name: Release

on:
  push:
    branches:
      - main
    tags:
      - '[0-9]+.[0-9]+.[0-9]+'
  workflow_dispatch:

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true # other running workflows get cancelled on the same branch

permissions: {} # purposefully empty by default at workflow level, explicitly overridden for specific jobs below

jobs:
  get-version:
    uses: ./.github/workflows/get-version.yml
    with: {}
    secrets: {}
    permissions:
      contents: read
  lint:
    uses: ./.github/workflows/lint.yml
    with: {}
    secrets: {}
    permissions:
      contents: read
  build:
    uses: ./.github/workflows/build.yml
    needs:
      - get-version
      - lint
    with:
      PUBLISH: true
      IMAGE_VERSION_TAG: ${{ needs.get-version.outputs.IMAGE_VERSION_TAG }}
    secrets: {}
    permissions:
      contents: read
      packages: write # to be able to push images to ghcr.io