name: publish

on:
  pull_request:
    branches:
    - main
  push:
    branches:
    - main

permissions:
  contents: read # Needed to checkout the repository.

concurrency:
  group: "${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-${{ github.sha }}"
  cancel-in-progress: true

jobs:
  artifacts:
    name: artifacts
    permissions:
      contents: write # Needed to upload artifacts.
      id-token: write # Needed for attestation.
      attestations: write # Needed for attestations.
    runs-on: ubuntu-latest
    steps:
    - name: harden runner
      uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
      with:
        egress-policy: audit

    - name: checkout
      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        persist-credentials: false

    - name: 'install rust toolchain'
      run: |
        cargo version

    - name: 'assemble artifacts'
      run: ./hack/assemble.sh

    - name: 'upload artifacts'
      id: upload
      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
      with:
        name: artifacts
        path: target/assemble/*

    - name: 'attest artifacts'
      uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
      with:
        subject-name: artifacts.zip
        subject-digest: "sha256:${{ steps.upload.outputs.artifact-digest }}"
      if: github.event_name != 'pull_request'