@makkes
Created April 28, 2025 07:14
Go binary building with Azure Trusted Signing and SLSA provenance generation
name: release
on:
  push:
    tags:
      - "*"
  workflow_dispatch:
    inputs:
      tag:
        description: "release tag"
        required: true # Not referenced below: a manual run builds, signs and attests, but the release job only runs for tag refs.
permissions: read-all
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      id-token: write # Not used by this job's steps; signing happens in sign-win.
      contents: write # GITHUB_TOKEN is handed to `task build`; drop to read if the build publishes nothing.
      actions: read # To read workflow path.
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ github.ref }}
          fetch-depth: 0
      - name: Install GoReleaser
        uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
        with:
          install-only: true
      - name: Install Task
        uses: arduino/setup-task@b91d5d2c96a56797b48ac1e0e89220bf64044611 # v2.0.0
      - run: task build
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Upload artifacts
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: artifacts
          path: dist/*
          if-no-files-found: error
          retention-days: 5
  sign-win:
    needs: [build]
    runs-on: windows-latest
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    permissions:
      id-token: write # OIDC token for the federated Azure login below; no client secret is stored in the repository.
      contents: read
    environment: prod # The Entra federated credential should be scoped to this environment's OIDC subject claim.
    steps:
      - name: Download artifacts
        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
      - name: Azure login
        uses: azure/login@v2 # Floating major tag; the other actions are pinned to a commit SHA.
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - name: Sign files with Trusted Signing
        uses: azure/trusted-signing-action@v0 # Floating major tag; see above.
        with:
          # Disable every credential source except the Azure CLI session created by azure/login.
          exclude-environment-credential: true
          exclude-workload-identity-credential: true
          exclude-managed-identity-credential: true
          exclude-shared-token-cache-credential: true
          exclude-visual-studio-credential: true
          exclude-visual-studio-code-credential: true
          exclude-azure-cli-credential: false
          exclude-azure-powershell-credential: true
          exclude-azure-developer-cli-credential: true
          exclude-interactive-browser-credential: true
          endpoint: https://neu.codesigning.azure.net/
          trusted-signing-account-name: my-code-signing
          certificate-profile-name: code-signing
          files-folder: ${{ github.workspace }}\artifacts
          files-folder-filter: exe # Only the Windows executables are signed (in place); the other binaries pass through unsigned.
          file-digest: SHA256
          timestamp-rfc3161: http://timestamp.acs.microsoft.com
          timestamp-digest: SHA256
      - shell: bash # Log the post-signing digests.
        run: |
          cd artifacts
          sha256sum binary-*
      - id: hash # Hashed after signing, so the provenance subjects match the bytes that are released.
        shell: bash
        run: |
          echo "hashes=$(cd artifacts && sha256sum binary-* | base64 -w0)" >> "$GITHUB_OUTPUT"
      - run: ls -R
      - name: Upload artifacts
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: artifacts-signed
          path: "artifacts/*"
          if-no-files-found: error
          retention-days: 5
  provenance:
    needs: [sign-win]
    permissions:
      actions: read
      id-token: write
      contents: write
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
    with:
      base64-subjects: "${{ needs.sign-win.outputs.hashes }}"
      upload-assets: true
      private-repository: true # Required for private repositories: acknowledges that the provenance signature (and the repository name) is recorded in the public Sigstore transparency log.
  release:
    needs: [provenance]
    permissions:
      actions: read
      id-token: write # Not needed by the two steps below; contents: write is what the release upload uses.
      contents: write
    runs-on: ubuntu-latest
    if: startsWith(github.ref, 'refs/tags/')
    steps:
      - name: Download artifacts
        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
      - name: Upload assets
        uses: ncipollo/release-action@440c8c1cb0ed28b9f43e4d1d670870f059653174 # v1.16.0
        with:
          generateReleaseNotes: true
          artifacts: "artifacts-signed/binary-*"
          allowUpdates: true
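The `hash` step above base64-encodes `sha256sum` output for the generator's `base64-subjects` input, and the generator then attaches a `.intoto.jsonl` provenance whose subject list carries those same digests. The Go program below is an added example, not part of the gist and not code from slsa-github-generator: it parses that encoding, reads the subject list out of a DSSE envelope, and checks a downloaded release file against it. The envelope layout it assumes (`payloadType` of `application/vnd.in-toto+json`, a base64 in-toto Statement as `payload`, digests under `subject[].digest.sha256`) comes from the DSSE and in-toto specifications; `BuildSampleEnvelope` fabricates an unsigned envelope over constructed byte strings so the whole thing runs offline. It deliberately does not check the DSSE signature or the builder identity; that is what `slsa-verifier verify-artifact <file> --provenance-path <file>.intoto.jsonl --source-uri github.com/<owner>/<repo>` does, and this subject check belongs after that step, not instead of it.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// One line of the generator's *.intoto.jsonl is a DSSE envelope around an in-toto
// Statement. Signatures are not modelled here: checking them is slsa-verifier's job.
type dsseEnvelope struct {
	PayloadType string `json:"payloadType"`
	Payload     string `json:"payload"` // base64-encoded Statement
}
type statement struct {
	PredicateType string    `json:"predicateType"`
	Subject       []subject `json:"subject"`
}
type subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// sha256sum prints "<64 hex><space><space, or '*' in binary mode><name>" per file.
var sha256sumLine = regexp.MustCompile(`^([0-9a-fA-F]{64}) [ *](\S+)$`)

// ParseHashesOutput decodes the value the workflow passes as base64-subjects
// (`sha256sum binary-* | base64 -w0`) into name -> sha256, rejecting anything else.
func ParseHashesOutput(b64 string) (map[string]string, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(b64))
	if err != nil {
		return nil, fmt.Errorf("base64-subjects: %w", err)
	}
	out := map[string]string{}
	for _, line := range strings.Split(strings.TrimSpace(string(raw)), "\n") {
		m := sha256sumLine.FindStringSubmatch(line)
		if m == nil {
			return nil, fmt.Errorf("not a sha256sum line: %q", line)
		}
		out[m[2]] = strings.ToLower(m[1])
	}
	return out, nil
}

// SubjectsFromEnvelope pulls the subject digests out of a provenance envelope.
// It does NOT verify the DSSE signature or the builder identity; run slsa-verifier first.
func SubjectsFromEnvelope(envelopeJSON []byte) (map[string]string, error) {
	var env dsseEnvelope
	if err := json.Unmarshal(envelopeJSON, &env); err != nil || env.PayloadType != "application/vnd.in-toto+json" {
		return nil, fmt.Errorf("not a DSSE envelope with an in-toto payload (payloadType %q, err %v)", env.PayloadType, err)
	}
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	var st statement
	if err != nil || json.Unmarshal(payload, &st) != nil {
		return nil, fmt.Errorf("payload is not a base64-encoded in-toto Statement")
	}
	if !strings.HasPrefix(st.PredicateType, "https://slsa.dev/provenance/") {
		return nil, fmt.Errorf("not SLSA provenance: %q", st.PredicateType)
	}
	out := map[string]string{}
	for _, s := range st.Subject {
		d, ok := s.Digest["sha256"]
		if !ok {
			return nil, fmt.Errorf("subject %q has no sha256 digest", s.Name)
		}
		out[s.Name] = strings.ToLower(d)
	}
	return out, nil
}

// CheckArtifact is the consumer-side check on a downloaded release file.
func CheckArtifact(subjects map[string]string, name string, content []byte) error {
	want, ok := subjects[name]
	if !ok {
		return fmt.Errorf("%s: not a subject of this provenance", name)
	}
	sum := sha256.Sum256(content)
	if got := hex.EncodeToString(sum[:]); got != want {
		return fmt.Errorf("%s: sha256 %s does not match provenance %s", name, got, want)
	}
	return nil
}

// BuildSampleEnvelope makes an UNSIGNED envelope over constructed contents for offline use.
func BuildSampleEnvelope(files map[string][]byte) []byte {
	st := statement{PredicateType: "https://slsa.dev/provenance/v0.2"}
	for n, c := range files {
		sum := sha256.Sum256(c)
		st.Subject = append(st.Subject, subject{Name: n, Digest: map[string]string{"sha256": hex.EncodeToString(sum[:])}})
	}
	payload, _ := json.Marshal(st)
	env, _ := json.Marshal(dsseEnvelope{PayloadType: "application/vnd.in-toto+json", Payload: base64.StdEncoding.EncodeToString(payload)})
	return env
}
```

Two details worth noticing: the regex accepts the `*` that `sha256sum` prints before file names in binary mode (the default on Windows), which is what the `hash` step in this workflow produces under Git Bash, and the subject digests are hashed after Trusted Signing has rewritten the `.exe` files, so a consumer comparing a downloaded binary against the provenance sees the signed bytes.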