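# Builds the project's wheels when a version tag is pushed, attaches them to a
# GitHub release and attests them with SLSA level-3 provenance via the
# slsa-github-generator reusable workflow.
#
# NOTE(review): the third-party actions below are referenced by mutable version
# tags. For a release pipeline that claims SLSA 3, pinning each one to a full
# commit SHA (`uses: owner/action@<commit-sha>  # vN`) removes the dependency
# on those tags not being moved; the generator itself is the exception, as its
# documentation asks for a release-tag reference — confirm against the README
# of the pinned generator version.
name: automated tagged release with slsa 3 compliance

# `on` looks like a YAML 1.1 boolean; GitHub's loader reads it as the trigger
# map, so the yamllint truthy check is suppressed for this line only.
on:  # yamllint disable-line rule:truthy
  push:
    tags:
      - 'v*'

jobs:
  # Builds the distribution files, exports their sha256 digests for the
  # provenance job and attaches the wheels to the release for the pushed tag.
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: write  # needed by the release step to attach assets
    outputs:
      # base64-encoded `sha256sum` output over everything in dist/; consumed
      # by the provenance job as the provenance subjects
      hashes: ${{ steps.hash.outputs.hashes }}

    steps:
      # Check out the commit the pushed tag points at (the default `github.ref`
      # for a tag push). Checking out `main` here instead would build, release
      # and attest whatever main's head happens to be at run time, which need
      # not be the tagged commit — the provenance would then describe source
      # the artifact was not actually built from.
      - name: checkout
        uses: actions/checkout@v3

      # NOTE(review): `base_ref_branch` feeds SURPLUS_BUILD_BRANCH below;
      # confirm it carries the value releaser.py expects on a tag push
      # (releaser.py is not shown here).
      - name: get branch name
        id: get-branch-name
        uses: tj-actions/branch-names@v7

      - name: install devbox
        uses: jetpack-io/devbox-install-action@v0.7.0

      - name: install dependencies
        run: devbox run poetry install

      - name: run releaser.py
        run: devbox run python releaser.py
        env:
          SURPLUS_BUILD_BRANCH: ${{ steps.get-branch-name.outputs.base_ref_branch }}

      - name: build project
        id: build
        run: devbox run poetry build

      # Provide a stable, version-independent wheel filename next to the
      # versioned one; both are hashed and released below.
      - name: duplicate non-versioned wheel
        run: cp dist/surplus-*.whl dist/surplus-latest-py3-none-any.whl

      # Subjects cover every file in dist/ (not only the wheels the release
      # step uploads). `-w0` keeps the base64 on one line, as required for a
      # single-line step output.
      - name: generate provenance subjects
        id: hash
        run: |
          cd dist
          HASHES=$(sha256sum * | base64 -w0)
          echo "hashes=$HASHES" >> "$GITHUB_OUTPUT"

      - uses: actions/upload-artifact@v3
        with:
          name: wheels
          path: dist/

      # The trigger already restricts runs to tag pushes; the condition is kept
      # as a guard against the trigger being widened later.
      - name: release
        uses: softprops/action-gh-release@v0.1.15
        if: startsWith(github.ref, 'refs/tags/')
        with:
          files: |
            dist/*.whl

  # Generates and uploads SLSA 3 provenance for the subjects hashed above.
  # `id-token: write` is required for the generator's OIDC-based signing and
  # `contents: write` for `upload-assets` to attach the provenance to the
  # release.
  provenance:
    needs: [build]
    permissions:
      actions: read
      id-token: write
      contents: write
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.6.0
    with:
      base64-subjects: "${{ needs.build.outputs.hashes }}"
      upload-assets: true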