name: Node.js Package
on:
  # No branch or tag filter: every pushed ref starts this workflow, so the
  # backend and frontend test jobs run for all of them. Publishing is limited
  # separately by the `if:` condition on the release job.
  push:
  # Invoked by automerge.yml after a Dependabot PR is merged. GitHub
  # Actions doesn't fire on:push when the push is authored by GITHUB_TOKEN
  # (the automerge action's only available identity), so without this
  # dispatch trigger the release job never runs after auto-merges.
  # NOTE(review): through this path an auto-merged dependency update can reach
  # the release job with only the two test jobs as a gate in this file.
  # Confirm automerge.yml restricts which updates it merges.
  workflow_dispatch:

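# Workflow-wide default for GITHUB_TOKEN: read-only. The backend and frontend
# test jobs have no permissions block of their own, so they run with this
# default on every push and can neither write to the repository nor request
# an OIDC token.
# contents: write (version bump push) and id-token: write (npm OIDC trusted
# publishing) are granted to the release job alone, through its job-level
# permissions block, which replaces this default for that job.
# NOTE(review): a called workflow cannot hold more than its calling job
# grants. If backend-tests.yml or frontend-tests.yml declare anything beyond
# contents: read, grant it on that calling job rather than here. Confirm
# before merging.
permissions:
  contents: read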

jobs:
  # Test gates: two reusable workflows from this repository. Neither has an
  # `if:`, so both run on every trigger of this workflow.
  backend:
    uses: ./.github/workflows/backend-tests.yml
    # NOTE(review): `secrets: inherit` hands every secret this workflow can
    # read to the called workflow. Confirm the tests need any; if not, drop
    # the line, otherwise pass only the named secrets they use.
    secrets: inherit
  frontend:
    uses: ./.github/workflows/frontend-tests.yml
    # NOTE(review): same exposure as the backend job. Confirm which secrets
    # the frontend tests actually read.
    secrets: inherit
  # Publish job: runs only when the workflow ref is master or main, and only
  # after both test jobs have succeeded (`needs` with no status override).
  release:
    if: ${{ github.ref == 'refs/heads/master' || github.ref == 'refs/heads/main' }}
    needs:
      - backend
      - frontend
    # Job-level permissions replace the workflow-level block for this job, so
    # these two scopes are what the called npmpublish workflow can use.
    permissions:
      contents: write   # for the version bump push
      id-token: write   # for npm OIDC trusted publishing
    uses: ./.github/workflows/npmpublish.yml
    # NOTE(review): with OIDC trusted publishing a stored npm token may no
    # longer be needed. Confirm which secrets npmpublish.yml reads and pass
    # only those instead of inheriting all of them.
    secrets: inherit
