harden-runner/.github/workflows/release.yml

name: Release new action version
on:
  workflow_dispatch:
    inputs:
      TAG_NAME:
        description: 'Tag name that the major tag will point to'
        required: true

env:
  TAG_NAME: ${{ github.event.inputs.TAG_NAME || github.event.release.tag_name }}
defaults:
  run:
    shell: pwsh

permissions:  # added using https://github.com/step-security/secure-workflows
  contents: read

jobs:
  update_tag:
    name: Update the major tag to include the ${{ github.event.inputs.TAG_NAME || github.event.release.tag_name }} changes
    # Remember to configure the releaseNewActionVersion environment with required approvers in the repository settings
    environment:
      name: releaseNewActionVersion
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
    - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
      with:
        egress-policy: audit
        allowed-endpoints:
          api.github.com:443
          github.com:443

    - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3
    - name: Update the rc tag
      uses: step-security/publish-action@b438f840875fdcb7d1de4fc3d1d30e86cf6acb5d
      with:
        source-tag: ${{ env.TAG_NAME }}
        rc: true

    - name: Canary test
      uses: docker://ghcr.io/step-security/integration-test/int:latest
      env:
        PAT: ${{ secrets.PAT }}
        canary: true

    - name: Update the ${{ env.TAG_NAME }} tag
      uses: step-security/publish-action@b438f840875fdcb7d1de4fc3d1d30e86cf6acb5d
      with:
        source-tag: ${{ env.TAG_NAME }}