name: Build package

on:
  push:
    branches:
      - main
    paths-ignore:
      - "**.md"
  pull_request:
    types: [opened, reopened, synchronize, ready_for_review, labeled, unlabeled]
    paths-ignore:
      - "**.md"

jobs:
  build-package:
    name: Build package
    if: ${{ !contains(github.event.pull_request.labels.*.name, 'ignore-for-release') }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
      attestations: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v7

      - name: Setup node
        uses: actions/setup-node@v6

        with:
          node-version: 24
          cache: "npm"
          registry-url: https://registry.npmjs.org/

      - name: Build package
        run: |
          npm ci
          npm run lint
          npm run build
          npm pack

      - name: Attest build provenance
        if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
        uses: actions/attest-build-provenance@v4
        with:
          subject-path: "*.tgz"