Add release bot (#10)

Author: bleggett

.github/workflows/release.yaml

@@ -0,0 +1,90 @@
+name: Release falco_plugin
+
+on:
+  # This workflow runs on every push to main to either open
+  # a PR or publish the release.
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read # Default token to read
+
+jobs:
+  release-plz-release:
+    if: ${{ github.repository_owner == 'edera-dev' }}
+    name: Release-plz release
+    runs-on: ubuntu-latest
+    environment: release  # Environment for trusted publishing
+    permissions:
+      contents: write # Needed to write release artifacts
+      id-token: write # Needed for trusted publishing
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@5d458579430fc14a04a08a1e7d3694f545e91ce6 # zizmor: ignore[stale-action-refs] -- pinned to stable branch
+
+      - name: generate cultivator token
+        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
+        id: generate-token
+        with:
+          app-id: "${{ secrets.EDERA_CULTIVATION_APP_ID }}"
+          private-key: "${{ secrets.EDERA_CULTIVATION_APP_PRIVATE_KEY }}"
+
+      - name: Run release-plz
+        uses: release-plz/action@d529f731ae3e89610ada96eda34e5c6ba3b12214 # v0.5
+        with:
+          command: release
+        env:
+          GITHUB_TOKEN: "${{ steps.generate-token.outputs.token }}"
+
+  release-plz-pr:
+    if: ${{ github.repository_owner == 'edera-dev' }}
+    name: Release-plz PR
+    runs-on: ubuntu-latest
+    environment: release  # Environment for trusted publishing
+    permissions:
+      contents: write      # Needed to write release artifacts
+      id-token: write      # Needed for trusted publishing
+      pull-requests: write # Needed to create pull requests
+    concurrency:
+      group: release-plz-${{ github.ref }}
+      cancel-in-progress: false
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@5d458579430fc14a04a08a1e7d3694f545e91ce6 # zizmor: ignore[stale-action-refs] -- pinned to stable branch
+
+      - name: generate cultivator token
+        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
+        id: generate-token
+        with:
+          app-id: "${{ secrets.EDERA_CULTIVATION_APP_ID }}"
+          private-key: "${{ secrets.EDERA_CULTIVATION_APP_PRIVATE_KEY }}"
+
+      - name: Run release-plz
+        uses: release-plz/action@d529f731ae3e89610ada96eda34e5c6ba3b12214 # v0.5
+        with:
+          command: release-pr
+        env:
+          GITHUB_TOKEN: "${{ steps.generate-token.outputs.token }}"

.release-plz.toml

@@ -0,0 +1,14 @@
+[workspace]
+pr_branch_prefix = "release/"
+pr_labels = ["release"]
+release_always = true
+git_release_enable = false
+git_tag_enable = false
+changelog_update = false
+
+[[package]]
+name = "falco_plugin"
+git_release_name = "v{{ version }}"
+git_tag_name = "v{{ version }}"
+git_tag_enable = true
+git_release_enable = true