chore(release): publish full releases instead of drafts #3
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: release | |
| on: | |
| push: | |
| tags: | |
| - 'v[0-9]+.[0-9]+.[0-9]+*' # semver, optional pre-release suffix (v1.2.3-rc1) | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: false | |
| permissions: | |
| contents: read | |
| jobs: | |
| # Re-qualify from scratch on the tagged commit — the release does not assume | |
| # main was green. Same reusable flow the push/PR `test` workflow runs. | |
| qualify: | |
| uses: ./.github/workflows/qualify.yaml | |
| permissions: | |
| contents: read | |
| release: | |
| runs-on: ubuntu-latest | |
| needs: qualify | |
| permissions: | |
| contents: write # create the GitHub release | |
| id-token: write # keyless signing for build provenance | |
| attestations: write # actions/attest-build-provenance | |
| steps: | |
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| with: | |
| fetch-depth: 0 # full history for changelog | |
| persist-credentials: false | |
| - name: Read versions | |
| id: v | |
| run: | | |
| { | |
| echo "go=$(cat .go-version)" | |
| echo "goreleaser=$(yq -r '.build_tools.goreleaser' .settings.yaml)" | |
| echo "syft=$(yq -r '.security_tools.syft' .settings.yaml)" | |
| } >> "$GITHUB_OUTPUT" | |
| - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 | |
| with: | |
| go-version: "${{ steps.v.outputs.go }}" | |
| check-latest: true | |
| cache-dependency-path: go.sum | |
| # syft powers goreleaser's SBOM attachment (sboms: block). | |
| - name: Install syft | |
| run: | | |
| curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh \ | |
| | sh -s -- -b /usr/local/bin "${{ steps.v.outputs.syft }}" | |
| - name: Release | |
| id: goreleaser | |
| uses: goreleaser/goreleaser-action@f06c13b6b1a9625abc9e6e439d9c05a8f2190e94 # v7.2.3 | |
| with: | |
| version: "${{ steps.v.outputs.goreleaser }}" | |
| args: release --clean --timeout 10m | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| # Guarded Homebrew tap publish. skip_upload:auto in .goreleaser.yaml | |
| # skips prereleases and, when this key is absent, the cask upload too — | |
| # so the tap stays dormant until thingzio/homebrew-devradarctl exists | |
| # and this secret is set. | |
| HOMEBREW_DEPLOY_KEY: ${{ secrets.HOMEBREW_DEPLOY_KEY }} | |
| # SLSA build provenance over the released binaries. Keyless (Sigstore via | |
| # id-token), verifiable with `gh attestation verify <file> --repo <repo>`. | |
| - name: Attest build provenance | |
| uses: actions/attest-build-provenance@0f67c3f4856b2e3261c31976d6725780e5e4c373 # v4.1.1 | |
| with: | |
| subject-path: | | |
| dist/*.tar.gz | |
| dist/*_checksums.txt |