name: release

on:
  push:
    tags:
      - "v*"

# Remove default permissions of GITHUB_TOKEN for security
# https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
permissions: {}

jobs:
  release:
    if: github.repository == 'nuxt/nuxt' && startsWith(github.event.head_commit.message, 'v3.')
    permissions:
      id-token: write
    runs-on: ubuntu-latest
    timeout-minutes: 20
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          fetch-depth: 0
      - run: corepack enable
      - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
        with:
          node-version: 20
          registry-url: "https://registry.npmjs.org/"
          cache: "pnpm"

      - name: Install dependencies
        run: pnpm install

      - name: Build (stub)
        run: pnpm dev:prepare

      - name: Release
        run: ./scripts/release.sh
        env:
          NODE_AUTH_TOKEN: ${{secrets.RELEASE_NODE_AUTH_TOKEN}}
          NPM_CONFIG_PROVENANCE: true