chore: automated releases

Signed-off-by: Sam Gammon <sam@elide.ventures>

Author: sgammon

.github/workflows/release.yml

@@ -0,0 +1,109 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+permissions:
+  contents: write
+  id-token: write
+  attestations: write
+  packages: read
+
+jobs:
+  release:
+    name: "Release"
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
+      - name: "Setup: Checkout"
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          fetch-depth: 0
+
+      - name: "Setup: Node"
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        with:
+          node-version: 24
+
+      - name: "Setup: Bun"
+        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
+        with:
+          bun-version: latest
+
+      - name: "Setup: Cosign"
+        uses: sigstore/cosign-installer@f713795cb21599bc4e5c4b58cbad1da852d7eeb9 # v3.9.1
+
+      - name: "Setup: Install Dependencies"
+        run: bun install --frozen-lockfile
+
+      - name: "Build: Bundle"
+        run: bun run build
+
+      - name: "Build: Package Artifact"
+        run: |
+          TAG="${GITHUB_REF_NAME}"
+          mkdir -p artifacts
+          tar -czf "artifacts/setup-elide-${TAG}.tar.gz" \
+            action.yml \
+            dist/index.js \
+            dist/index.js.map \
+            package.json \
+            LICENSE
+          sha256sum "artifacts/setup-elide-${TAG}.tar.gz" > "artifacts/setup-elide-${TAG}.tar.gz.sha256"
+          echo "ARTIFACT=artifacts/setup-elide-${TAG}.tar.gz" >> "$GITHUB_ENV"
+          echo "ARTIFACT_SHA=artifacts/setup-elide-${TAG}.tar.gz.sha256" >> "$GITHUB_ENV"
+
+      - name: "SBOM: Generate"
+        uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
+        with:
+          path: .
+          format: spdx-json
+          output-file: artifacts/sbom.spdx.json
+
+      - name: "Sign: Cosign"
+        run: |
+          cosign sign-blob \
+            --yes \
+            --bundle "artifacts/setup-elide-${GITHUB_REF_NAME}.tar.gz.cosign-bundle" \
+            "$ARTIFACT"
+
+      - name: "Attest: Build Provenance"
+        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
+        with:
+          subject-path: ${{ env.ARTIFACT }}
+
+      - name: "Attest: SBOM"
+        uses: actions/attest-sbom@c604332985a26aa8cf1bdc465b92731239ec6b9e # v4.1.0
+        with:
+          subject-path: ${{ env.ARTIFACT }}
+          sbom-path: artifacts/sbom.spdx.json
+
+      - name: "Release: Create"
+        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
+        with:
+          generate_release_notes: true
+          make_latest: true
+          fail_on_unmatched_files: true
+          files: |
+            ${{ env.ARTIFACT }}
+            ${{ env.ARTIFACT_SHA }}
+            artifacts/sbom.spdx.json
+            artifacts/setup-elide-${{ github.ref_name }}.tar.gz.cosign-bundle
+
+      - name: "Release: Update Major Tag"
+        run: |
+          TAG="${GITHUB_REF_NAME}"
+          # Extract major version: v4.1.0 -> v4
+          MAJOR="${TAG%%.*}"
+          if [[ "$MAJOR" =~ ^v[0-9]+$ ]]; then
+            git tag -f "$MAJOR" "$TAG"
+            git push -f origin "$MAJOR"
+            echo "Updated major tag $MAJOR -> $TAG"
+          fi