sprout/.github/workflows/release.yml

name: release

on:
  workflow_dispatch:
    inputs:
      release-tag:
        description: 'Release Tag'
        required: true
        type: string

permissions:
  contents: read # Needed to checkout the repository.

concurrency:
  group: "${{ github.workflow }}-${{ github.event.inputs.release-tag }}"
  cancel-in-progress: true

jobs:
  release:
    name: release
    permissions:
      contents: write # Needed to upload release assets.
      id-token: write # Needed for attestation.
      attestations: write # Needed for attestations.
    runs-on: ubuntu-latest
    steps:
    - name: harden runner
      uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
      with:
        egress-policy: audit

    - name: checkout
      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        persist-credentials: false

    - name: 'install rust toolchain'
      run: |
        cargo version

    - name: 'assemble release artifacts'
      run: ./hack/assemble.sh

    - name: 'attest release artifacts'
      uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
      with:
        subject-path: target/assemble/*

    - name: 'generate cultivator token'
      uses: actions/create-github-app-token@bf559f85448f9380bcfa2899dbdc01eb5b37be3a # v3.0.0-beta.2
      id: generate-token
      with:
        app-id: "${{ secrets.EDERA_CULTIVATION_APP_ID }}"
        private-key: "${{ secrets.EDERA_CULTIVATION_APP_PRIVATE_KEY }}"
      if: ${{ github.event.inputs.release-tag != '' }}

    - name: 'upload release artifacts'
      run: ./hack/ci/upload-release-assets.sh
      env:
        GITHUB_TOKEN: "${{ steps.generate-token.outputs.token }}"
        RELEASE_TAG: "${{ github.event.inputs.release-tag }}"
      if: ${{ github.event.inputs.release-tag != '' }}

    - name: 'mark release as published'
      run: gh release edit "${RELEASE_TAG}" --draft=false --verify-tag
      env:
        GITHUB_TOKEN: "${{ steps.generate-token.outputs.token }}"
        RELEASE_TAG: "${{ github.event.inputs.release-tag }}"
      if: ${{ github.event.inputs.release-tag != '' }}