name: Create Release

on:
  workflow_dispatch:
    inputs:
      version:
        description: 'version to release, e.g. v1.5.13'
        required: true
        default: 'v0.1.0'
      source_ref:
        description: 'source ref to publish from. E.g.: main'
        required: true
        default: 'main'

env:
  IMAGE_NAME: ghcr.io/${{ github.repository }}

permissions:
  contents: read

jobs:
  check-docs-for-release:
    name: Check Docs for release
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
        with:
          egress-policy: audit

      - name: Checkout
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
        with:
          fetch-depth: 0
          ref: ${{ github.event.inputs.source_ref }}
      - name: check-docs
        env:
          DOCS_VERSION: ${{ github.event.inputs.version }}
        run: |
          make docs.check
  release:
    name: Create Release
    runs-on: ubuntu-latest
    permissions:
      contents: write # to create a release and push new docs
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
        with:
          egress-policy: audit

      - name: Checkout
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
        with:
          fetch-depth: 0
          ref: ${{ github.event.inputs.source_ref }}

      - name: Create Release
        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
        with:
          tag_name: ${{ github.event.inputs.version }}
          target_commitish: ${{ github.event.inputs.source_ref }}
          generate_release_notes: true
          body: |
            Image: `${{ env.IMAGE_NAME }}:${{ github.event.inputs.version }}`
            Image: `${{ env.IMAGE_NAME }}:${{ github.event.inputs.version }}-ubi`
            Image: `${{ env.IMAGE_NAME }}:${{ github.event.inputs.version }}-ubi-boringssl`
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

      - name: Configure Git
        run: |
          git config user.name "$GITHUB_ACTOR"
          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"

      - name: Update Docs
        if: github.ref == 'refs/heads/main'
        env:
          DOCS_VERSION: ${{ github.event.inputs.version }}
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
        run: make docs.publish DOCS_ALIAS=latest

  promote:
    name: Promote Container Image
    runs-on: ubuntu-latest
    strategy:
      matrix:
        include:
        - tag_suffix: "" # distroless image
        - tag_suffix: "-ubi" # ubi image
        - tag_suffix: "-ubi-boringssl" # ubi image

    permissions:
      contents: write #to update the github release
      id-token: write #for keyless sign
      packages: write #to update packages with added SBOMs.

    env:
      SOURCE_TAG: ${{ github.event.inputs.source_ref }}${{ matrix.tag_suffix }}
      RELEASE_TAG: ${{ github.event.inputs.version }}${{ matrix.tag_suffix }}

    steps:
      - uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
        with:
          egress-policy: audit
      - name: Checkout
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
        with:
          fetch-depth: 0

      - name: Setup Go
        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
        id: setup-go
        with:
          go-version-file: "go.mod"

      - name: Download Go modules
        if: ${{ steps.setup-go.outputs.cache-hit != 'true' }}
        run: go mod download

      - name: Login to Docker
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Promote Container Image
        run: make docker.promote

      - name: Build release manifests
        env:
          RELEASE_VERSION: ${{ github.event.inputs.version }}
        run: |
          # temporarily patch the version so we generate manifests with the new version
          yq e -i ".version = \"$RELEASE_VERSION\"" ./deploy/charts/external-secrets/Chart.yaml
          yq e -i ".appVersion = \"$RELEASE_VERSION\"" ./deploy/charts/external-secrets/Chart.yaml
          make manifests

      - name: Sign promoted image
        id: sign
        uses: ./.github/actions/sign
        with:
          image-name: ${{ env.IMAGE_NAME }}
          image-tag: ${{ env.RELEASE_TAG }}

      - name: Update Release
        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
        with:
          tag_name: ${{ github.event.inputs.version }}
          files: |
            provenance.${{ env.RELEASE_TAG }}.intoto.jsonl
            sbom.${{ env.RELEASE_TAG }}.spdx.json
            bin/deploy/manifests/external-secrets.yaml
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"