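# For every push to the primary branch with .release-plan.json modified
# (or a manual workflow_dispatch run), runs release-plan to publish to npm.

name: Publish Stable

on:
  # NOTE(review): a manual run can be started from any ref; the branch
  # filter below applies to `push` only. Confirm that publishing from a
  # ref other than main/master is intended.
  workflow_dispatch:
  push:
    branches:
      - main
      - master
    paths:
      - ".release-plan.json"

# Serialise publish runs per ref. github.head_ref is only populated for
# pull-request events, so for the triggers above the group key falls back
# to github.ref.
concurrency:
  group: publish-${{ github.head_ref || github.ref }}
  # A publish is not atomic: cancelling a run part-way through can leave
  # some artefacts released and others not. Let the running publish finish;
  # a newer run in the same group waits for it instead of cancelling it.
  cancel-in-progress: false

jobs:
  publish:
    name: "NPM Publish"
    runs-on: ubuntu-latest
    # Job-level token scopes: every step below, including dependency
    # installation, runs with these permissions.
    permissions:
      # presumably needed by the publish step (via GITHUB_AUTH) to write
      # tags/releases - confirm against the CLI
      contents: write
      # allows the job to request an OIDC token, which npm uses for
      # provenance (and for OIDC-based publishing, per the npm step below)
      id-token: write
      # NOTE(review): no step shown here calls an attestation action, and
      # npm provenance relies on id-token. Confirm the CLI needs this scope;
      # drop it if not (least privilege).
      attestations: write

    steps:
      # NOTE(review): the actions below are referenced by mutable
      # major-version tags. In a job that can mint OIDC tokens and publish
      # packages, pinning each action to a full commit SHA keeps a moved tag
      # from changing what runs.
      - uses: actions/checkout@v6
      - uses: pnpm/action-setup@v4
      - uses: actions/setup-node@v6
        with:
          node-version: 22
          registry-url: "https://registry.npmjs.org"
          cache: pnpm
      # Ensure that the globally installed npm is new enough to support OIDC.
      # NOTE(review): `latest` is resolved at run time, so the npm that
      # performs the publish can change between runs; consider pinning a
      # known-good version that supports OIDC.
      - run: npm install -g npm@latest
      # --frozen-lockfile fails the install instead of updating the lockfile,
      # so only the locked dependency versions are installed.
      # NOTE(review): any dependency lifecycle scripts that run here execute
      # in a job holding id-token: write - confirm which scripts are allowed.
      - run: pnpm install --frozen-lockfile
      # NOTE(review): no step here builds ./dist/cli.js explicitly; presumably
      # it is produced during install (e.g. a prepare script) - confirm.
      - name: Publish to NPM
        # NPM_CONFIG_PROVENANCE=true asks npm to attach a provenance
        # statement to what it publishes.
        run: NPM_CONFIG_PROVENANCE=true node ./dist/cli.js publish
        env:
          # The workflow token is exposed to this step only, not to the
          # install steps above.
          GITHUB_AUTH: ${{ secrets.GITHUB_TOKEN }}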
