pre-release.yaml

name: Prerelease

on:
  push:
    tags:
      - 'v[0-9]+.[0-9]+.[0-9]+-rc[0-9]+'

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - name: build binaries
        env:
          CROSS: 1
          VERSION: ${{ github.ref_name }}
        run: |
          make build

      - name: package
        run: |
          make package

      - name: retrieve GPG Credentials
        uses: rancher-eio/read-vault-secrets@main
        with:
          secrets: |
            secret/data/github/repo/${{ github.repository }}/key/credentials passphrase | GPG_PASSPHRASE ;
            secret/data/github/repo/${{ github.repository }}/key/credentials key | GPG_KEY

      - name: sign SHASUM
        env:
          GPG_KEY: ${{ env.GPG_KEY }}
          GPG_PASSPHRASE: ${{ env.GPG_PASSPHRASE }}
        run: |
          echo "Importing gpg key"
          echo -n "$GPG_KEY" | base64 --decode | gpg --import --batch >/dev/null
          # Extract the key ID from the list of secret keys
          GPG_KEY_ID=$(gpg --list-secret-keys --with-colons | awk -F: '/^sec/ {print $5}')
          echo "Extracted GPG Key ID: $GPG_KEY_ID"
          # Automatically trust the key by creating a trust level entry for the key (ultimate trust)
          echo -e "$GPG_KEY_ID:6:" | gpg --import-ownertrust
          echo "signing SHASUM file"
          VERSION_NO_V=$(echo ${{ github.ref_name }} | sed "s/^[v|V]//")
          SHASUM_FILE=dist/artifacts/${{ github.ref_name }}/terraform-provider-rke_"$VERSION_NO_V"_SHA256SUMS
          echo "$GPG_PASSPHRASE" | gpg --detach-sig --pinentry-mode loopback --passphrase-fd 0 --default-key "$GPG_KEY_ID" --output "$SHASUM_FILE".sig --sign "$SHASUM_FILE"

      - name: GH release
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          gh release create ${{ github.ref_name }} --prerelease --verify-tag --generate-notes ./dist/artifacts/${{ github.ref_name }}/*