# Publishes @denserai/embed-chat to npm when a GitHub Release is published.
#
# Auth uses npm OIDC Trusted Publishing — there is NO NPM_TOKEN secret.
# One-time setup required on npmjs.com:
#   Package @denserai/embed-chat -> Settings -> Trusted Publisher -> add a
#   GitHub Actions publisher with:
#     Organization/owner: denser-org
#     Repository:         embed-chat
#     Workflow filename:  publish.yaml
# See https://docs.npmjs.com/trusted-publishers

name: Publish

on:
  workflow_dispatch:
  release:
    types: [published]

permissions:
  contents: read
  id-token: write # required for npm OIDC trusted publishing

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Set up pnpm
        uses: pnpm/action-setup@v4
        with:
          version: 10

      - name: Use Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: 'pnpm'
          registry-url: 'https://registry.npmjs.org'
          scope: '@denserai'

      - name: Install dependencies
        run: |
          rm -rf node_modules
          pnpm install

      - name: Build
        run: pnpm build

      # OIDC trusted publishing requires npm >= 11.5.1 (newer than the npm
      # bundled with Node 22), so upgrade before publishing.
      - name: Ensure OIDC-capable npm
        run: npm install -g npm@latest

      - name: Publish 🚀
        run: npm publish --access public