.github/workflows/release-please.yml

name: Run Release Please

on:
  push:
    branches:
      - main

jobs:
  release-package:
    runs-on: ubuntu-latest

    permissions:
      id-token: write # Needed if using OIDC to get release secrets.
      contents: write # Contents and pull-requests are for release-please to make releases.
      pull-requests: write
    outputs:
      release-created: ${{ steps.release.outputs.release_created }}
      upload-tag-name: ${{ steps.release.outputs.tag_name }}
      package-hashes: ${{ steps.ci.outputs.package-hashes }}

    steps:
      - uses: googleapis/release-please-action@v4
        id: release

      - uses: actions/checkout@v4
        with:
          fetch-depth: 0 # If you only need the current version keep this.

      #
      # This step runs and updates an existing PR
      #
      - uses: ./.github/actions/update-cabal
        if: ${{ steps.release.outputs.pr != '' }}
        with:
          branch: ${{ fromJSON(steps.release.outputs.pr).headBranchName }}

      #
      # These remaining steps are ONLY run if a release was actually created
      #
      - uses: launchdarkly/gh-actions/actions/release-secrets@release-secrets-v1.2.0
        name: 'Get Hackage token'
        if: ${{ steps.release.outputs.releases_created == 'true' }}
        with:
          aws_assume_role: ${{ vars.AWS_ROLE_ARN }}
          ssm_parameter_pairs: '/production/common/releasing/hackage/password = HACKAGE_TOKEN'

      - uses: ./.github/actions/setup-cache
        if: ${{ steps.release.outputs.releases_created == 'true' }}

      - uses: ./.github/actions/ci
        id: ci
        if: ${{ steps.release.outputs.releases_created == 'true' }}
        with:
          token: ${{secrets.GITHUB_TOKEN}}

      - uses: ./.github/actions/build-docs
        if: ${{ steps.release.outputs.releases_created == 'true' }}

      - uses: ./.github/actions/publish
        if: ${{ steps.release.outputs.releases_created == 'true' }}
        with:
          token: ${{ env.HACKAGE_TOKEN }}
          dry_run: 'false'

      - uses: ./.github/actions/publish-docs
        if: ${{ steps.release.outputs.releases_created == 'true' }}
        with:
          # If publishing somewhere else, then get the token from SSM. If you need both github,
          # and another token, then add more tokens to the composite action.
          token: ${{secrets.GITHUB_TOKEN}}

  release-provenance:
    needs: [ 'release-package' ]
    if: ${{ needs.release-package.outputs.release-created == 'true' }}
    permissions:
      actions: read
      id-token: write
      contents: write
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
    with:
      base64-subjects: "${{ needs.release-package.outputs.package-hashes }}"
      upload-assets: true
      upload-tag-name: ${{ needs.release-package.outputs.upload-tag-name }}