helm-external-secrets/.github/workflows/release.yml

name: Create Release

on:
  workflow_dispatch:
    inputs:
      version:
        description: 'version to release, e.g. v1.5.13'
        required: true
        default: 'v0.1.0'
      source_ref:
        description: 'source ref to publish from. E.g.: main'
        required: true
        default: 'main'

env:
  IMAGE_NAME: ghcr.io/${{ github.repository }}

permissions:
  contents: read

jobs:
  release:
    name: Create Release
    runs-on: ubuntu-latest
    permissions:
      contents: write # to create a release and push new docs
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
        with:
          egress-policy: audit

      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          persist-credentials: false

      - name: Resolve and validate ref
        id: resolve_ref
        env:
          SOURCE_REF: ${{ github.event.inputs.source_ref }}
        run: |
          set -e
          # Try to fetch the ref from remote
          if git fetch origin "$SOURCE_REF"; then
            # Remote ref exists, use it
            RESOLVED_SHA=$(git rev-parse "origin/$SOURCE_REF")
          elif git rev-parse --verify "$SOURCE_REF" >/dev/null 2>&1; then
            # Local ref exists (e.g., a tag)
            RESOLVED_SHA=$(git rev-parse "$SOURCE_REF")
          else
            echo "Error: ref '$SOURCE_REF' not found"
            exit 1
          fi
          echo "Resolved to SHA: $RESOLVED_SHA"
          echo "sha=$RESOLVED_SHA" >> $GITHUB_OUTPUT

      - name: Checkout validated ref
        env:
          RESOLVED_SHA: ${{ steps.resolve_ref.outputs.sha }}
        run: git checkout "$RESOLVED_SHA"

      - name: Create Release
        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
        with:
          tag_name: ${{ github.event.inputs.version }}
          target_commitish: ${{ github.event.inputs.source_ref }}
          generate_release_notes: true
          body: |
            Image: `${{ env.IMAGE_NAME }}:${{ github.event.inputs.version }}`
            Image: `${{ env.IMAGE_NAME }}:${{ github.event.inputs.version }}-ubi`
            Image: `${{ env.IMAGE_NAME }}:${{ github.event.inputs.version }}-ubi-boringssl`
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

      - name: Configure Git
        env:
          TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GH_REPO: ${{ github.repository }}
        run: |
          git config user.name "$GITHUB_ACTOR"
          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
          git remote set-url origin "https://x-access-token:${TOKEN}@github.com/${GH_REPO}.git"

      - name: Update Docs
        if: github.ref == 'refs/heads/main'
        env:
          DOCS_VERSION: ${{ github.event.inputs.version }}
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
        run: make docs.publish DOCS_ALIAS=latest

  promote:
    name: Promote Container Image
    runs-on: ubuntu-latest
    strategy:
      matrix:
        include:
        - tag_suffix: "" # distroless image
        - tag_suffix: "-ubi" # ubi image
        - tag_suffix: "-ubi-boringssl" # ubi image

    permissions:
      contents: write #to update the github release
      id-token: write #for keyless sign
      packages: write #to update packages with added SBOMs.

    env:
      SOURCE_TAG: ${{ github.event.inputs.source_ref }}${{ matrix.tag_suffix }}
      RELEASE_TAG: ${{ github.event.inputs.version }}${{ matrix.tag_suffix }}

    steps:
      - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
        with:
          egress-policy: audit
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          persist-credentials: false

      - name: Setup Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        id: setup-go
        with:
          go-version-file: "go.mod"
          cache: false

      - name: Download Go modules
        run: go mod download

      - name: Login to Docker
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Promote Container Image
        run: make docker.promote

      - name: Build release manifests
        env:
          RELEASE_VERSION: ${{ github.event.inputs.version }}
        run: |
          # temporarily patch the version so we generate manifests with the new version
          yq e -i ".version = \"$RELEASE_VERSION\"" ./deploy/charts/external-secrets/Chart.yaml
          yq e -i ".appVersion = \"$RELEASE_VERSION\"" ./deploy/charts/external-secrets/Chart.yaml
          make manifests

      - name: Sign promoted image
        id: sign
        uses: ./.github/actions/sign
        with:
          image-name: ${{ env.IMAGE_NAME }}
          image-tag: ${{ env.RELEASE_TAG }}

      - name: Update Release
        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
        with:
          tag_name: ${{ github.event.inputs.version }}
          files: |
            provenance.${{ env.RELEASE_TAG }}.intoto.jsonl
            sbom.${{ env.RELEASE_TAG }}.spdx.json
            bin/deploy/manifests/external-secrets.yaml
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"