smtpdane/.github/workflows/release.yaml at main · PennockTech/smtpdane · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
name: smtpdane tool release
on:
  push:
    tags:
      - 'v*'

# Control the GITHUB_TOKEN permissions; GitHub's docs on which permission scopes control what are a little lacking.
# By having this block, all permissions not listed here are set to none.
#
# <https://goreleaser.com/ci/actions/> documents which scopes are needed for it.
# Permissions assigned at job level.
permissions: {}

# Since invoking this workflow is for a release tag, and those should be
# immutable when pushed, I would prefer it if attempts to be concurrent could
# be a poison on the tag.  But failing that, the correct behavior is to cancel the previous run.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  goreleaser:
    name: GoReleaser Build
    runs-on: ubuntu-latest

    permissions:
      # Uploading archives as release artifacts is bundled into the contents: permission key!  (goreleaser documents as content: but it's contents:).
      # packages: is for pushing docker images to github (ghcr.io)
      # actions: is for uploading artifacts
      # Repeating in short-form below, so that zizmor sees that yes, we have supplied reasons.
      contents: write  # archives upload
      packages: write  # OCI image push
      actions: write   # artifacts upload

    steps:

      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # NB: the `fetch-depth: 0` setting is documented by goreleaser
          # as a requirement, for the changelog feature to work correctly.
          fetch-depth: 0
          # We don't need to work with the git remote after this, so:
          persist-credentials: false

      # If we had something suitable for a Docker image, here we would setup QEMU and BuildX

      - name: Set up Go
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version: 'stable'
          check-latest: true
          # We are producing a release artifact, so should accept the penalty
          # cost of uncached builds and avoid the risk of cache poisoning via
          # PRs.
          cache: false

      - name: Basic Go integrity checks
        run: |
          go vet ./...
          t="$(go list -m -retracted -f '{{if .Retracted}}::error file=go.mod::{{.Path}} is retracted{{end}}' all)"
          if [ ".$t" != "." ]; then printf '%s\n' "$t"; exit 1; fi

      - name: Version / Environment Reporting
        run: |
          ./build/show.versions

      - name: Run GoReleaser
        id: goreleaser
        uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
        with:
          distribution: goreleaser
          version: "~> v2"
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}