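# Release workflow: publishes the package to the public npm registry when a
# version tag is pushed. Authentication uses npm trusted publishing (GitHub
# OIDC), so no long-lived NPM_TOKEN secret is stored in the repository. The
# trusted publisher entry configured on npmjs.com must name this workflow file.
name: release

on:
  push:
    tags:
      # Any pushed tag starting with "v" triggers a publish, so tag creation
      # rights on the repository are effectively publish rights.
      - 'v*'            # e.g. v1.6.7

# Workflow-wide default is read-only; the OIDC grant is scoped to the one job
# that publishes so any job added later does not inherit it.
permissions:
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    # Job-level permissions replace the workflow default, so contents: read is
    # repeated here for the checkout step.
    permissions:
      contents: read
      id-token: write   # required for OIDC trusted publishing
    steps:
      # NOTE(review): version tags on actions are mutable; pinning each `uses:`
      # to a full commit SHA keeps a retagged action out of this release job.
      - uses: actions/checkout@v4
        with:
          # Do not leave the GITHUB_TOKEN in .git/config while install and
          # build scripts run.
          persist-credentials: false

      - uses: actions/setup-node@v4
        with:
          node-version: '22'
          registry-url: 'https://registry.npmjs.org'

      # Trusted publishing needs npm 11.5.1 or later; Node 22 bundles an npm
      # 10.x release, which cannot perform the OIDC exchange.
      - name: Update npm
        run: npm install -g 'npm@^11.5.1'

      # Dependency lifecycle scripts run in a job that can request an OIDC
      # token, so the lockfile is part of the release trust boundary.
      - run: npm ci
      - run: npm run -s build
      - run: npm test --silent

      # npm trusted publishing uses GitHub's OIDC identity, so no NPM_TOKEN is required
      - name: Publish
        run: npm publish --provenance --access public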
