name: Semantic Release

on:
  workflow_call:
    secrets:
      GH_TOKEN:
        description: 'PAT with repo access, required to trigger workflows on tag push'
        required: false

jobs:
  release:
    name: Release
    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
        with:
          fetch-depth: 0
          token: ${{ secrets.GH_TOKEN || github.token }}

      - name: Setup semantic-release
        uses: https://gitea.ldpt.fr/actions/semantic-release/setup-semrel@main
        with:
          node-version: "24"

      - name: Configure git remote with PAT
        if: ${{ secrets.GH_TOKEN != '' }}
        shell: bash
        env:
          GH_TOKEN: ${{ secrets.GH_TOKEN }}
        run: |
          set -euo pipefail
          REMOTE_URL=$(git remote get-url origin)
          # Inject PAT so tag pushes come from the PAT user, not the Actions runner token
          NEW_URL=$(echo "$REMOTE_URL" | sed "s|https://|https://oauth2:${GH_TOKEN}@|")
          git remote set-url origin "$NEW_URL"

      - name: Run semantic-release
        env:
          GITEA_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
        run: semantic-release