Add workflow to publish go modules (#33335)

For #6994.

.github/workflows/publish-go-module.yml

@@ -0,0 +1,40 @@
+# Workflow to publish Fleet's go module github.com/fleetdm/fleet/v4 on every release.
+# It follows the instructions defined in https://go.dev/doc/modules/publishing.
+#
+# The workflow will be triggered when tagging v4.XX.YY
+# (which is performed on every release).
+name: Publish go module
+
+on:
+  push:
+    tags:
+      - "v4.*"
+
+defaults:
+  run:
+    # fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
+    shell: bash
+
+permissions:
+  contents: read
+
+jobs:
+  publish-go-module-list:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+
+      - name: Install Go
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        with:
+          go-version-file: 'go.mod'
+
+      - name: Publish go module
+        run: |
+          GOPROXY=proxy.golang.org go list -m github.com/fleetdm/fleet/v4@${{ github.ref_name }}

tools/release/publish_release.sh

@@ -501,6 +501,10 @@ tag() {
         git tag $next_tag
         git push origin $next_tag
 
+        # The v4.XX.YY tag is used for publishing Fleet's Go module (https://go.dev/doc/modules/publishing).
+        git tag $next_ver
+        git push origin $next_ver
+
         # This lets us wait for github actions to trigger
         # we are specifically waiting for goreleaser to start
         # off the `tag` branch ie: fleet-v4.47.2 to watch until it completes