.github/workflows/cicd-release.yml

---
name: ♻️ Release

on:
  push:
    tags:
      - "*"

permissions: {}

jobs:
  release:
    name: Release
    runs-on: ubuntu-latest
    permissions:
      actions: read
      attestations: write
      contents: write
      id-token: write
      packages: write
    steps:
      - name: Checkout
        id: checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Install cosign
        id: install_cosign
        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0

      - name: Log in to GitHub Container Registry
        id: ghcr_login
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and Push
        id: build_and_push
        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
        with:
          push: true
          tags: ghcr.io/${{ github.repository }}:${{ github.ref_name }}

      - name: Sign
        id: sign
        shell: bash
        run: |
          cosign sign --yes ghcr.io/${{ github.repository }}@${{ steps.build_and_push.outputs.digest }}

      - name: Generate SBOM
        id: generate_sbom
        uses: anchore/sbom-action@fc46e51fd3cb168ffb36c6d1915723c47db58abb # v0.17.7
        with:
          image: ghcr.io/${{ github.repository }}:${{ github.ref_name }}
          format: cyclonedx-json
          output-file: "sbom.cyclonedx.json"

      - name: Attest
        uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4
        id: attest
        with:
          subject-name: ghcr.io/${{ github.repository }}
          subject-digest: ${{ steps.build_and_push.outputs.digest }}
          push-to-registry: true

      - name: Attest SBOM
        uses: actions/attest-sbom@5026d3663739160db546203eeaffa6aa1c51a4d6 # v1.4.1
        id: attest_sbom
        with:
          subject-name: ghcr.io/${{ github.repository }}
          subject-digest: ${{ steps.build_and_push.outputs.digest }}
          sbom-path: sbom.cyclonedx.json
          push-to-registry: true

      - name: cosign Verify
        id: cosign_verify
        shell: bash
        run: |
          cosign verify \
            --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
            --certificate-identity=https://github.com/${{ github.workflow_ref }} \
            ghcr.io/${{ github.repository }}@${{ steps.build_and_push.outputs.digest }}

      - name: GitHub Attestation Verify
        id: gh_attestation_verify
        shell: bash
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          gh attestation verify oci://ghcr.io/${{ github.repository }}:${{ github.ref_name }} --repo ${{ github.repository }}