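# Publishes the package to npm and then creates a GitHub release.
# Runs for pushes to `main` whose head commit message starts with
# `release:`, or for a manual `workflow_dispatch` run.
name: Publish

on:
  push:
    branches:
      - main
  workflow_dispatch:

# Only what the single job below needs: `contents: write` for the release
# step, `id-token: write` for the `--provenance` publish step.
permissions:
  contents: write
  id-token: write

jobs:
  publish:
    runs-on: ubuntu-latest
    # `github.event.head_commit` is only populated on `push` events, so the
    # message check alone made the `workflow_dispatch` trigger a no-op (the
    # job was skipped). A manual run is now let through explicitly; pushes
    # are still gated on the `release:` commit-message prefix.
    if: >-
      github.event_name == 'workflow_dispatch' ||
      startsWith(github.event.head_commit.message, 'release:')
    permissions:
      contents: write
      id-token: write
    steps:
      # Third-party actions are referenced by major-version tag; pinning each
      # to a full commit SHA is the stricter choice for a job that holds
      # publish credentials.
      - uses: actions/checkout@v4

      - uses: pnpm/action-setup@v4
        with:
          version: latest

      - uses: actions/setup-node@v4
        with:
          node-version: 'lts/*'
          cache: 'pnpm'
          registry-url: 'https://registry.npmjs.org'

      # Fail rather than silently rewrite the lockfile when it is out of date,
      # so the published build resolves exactly the dependencies that were
      # committed.
      - run: pnpm install --frozen-lockfile
      - run: pnpm build

      # Upgrade npm for provenance support (GitHub runners ship with old npm).
      # `@latest` is unpinned and resolved from the registry at publish time.
      - run: npm install -g npm@latest

      # `--no-git-checks` skips pnpm's own branch / clean-working-tree check;
      # the job-level `if` above is what gates publishing instead.
      - name: Publish to npm
        run: pnpm publish --access public --provenance --no-git-checks
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

      # Create GitHub release with changelog notes
      - name: Create GitHub release
        run: pnpm just-release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}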
