name: Build and release

on:
  push:
    branches:
      - main
  pull_request:
    types:
      - opened
      - synchronize

env:
  environment: test
  release_channel: latest
  DO_NOT_TRACK: '1'
  NODE_VERSION: '23.x'
  NODE_REGISTRY: 'https://registry.npmjs.org'
  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
  DOCKER_REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}
  PNPM_VERSION: 10.6.0

permissions:
  contents: write
  packages: read
  pull-requests: write
  id-token: write
  actions: read
  security-events: write
jobs:
  build:
    uses: ./.github/workflows/job-build.yaml
    name: Build

  update-release-draft:
    needs: build
    if: github.ref == 'refs/heads/main'
    uses: ./.github/workflows/job-draft-release.yaml

  release:
    permissions:
      contents: read
      packages: write
      attestations: write
      id-token: write
      pages: write
    name: Release
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    needs: update-release-draft
    environment: release
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - uses: actions/setup-node@v4
        with:
          node-version: '${{ env.NODE_VERSION }}'
          registry-url: '${{ env.NODE_REGISTRY }}'

      - uses: pnpm/action-setup@v4
        name: Install pnpm
        with:
          version: ${{ env.PNPM_VERSION }}
          run_install: false

      - name: Install dependencies
        run: pnpm install
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

      - uses: actions/download-artifact@v4
        with:
          name: lib
          path: ./

      - name: Publish to npm
        run: |
          git config user.name "Github Actions Bot"
          git config user.email "<>"
          node ./scripts/set-version.mjs $(git describe --tag --abbrev=0)
          pnpm publish -r --no-git-checks --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

      - name: Log in to the Container registry
        uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
        with:
          registry: ${{ env.DOCKER_REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
        with:
          images: ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}

      - name: Build and push Docker image
        id: push
        uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

      # - name: Generate artifact attestation
      #   uses: actions/attest-build-provenance@v2
      #   with:
      #     subject-name: ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME}}
      #     subject-digest: ${{ steps.push.outputs.digest }}
      #     push-to-registry: true