release.yml
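# Release workflow: builds and publishes a release with GoReleaser whenever a
# "v*" tag is pushed, after verifying the tagged commit is reachable from main.
name: release

on:
  push:
    tags:
      - "v*"

defaults:
  run:
    working-directory: ./v2

permissions:
  contents: read
  # PR write access is granted by dd-octo-sts-action. The job-level write permission is blocked at organization level
  # See trust policy in .github/chainguard/self.release.create-pr.sts.yml
  pull-requests: read

jobs:
  goreleaser:
    timeout-minutes: 120
    runs-on:
      group: Large Runner Shared Public
      labels: ubuntu-16-core-latest
    # A job-level permissions block replaces the workflow-level one for this
    # job, so the default GITHUB_TOKEN carries only id-token: write here.
    # NOTE(review): presumably the OIDC token is what the octo-sts step
    # exchanges for the scoped release token; confirm against the trust policy.
    permissions:
      id-token: write
    steps:
      # Egress is deny-by-default; only the endpoints listed below are
      # reachable from the runner for the remainder of the job.
      # TODO(review): record the release tag this SHA corresponds to, as the
      # other pinned actions in this file do.
      - name: Harden Runner
        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b
        with:
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            github.com:443
            goreleaser.com:443
            objects.githubusercontent.com:443
            proxy.golang.org:443
            storage.googleapis.com:443
            uploads.github.com:443
            release-assets.githubusercontent.com:443
            sum.golang.org:443
            *.actions.githubusercontent.com:443
            go.dev:443
            dl.google.com:443
            golang.org:443
            webhooks.build.datadoghq.com:443

      # Obtains the token later passed to GoReleaser as GITHUB_TOKEN.
      - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
        id: octo-sts
        with:
          scope: DataDog/stratus-red-team
          policy: self.release.create-pr

      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Full history is required for the ancestry check in the next step.
          fetch-depth: 0
          # No later step in this job authenticates through git, so do not
          # leave the job token in the checkout's git configuration.
          persist-credentials: false

      # Release gate: a tag pointing at a commit that is not reachable from
      # origin/main stops the job before any build or publish step runs.
      - name: Check if tag is on main branch
        # The SHA is read from the runner-provided GITHUB_SHA variable rather
        # than expanded into the script text with ${{ }}, so the script body
        # never contains workflow-context data.
        run: |
          if ! git merge-base --is-ancestor "$GITHUB_SHA" origin/main; then
            echo "::error::Tag does not reference a commit on main branch"
            exit 1
          fi

      - name: Set up Go
        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c
        with:
          # Quoted so the version stays a string instead of a YAML float.
          go-version: "1.23"

      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
        with:
          distribution: goreleaser
          version: "~> v2"
          args: release --clean --config ../.goreleaser.yaml --timeout 600m0s --verbose --parallelism 2
          workdir: ./v2
        env:
          GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }}  # Write permission is granted by the trust policy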