.github/workflows/release.yml

---
# This workflow uses actions that are not certified by GitHub. They are provided
# by a third-party and are governed by separate terms of service, privacy
# policy, and support documentation.

name: Release
on:
  push:
    tags:
      - '*'

permissions: read-all

jobs:
  release_job:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    name: GoReleaser
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
        with:
          egress-policy: audit

      - name: Checkout Source
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          fetch-depth: 0

      - name: Install Go
        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
        with:
          go-version: '>= 1.21'
          cache: true

      - name: Import GPG Signing Key
        uses: crazy-max/ghaction-import-gpg@82a020f1f7f605c65dd2449b392a52c3fcfef7ef # v6.0.0
        id: import_gpg
        with:
          gpg_private_key: ${{ secrets.GPG_KEY_B64 }}
          passphrase: ${{ secrets.GPG_PWD }}

      - name: GoReleaser Action
        uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
          GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
        with:
          distribution: goreleaser-pro
          version: latest
          args: release --clean