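# Composite action: installs Node.js and pnpm, points pnpm at a JFrog
# Artifactory npm registry, stores the auth token for that registry, and runs
# `pnpm publish` in the requested working directory.
name: publish-npm-package
description: Publish a PNPM package to JFrog Artifactory.

inputs:
  working-directory:
    description: Directory containing package.json
    required: false
    default: "."
  node-version:
    description: Node.js version
    required: false
    default: "24"
  pnpm-version:
    description: pnpm version
    required: false
    default: "10.33"
  jfrog-token:
    # Credential with publish rights: callers should pass it from their
    # secret store, never as a literal in the workflow file.
    description: JFrog npm auth token
    required: true
  registry-url:
    description: npm registry URL
    required: false
    default: "https://schmalz.jfrog.io/artifactory/api/npm/default-npm/"

runs:
  using: composite
  steps:
    # Pinned to commit SHA instead of a tag to prevent supply chain attacks:
    # a tag can later be pointed at different code, a full commit SHA cannot.
    # When bumping, check the new SHA against the upstream release tag.
    # actions/setup-node v4.4.0 — https://code.forgejo.org/actions/setup-node/commits/tag/v4.4.0
    - name: Setup Node
      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
      with:
        node-version: ${{ inputs.node-version }}

    # Pinned to commit SHA instead of a tag to prevent supply chain attacks.
    # pnpm/action-setup v4.3.0 — https://code.forgejo.org/pnpm/action-setup/commits/tag/v4.3.0
    - name: Install pnpm
      uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1
      env:
        # pnpm/action-setup bootstraps itself via npm before pnpm is available,
        # so it must reach the public npm registry. The override is scoped to
        # this step only; the JFrog registry is configured in the next step.
        NPM_CONFIG_REGISTRY: https://registry.npmjs.org
      with:
        version: ${{ inputs.pnpm-version }}

    # The inputs are handed to the script through env and only ever expanded
    # as quoted shell variables, so their content is never spliced into the
    # script text and cannot be evaluated as shell code.
    #
    # NOTE(review): `pnpm set` persists the registry and the token in pnpm's
    # configuration on the runner, and nothing in this action removes them.
    # On a non-ephemeral runner the token presumably stays readable by later
    # jobs running as the same user — confirm the runner lifecycle or add a
    # cleanup step in the calling workflow.
    - name: Configure JFrog registry authentication
      shell: bash
      env:
        JFROG_TOKEN: ${{ inputs.jfrog-token }}
        REGISTRY_URL: ${{ inputs.registry-url }}
      run: |
        set -euo pipefail

        # Fail here with a clear message instead of letting the publish step
        # fail later with an opaque authentication error (for example when
        # the secret is not available to the triggering workflow).
        if [ -z "${JFROG_TOKEN}" ]; then
          echo "::error::jfrog-token input is empty; refusing to configure registry authentication"
          exit 1
        fi

        # http:// stays accepted for backward compatibility, but the token
        # would then travel without TLS, so make that visible in the job log.
        case "${REGISTRY_URL}" in
          https://*) ;;
          *) echo "::warning::registry-url does not start with https://; the auth token will not be protected by TLS in transit" ;;
        esac

        pnpm set registry "${REGISTRY_URL}"

        # Build the scheme-less key form used for per-registry credentials,
        # //host/path/:_authToken, by dropping the scheme and one trailing slash.
        AUTHORITY="${REGISTRY_URL#https://}"
        AUTHORITY="${AUTHORITY#http://}"
        AUTHORITY="${AUTHORITY%/}"

        # NOTE(review): the token is passed as a command-line argument here,
        # which other processes on the same host can usually observe while the
        # command runs — acceptable on isolated runners, worth confirming on
        # shared ones.
        pnpm set "//${AUTHORITY}/:_authToken" "${JFROG_TOKEN}"

    # Publishes using the registry and credentials stored by the previous step.
    - name: Publish
      shell: bash
      working-directory: ${{ inputs.working-directory }}
      run: pnpm publish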