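# Publishes the package to npm with provenance when a GitHub release is
# published or the workflow is dispatched manually. The npm token is fetched
# from Vault using the job's GitHub OIDC identity (JWT auth), not from a
# repository secret.
name: Publish

env:
  VAULT_ADDR: https://vault.svc.plus

on:
  workflow_dispatch:
  release:
    types:
      - published

jobs:
  publish:
    name: Publish to npm
    runs-on: ubuntu-latest
    # id-token: write is required for the Vault JWT login and for
    # `npm publish --provenance`.
    # NOTE(review): the permission is job-wide, so the install/test steps can
    # also request an OIDC token. Consider moving install/test/typecheck into a
    # separate job without id-token, and confirm the Vault role binds on the
    # repository and ref claims.
    permissions:
      contents: read
      id-token: write
    steps:
      - name: Checkout
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
        with:
          # No later step pushes or fetches, so do not leave the GITHUB_TOKEN
          # in .git/config where install/test scripts could read it.
          persist-credentials: false

      - name: Setup Node
        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
        with:
          node-version: '22'
          registry-url: https://registry.npmjs.org/

      - name: Setup pnpm
        run: |
          corepack enable
          corepack prepare pnpm@10.28.2 --activate

      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      - name: Test
        run: pnpm test

      - name: Typecheck
        run: pnpm typecheck

      # Fetched only after install/test/typecheck have passed, so the publish
      # token is never retrieved for a failing build and is not present while
      # dependency and test code runs.
      - name: Load Vault secrets
        id: vault
        # TODO(review): pin to a full commit SHA like the other actions in this
        # workflow; a tag ref such as v2 is mutable.
        uses: hashicorp/vault-action@v2
        with:
          url: ${{ env.VAULT_ADDR }}
          method: jwt
          role: github-actions-openclaw-multi-session-plugins
          jwtGithubAudience: vault
          # vault-action exports secrets as environment variables to every
          # later step by default. Only the step output is consumed below, so
          # keep the token out of the shared job environment.
          exportEnv: false
          secrets: |
            kv/data/github-actions/openclaw-multi-session-plugins NPM_TOKEN | NPM_TOKEN

      # Fails fast with an actionable message when the token cannot
      # authenticate, instead of failing later inside `npm publish`.
      - name: Verify npm publish access
        shell: bash
        run: |
          set -euo pipefail
          name="$(node -p "require('./package.json').name")"
          version="$(node -p "require('./package.json').version")"
          user="$(npm whoami 2>/dev/null || true)"
          if [ -z "${user}" ]; then
            echo "::error::NPM_TOKEN is not valid for npm publish. Create an npm automation token for an account that can publish ${name}, then store it in Vault at kv/data/github-actions/openclaw-multi-session-plugins under the key NPM_TOKEN."
            exit 1
          fi
          if npm view "${name}" name >/dev/null 2>&1; then
            echo "::notice::Publishing ${name}@${version} as npm user ${user}; package already exists."
          else
            echo "::notice::Publishing ${name}@${version} as npm user ${user}; npm will create this public package on first publish."
          fi
        env:
          NODE_AUTH_TOKEN: ${{ steps.vault.outputs.NPM_TOKEN }}

      # Makes re-runs idempotent: an already published version is skipped
      # rather than failing the job. Runs without the token.
      - name: Check published version
        id: published
        shell: bash
        run: |
          set -euo pipefail
          name="$(node -p "require('./package.json').name")"
          version="$(node -p "require('./package.json').version")"
          if npm view "${name}@${version}" version >/dev/null 2>&1; then
            echo "exists=true" >> "$GITHUB_OUTPUT"
            echo "${name}@${version} is already published; skipping npm publish."
          else
            echo "exists=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Publish
        if: steps.published.outputs.exists != 'true'
        run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ steps.vault.outputs.NPM_TOKEN }}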