goreleaser/.github/workflows/release.yml

name: release

on:
  push:
    branches:
      - "main"
    tags:
      - "v*"

permissions:
  contents: write
  id-token: write
  packages: write

jobs:
  trigger-generate:
    runs-on: ubuntu-latest
    needs: [goreleaser]
    steps:
      - uses: benc-uk/workflow-dispatch@v1.2.3
        if: startsWith(github.ref, 'refs/tags/v')
        with:
          repo: goreleaser/goreleaser
          ref: main
          token: ${{ secrets.GH_PAT }}
          workflow: generate.yml
  notify-goreleaser-cross:
    runs-on: ubuntu-latest
    needs: [trigger-generate]
    steps:
      - name: get version
        if: startsWith(github.ref, 'refs/tags/v')
        run: echo "RELEASE_TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
      - name: notify goreleaser-cross with new release
        if: startsWith(github.ref, 'refs/tags/v')
        uses: benc-uk/workflow-dispatch@v1.2.3
        with:
          token: ${{ secrets.GH_PAT }}
          repo: goreleaser/goreleaser-cross
          workflow: goreleaser-bump
          inputs: '{ "tag" : "${{ env.RELEASE_TAG }}" }'
  goreleaser-check-pkgs:
    runs-on: ubuntu-latest
    env:
      DOCKER_CLI_EXPERIMENTAL: "enabled"
    needs: [goreleaser]
    if: github.ref == 'refs/heads/main'
    strategy:
      matrix:
        format: [deb, rpm, apk]
    steps:
      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3
        with:
          fetch-depth: 0
      - uses: arduino/setup-task@b91d5d2c96a56797b48ac1e0e89220bf64044611 # v1
        with:
          version: 3.x
          repo-token: ${{ secrets.GITHUB_TOKEN }}
      - uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v2
      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
        with:
          path: |
            ./dist/*.deb
            ./dist/*.rpm
            ./dist/*.apk
          key: ${{ github.ref }}
      - run: task goreleaser:test:${{ matrix.format }}
  goreleaser:
    runs-on: ubuntu-latest
    env:
      DOCKER_CLI_EXPERIMENTAL: "enabled"
    steps:
      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3
        with:
          fetch-depth: 0
      - uses: arduino/setup-task@b91d5d2c96a56797b48ac1e0e89220bf64044611 # v1
        with:
          version: 3.x
          repo-token: ${{ secrets.GITHUB_TOKEN }}
      - uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v2
      - uses: docker/setup-buildx-action@2b51285047da1547ffb1b2203d8be4c0af6b1f20 # v3
      - name: setup-snapcraft
        # FIXME: the mkdirs are a hack for https://github.com/goreleaser/goreleaser/issues/1715
        run: |
          sudo apt-get update
          sudo apt-get -yq --no-install-suggests --no-install-recommends install snapcraft
          mkdir -p $HOME/.cache/snapcraft/download
          mkdir -p $HOME/.cache/snapcraft/stage-packages
      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v4
        with:
          go-version: stable
      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
        with:
          path: |
            ./dist/*.deb
            ./dist/*.rpm
            ./dist/*.apk
          key: ${{ github.ref }}
      - uses: sigstore/cosign-installer@v3.4.0
      - uses: anchore/sbom-action/download-syft@v0.15.9
      - uses: crazy-max/ghaction-upx@v3
        with:
          install-only: true
      - uses: cachix/install-nix-action@v26
        with:
          github_access_token: ${{ secrets.GITHUB_TOKEN }}
      - name: dockerhub-login
        if: startsWith(github.ref, 'refs/tags/v')
        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v2
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: ghcr-login
        if: startsWith(github.ref, 'refs/tags/v')
        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v2
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: snapcraft-login
        if: startsWith(github.ref, 'refs/tags/v')
        run: snapcraft login --with <(echo "${{ secrets.SNAPCRAFT_LOGIN }}")
      - name: goreleaser-release
        env:
          GITHUB_TOKEN: ${{ secrets.GH_PAT }}
          TWITTER_CONSUMER_KEY: ${{ secrets.TWITTER_CONSUMER_KEY }}
          TWITTER_CONSUMER_SECRET: ${{ secrets.TWITTER_CONSUMER_SECRET }}
          TWITTER_ACCESS_TOKEN: ${{ secrets.TWITTER_ACCESS_TOKEN }}
          TWITTER_ACCESS_TOKEN_SECRET: ${{ secrets.TWITTER_ACCESS_TOKEN_SECRET }}
          MASTODON_CLIENT_ID: ${{ secrets.MASTODON_CLIENT_ID }}
          MASTODON_CLIENT_SECRET: ${{ secrets.MASTODON_CLIENT_SECRET }}
          MASTODON_ACCESS_TOKEN: ${{ secrets.MASTODON_ACCESS_TOKEN }}
          COSIGN_PWD: ${{ secrets.COSIGN_PWD }}
          FURY_TOKEN: ${{ secrets.FURY_TOKEN }}
          DISCORD_WEBHOOK_ID: ${{ secrets.DISCORD_WEBHOOK_ID }}
          DISCORD_WEBHOOK_TOKEN: ${{ secrets.DISCORD_WEBHOOK_TOKEN }}
          AUR_KEY: ${{ secrets.AUR_KEY }}
        run: task goreleaser