name: Release
on:
  push:
    tags: ['2[0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]'] # yyyy-mm-dd
permissions:
  contents: read
jobs:
  create:
    permissions:
      # Required to create the release
      # and upload the release assets.
      contents: write
      # Required for Sigstore signing.
      id-token: write
    runs-on: ubuntu-latest
    env:
      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - uses: actions/checkout@v4.2.2
      - run: |
          gh release create "${GITHUB_REF_NAME}" \
            --generate-notes --latest --verify-tag \
            --repo "${GITHUB_REPOSITORY}"
          gh release download "${GITHUB_REF_NAME}" \
            --archive tar.gz \
            --repo "${GITHUB_REPOSITORY}"
          gh release download "${GITHUB_REF_NAME}" \
            --archive zip \
            --repo "${GITHUB_REPOSITORY}"
        shell: bash
      - uses: sigstore/gh-action-sigstore-python@v3.0.1
        with:
          # N.B. This is a whitespace-separated string!
          inputs: '*.tar.gz *.zip'
      - run: |
          gh release upload "${GITHUB_REF_NAME}" \
            *.tar.gz *.zip *.sigstore* \
            --repo "${GITHUB_REPOSITORY}"
        shell: bash
  create-bazel:
    needs: create
    uses: ./.github/workflows/release-bazel.yml
    with:
      tag_name: ${{ github.ref_name }}
    permissions:
      contents: write
      id-token: write
      attestations: write
    secrets:
      BCR_PUBLISH_TOKEN: ${{ secrets.BCR_PUBLISH_TOKEN }}