as published'
        if: ${{ github.event.inputs.release-tag != '' }}
        env:
          GITHUB_TOKEN: "${{ steps.generate-token.outputs.token }}"
          RELEASE_TAG: "${{ github.event.inputs.release-tag }}"
        run: gh release edit "${RELEASE_TAG}" --draft=false --verify-tag