.github/workflows/release-please.yml

name: Run Release Please

on:
  push:
    branches:
      - v8

jobs:
  go-versions:
    uses: ./.github/workflows/go-versions.yml

  release-please:
    runs-on: ubuntu-latest
    outputs:
      release_created: ${{ steps.release.outputs.release_created }}
      tag_name: ${{ steps.release.outputs.tag_name }}
    steps:
      - uses: googleapis/release-please-action@v4
        id: release
        with:
          token: ${{secrets.GITHUB_TOKEN}}

  release-relay:
    permissions:
      id-token: write # Needed to obtain Docker tokens
      contents: write # Needed to upload release artifacts
    outputs:
      hashes: ${{ steps.publish.outputs.hashes }}
      images_and_digests: ${{ steps.publish.outputs.images_and_digests }}
    needs: [ release-please, go-versions ]
    if: ${{ needs.release-please.outputs.release_created == 'true' }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - uses: launchdarkly/gh-actions/actions/release-secrets@release-secrets-v1.2.0
        name: 'Get Docker token'
        with:
          aws_assume_role: ${{ vars.AWS_ROLE_ARN }}
          ssm_parameter_pairs: '/global/services/docker/public/username = DOCKER_USERNAME, /global/services/docker/public/token = DOCKER_TOKEN'

      - name: Setup Go ${{ needs.go-versions.outputs.latest }}
        uses: actions/setup-go@v5
        with:
          go-version: ${{ needs.go-versions.outputs.latest }}

      - uses: ./.github/actions/unit-tests

      - uses: ./.github/actions/publish
        id: publish
        with:
          dry-run: 'false'
          token: ${{ secrets.GITHUB_TOKEN }}
          tag: ${{ needs.release-please.outputs.tag_name }}

  release-relay-binary-provenance:
    needs: ['release-please', 'release-relay']
    permissions:
      actions: read
      id-token: write
      contents: write
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
    with:
      base64-subjects: "${{ needs.release-relay.outputs.hashes }}"
      upload-assets: true
      upload-tag-name: ${{ needs.release-please.outputs.tag_name }}
      provenance-name: ${{ format('ld-relay-{0}_multiple_provenance.intoto.jsonl', needs.release-please.outputs.tag_name) }}

  release-relay-image-provenance:
    needs: ['release-please', 'release-relay']
    permissions:
      actions: read
      id-token: write
      packages: write
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
    strategy:
      matrix:
        images_and_digests: ${{fromJson(needs.release-relay.outputs.images_and_digests)}}
    with:
      image: ${{ matrix.images_and_digests.image }}
      digest: ${{ matrix.images_and_digests.digest }}
      registry-username: ${{ vars.DOCKER_USERNAME }}
    secrets:
      registry-password: ${{ secrets.DOCKER_TOKEN }}