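# Release pipeline: on a pushed v* tag, run tests and lints, publish with
# GoReleaser, then attach SLSA provenance for the published artifacts.
name: Release

on:
  push:
    tags:
      - 'v*'

# Every job starts with a read-only token and opts in to anything more.
# The original granted contents/security-events/id-token write to all jobs,
# including the ones that only run tests and third-party lint actions.
# security-events: write is dropped because no job in this file uploads
# code-scanning results; grant it on the specific job if one is added.
permissions:
  contents: read

# NOTE(review): third-party actions below are referenced by mutable tags and
# the lint/release tools by `version: latest`. For a release pipeline, consider
# pinning actions to full commit SHAs and the tools to fixed versions. The
# SLSA generator is the exception: its reusable workflow is expected to be
# referenced by release tag.

jobs:
  validate:
    name: Validate Release
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          # Nothing in this job pushes; keep the token out of .git/config.
          persist-credentials: false

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.24'
          cache: true

      - name: Run tests
        run: go test -race ./...

      - name: Run lints
        uses: golangci/golangci-lint-action@v6
        with:
          version: latest

      - name: Validate GoReleaser config
        uses: goreleaser/goreleaser-action@v6
        with:
          version: latest
          args: check

  release:
    name: GoReleaser
    runs-on: ubuntu-latest
    needs: validate
    # NOTE(review): GoReleaser is handed secrets.GORELEASER_TOKEN below, so the
    # job's own token may only need contents: read; confirm and narrow.
    permissions:
      contents: write
    # Exposed so the provenance job can read needs.release.outputs.hashes.
    # The original declared no outputs, which left that expression empty.
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          persist-credentials: false

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.24'
          # Build release artifacts without a restored cache so a poisoned
          # cache entry cannot influence what gets published.
          cache: false

      - name: Run GoReleaser
        id: goreleaser
        uses: goreleaser/goreleaser-action@v6
        with:
          version: latest
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GORELEASER_TOKEN }}

      # Turns GoReleaser's checksum file into the base64 subject list the SLSA
      # generator expects. Assumes the GoReleaser config emits a single
      # checksums file (its default); verify against .goreleaser.yaml.
      - name: Compute provenance subjects
        id: hash
        env:
          # Passed through env rather than interpolated into the script.
          ARTIFACTS: ${{ steps.goreleaser.outputs.artifacts }}
        run: |
          set -euo pipefail
          checksum_file="$(jq -r '.[] | select(.type == "Checksum") | .path' <<<"$ARTIFACTS")"
          if [ -z "$checksum_file" ] || [ ! -f "$checksum_file" ]; then
            echo "::error::no single checksum file reported by GoReleaser"
            exit 1
          fi
          echo "hashes=$(base64 -w0 < "$checksum_file")" >> "$GITHUB_OUTPUT"

  provenance:
    name: Generate SLSA Provenance
    needs: release
    if: startsWith(github.ref, 'refs/tags/')
    # Only this job may mint an OIDC token and write release assets.
    permissions:
      actions: read    # Lets the generator read the calling workflow's details
      id-token: write  # For SLSA provenance
      contents: write  # Needed by upload-assets to attach to the release
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
    with:
      base64-subjects: "${{ needs.release.outputs.hashes }}"
      upload-assets: true
    # The original also passed a `registry-password` secret. That belongs to
    # the container generator; the generic generator used here is not expected
    # to declare it, so it is omitted (confirm against the pinned workflow).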