add release workflows

Author: osterman

.github/workflows/release-branch.yml

@@ -0,0 +1,159 @@
+---
+name: release-branch
+on:
+  push:
+    branches:
+      - main
+      - release/**
+    paths-ignore:
+      - '.github/**'
+      - 'docs/**'
+      - 'examples/**'
+      - 'test/**'
+      - 'README.*'
+
+permissions:
+  contents: write
+  id-token: write
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  ci-codeowners:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - uses: mszostok/[email protected]
+        # Pull request from a fork
+        name: "Validate CODEOWNERS"
+        with:
+          checks: "syntax,duppatterns"
+          owner_checker_allow_unowned_patterns: "false"
+
+      - uses: mszostok/[email protected]
+        # Main branch / Pull request from the same repo
+        name: "Validate CODEOWNERS"
+        with:
+          # For now, remove "files" check to allow CODEOWNERS to specify non-existent
+          # files so we can use the same CODEOWNERS file for Terraform and non-Terraform repos
+          #   checks: "files,syntax,owners,duppatterns"
+          checks: "syntax,duppatterns"
+          owner_checker_allow_unowned_patterns: "false"
+
+  ci-readme:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Generate readme
+        shell: bash
+        run: |
+          if [ ! -f README.yaml ]; then
+            echo "Project does not have a README.yaml. Skipping..."
+            exit 0
+          fi
+
+          # A Makefile is required for build-harness and rebuilding the README.md from the README.yaml and rebuilding the README.md from the README.yaml and rebuilding the README.md from the README.yaml and rebuilding the README.md from the README.yaml
+          if [ ! -f Makefile ]; then
+            echo "Project does not have a Makefile";
+            exit 1
+          fi
+
+          make init
+          make readme/build
+
+      - name: Check readme
+        id: readme_diff
+        shell: bash
+        run: git diff --exit-code
+        continue-on-error: true
+
+      - name: Auto-update README.md for bot pull requests
+        id: auto_commit
+        if: |
+          steps.readme_diff.outcome == 'failure' && 
+          startsWith(github.ref, 'renovate/')
+        run: |
+          git config user.name 'github-actions[bot]'
+          git config user.email 'github-actions[bot]@users.noreply.github.com'
+          git commit -a -m "Auto-update README.md"
+          git push
+
+      - name: Status check
+        shell: bash
+        run: |
+          git diff --exit-code && success="true" || success="false"
+          if [ "$success" = "false" ]; then
+            echo "README.md is outdated. Please run the following commands locally and push the file:"
+            echo "  make init"
+            echo "  make readme"
+            exit 1
+          fi
+
+  release-controller:
+    runs-on: ubuntu-latest
+    needs: [ci-readme, ci-codeowners]
+    permissions:
+      # write permission is required to create a github release
+      contents: write
+      # write permission is required for autolabeler
+      # otherwise, read permission is required at least
+      pull-requests: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Fetch pull request for the given ref
+        id: get-pull-request
+        uses: 8BitJonny/[email protected]
+        with:
+          sha: ${{ github.sha }}
+
+      - name: Check duplicate
+        id: check-duplicate
+        run: |
+          latest_hash=$(git rev-parse ${{ github.ref_name }})
+          tags=$(git tag --contains "$latest_hash")
+          if [[ -n $tags ]]; then
+            echo "duplicate=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "duplicate=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Do release
+        if: steps.check-duplicate.outputs.duplicate == 'false'
+        id: release
+        uses: cloudposse/github-action-auto-release@v1
+        with:
+          prerelease: ${{ contains(steps.get-pull-request.outputs.pr_labels, 'prerelease') }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Verify release  # Workaround for https://github.com/release-drafter/release-drafter/issues/1313
+        if: steps.check-duplicate.outputs.duplicate == 'false'
+        shell: bash
+        run: |
+          echo 'Checking release id not empty: "${{ steps.release.outputs.id }}"'
+          ! test -z "${{ steps.release.outputs.id }}"
+
+  major-release-tagger:
+    runs-on: ubuntu-latest
+    needs: [release-controller]
+    steps:
+      - uses: cloudposse/github-action-major-release-tagger@v1
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+  release-branch-manager:
+    runs-on: ubuntu-latest
+    needs: [release-controller]
+    steps:
+      - uses: cloudposse/github-action-release-branch-manager@v1
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/release-published.yml

@@ -0,0 +1,12 @@
+name: Release
+
+on:
+  release:
+    types:
+      - published
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: cloudposse/github-action-major-release-tagger@v1