config-checker/.github/workflows/publish.yml

---
name: Publish

on:
  push:
    branches:
      - main

permissions: read-all

env:
  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}

jobs:
  Linter:
    name: Lint
    runs-on: ubuntu-latest
    timeout-minutes: 15
    permissions:
      statuses: write
      contents: read
      packages: read
      issues: write
      pull-requests: write

    steps:
      - name: Run PR Lint
        # https://github.com/ivuorinen/actions
        uses: ivuorinen/actions/pr-lint@e3b436adb3d9871b9cc27e19d13ba7f50cbac62e # 25.8.18

  publish:
    name: Publish
    runs-on: ubuntu-latest
    needs:
      - Linter
    permissions:
      contents: write # to be able to publish a GitHub release
      issues: write # to be able to comment on released issues
      pull-requests: write # to be able to comment on released pull requests
      id-token: write # to enable use of OIDC for npm provenance

    steps:
      - name: Checkout
        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
        with:
          fetch-depth: 0

      - name: Setup Node.js Environment
        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          always-auth: true
          node-version-file: ".nvmrc"
          registry-url: "https://registry.npmjs.org"
          scope: "@ivuorinen"

      - name: Cache Node Modules
        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
        id: cache
        with:
          path: node_modules
          key: node-modules-${{ hashFiles('**/yarn.lock') }}

      - name: Install Dependencies
        shell: bash
        if: steps.cache.outputs.cache-hit != 'true'
        run: yarn install

      - name: Semantic Release
        uses: cycjimmy/semantic-release-action@v4
        env:
          GITHUB_TOKEN: ${{ secrets.PAT }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}