name: Create Release

on:
  workflow_dispatch:
    inputs:
      version:
        description: 'version to release, e.g. v1.5.13'
        required: true
        default: 'v0.1.0'
      source_ref:
        description: 'source ref to publish from. E.g.: main'
        required: true
        default: 'main'

env:
  IMAGE_NAME: ghcr.io/${{ github.repository }}

permissions:
  contents: read

jobs:
  check-docs-for-release:
    name: Check Docs for release
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
        with:
          egress-policy: audit

      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
          ref: ${{ github.event.inputs.source_ref }}
      - name: check-docs
        env:
          DOCS_VERSION: ${{ github.event.inputs.version }}
        run: |
          make docs.check
  release:
    name: Create Release
    runs-on: ubuntu-latest
    permissions:
      contents: write # to create a release and push new docs
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
        with:
          egress-policy: audit

      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
          ref: ${{ github.event.inputs.source_ref }}

      - name: Create Release
        uses: softprops/action-gh-release@6da8fa9354ddfdc4aeace5fc48d7f679b5214090 # v2.4.1
        with:
          tag_name: ${{ github.event.inputs.version }}
          target_commitish: ${{ github.event.inputs.source_ref }}
          generate_release_notes: true
          body: |
            Image: `${{ env.IMAGE_NAME }}:${{ github.event.inputs.version }}`
            Image: `${{ env.IMAGE_NAME }}:${{ github.event.inputs.version }}-ubi`
            Image: `${{ env.IMAGE_NAME }}:${{ github.event.inputs.version }}-ubi-boringssl`
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

      - name: Configure Git
        run: |
          git config user.name "$GITHUB_ACTOR"
          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"

      - name: Update Docs
        if: github.ref == 'refs/heads/main'
        env:
          DOCS_VERSION: ${{ github.event.inputs.version }}
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
        run: make docs.publish DOCS_ALIAS=latest

  promote:
    name: Promote Container Image
    runs-on: ubuntu-latest
    strategy:
      matrix:
        include:
        - tag_suffix: "" # distroless image
        - tag_suffix: "-ubi" # ubi image
        - tag_suffix: "-ubi-boringssl" # ubi image

    permissions:
      contents: write #to update the github release
      id-token: write #for keyless sign
      packages: write #to update packages with added SBOMs.

    env:
      SOURCE_TAG: ${{ github.event.inputs.source_ref }}${{ matrix.tag_suffix }}
      RELEASE_TAG: ${{ github.event.inputs.version }}${{ matrix.tag_suffix }}

    steps:
      - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
        with:
          egress-policy: audit
      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0

      - name: Setup Go
        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        id: setup-go
        with:
          go-version-file: "go.mod"

      - name: Download Go modules
        if: ${{ steps.setup-go.outputs.cache-hit != 'true' }}
        run: go mod download

      - name: Login to Docker
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Promote Container Image
        run: make docker.promote

      - name: Build release manifests
        env:
          RELEASE_VERSION: ${{ github.event.inputs.version }}
        run: |
          # temporarily patch the version so we generate manifests with the new version
          yq e -i ".version = \"$RELEASE_VERSION\"" ./deploy/charts/external-secrets/Chart.yaml
          yq e -i ".appVersion = \"$RELEASE_VERSION\"" ./deploy/charts/external-secrets/Chart.yaml
          make manifests

      - name: Sign promoted image
        id: sign
        uses: ./.github/actions/sign
        with:
          image-name: ${{ env.IMAGE_NAME }}
          image-tag: ${{ env.RELEASE_TAG }}

      - name: Update Release
        uses: softprops/action-gh-release@6da8fa9354ddfdc4aeace5fc48d7f679b5214090 # v2.4.1
        with:
          tag_name: ${{ github.event.inputs.version }}
          files: |
            provenance.${{ env.RELEASE_TAG }}.intoto.jsonl
            sbom.${{ env.RELEASE_TAG }}.spdx.json
            bin/deploy/manifests/external-secrets.yaml
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"