From bb0654be9ea3ccceb7a34a162e7fd6d7f2dbfe6e Mon Sep 17 00:00:00 2001
From: Stefano Guerrini
Date: Tue, 21 Apr 2026 13:41:27 +0200
Subject: [PATCH] chore: add release workflow to publish on GitHub Release

Publishes the package to npm when a GitHub Release is published (or via manual workflow_dispatch). Uses npm publish with provenance so the npmjs listing shows a verified build origin. Guards against version drift: if the release tag (e.g. v2.0.2) does not match package.json version, the job fails before publishing.
---
.github/workflows/release.yml | 38 +++++++++++++++++++++++++++++++++++
1 file changed, 38 insertions(+)
create mode 100644 .github/workflows/release.yml
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..b1627f2
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,38 @@
+name: Release
+
+on:
+ release:
+ types: [published]
+ workflow_dispatch:
+
+permissions:
+ contents: read
+ id-token: write
+
+jobs:
+ publish:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: pnpm/action-setup@v4
+ - uses: actions/setup-node@v4
+ with:
+ node-version: 20
+ registry-url: https://registry.npmjs.org
+ cache: pnpm
+ - run: pnpm install --frozen-lockfile
+ - name: Verify tag matches package.json version
+ if: github.event_name == 'release'
+ run: |
+ TAG="${GITHUB_REF_NAME#v}"
+ PKG=$(node -p "require('./package.json').version")
+ if [ "$TAG" != "$PKG" ]; then
+ echo "tag $GITHUB_REF_NAME ($TAG) does not match package.json version $PKG"
+ exit 1
+ fi
+ - run: pnpm check
+ - run: pnpm test -- --run
+ - run: pnpm build
+ - run: npm publish --provenance --access public
+ env:
+ NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
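Review bot: The tag/version guard is skipped on manual runs, because the "Verify tag matches package.json version" step carries `if: github.event_name == 'release'` while `workflow_dispatch` is also a trigger; a dispatch from any branch therefore reaches `npm publish --provenance` with `NPM_TOKEN` and publishes whatever `package.json` that ref holds. Dropping the `if:` would make a manual run pass only when it is dispatched on a matching `v<version>` tag, since `GITHUB_REF_NAME` is then the tag name. Running the `publish` job behind a protected environment (for example `environment: release`, with the npm token stored as an environment secret and required reviewers configured in the repository settings) would put an approval gate in front of the token. Separately, the three `uses:` lines reference mutable `@v4` tags in a job that holds `id-token: write` and the publish token; pinning each to a full commit SHA, as in `actions/checkout@<full-commit-sha> # v4`, keeps a retagged action from running with those credentials.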