fix(releases): more reliable releases

- Consolidate release workflows into one
- Continue to use a scheduled check for new changes
- Also allow manual triggering of release creation

Signed-off-by: Dan Luhring <dluhring@chainguard.dev>

.github/workflows/release.yaml

@@ -1,13 +1,13 @@
-name: Create Release
+name: Release
 
 on:
-  push:
-    tags:
-      - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10
+  schedule:
+    - cron: '0 0 * * *' # daily at 00:00
+  workflow_dispatch:
 
 jobs:
-  cli:
-    name: Release the CLI
+  release:
+    name: Release
     runs-on: ubuntu-latest
 
     # https://docs.github.com/en/actions/reference/authentication-in-a-workflow
@@ -22,69 +22,51 @@ jobs:
 
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
+      - name: Check if any changes since last tag
+        id: check
+        run: |
+          git fetch --tags
+          if [ -z "$(git tag --points-at HEAD)" ]; then
+            echo "Nothing points at HEAD, so we need a new tag+release."
+            echo "need_release=yes" >> $GITHUB_OUTPUT
+          else
+            echo "A tag already points to head, no need for a new tag+release."
+            echo "need_release=no" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Bump version and push tag
+        uses: mathieudutour/github-tag-action@a22cf08638b34d5badda920f9daf6e72c477b07b # v6.2
+        if: steps.check.outputs.need_release == 'yes'
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+
       - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        if: steps.check.outputs.need_release == 'yes'
         with:
           go-version-file: './go.mod'
           check-latest: true
 
+      # Cosign is used by goreleaser to sign release artifacts.
       - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+        if: steps.check.outputs.need_release == 'yes'
 
       - uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0
+        if: steps.check.outputs.need_release == 'yes'
         with:
           version: latest
           install-only: true
 
       # Federate to create a token to authenticate with the homebrew-tap repository.
       - uses: octo-sts/action@6177b4481c00308b3839969c3eca88c96a91775f # v1.0.0
+        if: steps.check.outputs.need_release == 'yes'
         id: octo-sts
         with:
           scope: chainguard-dev/homebrew-tap
           identity: melange
 
       - name: Release
+        if: steps.check.outputs.need_release == 'yes'
         run: make release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           HOMEBREW_TAP_GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }}
-
-  ko-build:
-    name: Release melange image
-    runs-on: ubuntu-latest
-    needs:
-      - cli
-
-    # https://docs.github.com/en/actions/reference/authentication-in-a-workflow
-    permissions:
-      id-token: write
-      packages: write
-      contents: read
-
-    env:
-      KO_DOCKER_REPO: ghcr.io/${{ github.repository }}
-      COSIGN_YES: "true"
-
-    steps:
-      - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
-        with:
-          go-version-file: './go.mod'
-          check-latest: true
-
-      - uses: ko-build/setup-ko@3aebd0597dc1e9d1a26bcfdb7cbeb19c131d3037 # v0.7
-
-      - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
-
-      - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ github.token }}
-
-      - name: Publish/Sign melange image
-        run: |
-          make sign-image