sprout/.github/workflows/release.yml

name: release

on:
  workflow_dispatch:
    inputs:
      release-tag:
        description: 'Release Tag'
        required: true
        type: string

permissions:
  contents: read # Needed to checkout the repository.

concurrency:
  group: "${{ github.workflow }}-${{ github.event.inputs.release-tag }}"
  cancel-in-progress: true

jobs:
  release:
    name: release
    permissions:
      contents: write # Needed to upload release assets.
      id-token: write # Needed for attestation.
      attestations: write # Needed for attestations.
    runs-on: ubuntu-latest
    steps:
    - name: harden runner
      uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
      with:
        egress-policy: audit

    - name: checkout
      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        persist-credentials: false

    - name: 'install rust toolchain'
      run: |
        cargo version

    - name: 'assemble release artifacts'
      run: ./hack/assemble.sh

    - name: 'attest release artifacts'
      uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
      with:
        subject-path: target/assemble/*

    - name: 'generate cultivator token'
      uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0-beta.2
      id: generate-token
      with:
        app-id: "${{ secrets.EDERA_CULTIVATION_APP_ID }}"
        private-key: "${{ secrets.EDERA_CULTIVATION_APP_PRIVATE_KEY }}"
      if: ${{ github.event.inputs.release-tag != '' }}

    - name: 'upload release artifacts'
      run: ./hack/ci/upload-release-assets.sh
      env:
        GITHUB_TOKEN: "${{ steps.generate-token.outputs.token }}"
        RELEASE_TAG: "${{ github.event.inputs.release-tag }}"
      if: ${{ github.event.inputs.release-tag != '' }}

    - name: 'mark release as published'
      run: gh release edit "${RELEASE_TAG}" --draft=false --verify-tag
      env:
        GITHUB_TOKEN: "${{ steps.generate-token.outputs.token }}"
        RELEASE_TAG: "${{ github.event.inputs.release-tag }}"
      if: ${{ github.event.inputs.release-tag != '' }}