name: Release New Version

on:
  push:
    tags: '[0-9]+.[0-9]?[0-9]?[0-9]?.?[0-9]+'

jobs:
  release:
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    runs-on: ubuntu-latest
    steps:
      - name: Collect artifacts
        run: |
          wget -q https://github.com/PrivateBin/PrivateBin/archive/refs/tags/${GITHUB_REF_NAME}.tar.gz
          wget -q https://github.com/PrivateBin/PrivateBin/archive/refs/tags/${GITHUB_REF_NAME}.zip

      - name: Generate hashes
        shell: bash
        id: hash
        run: echo "hashes=$(sha256sum ${GITHUB_REF_NAME} | base64 -w0)" >> "$GITHUB_OUTPUT"

  provenance:
    needs:
      - release
    permissions:
      actions: read
      id-token: write
      contents: write
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
    with:
      base64-subjects: "${{ needs.release.outputs.hashes }}"
      draft-release: true
      upload-assets: true