name: Publish

on:
  push:
    branches:
      - main

permissions: read-all

jobs:
  Linter:
    name: Lint
    runs-on: ubuntu-latest
    timeout-minutes: 15
    permissions:
      statuses: write
      contents: write
      packages: write
      issues: write
      pull-requests: write

    steps:
      - name: Run PR Lint
        # https://github.com/ivuorinen/actions
        uses: ivuorinen/actions/pr-lint@5cc7373a22402ee8985376bc713f00e09b5b2edb # v2025.11.23

  publish:
    name: Publish
    runs-on: ubuntu-latest
    needs:
      - Linter
    permissions:
      contents: write # to be able to publish a GitHub release
      issues: write # to be able to comment on released issues
      pull-requests: write # to be able to comment on released pull requests
      id-token: write # to enable use of OIDC for trusted publishing and npm provenance

    steps:
      - name: Checkout
        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          fetch-depth: 0

      - name: Setup Node.js Environment
        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
        with:
          node-version-file: ".nvmrc"
          registry-url: "https://registry.npmjs.org"
          scope: "@ivuorinen"

      - name: Install dependencies
        run: yarn

      - name: Verify the integrity of provenance attestations and registry signatures for installed dependencies
        run: yarn npm audit --environment production

      - name: Release
        env:
          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: yarn semantic-release