name: Create Release for esoctl on: workflow_dispatch: inputs: version: description: 'version to release, e.g. v0.1.0-esoctl' required: true default: 'v0.1.0-esoctl' source_ref: description: 'source ref to publish from. E.g.: main or release-x.y' required: true default: 'main' # this is required for security check even though we immediately set it to # write in the release job. permissions: contents: read jobs: release: name: Create Release for esoctl runs-on: ubuntu-latest permissions: contents: write # for publishing the release steps: - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 with: egress-policy: audit - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 ref: ${{ github.event.inputs.source_ref }} - name: Setup Go uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 id: setup-go with: go-version-file: "go.mod" - name: Download Go modules if: ${{ steps.setup-go.outputs.cache-hit != 'true' }} run: go mod download - name: Install Syft uses: anchore/sbom-action/download-syft@9f7302141466aa6482940f15371237e9d9f4c34a # v0.19.0 - name: Import GPG key id: import_gpg uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0 with: gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} passphrase: ${{ secrets.GPG_PASSPHRASE }} - name: Check if Tag Exists id: check_tag run: | if git rev-parse "${{ github.event.inputs.version }}" >/dev/null 2>&1; then echo "Tag exists." exit 1 fi - name: Create Tag if Not Exists if: success() run: | TAG="${{ github.event.inputs.version }}" git tag $TAG git push origin $TAG - name: Run GoReleaser uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0 with: version: '~> v2' args: release --clean workdir: cmd/esoctl env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GORELEASER_CURRENT_TAG: ${{ github.event.inputs.version }} GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}