publish.yml

name: Publish to registry
on:
  push:
    branches:
      - "main"

permissions:
  contents: write # to be able to publish a GitHub release
  issues: write # to be able to comment on released issues
  id-token: write # to enable use of OIDC for npm provenance

jobs:
  pre-publish:
    uses: ./.github/workflows/publish-dry-run.yml
    secrets:
      NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
  publish:
    needs: pre-publish
    runs-on: ubuntu-latest
    environment: production
    steps:
      - name: Checkout repo
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          persist-credentials: false

      - name: Setup Node
        uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: "yarn"

      - name: Install dependencies
        run: yarn --immutable

      - name: Build
        run: yarn build

      - name: Verify the integrity of provenance attestations and registry signatures for installed dependencies
        run: yarn npm audit

      - name: Authenticate in npm
        run: |
          echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" > .npmrc
          echo "workspaces-update=false" >> .npmrc
          echo "provenance=true" >> .npmrc
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}

      - name: Publish
        run: yarn semantic-release
        env:
          NPM_CONFIG_PROVENANCE: true
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}