plugin-inspector/.github/workflows/release.yml

name: Release

on:
  push:
    tags:
      - "v*"
  workflow_dispatch:
    inputs:
      tag_name:
        description: "Release tag to publish (for example: v0.1.0)"
        required: true
        type: string

permissions:
  contents: write
  id-token: write

jobs:
  release:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v5
        with:
          fetch-depth: 0

      - name: Resolve release tag
        env:
          INPUT_TAG: ${{ inputs.tag_name }}
        run: |
          set -euo pipefail
          TAG="${INPUT_TAG:-${GITHUB_REF_NAME}}"
          if [[ ! "${TAG}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+([.-][0-9A-Za-z]+)*$ ]]; then
            echo "Invalid release tag: ${TAG}"
            exit 1
          fi
          VERSION="${TAG#v}"
          PACKAGE_VERSION="$(node -p 'JSON.parse(require("fs").readFileSync("package.json", "utf8")).version')"
          if [ "${VERSION}" != "${PACKAGE_VERSION}" ]; then
            echo "Tag ${TAG} does not match package.json version ${PACKAGE_VERSION}"
            exit 1
          fi
          echo "RELEASE_TAG=${TAG}" >> "$GITHUB_ENV"
          echo "RELEASE_VERSION=${VERSION}" >> "$GITHUB_ENV"          

      - name: Setup Node
        uses: actions/setup-node@v6
        with:
          node-version: 24
          registry-url: https://registry.npmjs.org

      - name: Verify package
        run: npm run release:local

      - name: Verify OIDC-capable npm
        run: |
          set -euo pipefail
          NPM_VERSION="$(npm --version)"
          NPM_VERSION="${NPM_VERSION}" node -e '
            const [major, minor, patch] = process.env.NPM_VERSION.split(".").map(Number);
            if (major < 11 || (major === 11 && (minor < 5 || (minor === 5 && patch < 1)))) {
              process.exit(1);
            }
          ' || {
            echo "npm ${NPM_VERSION} is too old for trusted publishing; npm 11.5.1 or newer is required."
            exit 1
          }          

      - name: Publish npm package
        run: npm publish --access public

      - name: Publish GitHub release
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          set -euo pipefail
          NOTES_FILE="$(mktemp)"
          node scripts/release-notes.mjs "${RELEASE_VERSION}" > "${NOTES_FILE}"

          release_flags=(--title "plugin-inspector ${RELEASE_TAG}" --notes-file "${NOTES_FILE}" --verify-tag)
          if [[ "${RELEASE_TAG}" =~ (alpha|beta|rc) ]]; then
            release_flags+=(--prerelease)
          else
            release_flags+=(--latest)
          fi

          if gh release view "${RELEASE_TAG}" >/dev/null 2>&1; then
            gh release edit "${RELEASE_TAG}" "${release_flags[@]}" --draft=false
          else
            gh release create "${RELEASE_TAG}" "${release_flags[@]}"
          fi