release.yml

name: Release

on:
  push:
    tags:
      - "v*.*.*"

concurrency:
  group: release-${{ github.ref_name }}
  cancel-in-progress: false

jobs:
  github-release:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      attestations: write
      id-token: write
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - name: Validate release metadata
        run: |
          TAG_VERSION="${GITHUB_REF_NAME#v}"
          PACKAGE_VERSION="$(node -p "require('./package.json').version")"

          if [ "${PACKAGE_VERSION}" != "${TAG_VERSION}" ]; then
            echo "Tag ${GITHUB_REF_NAME} does not match package.json version v${PACKAGE_VERSION}"
            exit 1
          fi

          node scripts/changelog.mjs --version "${GITHUB_REF_NAME}" >/dev/null
      - uses: actions/setup-node@v6
        with:
          node-version: "22.12.0"
          cache: npm
      - run: npm ci
      - run: npm run check
      - name: Build release notes from changelog
        run: node scripts/changelog.mjs --version "${GITHUB_REF_NAME}" > release-notes.md
      - name: Pack npm artifact
        run: |
          mkdir -p release-artifacts
          npm pack --ignore-scripts --pack-destination release-artifacts --cache /tmp/devforge-release-cache
      - name: Attest release artifact provenance
        uses: actions/attest-build-provenance@v4
        with:
          subject-path: release-artifacts/*.tgz
      - name: Publish GitHub release
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          TITLE="DevForge CLI ${GITHUB_REF_NAME}"
          if gh release view "${GITHUB_REF_NAME}" >/dev/null 2>&1; then
            gh release edit "${GITHUB_REF_NAME}" --title "${TITLE}" --notes-file release-notes.md
            gh release upload "${GITHUB_REF_NAME}" release-artifacts/*.tgz --clobber
          else
            gh release create "${GITHUB_REF_NAME}" release-artifacts/*.tgz --title "${TITLE}" --notes-file release-notes.md
          fi