name: publish

on:
  pull_request:
    branches:
    - main
  push:
    branches:
    - main

permissions:
  contents: read # Needed to checkout the repository.

concurrency:
  group: "${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-${{ github.sha }}"
  cancel-in-progress: true

jobs:
  artifacts:
    name: artifacts
    permissions:
      contents: write # Needed to upload artifacts.
      id-token: write # Needed for attestation.
      attestations: write # Needed for attestations.
    runs-on: ubuntu-latest
    steps:
    - name: harden runner
      uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
      with:
        egress-policy: audit

    - name: checkout
      uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      with:
        persist-credentials: false

    - name: 'install rust toolchain'
      run: |
        cargo version

    - name: 'assemble artifacts'
      run: ./hack/assemble.sh

    - name: 'upload artifacts'
      id: upload
      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
      with:
        name: artifacts
        path: target/assemble/*

    - name: 'attest artifacts'
      uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
      with:
        subject-name: artifacts.zip
        subject-digest: "sha256:${{ steps.upload.outputs.artifact-digest }}"
      if: github.event_name != 'pull_request'