ci: improve GitHub actions workflows

* execute integration tests
* publish artifacts from GH workflow
* sign docker images
* sign binaries

Author: PSanetra

.github/workflows/main.yaml

@@ -0,0 +1,75 @@
+name: Release
+on:
+  workflow_run:
+    workflows: ["Tests"]
+    branches: ["master", "main"]
+    types:
+      - completed
+permissions:
+  contents: write
+jobs:
+  version:
+    name: Gather version information
+    runs-on: ubuntu-latest
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    outputs:
+      latest_version: ${{ steps.latest_version.outputs.version }}
+      next_version: ${{ steps.next_version.outputs.version }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Latest version
+        id: latest_version
+        uses: PSanetra/git-semver-actions/latest@master
+      - name: Next version
+        id: next_version
+        uses: PSanetra/git-semver-actions/next@master
+  draft_release:
+    name: Release
+    needs: version
+    if: ${{ needs.version.outputs.latest_version != needs.version.outputs.next_version }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Generate Changelog
+        id: generate_changelog
+        uses: PSanetra/git-semver-actions/markdown-log@master
+      - name: Create Release
+        id: create_release
+        uses: actions/create-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: v${{ needs.version.outputs.next_version }}
+          release_name: Release ${{ needs.version.outputs.next_version }}
+          body: |
+            ${{ steps.generate_changelog.outputs.changelog }}
+          draft: false # Tag must be published before gitreleaser is executed
+          prerelease: false
+  build_and_publish_artifacts:
+    name: Build and publish artifacts
+    needs: [version, draft_release]
+    if: ${{ needs.version.outputs.latest_version != needs.version.outputs.next_version }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: sigstore/cosign-installer@v3
+      - name: Login cosign to Docker Hub
+        run: |
+          echo '${{ secrets.DOCKER_PASSWORD }}' | cosign login ${{ vars.DOCKER_REGISTRY }} --username '${{ vars.DOCKER_USERNAME }}' --password-stdin
+      - uses: anchore/sbom-action/[email protected]
+      - uses: docker/setup-qemu-action@v3
+      - uses: docker/setup-buildx-action@v3
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          distribution: goreleaser
+          version: '~> v2'
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/release.yaml

@@ -0,0 +1,29 @@
+name: Tests
+on:
+  push:
+    branches: ["master", "main"]
+  pull_request:
+    branches: ["master", "main"]
+jobs:
+  unit_tests:
+    name: Unit Tests
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '^1.24.1'
+      - run: go test ./...
+  integration_tests:
+    name: Integration Tests
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup Java
+        uses: actions/setup-java@v4
+        with:
+          java-version: '21'
+          distribution: 'temurin'
+          cache: 'maven'
+      - name: Run Tests
+        run: cd integration_tests && mvn verify

.github/workflows/tests.yaml

@@ -1,10 +1,5 @@
+version: 2
 project_name: git-semver
-before:
-  hooks:
-    # You may remove this if you don't use go modules.
-    - go mod tidy
-    # you may remove this if you don't need go generate
-    - go generate ./...
 builds:
   - main: ./cli/main.go
     goos:
@@ -19,17 +14,8 @@ builds:
     ignore:
       - goos: windows
         goarch: arm64
-checksum:
-  name_template: 'checksums.txt'
 snapshot:
   name_template: "{{ incpatch .Version }}-next"
-changelog:
-  skip: true
-release:
-  github:
-    owner: PSanetra
-    name: git-semver
-  mode: keep-existing
 dockers:
   - image_templates:
       - "psanetra/git-semver:latest"
@@ -41,7 +27,32 @@ dockers:
       - "--label=org.opencontainers.image.title={{ .ProjectName }}"
       - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
       - "--label=org.opencontainers.image.version={{ .Version }}"
-
+docker_signs:
+  - cmd: cosign
+    artifacts: all
+    args:
+      - "sign"
+      - "${artifact}"
+      - "--yes"
+checksum:
+  name_template: 'checksums.txt'
+signs:
+  - cmd: cosign
+    certificate: "${artifact}.pem"
+    artifacts: checksum
+    args:
+      - "sign-blob"
+      - "--output-certificate=${certificate}"
+      - "--output-signature=${signature}"
+      - "${artifact}"
+      - "--yes"
+changelog:
+  disable: true
+release:
+  github:
+    owner: PSanetra
+    name: git-semver
+  mode: keep-existing
 # modelines, feel free to remove those if you don't want/use them:
 # yaml-language-server: $schema=https://goreleaser.com/static/schema.json
 # vim: set ts=2 sw=2 tw=0 fo=cnqoj