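---
# Release workflow: on a version tag, build a multi-arch container image,
# publish it to GHCR, and attach SBOM, signature and provenance metadata to it
# by digest. A downstream GitOps repository is then notified of the new image.
name: Release

on:
  push:
    tags:
      # Also matches pre-release tags such as v1.2.3-rc1; see the `latest` handling below.
      - 'v*.*.*'

# Least-privilege default for the whole workflow. The job below declares its
# own `permissions` block, which fully replaces this one, so none of the write
# scopes previously listed here were ever used by that job; any future job that
# needs more must request it explicitly.
permissions:
  contents: read

env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"

# NOTE(review): cancelling an in-progress release can abort a run after the image
# has been pushed but before it is signed/attested, leaving an unsigned tag in
# the registry. Re-running the workflow for the same tag repairs that state.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }}
  cancel-in-progress: true

jobs:
  publish-container:
    name: Build & Publish Container Image
    runs-on: ubuntu-latest
    # Only what the steps need: push to GHCR, mint an OIDC token for keyless
    # Cosign signing and provenance, and write attestations. Repository
    # contents are read-only — nothing in this job writes back to git.
    permissions:
      contents: read
      packages: write
      id-token: write
      attestations: write
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5
        with:
          # `audit` only logs egress. Once the audit log has been reviewed,
          # switch to `block` with an `allowed-endpoints` list so a compromised
          # build dependency cannot exfiltrate the OIDC token or registry login.
          egress-policy: audit

      - name: Free up disk space
        run: |
          sudo rm -rf /usr/share/dotnet
          sudo rm -rf /usr/local/lib/android
          sudo rm -rf /opt/ghc
          sudo rm -rf "/usr/local/share/boost"
          sudo rm -rf "$AGENT_TOOLSDIRECTORY" || true

      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
        with:
          # No step pushes to git, so do not leave GITHUB_TOKEN in .git/config,
          # where later steps — or the `context: .` build context, if .git is
          # not dockerignored — could read it.
          persist-credentials: false

      - name: Set up QEMU
        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f

      - name: Log in to GitHub Container Registry
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Image tags: `1.2.3`, `1.2` (semver, leading `v` stripped), the commit
      # SHA, and `latest`. `latest` is only moved for final releases — a
      # pre-release tag such as v1.2.3-rc1 still matches the trigger glob and
      # must not be advertised as `latest`.
      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804
        with:
          images: ghcr.io/coreason-ai/coreason-runtime
          tags: |
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=sha
            type=raw,value=latest,enable=${{ !contains(github.ref_name, '-') }}

      - name: Build and push Docker image
        id: build-and-push
        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f
        with:
          context: .
          push: true
          platforms: linux/amd64,linux/arm64
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      # Every step below addresses the image by the digest returned from the
      # push, never by a mutable tag, so a tag overwrite cannot redirect them.
      - name: Generate SBOM for Container
        uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610
        with:
          image: ghcr.io/coreason-ai/coreason-runtime@${{ steps.build-and-push.outputs.digest }}
          format: spdx-json
          output-file: sbom-container.spdx.json
          upload-release-assets: false

      - name: Install Cosign
        uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6

      # Keyless signing: the identity comes from the job's OIDC token
      # (`id-token: write`). This signs the multi-arch index digest; add
      # `--recursive` if consumers verify the per-platform manifests instead.
      - name: Sign the image with Cosign
        run: cosign sign --yes ghcr.io/coreason-ai/coreason-runtime@${{ steps.build-and-push.outputs.digest }}

      # The SBOM generated above was otherwise discarded at the end of the job
      # (no artifact upload, no attestation). Attach it to the image as a signed
      # in-toto attestation so consumers can fetch and verify it from the registry
      # with `cosign verify-attestation --type spdxjson`.
      - name: Attest the SBOM with Cosign
        run: >-
          cosign attest --yes
          --type spdxjson
          --predicate sbom-container.spdx.json
          ghcr.io/coreason-ai/coreason-runtime@${{ steps.build-and-push.outputs.digest }}

      - name: Generate SLSA Provenance for Container
        uses: actions/attest-build-provenance@db473fddc028af60658334401dc6fa3ffd8669fd
        with:
          subject-name: ghcr.io/coreason-ai/coreason-runtime
          subject-digest: ${{ steps.build-and-push.outputs.digest }}
          push-to-registry: true

      - name: Trigger GitOps Promotion
        env:
          GITOPS_PROMOTION_TOKEN: ${{ secrets.GITOPS_PROMOTION_TOKEN }}
          GHCR_PAT: ${{ secrets.GHCR_PAT }}
        # Skipped on forks / environments where neither secret is configured.
        if: env.GITOPS_PROMOTION_TOKEN != '' || env.GHCR_PAT != ''
        # TODO(security): pin to a commit SHA like every other action in this
        # workflow; a mutable major tag is the one unpinned link in this chain.
        uses: peter-evans/repository-dispatch@v3
        with:
          # NOTE(review): the GHCR_PAT fallback means a registry credential is
          # also trusted for cross-repo dispatch, which implies it is scoped more
          # broadly than a registry token needs to be. Prefer a token scoped only
          # to coreason-infrastructure (fine-grained PAT or GitHub App) and drop
          # the fallback once it is in place.
          token: ${{ secrets.GITOPS_PROMOTION_TOKEN || secrets.GHCR_PAT }}
          repository: CoReason-AI/coreason-infrastructure
          event-type: promote-image
          # `tag` keeps the raw git ref (e.g. v1.2.3) for consumer compatibility;
          # note that the pushed image tags are the semver form without the
          # leading `v`. The immutable, signed digest is included so the consumer
          # can pin the promotion to exactly what was signed and attested above.
          client-payload: '{"image": "coreason-runtime", "tag": "${{ github.ref_name }}", "digest": "${{ steps.build-and-push.outputs.digest }}"}'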