name: npm release

on:
  push:
    tags:
      - 'v*'
      - '[0-9]*'

permissions:
  contents: read

jobs:
  verify:
    name: verify
    runs-on: ubuntu-latest
    container:
      image: node:20-bookworm
    timeout-minutes: 20

    steps:
      - name: Install release tools
        run: |
          set -euo pipefail
          apt-get update
          apt-get install -y git curl ca-certificates
          curl -fsSL https://bun.sh/install | bash -s -- bun-v1.3.13
          install -m 0755 /root/.bun/bin/bun /usr/local/bin/bun
          node --version
          npm --version
          bun --version

      - name: Clone tagged source
        run: |
          set -euo pipefail
          REPO_URL="${{ gitea.server_url }}/${{ gitea.repository }}.git"
          AUTH_HEADER="$(printf '%s' '${{ gitea.actor }}:${{ secrets.GITEA_TOKEN }}' | base64 -w0)"
          git -c http.extraHeader="Authorization: Basic $AUTH_HEADER" clone --depth 1 --branch "${{ gitea.ref_name }}" "$REPO_URL" repo
          git -C repo rev-parse HEAD

      - name: Verify release tag matches package version
        working-directory: repo
        shell: bash
        run: |
          set -euo pipefail
          TAG_NAME="${{ gitea.ref_name }}"
          PACKAGE_VERSION="$(node -p "require('./package.json').version")"

          if [ "$TAG_NAME" = "v$PACKAGE_VERSION" ] || [ "$TAG_NAME" = "$PACKAGE_VERSION" ]; then
            echo "Release tag $TAG_NAME matches package version $PACKAGE_VERSION"
            exit 0
          fi

          echo "Tag $TAG_NAME does not match package.json version $PACKAGE_VERSION" >&2
          exit 1

      - name: Run verify pipeline
        working-directory: repo
        run: |
          set -euo pipefail
          bun install --frozen-lockfile
          bun run test
          bun run check
          bun run build

  release:
    name: publish to npm
    runs-on: ubuntu-latest
    container:
      image: node:20-bookworm
    timeout-minutes: 20
    needs:
      - verify

    steps:
      - name: Install release tools
        run: |
          set -euo pipefail
          apt-get update
          apt-get install -y git curl ca-certificates
          curl -fsSL https://bun.sh/install | bash -s -- bun-v1.3.13
          install -m 0755 /root/.bun/bin/bun /usr/local/bin/bun
          node --version
          npm --version
          bun --version

      - name: Clone tagged source
        run: |
          set -euo pipefail
          REPO_URL="${{ gitea.server_url }}/${{ gitea.repository }}.git"
          AUTH_HEADER="$(printf '%s' '${{ gitea.actor }}:${{ secrets.GITEA_TOKEN }}' | base64 -w0)"
          git -c http.extraHeader="Authorization: Basic $AUTH_HEADER" clone --depth 1 --branch "${{ gitea.ref_name }}" "$REPO_URL" repo
          git -C repo rev-parse HEAD

      - name: Install dependencies
        working-directory: repo
        run: |
          set -euo pipefail
          bun install --frozen-lockfile

      - name: Build package
        working-directory: repo
        run: |
          set -euo pipefail
          bun run build

      - name: Publish package to npm
        working-directory: repo
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: |
          set -euo pipefail
          npm publish