Add release workflows mirroring cookie-guard setup

Miguel Medinilla · Miguel Medinilla · commit 7074f652023e · 2025-10-14T12:38:13.000+02:00
diff --git a/.github/actions/validate-semver/action.yml b/.github/actions/validate-semver/action.yml
@@ -0,0 +1,22 @@
+description: Validates a canonical semantic version (e.g., v1.2.3) with required leading 'v' using the semver.org regex.
+
+inputs:
+  version:
+    description: Canonical semantic version (e.g., v1.2.3 or v1.2.3-rc.1)
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Validate semantic version
+      shell: python
+      env:
+        VERSION: ${{ inputs.version }}
+      run: |
+        import os, re, sys
+        version = os.environ.get("VERSION", "").strip()
+        pattern = r'^v(?P<major>0|[1-9]\d*)\.(?P<minor>0|[1-9]\d*)\.(?P<patch>0|[1-9]\d*)(?:-(?P<prerelease>(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+(?P<buildmetadata>[0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$'
+        if not version or not re.fullmatch(pattern, version):
+          print(f"Error: '{version}' is not a valid canonical SemVer (must start with 'v', e.g., v1.2.3).", file=sys.stderr)
+          sys.exit(1)
+        print(f"Valid canonical SemVer: {version}")
diff --git a/.github/workflows/release-snapshot.yml b/.github/workflows/release-snapshot.yml
@@ -17,20 +17,20 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           fetch-depth: 0
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         with:
           go-version-file: go.mod
 
       - name: Run GoReleaser (snapshot)
-        uses: goreleaser/goreleaser-action@v6
+        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
         with:
           distribution: goreleaser
-          version: latest
-          args: release --snapshot --clean --skip-publish
+          version: "~> v2"
+          args: release --snapshot --clean --skip=publish
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,81 @@
+name: Release
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: "Version to release, e.g.: v0.1.0"
+        required: true
+        type: string
+
+concurrency:
+  group: release-${{ github.event.inputs.version }}
+  cancel-in-progress: false
+
+jobs:
+  validate-version:
+    name: Validate semantic version
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          sparse-checkout: .github/actions/validate-semver
+      - name: Validate semantic version
+        uses: ./.github/actions/validate-semver
+        with:
+          version: ${{ github.event.inputs.version }}
+
+  tests:
+    uses: ./.github/workflows/tests.yml
+
+  release:
+    name: Release
+    needs: [validate-version, tests]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          fetch-depth: 0
+      - name: Set up Go
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        with:
+          go-version-file: go.mod
+      - name: Set git identity
+        run: |
+          git config user.name "${{ github.actor }}"
+          git config user.email "${{ github.actor }}@users.noreply.github.com"
+      - name: Create local tag
+        run: |
+          V="${{ github.event.inputs.version }}"
+          if git rev-parse -q --verify "refs/tags/$V" >/dev/null; then
+            git tag -d "$V"
+          fi
+          git tag -a "$V" -m "$V"
+      - name: Build artifacts only
+        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
+        with:
+          version: "~> v2"
+          args: release --skip=publish --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Push tag
+        run: |
+          V="${{ github.event.inputs.version }}"
+          if git ls-remote --tags origin | grep -qx ".*refs/tags/$V"; then
+            echo "Tag $V already exists on origin. Aborting." >&2
+            exit 1
+          fi
+          git push origin "$V"
+      - name: Publish release
+        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
+        with:
+          version: "~> v2"
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -0,0 +1,20 @@
+name: Tests
+
+on:
+  workflow_call:
+
+permissions:
+  contents: read
+
+jobs:
+  go-test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - name: Set up Go
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        with:
+          go-version-file: go.mod
+      - name: Run go test
+        run: go test ./...
