helm-external-secrets/.github/workflows/release.yml

name: Create Release

on:
  workflow_dispatch:
    inputs:
      version:
        description: 'version to release, e.g. v1.5.13'
        required: true
        default: 'v0.1.0'

env:
  GHCR_USERNAME: ${{ secrets.GHCR_USERNAME }}
  GO_VERSION: '1.17'

jobs:
  release:
    name: Create Release
    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          fetch-depth: 0

      - name: Create Release
        uses: softprops/action-gh-release@v1
        with:
          tag_name: ${{ github.event.inputs.version }}
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

      - name: Build Changelog
        id: build_changelog
        uses: mikepenz/release-changelog-builder-action@v2
        with:
          configuration: "changelog.json"
          toTag: ${{ github.event.inputs.version }}
          commitMode: true
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: create changelog file
        env:
          VERSION: ${{ github.event.inputs.version }}
          CHANGELOG: ${{ steps.build_changelog.outputs.changelog }}
        run: |
          echo "Image: \`ghcr.io/${GITHUB_REPOSITORY}:${VERSION}\`" >> .changelog
          echo "${CHANGELOG}" >> .changelog

      - name: Update Release
        uses: softprops/action-gh-release@v1
        with:
          tag_name: ${{ github.event.inputs.version }}
          body_path: .changelog
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

      - name: Setup Go
        uses: actions/setup-go@v2
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Update Docs
        run: make docs.publish DOCS_VERSION=${{ github.event.inputs.version }} DOCS_ALIAS=latest
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

  promote:
    name: Promote Container Image
    runs-on: ubuntu-latest

    permissions:
      id-token: write
      contents: read

    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          fetch-depth: 0

      - name: Setup Go
        uses: actions/setup-go@v2
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Find the Go Cache
        id: go
        run: |
          echo "::set-output name=build-cache::$(go env GOCACHE)"
          echo "::set-output name=mod-cache::$(go env GOMODCACHE)"

      - name: Cache the Go Build Cache
        uses: actions/cache@v3
        with:
          path: ${{ steps.go.outputs.build-cache }}
          key: ${{ runner.os }}-build-publish-artifacts-${{ hashFiles('**/go.sum') }}
          restore-keys: ${{ runner.os }}-build-publish-artifacts-

      - name: Cache Go Dependencies
        uses: actions/cache@v3
        with:
          path: ${{ steps.go.outputs.mod-cache }}
          key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
          restore-keys: ${{ runner.os }}-pkg-

      - name: Login to Docker
        uses: docker/login-action@v1
        if: env.GHCR_USERNAME != ''
        with:
          registry: ghcr.io
          username: ${{ secrets.GHCR_USERNAME }}
          password: ${{ secrets.GHCR_TOKEN }}

      - name: Promote Container Image
        if: env.GHCR_USERNAME != ''
        run: make docker.promote
        env:
          RELEASE_TAG: ${{ github.event.inputs.version }}
          SOURCE_TAG: main

      - name: Set up crane
        if: env.GHCR_USERNAME != ''
        run: go install github.com/google/go-containerregistry/cmd/crane@v0.8.0

      - name: Install cosign
        if: env.GHCR_USERNAME != ''
        uses: sigstore/cosign-installer@main
        with:
          cosign-release: 'v1.6.0'

      - name: Sign Container Image
        if: env.GHCR_USERNAME != ''
        run: make docker.sign
        env:
          RELEASE_TAG: ${{ github.event.inputs.version }}
          SOURCE_TAG: main
          COSIGN_EXPERIMENTAL: 1