feat(findings): include 'event_triggers' in finding metadata (#233) #26

	name: goreleaser

	on:
	push:
	# run only against tags
	tags:
	- "v0.[0-9]+.[0-9]+"
	- "v1.[0-9]+.[0-9]+"

	env:
	GO_VERSION: 1.23
	GO_RELEASER_VERSION: v2.4.7

	permissions: {}

	jobs:
	goreleaser:
	runs-on: ubuntu-latest
	permissions:
	contents: write
	packages: write
	id-token: write
	steps:
	- uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
	with:
	egress-policy: audit
	- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
	with:
	fetch-depth: 0
	- name: Setup Go
	uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5
	with:
	go-version: ${{ env.GO_VERSION }}
	cache: false
	- uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
	- name: Login to GitHub Container Registry to allow cosign signature push
	run: echo "$DOCKER_PASSWORD" \| docker login ghcr.io --username "$DOCKER_USERNAME" --password-stdin
	env:
	DOCKER_USERNAME: ${{ github.actor }}
	DOCKER_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
	- name: Run GoReleaser
	uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0
	with:
	distribution: goreleaser
	version: ${{ env.GO_RELEASER_VERSION }} # Not pinnable by hash, nor does it verify its signature
	args: release --clean
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Provide feedback