name: Release

on:
  workflow_call:
    inputs:
      gpg_private_key:
        description: "GPG private key to sign releases"
        required: false
        type: string
    secrets:
      RELEASE_TOKEN:
        required: true
      GPG_PRIVATE_KEY:
        required: false
      PASSPHRASE:
        required: false
  push:
    tags:
      - "v*"

permissions: write-all

jobs:
  goreleaser:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
          lfs: true
          submodules: recursive

      - name: Set up Go
        uses: actions/setup-go@v4
        with:
          go-version: "1.21"
          cache: true

      - name: Import GPG key
        id: import_gpg
        uses: crazy-max/ghaction-import-gpg@v5
        if: inputs.gpg_private_key != ''
        with:
          gpg_private_key: ${{ inputs.gpg_private_key }}
          passphrase: ${{ secrets.PASSPHRASE }}

      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v4
        with:
          distribution: goreleaser
          version: latest
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
          GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}