From ee4ddf0b6c033387942ac908b6734bd62cbaddd8 Mon Sep 17 00:00:00 2001
From: Jean Burellier <jean.burellier@gmail.com>
Date: Tue, 16 Dec 2025 18:07:33 +0100
Subject: [PATCH] chore(ci): npm-publish via staged publish

---
 .github/workflows/npm-publish.yml | 95 +++++++++++++++++++++++++++++++
 .npmrc                            |  7 +++
 2 files changed, 102 insertions(+)
 create mode 100644 .github/workflows/npm-publish.yml
 create mode 100644 .npmrc

diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
new file mode 100644
index 0000000..0ce254f
--- /dev/null
+++ b/.github/workflows/npm-publish.yml
@@ -0,0 +1,95 @@
+name: Publish package to npm
+
+on:
+  release:
+    types: [created]
+
+concurrency:
+  group: "${{ github.workflow }} ✨ ${{ github.ref }}"
+  cancel-in-progress: false
+
+permissions:
+  contents: read
+
+jobs:
+  audit:
+    name: Audit production dependencies
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        with:
+          node-version: "lts/*"
+
+      - name: Audit production dependencies
+        run: npm audit --omit=dev
+
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        with:
+          node-version: "lts/*"
+
+      - name: Install dependencies
+        run: npm install --ignore-scripts --include=dev
+
+      - name: Run lint
+        run: node --run lint
+
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        with:
+          node-version: "lts/*"
+
+      - name: Install dependencies
+        run: npm install
+
+      - name: Run tests
+        run: npm test
+
+  publish:
+    name: Publish to npm
+    needs: [audit, lint, test]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        with:
+          node-version: "lts/*"
+          registry-url: "https://registry.npmjs.org"
+
+      # npm stage publish requires npm >= 11.15.0
+      - name: Upgrade npm
+        run: npm install -g npm@latest
+
+      - name: Install dependencies
+        run: npm install --ignore-scripts
+
+      - name: Stage publish to npm
+        run: npm stage publish
diff --git a/.npmrc b/.npmrc
new file mode 100644
index 0000000..33ddfa9
--- /dev/null
+++ b/.npmrc
@@ -0,0 +1,7 @@
+allow-file=none
+allow-remote=none
+allow-git=none
+allow-directory=none
+
+min-release-age=2
+save-exact=false
\ No newline at end of file