Github workflow for publishing to package repos

Author: tashian

.github/workflows/publish-packages.yml

@@ -0,0 +1,106 @@
+name: Publish to packages.smallstep.com
+
+# Independently publish packages to Red Hat (RPM) and Debian (DEB) repositories
+# without running a full release. Useful for:
+# - Re-importing packages after a failed/partial release
+# - Rebuilding packages from an existing tag
+#
+# Usage (CLI):
+#   gh workflow run publish-packages.yml -f tag=v0.28.0 -f mode=import-only
+#   gh workflow run publish-packages.yml -f tag=v0.28.0 -f mode=rebuild
+
+on:
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: |
+          Git tag to publish (e.g., v0.28.0).
+          Pre-release tags (-rc) are blocked.
+        required: true
+        type: string
+      mode:
+        description: |
+          import-only: Import existing packages from GCS (~30s)
+          rebuild: Build packages, upload to GCS, then import (~5-10min)
+        required: true
+        type: choice
+        options:
+          - import-only
+          - rebuild
+        default: import-only
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - name: Validate tag (block pre-releases)
+        run: |
+          if [[ "${{ inputs.tag }}" == *"-rc"* ]]; then
+            echo "::error::Pre-release tags (-rc) cannot be published to production repos"
+            exit 1
+          fi
+
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.tag }}
+          fetch-depth: 0
+
+      - name: Extract version
+        id: version
+        run: echo "version=${TAG#v}" >> $GITHUB_OUTPUT
+        env:
+          TAG: ${{ inputs.tag }}
+
+      - name: Authenticate to Google Cloud
+        uses: google-github-actions/auth@v2
+        with:
+          workload_identity_provider: ${{ secrets.GOOGLE_CLOUD_WORKLOAD_IDENTITY_PROVIDER }}
+          service_account: ${{ secrets.GOOGLE_CLOUD_GITHUB_SERVICE_ACCOUNT }}
+
+      - name: Set up Cloud SDK
+        uses: google-github-actions/setup-gcloud@v2
+        with:
+          project_id: ${{ secrets.GOOGLE_CLOUD_PACKAGES_PROJECT_ID }}
+
+      # === REBUILD MODE ONLY ===
+      - name: Set up Go
+        if: inputs.mode == 'rebuild'
+        uses: actions/setup-go@v5
+        with:
+          go-version: stable
+
+      - name: Write GPG key
+        if: inputs.mode == 'rebuild'
+        run: echo "${{ secrets.GPG_PRIVATE_KEY }}" > "$GPG_PRIVATE_KEY_FILE"
+        env:
+          GPG_PRIVATE_KEY_FILE: "0x889B19391F774443-Certify.key"
+
+      - name: Run GoReleaser (build packages only)
+        if: inputs.mode == 'rebuild'
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          distribution: goreleaser-pro
+          version: "~> v2"
+          args: release --clean --skip=announce,publish
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
+          NFPM_PASSPHRASE: ${{ secrets.GPG_PRIVATE_KEY_PASSWORD }}
+          GPG_PRIVATE_KEY_FILE: "0x889B19391F774443-Certify.key"
+
+      - name: Upload packages to GCS
+        if: inputs.mode == 'rebuild'
+        run: |
+          for pkg in dist/*.deb dist/*.rpm; do
+            ./scripts/package-upload.sh "$pkg" step-cli ${{ steps.version.outputs.version }}
+          done
+
+      # === BOTH MODES ===
+      - name: Import packages to Artifact Registry
+        run: ./scripts/package-repo-import.sh step-cli ${{ steps.version.outputs.version }}
+        env:
+          IS_PRERELEASE: 'false'