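# Publishes the package to npm via OIDC trusted publishing: no long-lived
# NPM_TOKEN secret is used; npm exchanges the GitHub-issued id-token for a
# short-lived publish credential, and provenance is generated automatically.
name: Publish NPM packages

# Workflow-level defaults. The `publish` job declares its own block below,
# which takes precedence, so these only govern any job added later.
permissions:
  id-token: write # Required for OIDC
  contents: read # Recommended security best practice

on:
  workflow_dispatch:

jobs:
  publish:
    runs-on: ubuntu-latest
    # NOTE(review): consider binding this job to a protected `environment:`
    # with required reviewers and naming that environment in the npm
    # trusted-publisher configuration, so only reviewed runs can publish.
    permissions:
      contents: read
      id-token: write # Lets npm request the OIDC token for trusted publishing
    steps:
      # NOTE(review): actions are pinned to major tags; pinning each `uses:`
      # to a full commit SHA (tag kept in a trailing comment) protects the
      # publish pipeline against a moved or compromised tag.
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
          # No later step pushes to git, so do not leave GITHUB_TOKEN in
          # .git/config where build scripts could read it.
          persist-credentials: false
      # pnpm must be installed before setup-node so `cache: pnpm` can find it.
      - uses: pnpm/action-setup@v2
        with:
          version: 9.15.4
      - uses: actions/setup-node@v4
        with:
          node-version: "20"
          registry-url: "https://registry.npmjs.org"
          cache: pnpm
          cache-dependency-path: "**/pnpm-lock.yaml"

      # CRITICAL: npm 11.5.1+ required for trusted publishing
      - name: Install npm 11.6.4
        run: npm install -g npm@11.6.4

      # --frozen-lockfile fails the run when pnpm-lock.yaml and package.json
      # disagree, instead of silently resolving new dependency versions.
      - name: Install deps
        run: pnpm install --frozen-lockfile

      - name: Build package
        run: pnpm run build

      # Do not add NODE_AUTH_TOKEN / NPM_TOKEN to this step: a long-lived
      # token would bypass OIDC and reintroduce a secret that can leak.
      - name: Publish package
        run: pnpm publish --access public
        # Note: provenance is automatically generated with trusted publishing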