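---
# Manually triggered release workflow for esoctl: validates that the requested
# tag does not already exist, creates and pushes it, then runs GoReleaser.
#
# Workflow inputs are untrusted text as far as the shell is concerned. Every
# `run:` step below receives them through `env:` and expands them as quoted
# shell variables instead of interpolating `${{ ... }}` directly into the
# script, so a crafted input cannot alter the command line.
name: Create Release for esoctl

on:
  workflow_dispatch:
    inputs:
      version:
        description: 'version to release, e.g. v0.1.0-esoctl'
        required: true
        default: 'v0.1.0-esoctl'
      source_ref:
        description: 'source ref to publish from. E.g.: main'
        required: true
        default: 'main'

# this is required for security check even though we immediately set it to
# write in the release job.
permissions:
  contents: read

jobs:
  release:
    name: Create Release for esoctl
    runs-on: ubuntu-latest
    permissions:
      contents: write  # for publishing the release
    steps:
      - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
        with:
          egress-policy: audit

      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          # Full history is fetched so tag operations below see every ref.
          fetch-depth: 0
          ref: ${{ github.event.inputs.source_ref }}

      - name: Setup Go
        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        id: setup-go
        with:
          go-version-file: "go.mod"

      - name: Download Go modules
        # Skipped when setup-go restored the module cache.
        if: ${{ steps.setup-go.outputs.cache-hit != 'true' }}
        run: go mod download

      - name: Install Syft
        uses: anchore/sbom-action/download-syft@da167eac915b4e86f08b264dbdbc867b61be6f0c # v0.20.5

      - name: Import GPG key
        id: import_gpg
        uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.GPG_PASSPHRASE }}

      - name: Check if Tag Exists
        id: check_tag
        # The input reaches the shell only as an environment variable; the
        # script never embeds a `${{ }}` expression.
        env:
          TAG: ${{ github.event.inputs.version }}
        run: |
          if git rev-parse "$TAG" >/dev/null 2>&1; then
            echo "Tag exists."
            exit 1
          fi

      - name: Create Tag if Not Exists
        if: success()
        env:
          TAG: ${{ github.event.inputs.version }}
        run: |
          # Quoted so a value containing whitespace or glob characters is
          # passed to git as a single argument.
          git tag "$TAG"
          git push origin "$TAG"

      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
        with:
          version: '~> v2'
          args: release --clean
          workdir: cmd/esoctl
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GORELEASER_CURRENT_TAG: ${{ github.event.inputs.version }}
          GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}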