proxsave/.github/workflows/release.yml at main · tis24dev/proxsave · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
name: Release

on:
  push:
    tags:
      - "v*"

jobs:
  release:
    # Esegui il job SOLO se il tag è creato direttamente (non da PR)
    # e comunque su un ref di tipo "tag"
    if: startsWith(github.ref, 'refs/tags/') && github.event.base_ref == ''

    runs-on: ubuntu-latest

    permissions:
      contents: write       # Per creare release GitHub
      id-token: write       # Necessario per OIDC / attestazioni
      attestations: write   # Necessario per actions/attest-build-provenance
      actions: read         # Necessario per leggere metadata del run

    steps:
      ########################################
      # CHECKOUT (fetch-depth 0 per changelog e GoReleaser)
      ########################################
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          fetch-depth: 0

      ########################################
      # VALIDAZIONE TAG
      ########################################
      - name: Validate SemVer tag
        run: |
          TAG="${GITHUB_REF#refs/tags/}"
          echo "Current tag: $TAG"
          if [[ ! "$TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z\.-]+)?$ ]]; then
            echo "❌ Tag '$TAG' is not a valid SemVer (expected vMAJOR.MINOR.PATCH or vMAJOR.MINOR.PATCH-rc1/beta1)"
            exit 1
          fi
          echo "✔ Tag '$TAG' is valid SemVer"

      ########################################
      # SETUP GO
      ########################################
      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version-file: 'go.mod'

      - name: Show Go version
        run: go version

      ########################################
      # VERIFICA MODULI
      ########################################
      - name: Verify Go modules
        run: go mod verify

      ########################################
      # INSTALL SYFT (per SBOM CycloneDX via GoReleaser)
      ########################################
      - name: Install Syft (for SBOM generation)
        uses: anchore/sbom-action/download-syft@v0
        with:
          syft-version: v1.19.0

      ########################################
      # GORELEASER
      ########################################
      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v7
        with:
          version: latest
          workdir: ${{ github.workspace }}
          args: release --clean --config .github/.goreleaser.yml
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      ########################################
      # ATTESTAZIONE PROVENIENZA BUILD
      ########################################
      - name: Attest Build Provenance
        uses: actions/attest-build-provenance@v4
        with:
          subject-path: build/proxsave_*