name: Release

on:
  push:
    branches:
      - main

jobs:
  test:
    uses: ./.github/workflows/test.yml

  release:
    name: Release
    runs-on: ubuntu-latest
    needs: test
    environment: npm-trusted-publisher
    permissions:
      id-token: write # for publishing releases
    steps:
      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false
      - name: Setup Node.js
        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
        with:
          node-version-file: '.nvmrc'
          cache: 'yarn'
      - name: Install
        run: yarn install --immutable
      - name: Get GitHub App Token
        id: secret-service
        uses: electron/secret-service-action@3476425e8b30555aac15b1b7096938e254b0e155 # v1.0.0
      - name: Run Semantic Release
        uses: electron/semantic-trusted-release@5eceb399ac8de8863205cf6e34109bce473ba566 # v1.0.1
        with:
          github-token: ${{ fromJSON(steps.secret-service.outputs.secrets).GITHUB_TOKEN }}