pnpm/.github/workflows/release.yml
Zoltan Kochan d374e330ad ci(release): build artifacts on macos-latest to fix darwin-x64 signing (#11415)
* ci(release): build artifacts on macos-latest to fix darwin-x64 signing

Cross-signing darwin Mach-O binaries on Linux with the saurik fork of
ldid produces an ad-hoc signature whose page hashes don't match the
post-postject layout for Node.js 25's chained fixups, leaving fixups
unapplied at load and crashing the binary in __cxx_global_var_init
(EXC_BAD_ACCESS at 0x3 — the unprocessed chain-entry tag).

Running the release on macos-latest lets pack-app's adHocSignMacBinary
use native codesign, which understands chained fixups. Drops the entire
ldid build step.

* ci(release): document why release runs on macos-latest
2026-05-01 21:54:51 +02:00

name: Release
on:
  push:
    tags:
      - "v*.*.*"
jobs:
  release:
    permissions:
      id-token: write # Required for OIDC
      contents: write # for softprops/action-gh-release to create GitHub release
    # Runs on macOS so darwin artifacts are signed with native `codesign`.
    # Cross-signing on Linux with `ldid` produces ad-hoc signatures whose
    # page hashes don't match the post-postject Mach-O layout for Node.js 25's
    # chained fixups, leaving fixups unapplied and crashing the binary at
    # startup (EXC_BAD_ACCESS in __cxx_global_var_init).
    runs-on: macos-latest
    environment: release
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Install pnpm
        uses: pnpm/action-setup@6e7bdbda5fe05107efc88b23b7ed00aa05f84ca0
        with:
          standalone: true
      - name: Setup Node
        run: pn runtime -g set node 25.6.1
        timeout-minutes: 2
      - name: pnpm install
        run: pn install
      - name: Publish Packages
        env:
          # setting the "npm_config_//registry.npmjs.org/:_authToken" env variable directly doesn't work.
          # probably "pnpm release" doesn't pass auth tokens to child processes
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: |
          pn config set "//registry.npmjs.org/:_authToken" "${NPM_TOKEN}"
          pn release
      - name: Copy Artifacts
        run: pn copy-artifacts
      - name: Generate release description
        run: pn make-release-description
      - name: Release
        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
        with:
          draft: true
          files: dist/*
          body_path: RELEASE.md
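
The failure described in the commit message and in the workflow comment, a signature whose page hashes no longer match the file, can be detected before artifacts are uploaded by recomputing those hashes. The following is an added example, not part of pnpm's code: it parses a thin 64-bit Mach-O, reports whether it carries chained fixups and a code signature, and lists the code pages whose SHA-256 differs from the embedded CodeDirectory. The function names and the sample binary are constructed for illustration, and only code-page slots of a SHA-256 CodeDirectory are checked (no special slots, no CMS blob).

```python
import hashlib, struct

MH_MAGIC_64, LC_CODE_SIGNATURE, LC_DYLD_CHAINED_FIXUPS = 0xFEEDFACF, 0x1D, 0x80000034
CSMAGIC_EMBEDDED_SIGNATURE, CSMAGIC_CODEDIRECTORY = 0xFADE0CC0, 0xFADE0C02

def load_commands(macho):
    """Map load-command type -> file offset for a thin little-endian 64-bit Mach-O."""
    magic, _, _, _, ncmds = struct.unpack_from("<5I", macho, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin 64-bit Mach-O")
    found, off = {}, 32                      # mach_header_64 is 32 bytes
    for _ in range(ncmds):
        cmd, size = struct.unpack_from("<2I", macho, off)
        found[cmd], off = off, off + size
    return found

def check_signature(macho):
    """Recompute each code-page hash and compare it with the embedded CodeDirectory."""
    cmds = load_commands(macho)
    report = {"chained_fixups": LC_DYLD_CHAINED_FIXUPS in cmds, "signed": LC_CODE_SIGNATURE in cmds, "bad_pages": []}
    if not report["signed"]:
        return report
    dataoff, datasize = struct.unpack_from("<2I", macho, cmds[LC_CODE_SIGNATURE] + 8)
    blob = macho[dataoff:dataoff + datasize]
    magic, _, count = struct.unpack_from(">3I", blob, 0)   # signature blobs are big-endian
    slots = dict(struct.unpack_from(">2I", blob, 12 + 8 * i) for i in range(count)) if magic == CSMAGIC_EMBEDDED_SIGNATURE else {}
    if 0 not in slots:                       # slot type 0 is the CodeDirectory
        raise ValueError("no CodeDirectory in embedded signature")
    cd = blob[slots[0]:]
    (cd_magic, _, _, _, hash_off, _, _, n_slots, code_limit,
     hash_size, hash_type, _, page_shift) = struct.unpack_from(">9I4B", cd, 0)
    if cd_magic != CSMAGIC_CODEDIRECTORY or hash_type != 2 or page_shift == 0:
        raise ValueError("example handles paged SHA-256 CodeDirectories only")
    page = 1 << page_shift
    report["bad_pages"] = [n for n in range(n_slots)
        if hashlib.sha256(macho[n * page:min((n + 1) * page, code_limit)]).digest()
           != cd[hash_off + n * hash_size:hash_off + (n + 1) * hash_size]]
    return report

def build_sample(body=b"A" * 5000, page_shift=12):
    """Constructed input: tiny Mach-O with chained-fixups and ad-hoc signature commands."""
    code_limit, page = 64 + len(body), 1 << page_shift   # header + two 16-byte commands
    n = -(-code_limit // page)                           # number of code pages
    code = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, 2, 32, 0, 0)
    code += struct.pack("<8I", LC_DYLD_CHAINED_FIXUPS, 16, 64, 0, LC_CODE_SIGNATURE, 16, code_limit, 64 + 32 * n) + body
    hashes = b"".join(hashlib.sha256(code[i:i + page]).digest() for i in range(0, code_limit, page))
    cd = struct.pack(">9I4BI", CSMAGIC_CODEDIRECTORY, 44 + len(hashes), 0x20001, 2, 44, 0, 0,
                     n, code_limit, 32, 2, 0, page_shift, 0) + hashes
    return code + struct.pack(">5I", CSMAGIC_EMBEDDED_SIGNATURE, 64 + len(hashes), 1, 0, 20) + cd
```

A non-empty `bad_pages` list on a release artifact means the bytes were changed after the signature was computed, so the binary needs to be re-signed before publishing.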