name: "Release"

on:
  push:
    branches: [main]

permissions:
  id-token: "write" # OIDC
  contents: "read"

jobs:
  release:
    runs-on: "ubuntu-latest"
    permissions:
      contents: "write"
      issues: "write"
      pull-requests: "write"
      id-token: "write"
    steps:
      - uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
        with:
          fetch-depth: 0
          persist-credentials: false

      - name: "Setup Node.js"
        uses: "actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238" # v6.2.0
        with:
          node-version: "lts/*"
          cache: "npm"

      - name: "Install dependencies"
        run: "npm clean-install"

      - name: "Verify the integrity of provenance attestations and registry signatures for installed dependencies"
        run: "npm audit signatures"

      - name: "Release"
        run: "node --run release"
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}