name: Create Release for Render

on:
  workflow_dispatch:
    inputs:
      version:
        description: 'version to release, e.g. v0.1.0-render'
        required: true
        default: 'v0.1.0-render'
      source_ref:
        description: 'source ref to publish from. E.g.: main or release-x.y'
        required: true
        default: 'main'

jobs:
  release:
    name: Create Release for Render
    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
          ref: ${{ github.event.inputs.source_ref }}

      - name: Setup Go
        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        id: setup-go
        with:
          go-version-file: "go.mod"

      - name: Download Go modules
        if: ${{ steps.setup-go.outputs.cache-hit != 'true' }}
        run: go mod download

      - name: Install Syft
        uses: anchore/sbom-action/download-syft@v0.7.0

      - name: Import GPG key
        id: import_gpg
        uses: crazy-max/ghaction-import-gpg@v6
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.GPG_PASSPHRASE }}

      - name: Check if Tag Exists
        id: check_tag
        run: |
          if git rev-parse "${{ github.event.inputs.version }}" >/dev/null 2>&1; then
            echo "Tag exists."
            exit 1
          fi

      - name: Create Tag if Not Exists
        if: success()
        run: |
          TAG="${{ github.event.inputs.version }}"
          git tag $TAG
          git push origin $TAG

      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v6.1.0
        with:
          version: '~> v2'
          args: release --clean
          workdir: cmd/render
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GORELEASER_CURRENT_TAG: ${{ github.event.inputs.version }}
          GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}