feat: add more checks and image publish

Signed-off-by: James Petersen <jpetersenames@gmail.com>

Author: found-it

.github/workflows/release-artifacts.yml

@@ -0,0 +1,105 @@
+name: Release Binaries and Images
+run-name: 'Release run by ${{ github.actor }}'
+
+on:
+  # Release unstable from HEAD on every merge
+  push:
+    branches:
+      - main
+
+  # Run manually to release unstable from HEAD
+  workflow_dispatch:
+    inputs:
+      protect_ref:
+        description: 'Edera Protect commit/branch/tag'
+        default: ''
+
+  # Nightly build from HEAD
+  schedule:
+  - cron: "0 9 * * *"
+
+  # Official stable versioned release
+  release:
+    types:
+    - published
+
+permissions:
+  contents: read
+
+env:
+  GCP_REGION: us-central1
+  GCP_PROJECT: edera-protect
+  GCP_WORKLOAD_IDENTITY_PROVIDER: 'projects/914729349132/locations/global/workloadIdentityPools/prod-github-jr1s/providers/prod-github'
+  GCP_SERVICE_ACCOUNT: 'edera-dev-preflight-sa@edera-protect.iam.gserviceaccount.com'
+
+jobs:
+  # Implementing a gate like this isn't great since the workflow will still
+  # run on release events. Github Actions does not have a way to filter on
+  # tags for a release event yet so we are stuck with this. The other option
+  # was to use the push event and filter on tags but since we're using push
+  # events to publish unstable tags on main, it is cleaner to use release
+  # events to trigger a true release of stable artifacts.
+  release-gate:
+    name: 'Check if this is the correct GitHub release event'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    outputs:
+      should_run: ${{ steps.check.outputs.should_run }}
+    steps:
+    - name: Harden the runner (Audit all outbound calls)
+      uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+      with:
+        egress-policy: audit
+
+    - name: 'Check event'
+      id: check
+      run: |
+        echo "Since GitHub doesn't have a way to filter for specific tags in the release event we need to implement this dumb check"
+        run=true
+        if [[ '${{ github.event_name }}' == 'release' ]] && [[ '${{ github.ref_name }}' =~ 'protect-chart-*' ]]; then
+          run=false
+        fi
+        echo "Workflow should run: ${run}"
+        echo "should_run=${run}" >> ${GITHUB_OUTPUT}
+
+  oci:
+    name: 'Build and publish protect-${{ matrix.component }} images'
+    # Check if this is the proper release event.
+    # TODO: remove this when actions has a better answer
+    if: ${{ needs.release-gate.outputs.should_run == 'true' }}
+    needs: [release-gate]
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        component:
+        - preflight
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+
+    steps:
+    - name: 'Harden runner'
+      uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+      with:
+        egress-policy: audit
+
+    - name: 'Checkout repository'
+      uses: actions/checkout@6b42224f41ee5dfe5395e27c8b2746f1f9955030 # v4.2.0
+      with:
+        submodules: recursive
+        persist-credentials: false
+
+    - name: 'Build and sign protect-${{ matrix.component }} image'
+      uses: edera-dev/actions/build-and-sign-image@v0.0.3
+      with:
+        component: '${{ matrix.component }}'
+        event: '${{ github.event_name }}'
+        repositories: |
+          ghcr.io/edera-dev/protect-${{ matrix.component }}
+          ${{ env.GCP_REGION }}-docker.pkg.dev/${{ env.GCP_PROJECT }}/staging/protect-${{ matrix.component }}
+        gcp_region: '${{ env.GCP_REGION }}'
+        gcp_workload_identity_provider: '${{ env.GCP_WORKLOAD_IDENTITY_PROVIDER }}'
+        gcp_service_account: '${{ env.GCP_SERVICE_ACCOUNT }}'