From e82e64a0adc6a2b3e14d383d26f724b76439fb0a Mon Sep 17 00:00:00 2001
From: Mike Verbanic <verbanicm@google.com>
Date: Wed, 30 Oct 2024 08:59:07 -0400
Subject: [PATCH] fix: update relase workflows

---
 .github/workflows/publish.yml | 25 +++++++++++++++++++++++++
 .github/workflows/release.yml |  5 ++++-
 2 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/publish.yml

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 00000000..64566b62
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,25 @@
+name: 'Publish immutable action version'
+
+on:
+  workflow_dispatch:
+  release:
+    types:
+      - 'published'
+
+jobs:
+  publish:
+    runs-on: 'ubuntu-latest'
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+      packages: 'write'
+
+    steps:
+      - name: 'Checkout'
+        uses: 'actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871' # ratchet:actions/checkout@v4
+
+      - name: 'Publish'
+        id: 'publish'
+        uses: 'actions/publish-immutable-action@4b1aa5c1cde5fedc80d52746c9546cb5560e5f53' # ratchet:actions/publish-immutable-action@v0.0.3
+        with:
+          github-token: '${{ secrets.GITHUB_TOKEN }}'
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 51066eb9..9e1da224 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -25,4 +25,7 @@ jobs:
     if: |-
       ${{ startsWith(github.event.head_commit.message, 'Release: v') }}
     name: 'Release'
-    uses: 'google-github-actions/.github/.github/workflows/release.yml@v0'
+    uses: 'google-github-actions/.github/.github/workflows/release.yml@v1' # ratchet:exclude
+    # secrets must be explicitly passed to reusable workflows https://docs.github.com/en/enterprise-cloud@latest/actions/using-workflows/reusing-workflows\#using-inputs-and-secrets-in-a-reusable-workflow
+    secrets:
+      ACTIONS_BOT_TOKEN: '${{ secrets.ACTIONS_BOT_TOKEN }}'