.github/workflows/release.yml

name: Release

on:
  push:
    branches:
      - main
      - alpha

permissions:
  contents: read
  id-token: write # to enable use of OIDC for npm provenance

jobs:
  test:
    uses: ./.github/workflows/test.yml
    permissions:
      contents: read
      pull-requests: read
    secrets:
      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

  release:
    needs: test

    runs-on: ubuntu-latest

    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            github.com:22
            github.com:443
            registry.npmjs.org:443
            *.sigstore.dev:443

      - name: Checkout project
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false

      - name: Use Node.js LTS
        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
        with:
          node-version: "lts/*"
          cache: npm

      - name: Install packages
        run: npm ci

      - name: Audit npm signatures
        run: npm audit signatures

      - name: Run Semantic Release
        run: npx semantic-release
        env:
          GITHUB_TOKEN: ${{ secrets.CI_GITHUB_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}