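---
# Release workflow.
#
# On merge to main: conventional commits → semantic-release bumps package.json,
# publishes to npm, pushes tag + commit.
# Tag push can run verify-release-tag.yml (tests + tag vs package.json; no publish).
# NOTE: pushes made with the built-in GITHUB_TOKEN do not start other workflow runs,
# so the tag pushed here only triggers verify-release-tag.yml if the push is done
# with a PAT or GitHub App token instead of secrets.GITHUB_TOKEN.
# Trusted publishing (OIDC): register this filename on npm → Package → Settings →
# Trusted Publisher → GitHub Actions. No NPM_TOKEN secret is used by this file.
# Requires npm CLI ≥ 11.5.1 on the runner (see "Ensure npm for trusted publishing" below).
name: Release version

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main]

# Least privilege: every job gets a read-only token unless it declares its own
# permissions block (the release job does). Without this default the gate job
# would receive the repository's default token scopes, which it never needs.
permissions:
  contents: read

# Serialise releases: two quick pushes to main must not run semantic-release in
# parallel (both would try to push a version commit and tag). A running release
# is never cancelled, so a half-finished publish is not left behind.
concurrency:
  group: release-${{ github.ref }}
  cancel-in-progress: false

jobs:
  # Skip logic uses shell + grep (not expression matches()) for compatibility
  # with older GitHub Actions.
  gate:
    name: Release gate
    runs-on: ubuntu-latest
    outputs:
      run_release: ${{ steps.check.outputs.run_release }}
    steps:
      # Decide whether this push is the version commit semantic-release itself
      # created: first subject line "chore(release): X.Y.Z" (optional leading "v").
      # The message is read from the event file with jq and handled only through
      # quoted shell variables — never interpolated via ${{ }} — so commit-message
      # content cannot inject into this script.
      # Unreadable/empty message → run the release (fails open; semantic-release is
      # a no-op when there are no new releasable commits).
      # Pre-release versions such as 1.2.3-beta.1 do not match the pattern and
      # fall through to a release run as well.
      - id: check
        run: |
          MSG=$(jq -r '.head_commit.message // empty' "$GITHUB_EVENT_PATH" 2>/dev/null || echo "")
          if [ -z "$MSG" ]; then
            echo "run_release=true" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          FIRST=$(printf '%s\n' "$MSG" | head -n1)
          if printf '%s\n' "$FIRST" | grep -qE '^chore\(release\): v?[0-9]+\.[0-9]+\.[0-9]+$'; then
            echo "run_release=false" >> "$GITHUB_OUTPUT"
          else
            echo "run_release=true" >> "$GITHUB_OUTPUT"
          fi

  release:
    name: Bump version and tag
    needs: gate
    if: needs.gate.outputs.run_release == 'true'
    runs-on: ubuntu-latest
    # contents: write — semantic-release pushes the version commit and tag.
    # id-token: write — lets npm obtain the OIDC token for trusted publishing.
    permissions:
      contents: write
      id-token: write
    steps:
      # Actions are referenced by tag. Pinning to a full commit SHA would harden
      # against a moved or compromised tag; none is recorded here, so none is added.
      - uses: actions/checkout@v6
        with:
          # Full history: semantic-release inspects commits and tags since the
          # previous release.
          fetch-depth: 0
          # Same value as the action's default; kept explicit for clarity.
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          # semantic-release@25 requires Node ^22.14.0 or >= 24.10.0
          node-version: '22'
          cache: 'npm'
          # Writes the registry into .npmrc; authentication comes from OIDC,
          # not from a stored token.
          registry-url: 'https://registry.npmjs.org'
      # https://docs.npmjs.com/trusted-publishers — OIDC publish needs npm ≥ 11.5.1
      # (Node's bundled npm may be older). The caret range resolves to the newest
      # 11.x at run time; pin an exact version if reproducible runs matter more.
      - name: Ensure npm for trusted publishing
        run: npm install -g npm@^11.5.1
      # npm ci installs exactly what package-lock.json records.
      - name: Install dependencies
        run: npm ci
      - name: Run tests
        run: node scripts/run-tests.js
      # Assumes semantic-release is a devDependency locked in package-lock.json so
      # npx runs the installed copy — TODO confirm; if it is not, npx downloads
      # the latest version from the registry on every run.
      - name: Release
        run: npx semantic-release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}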