openssl/.github/workflows/make-release.yml

# Copyright 2021-2025 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

name: "Make release"

on:
  push:
    tags:
      - "openssl-*"

permissions: {}

jobs:
  release:
    runs-on: "releaser"
    steps:
    - name: "Checkout"
      uses: "actions/checkout@v6"
      with:
        fetch-depth: 1
        ref: ${{ github.ref_name }}
        github-server-url: "https://github.openssl.org/"
        repository: "openssl/openssl"
        token: ${{ secrets.GHE_TOKEN }}
        path: ${{ github.ref_name }}
        persist-credentials: false
    - name: "Prepare assets"
      env:
        SIGNING_KEY_UID: ${{ vars.signing_key_uid }}
      run: |
        cd "$GITHUB_REF_NAME"
        ./util/mktar.sh
        mkdir -p assets && mv "$GITHUB_REF_NAME.tar.gz" assets/ && cd assets
        openssl sha1 -r "$GITHUB_REF_NAME.tar.gz" > "$GITHUB_REF_NAME.tar.gz.sha1"
        openssl sha256 -r "$GITHUB_REF_NAME.tar.gz" > "$GITHUB_REF_NAME.tar.gz.sha256"
        gpg -u "$SIGNING_KEY_UID" -o "$GITHUB_REF_NAME.tar.gz.asc" -sba "$GITHUB_REF_NAME.tar.gz"
    - name: "Create release"
      env:
        GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
      run: |
        VERSION=$(echo "$GITHUB_REF_NAME" | cut -d "-" -f 2-)
        PRE_RELEASE=$([[ "$GITHUB_REF_NAME" =~ alpha|beta ]] && echo "-p" || echo "")
        NOTES=$(curl -s "https://api.openssl.org/release-metadata/news/?version=$VERSION&capture_title=False")
        gh release create "$GITHUB_REF_NAME" $PRE_RELEASE -t "OpenSSL $VERSION" -d --notes "$NOTES" -R "$GITHUB_REPOSITORY" "$GITHUB_REF_NAME/assets/"*