name: CD

on:
  push:
    tags:
      - 'v*.*.*'
  workflow_dispatch:

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
        with:
          version: 10
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: pnpm
          registry-url: https://registry.npmjs.org
      - name: Use npm 11 for trusted publishing
        run: npm i -g npm@^11.5.1
      - run: pnpm install --frozen-lockfile
      - run: pnpm run check
      - run: pnpm run test:coverage
      - run: pnpm run build
      - name: Publish to npm
        run: npm publish --access public --provenance