[Feat] separate workflow for publish to improve support for publishing w oidc

[dominikg]

github and npm introduced a new feature that allows you to publish from a specific workflow using oidc.
https://github.blog/changelog/2025-07-31-npm-trusted-publishing-with-oidc-is-generally-available/

To enable it, you enter your repo and the name of a workflow file in your npmjs.com package settings, add id-token: write permission in that workflow and use npm publish with npm version >=11.5

You can also specify a deployment environment in npm and in the workflow to ensure that the publish workflow is only run after approval (via github environment constraints).

All of this is tied to the workflow and you only want to run it when actually publishing to npm. But today the action does both. Which would require all runs to be approved manually, including creating or updating a "version packages" PR.

Suggested solution:

Allow users to specify 2 different workflows:

1. changesets.yml
   creates and updates release PRs
2. publish.yml
   publish to registry, update release info etc.

The tricky part is how merging of a release PR would trigger the second workflow. I think it could be achieved with workflow_dispatch.

[dominikg]

related discussion on e18e discord: https://discord.com/channels/1227627367204257852/1400746226009243819

example setup that currently requires too many manual approves: https://github.com/svitejs/sfcsplit/blob/main/.github/workflows/release.yml (notice no NPM_TOKEN gets passed, the repo contains no secret).

https://github.com/svitejs/sfcsplit/deployments shows that 4 approvals were given but only one of them was for publishing the package. the others were for creating and updating the release PR

[ThisIsMissEm]

Is this saying that trusted publishing is supported in changesets / changesets/action, but if using github environment constraints, then it requires too many individual approvals?

[dominikg]

only if you enable this constraint in the environment. You should still use environment configuration in oidc settings on npm and add an environment to your release workflow in github and limit that environment to use your main branch (or whatever branch you publish from)

[ThisIsMissEm]

Okay, cool, thanks!