terraform-provider-proxmox/.github/workflows/publish.yml

# This GitHub action can publish assets for release when a tag is created.
# Currently its setup to run on any tag that matches the pattern "v*" (ie. v0.1.0).
#
# This uses an action (crazy-max/ghaction-import-gpg) that assumes you set your
# private key in the `GPG_PRIVATE_KEY` secret and passphrase in the `PASSPHRASE`
# secret. If you would rather own your own GPG handling, please fork this action
# or use an alternative one for key handling.
#
name: Publish Release

on:
  push:
    tags:
      - "v*"

permissions:
  id-token: write
  contents: read
  attestations: write

jobs:
  goreleaser:
    runs-on: ubuntu-24.04
    steps:
      - name: Generate Short Lived OAuth App Token
        uses: actions/create-github-app-token@af35edadc00be37caa72ed9f3e6d5f7801bfdf09 # v1.11.7
        id: app-token
        with:
          app-id: "${{ secrets.BOT_APP_ID }}"
          private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}"
          owner: "${{ github.repository_owner }}"
          repositories: "${{ github.event.repository.name }}"

      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          fetch-depth: 0

      - name: Import GPG key
        id: import_gpg
        uses: crazy-max/ghaction-import-gpg@cb9bde2e2525e640591a934b1fd28eef1dcaf5e5 # v6.2.0
        with:
          gpg_private_key: "${{ secrets.GPG_PRIVATE_KEY }}"
          passphrase: "${{ secrets.PASSPHRASE }}"

      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@90a3faa9d0182683851fbfa97ca1a2cb983bfca3 # v6.2.1
        with:
          version: '~> v2'
          args: release --clean
        env:
          GPG_FINGERPRINT: "${{ steps.import_gpg.outputs.fingerprint }}"
          GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}"

      - name: Attest
        uses: actions/attest-build-provenance@v2
        with:
          subject-path: ./dist/*.zip
        env:
          GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}"