name: Publish

on:
  release:
    types: [created]

permissions:
  contents: read
  id-token: write

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org/

      # Ensure npm CLI is new enough for Trusted Publishing flows
      - run: npm i -g npm@latest
      - run: npm -v

      - run: npm ci
      - run: npm run build

      # Public packages sometimes need this explicitly (safe even if already public)
      - run: npm publish --access public