fix(bucket): apply object_lock_config via PATCH instead of POST #20
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: Release | |
| on: | |
| push: | |
| tags: | |
| - "v*" | |
| # Exclude Pulumi bridge tags (e.g. v2.22.3-pulumi.alpha) — those are | |
| # handled by pulumi-release.yml. | |
| - "!v*-pulumi*" | |
| permissions: | |
| contents: write | |
| id-token: write # Required for Cosign keyless signing via Sigstore | |
| jobs: | |
| # Gate: run full CI before releasing | |
| ci: | |
| name: CI Gate | |
| uses: ./.github/workflows/ci.yml | |
| release: | |
| name: Release | |
| needs: ci | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 # goreleaser needs full history for changelog | |
| - name: Setup Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: go.mod | |
| cache: true | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@v3 | |
| # GoReleaser's before-hook runs `go test ./internal/...`, which invokes | |
| # terraform-plugin-testing's resource.UnitTest — it auto-downloads | |
| # Terraform from releases.hashicorp.com and verifies the openpgp | |
| # signature. HashiCorp's release key expired (2026-04), breaking the | |
| # auto-installer. Pre-install Terraform via the official action instead. | |
| - name: Install Terraform | |
| uses: hashicorp/setup-terraform@v3 | |
| with: | |
| terraform_wrapper: false | |
| - name: Import GPG key | |
| id: import_gpg | |
| uses: crazy-max/ghaction-import-gpg@v6 | |
| with: | |
| gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} | |
| passphrase: ${{ secrets.GPG_PASSPHRASE }} | |
| - name: Run GoReleaser | |
| uses: goreleaser/goreleaser-action@v6 | |
| with: | |
| version: "~> v2" | |
| args: release --clean | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }} | |
| - name: Find checksums file | |
| id: checksums | |
| run: | | |
| CHECKSUM_FILE=$(ls dist/*_SHA256SUMS 2>/dev/null | head -1) | |
| if [ -z "$CHECKSUM_FILE" ]; then | |
| echo "::error::No SHA256SUMS file found in dist/" | |
| exit 1 | |
| fi | |
| echo "path=${CHECKSUM_FILE}" >> "$GITHUB_OUTPUT" | |
| echo "name=$(basename ${CHECKSUM_FILE})" >> "$GITHUB_OUTPUT" | |
| - name: Sign checksums with Cosign (keyless) | |
| run: | | |
| cosign sign-blob \ | |
| --yes \ | |
| --output-signature "${{ steps.checksums.outputs.path }}.cosign.sig" \ | |
| --output-certificate "${{ steps.checksums.outputs.path }}.cosign.pem" \ | |
| "${{ steps.checksums.outputs.path }}" | |
| - name: Upload Cosign signature to release | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| TAG: ${{ github.ref_name }} | |
| run: | | |
| gh release upload "${TAG}" \ | |
| "${{ steps.checksums.outputs.path }}.cosign.sig" \ | |
| "${{ steps.checksums.outputs.path }}.cosign.pem" | |
| - name: Verify Cosign signature | |
| run: | | |
| cosign verify-blob \ | |
| --signature "${{ steps.checksums.outputs.path }}.cosign.sig" \ | |
| --certificate "${{ steps.checksums.outputs.path }}.cosign.pem" \ | |
| --certificate-identity-regexp "https://github.com/numberly/terraform-provider-mica" \ | |
| --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ | |
| "${{ steps.checksums.outputs.path }}" | |
| - name: Update release badge | |
| uses: schneegans/dynamic-badges-action@v1.7.0 | |
| with: | |
| auth: ${{ secrets.GIST_TOKEN }} | |
| gistID: 59bd98f69a5ecbb7e643402fde956fed | |
| filename: release.json | |
| label: release | |
| message: ${{ github.ref_name }} | |
| color: blue |