Release / npm / repo hardening #86

Workflow file for this run

# Release pipeline: runs on pushes to main and on pull-request activity.
name: Release
on:
  push:
    branches:
      - main
  # `pull_request` (not `pull_request_target`): runs triggered from forks get a
  # read-only GITHUB_TOKEN and no repository secrets.
  pull_request:
    types:
      - opened
      - synchronize
      - reopened
# Workflow-wide GITHUB_TOKEN scopes. Every job that does not declare its own
# `permissions:` block inherits all of these, on both triggers.
permissions:
  # Lets the run push to the repo
  contents: write
  # Lets the run update the PR description with canary info
  pull-requests: write
  # Lets pr-check create a status
  statuses: write
  # Required to create PR statuses/checks
  checks: write
  # Lets the run post comments on PRs
  issues: write
  # Lets a job request an OIDC token; used for trusted publishing
  id-token: write
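# Each job declares its own `permissions:` so it runs with only the scopes it
# uses; a job-level block replaces the workflow-wide grant for that job.
# Actions are referenced by tag (v5). Tags are mutable; pinning to a full
# commit SHA (uses: actions/checkout@<full-commit-sha>) fixes the code that runs.
jobs:
  # Build check: installs dependencies and runs the `tsc` script.
  install:
    runs-on: ubuntu-latest
    # Dependency install scripts run in this job, so it gets a read-only token
    # and no OIDC access.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v5
        with:
          # Nothing in this job pushes, so the token is not left in .git/config.
          persist-credentials: false
      - uses: actions/setup-node@v5
        with:
          node-version: 22.x
      - run: npm install
      - run: npm run tsc

  # Runs `auto pr-check` and reports the result against this workflow run.
  validate-labels:
    runs-on: ubuntu-latest
    # Skipped when the head commit message contains 'ci skip' or 'skip ci'.
    if:
      "!contains(github.event.head_commit.message, 'ci skip') &&
      !contains(github.event.head_commit.message, 'skip ci')"
    # Status/check writes only; no repo write and no OIDC token.
    # NOTE(review): read scopes assume pr-check only reads the PR and its
    # labels -- confirm against the `auto` version in use.
    permissions:
      contents: read
      pull-requests: read
      issues: read
      statuses: write
      checks: write
    steps:
      - uses: actions/checkout@v5
      # Full history and tags are fetched after the shallow checkout.
      - run: git fetch --unshallow --tags
      - uses: actions/setup-node@v5
        with:
          node-version: 22.x
      - run: npm install
      - name: Verify Release
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: >-
          npx auto pr-check
          --url=https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID

  # Builds and releases. The `if` below filters only on the commit message, so
  # this job also runs for pull_request events with the scopes listed here.
  release:
    runs-on: ubuntu-latest
    # Any protection rules configured on this environment gate the job.
    environment: production
    # Skipped when the head commit message contains 'ci skip' or 'skip ci'.
    if:
      "!contains(github.event.head_commit.message, 'ci skip') &&
      !contains(github.event.head_commit.message, 'skip ci')"
    # The only job that holds repo write access and can request an OIDC token.
    # NOTE(review): statuses/checks are kept because the workflow granted them
    # globally; drop them here if only pr-check uses them.
    permissions:
      # To be able to push to the repo
      contents: write
      # To update the PR description with canary info
      pull-requests: write
      statuses: write
      checks: write
      # To post comments on PRs
      issues: write
      # For trusted publishing
      id-token: write
    steps:
      - uses: actions/checkout@v5
      - run: git fetch --unshallow --tags
      - uses: actions/setup-node@v5
        with:
          node-version: 22.x
      # Install scripts run here alongside the write token and OIDC access;
      # keep the dependency set reviewed.
      - run: npm install
      - name: Create Release
        run: npm run build && npm run release
        env:
          # auto expects GH_TOKEN in the environment
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}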