# Manually dispatched release workflow: builds the release artifacts with
# ./hack/assemble.sh, attests them, uploads them to the release named by the
# `release-tag` input, and then takes that release out of draft.
name: release

on:
  workflow_dispatch:
    inputs:
      # Reaches the shell steps below only through the RELEASE_TAG environment
      # variable, never by expanding ${{ }} inside a `run:` script, so the
      # value is not spliced into script text.
      # NOTE(review): no format check on the tag is visible in this file;
      # confirm the hack/ scripts validate it.
      release-tag:
        description: Release Tag
        required: true
        type: string

# Workflow-wide default for the job token; the job below widens it.
permissions:
  contents: read # Needed to checkout the repository.

# One run per (workflow, tag): a new dispatch for the same tag cancels the
# run already in progress.
# NOTE(review): a cancel between the upload and publish steps would leave a
# draft release holding whatever was uploaded so far; confirm the upload
# script is safe to re-run.
concurrency:
  group: '${{ github.workflow }}-${{ github.event.inputs.release-tag }}'
  cancel-in-progress: true

jobs:
  release:
    name: release
    runs-on: ubuntu-latest
    # NOTE(review): the upload and publish steps in this file authenticate
    # with the GitHub App token, not the job token. If nothing else needs
    # write access to contents, `contents: read` may be enough here; confirm.
    permissions:
      contents: write # Needed to upload release assets.
      id-token: write # Needed for attestation.
      attestations: write # Needed for attestations.
    steps:
      # `audit` records outbound connections but does not block any.
      # NOTE(review): for a job that handles a signing identity and an App
      # private key, consider `egress-policy: block` with an allow-list once
      # the audit baseline is known.
      - name: harden runner
        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
        with:
          egress-policy: audit

      # persist-credentials: false keeps the job token out of the checked-out
      # repository's git configuration, so later scripts cannot pick it up
      # from there.
      # NOTE(review): no `ref` is given, so the checkout is the ref the
      # workflow was dispatched on. Nothing in this file ties that commit to
      # `release-tag`; confirm the dispatch is made on the tag itself, or
      # that the scripts check it. `--verify-tag` in the last step only
      # requires that the tag exists.
      - name: checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      # NOTE(review): this step only runs `cargo version`; presumably that is
      # meant to make rustup fetch the toolchain pinned in the repository.
      # Confirm, since otherwise the build uses whatever toolchain the runner
      # image provides.
      - name: install rust toolchain
        run: |
          cargo version

      # Repository build script. The attest step below reads its subjects
      # from target/assemble/.
      - name: assemble release artifacts
        run: ./hack/assemble.sh

      # Creates build provenance for every file matching the glob. This is
      # the step that needs the `id-token` and `attestations` write
      # permissions.
      - name: attest release artifacts
        uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3.1.0
        with:
          subject-path: 'target/assemble/*'

      # Mints a short-lived installation token for the GitHub App whose
      # credentials are stored in the two secrets.
      # NOTE(review): the pin comment names a beta release (v3.0.0-beta.2);
      # consider a stable release on the release path. No `permission-*`
      # inputs are set, so the token is presumably not narrowed below the
      # installation's own permissions; confirm, and restrict it to what the
      # upload and publish steps need.
      - name: generate cultivator token
        if: ${{ github.event.inputs.release-tag != '' }}
        id: generate-token
        uses: actions/create-github-app-token@bf559f85448f9380bcfa2899dbdc01eb5b37be3a # v3.0.0-beta.2
        with:
          app-id: '${{ secrets.EDERA_CULTIVATION_APP_ID }}'
          private-key: '${{ secrets.EDERA_CULTIVATION_APP_PRIVATE_KEY }}'

      # Upload is done by a repository script, which receives the App token
      # and the tag through its environment.
      - name: upload release artifacts
        if: ${{ github.event.inputs.release-tag != '' }}
        env:
          GITHUB_TOKEN: '${{ steps.generate-token.outputs.token }}'
          RELEASE_TAG: '${{ github.event.inputs.release-tag }}'
        run: ./hack/ci/upload-release-assets.sh

      # Takes the release out of draft. `--verify-tag` makes gh abort when
      # the tag does not exist in the remote repository.
      - name: mark release as published
        if: ${{ github.event.inputs.release-tag != '' }}
        env:
          GITHUB_TOKEN: '${{ steps.generate-token.outputs.token }}'
          RELEASE_TAG: '${{ github.event.inputs.release-tag }}'
        run: gh release edit "${RELEASE_TAG}" --draft=false --verify-tag