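---
# Release workflow: builds release artifacts with GoReleaser, then produces
# SLSA level 3 provenance for them via the slsa-github-generator reusable
# workflow. The two jobs are linked only by the base64-encoded list of
# SHA-256 digests exposed as the build job's `hashes` output.
name: SLSA Release

on:
  release:
    types: [created]

# Default for every job is read-only; jobs opt in to the writes they need.
permissions: read-all

jobs:
  build:
    outputs:
      # base64(sha256sum output) for the files in dist/; these become the
      # provenance subjects.
      hashes: ${{ steps.hash.outputs.hashes }}
    permissions:
      # Write access so the token handed to GoReleaser can publish to the
      # release.
      contents: write
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): the actions below are referenced by mutable version
      # tags. Pinning each one to a full commit SHA would stop a moved tag
      # from changing what runs in a job that holds a write-scoped token.
      - uses: actions/checkout@v4
        with:
          # Full history and tags, not a shallow clone.
          fetch-depth: 0
          # NOTE(review): checkout keeps the job token in the local git
          # config by default. If nothing in .slsa-goreleaser.yaml pushes
          # over git, `persist-credentials: false` would narrow that
          # exposure; confirm against the GoReleaser config first.

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.26.2'

      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v6
        id: run-goreleaser
        with:
          distribution: goreleaser
          # NOTE(review): `latest` floats, so the release toolchain can
          # change between runs; an explicit version makes releases
          # repeatable and auditable.
          version: latest
          args: release --clean
          config: .slsa-goreleaser.yaml
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Generate hashes
        id: hash
        run: |
          # Fail the step on any error. Previously sha256sum ran inside the
          # command substitution of `echo`, so its failure was masked and an
          # empty or partial subject list could reach the provenance job.
          set -euo pipefail
          cd dist

          # Hash regular files only. `sha256sum *` errors on directories
          # (GoReleaser typically leaves per-target build directories in
          # dist/); it printed nothing for them, so the digest list is
          # unchanged, but the non-zero exit would now abort the step.
          # Everything else in dist/, including any metadata files, is
          # still covered exactly as before.
          files=()
          for f in *; do
            if [ -f "$f" ]; then
              files+=("$f")
            fi
          done

          # Refuse to emit provenance subjects for an empty build.
          if [ "${#files[@]}" -eq 0 ]; then
            echo "no files found in dist/ to hash" >&2
            exit 1
          fi

          hashes="$(sha256sum -- "${files[@]}" | base64 -w0)"
          echo "hashes=${hashes}" >> "$GITHUB_OUTPUT"

  provenance:
    needs: [build]
    permissions:
      # Read workflow run information.
      actions: read
      # Request the OIDC token used to sign the provenance.
      id-token: write
      # Upload the provenance file to the release.
      contents: write
    # Keep this reference on a version tag: the generator expects to be
    # called as @vX.Y.Z, so the commit-SHA pinning advice for ordinary
    # actions does not apply here.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
    with:
      base64-subjects: "${{ needs.build.outputs.hashes }}"
      upload-assets: true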