harden-runner/.github/workflows/release.yml

name: Release new action version
on:
  workflow_dispatch:
    inputs:
      TAG_NAME:
        description: 'Tag name that the major tag will point to'
        required: true

env:
  TAG_NAME: ${{ github.event.inputs.TAG_NAME || github.event.release.tag_name }}
defaults:
  run:
    shell: pwsh

permissions:  # added using https://github.com/step-security/secure-workflows
  contents: read

jobs:
  update_tag:
    name: Update the major tag to include the ${{ github.event.inputs.TAG_NAME || github.event.release.tag_name }} changes
    # Remember to configure the releaseNewActionVersion environment with required approvers in the repository settings
    environment:
      name: releaseNewActionVersion
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
    - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
      with:
        egress-policy: audit
        allowed-endpoints:
          api.github.com:443
          github.com:443

    - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
    - name: Update the rc tag
      uses: step-security/publish-action@b438f840875fdcb7d1de4fc3d1d30e86cf6acb5d
      with:
        source-tag: ${{ env.TAG_NAME }}
        rc: true

    - name: Canary test
      uses: docker://ghcr.io/step-security/integration-test/int:latest
      env:
        PAT: ${{ secrets.PAT }}
        canary: true

    - name: Update the ${{ env.TAG_NAME }} tag
      uses: step-security/publish-action@b438f840875fdcb7d1de4fc3d1d30e86cf6acb5d
      with:
        source-tag: ${{ env.TAG_NAME }}