name: Semantic Release

on:
  push:
    branches:
      - main

permissions:
  contents: write
  issues: write

jobs:
  semantic-release:
    runs-on: ubuntu-latest
    environment: dev
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          persist-credentials: false

      - name: Setup SSH
        uses: webfactory/ssh-agent@v0.8.0
        with:
          ssh-private-key: ${{ secrets.GA_DEPLOY_KEY }}

      # use SSH url to ensure git commit using a deploy key bypasses the main
      # branch protection rule
      - name: Configure Git for SSH Push
        run: git remote set-url origin "git@github.com:${{ github.repository }}.git"

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: "lts/*"

      - name: Install Dependencies
        run: npm clean-install

      - name: Verify the integrity of provenance attestations and registry signatures for installed dependencies
        run: npm audit signatures

      - name: Run Semantic Release
        run: npx semantic-release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}