Release #1

	name: Release

	on:
	release:
	types: [created]

	permissions:
	contents: read

	jobs:
	publish-image:
	if: ${{ startsWith(github.ref, 'refs/tags/v') }}
	name: Publish image
	runs-on: ubuntu-22.04

	permissions:
	id-token: write # This is the key for OIDC cosign!
	packages: write
	contents: read

	steps:
	- uses: actions/checkout@v4
	with:
	fetch-depth: 0

	- run: git fetch --force --tags

	- name: Set up Go
	uses: actions/setup-go@v4
	with:
	cache: false
	go-version-file: "go.mod"

	- name: Setup Cosgin
	uses: sigstore/cosign-installer@main
	with:
	cosign-release: "v2.2.0"

	- name: Setup Syft
	uses: anchore/sbom-action/[email protected]

	- name: Set up QEMU
	uses: docker/setup-qemu-action@v3

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v3

	- id: get_version
	run: \|
	RELEASE_VERSION=$(echo $GITHUB_REF \| sed -nE 's!refs/tags/!!p')
	echo "release_version=$RELEASE_VERSION" >> "$GITHUB_OUTPUT"
	echo "previous_tag=$(git describe --abbrev=0 --tags $(git rev-list --tags --skip=1 --max-count=1))" >> "$GITHUB_OUTPUT"

	- name: Login to ghcr.io
	uses: docker/login-action@v3
	with:
	registry: ghcr.io
	username: ${{ secrets.DOCKER_USERNAME }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- uses: "goreleaser/goreleaser-action@v5"
	with:
	args: release --clean
	env:
	GITHUB_TOKEN: ${{ secrets.GH_ACCESS_TOKEN }}
	GORELEASER_CURRENT_TAG: ${{ steps.get_version.outputs.release_version }}
	GORELEASER_PREVIOUS_TAG: ${{ steps.get_version.outputs.previous_tag }}

Provide feedback