Bump prebuilts #1

	name: Publish to BCR

	on:
	push:
	tags:
	- "v..*"
	workflow_dispatch:
	inputs:
	release_tag:
	description: Release tag to publish to BCR, for example v0.0.1
	required: true
	type: string

	permissions:
	attestations: write
	contents: write
	id-token: write

	jobs:
	release_tag:
	runs-on: ubuntu-latest
	outputs:
	tag: ${{ steps.release_tag.outputs.tag }}
	steps:
	- name: Resolve release tag
	id: release_tag
	shell: bash
	run: \|
	set -euo pipefail

	if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
	tag="${{ inputs.release_tag }}"
	else
	tag="${GITHUB_REF_NAME}"
	fi

	if [[ ! "${tag}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+([-.].*)?$ ]]; then
	echo "Expected a release tag like v0.0.1, got '${tag}'" >&2
	exit 1
	fi

	echo "tag=${tag}" >> "${GITHUB_OUTPUT}"

	release:
	needs: release_tag
	uses: bazel-contrib/.github/.github/workflows/release_ruleset.yaml@v7.2.2
	with:
	release_files: codesign.bzl-*.tar.gz
	prerelease: false
	tag_name: ${{ needs.release_tag.outputs.tag }}

	publish:
	needs:
	- release_tag
	- release
	uses: ./.github/workflows/publish.yml
	with:
	tag_name: ${{ needs.release_tag.outputs.tag }}
	secrets:
	publish_token: ${{ secrets.BCR_PUBLISH_TOKEN }}

Provide feedback