name: Release

on:
  push:
    branches:
      - main

jobs:
  test:
    uses: ./.github/workflows/test.yml

  release:
    name: Release
    runs-on: ubuntu-latest
    needs: test
    environment: npm
    permissions:
      id-token: write # for CFA and npm provenance
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false
      - name: Setup Node.js
        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
        with:
          node-version: 20.x
          cache: 'yarn'
      - name: Install
        run: yarn install --frozen-lockfile
      - uses: continuousauth/action@4e8a2573eeb706f6d7300d6a9f3ca6322740b72d # v1.0.5
        with:
          project-id: ${{ secrets.CFA_PROJECT_ID }}
          secret: ${{ secrets.CFA_SECRET }}
          npm-token: ${{ secrets.NPM_TOKEN }}