name: Publish to npm

on:
  push:
    tags:
      - "[0-9]+.[0-9]+.[0-9]+"

permissions:
  contents: read
  id-token: write

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Use Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 24
          registry-url: "https://registry.npmjs.org"

      - name: Verify tag matches package.json version
        run: node -e "const {version}=require('./package.json'); const tag=process.env.GITHUB_REF_NAME; if(version!==tag){console.error(`Tag ${tag} does not match package.json version ${version}`); process.exit(1);}"

      - name: Install dependencies
        run: npm install --no-fund --no-audit

      - name: Publish
        run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}