logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102
							name: Create Release for esoctl

on:
  workflow_dispatch:
    inputs:
      version:
        description: 'version to release, e.g. v0.1.0-esoctl'
        required: true
        default: 'v0.1.0-esoctl'
      source_ref:
        description: 'source ref to publish from. E.g.: main'
        required: true
        default: 'main'

# this is required for security check even though we immediately set it to
# write in the release job.
permissions:
  contents: read

jobs:
  release:
    name: Create Release for esoctl
    runs-on: ubuntu-latest
    permissions:
      contents: write # for publishing the release
    steps:
      - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
        with:
          egress-policy: audit
      - name: Checkout
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 0

      - name: Resolve and validate ref
        id: resolve_ref
        run: |
          set -e
          # Try to fetch the ref from remote
          if git fetch origin "${{ github.event.inputs.source_ref }}"; then
            # Remote ref exists, use it
            RESOLVED_SHA=$(git rev-parse "origin/${{ github.event.inputs.source_ref }}")
          elif git rev-parse --verify "${{ github.event.inputs.source_ref }}" >/dev/null 2>&1; then
            # Local ref exists (e.g., a tag)
            RESOLVED_SHA=$(git rev-parse "${{ github.event.inputs.source_ref }}")
          else
            echo "Error: ref '${{ github.event.inputs.source_ref }}' not found"
            exit 1
          fi
          echo "Resolved to SHA: $RESOLVED_SHA"
          echo "sha=$RESOLVED_SHA" >> $GITHUB_OUTPUT

      - name: Checkout validated ref
        run: git checkout ${{ steps.resolve_ref.outputs.sha }}

      - name: Setup Go
        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
        id: setup-go
        with:
          go-version-file: "go.mod"

      - name: Download Go modules
        run: go mod download

      - name: Install Syft
        uses: anchore/sbom-action/download-syft@0b82b0b1a22399a1c542d4d656f70cd903571b5c # v0.21.1

      - name: Import GPG key
        id: import_gpg
        uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.GPG_PASSPHRASE }}

      - name: Check if Tag Exists
        id: check_tag
        env:
          VERSION: ${{ github.event.inputs.version }}
        run: |
          if git rev-parse "$VERSION" >/dev/null 2>&1; then
            echo "Tag exists."
            exit 1
          fi

      - name: Create Tag if Not Exists
        if: success()
        env:
          TAG: ${{ github.event.inputs.version }}
        run: |
          git tag $TAG
          git push origin $TAG

      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
        with:
          version: '~> v2'
          args: release --clean
          workdir: cmd/esoctl
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GORELEASER_CURRENT_TAG: ${{ github.event.inputs.version }}
          GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}