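# Release Please — automated changelog + version bumps on merge to main.
#
# How it works:
#   1. On every push to main, release-please scans conventional commits since
#      the last release tag for each tracked package.
#   2. It opens (or updates) a single rolling "release PR" containing:
#        - version bumps in each affected package.json
#        - new CHANGELOG.md entries grouped by section (Features / Bug Fixes
#          / Performance / Refactoring / Documentation / Reverts)
#        - updated .release-please-manifest.json
#   3. Merging that PR triggers tag creation (`template-vN.N.N`, `auth-vN.N.N`,
#      etc.) and GitHub release notes.
#
# Hybrid versioning (ADR-021): root template versions independently from the
# 5 feature packages. Tags use the per-package component prefix so they don't
# collide (e.g. `template-v0.2.0` vs `auth-v0.1.1`).
#
# Tracked packages, manifest baseline, and changelog sections live in
# `release-please-config.json` + `.release-please-manifest.json`.

name: Release Please

on:
  push:
    branches: [main]

# Both scopes are needed by release-please itself (tags/releases and the
# rolling release PR). They apply to every step of the job, including the
# dependency install and the SBOM tooling below.
permissions:
  contents: write
  pull-requests: write

# A second push to main while a release PR is open shouldn't fight with the
# first invocation — release-please-action already updates the rolling PR
# idempotently, but concurrency keeps the audit trail clean.
concurrency:
  group: release-please
  cancel-in-progress: false

jobs:
  release-please:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): this action and the checkout / pnpm / setup-node actions
      # below are referenced by mutable major-version tag; only the release
      # upload action is SHA-pinned. ADR-023 §1 is cited for SHA pinning —
      # confirm whether it is meant to cover these four as well.
      - uses: googleapis/release-please-action@v4
        id: release
        with:
          config-file: release-please-config.json
          manifest-file: .release-please-manifest.json
          token: ${{ secrets.GITHUB_TOKEN }}

      # The steps below run only when release-please actually cut a release.
      # pnpm dlx avoids adding @cyclonedx/cyclonedx-npm to the lockfile (CI-only
      # tool per ADR-022); SHA-pinned action follows ADR-023 §1 Renovate pattern.
      #
      # NOTE(review): `releases_created` is true when any tracked package is
      # released, while the un-prefixed `tag_name` output is, per the action's
      # documentation, the root component's tag. Confirm that a release of a
      # feature package alone cannot reach the SBOM steps with an empty tag.
      - uses: actions/checkout@v4
        if: ${{ steps.release.outputs.releases_created == 'true' }}
        with:
          # Nothing after this step pushes with git, so the write-scoped token
          # is not left in .git/config where install scripts could read it.
          persist-credentials: false

      - uses: pnpm/action-setup@v4
        if: ${{ steps.release.outputs.releases_created == 'true' }}
        with:
          version: 9

      - uses: actions/setup-node@v4
        if: ${{ steps.release.outputs.releases_created == 'true' }}
        with:
          node-version: 22
          cache: pnpm

      - name: Install dependencies
        if: ${{ steps.release.outputs.releases_created == 'true' }}
        run: pnpm install --frozen-lockfile

      # The tag is handed to the shell through an environment variable rather
      # than expanded into the script text, so its value is never parsed as
      # shell syntax.
      #
      # NOTE(review): `pnpm dlx` resolves the newest published version of the
      # SBOM tool on every release, in a job holding a contents:write token;
      # consider an exact version (`@cyclonedx/cyclonedx-npm@<PINNED_VERSION>`).
      # `--ignore-npm-errors` suppresses npm errors during collection, so the
      # resulting SBOM should be treated as best-effort rather than complete.
      - name: Generate CycloneDX SBOM
        if: ${{ steps.release.outputs.releases_created == 'true' }}
        env:
          TAG_NAME: ${{ steps.release.outputs.tag_name }}
        run: >
          pnpm dlx @cyclonedx/cyclonedx-npm
          --output-file "sbom-${TAG_NAME}.cdx.json"
          --output-format json
          --ignore-npm-errors

      - name: Attach SBOM to GitHub release
        if: ${{ steps.release.outputs.releases_created == 'true' }}
        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
        with:
          tag_name: ${{ steps.release.outputs.tag_name }}
          files: sbom-${{ steps.release.outputs.tag_name }}.cdx.json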