chore: consolidate release for trusted publishing (#3744)

* Consolidate release automation by replacing the old start-release workflows with a unified release.yml flow and update publish workflows to use OIDC/provenance-based npm publishing permissions instead of token-written .npmrc auth

* Refine release workflows by moving trigger/permission logic into release.yml, simplifying publish-npm.yml publish/auth steps, and removing now-redundant settings from create-cli-release.yml

* Adjust publish-npm.yml release gating logic to correctly handle stable vs prerelease publish behavior while keeping the trusted publishing flow intact

Author: michaelmalave

.github/workflows/create-cli-release.yml

@@ -1,13 +1,6 @@
 name: Create CLI Release
 
 on:
-  workflow_dispatch:
-    inputs:
-      isStableCandidate:
-        type: boolean
-        description: Is this a stable/prod candidate?
-        required: true
-        default: false
   workflow_call:
     inputs:
       isStableCandidate:
@@ -16,6 +9,10 @@ on:
         required: true
         default: false
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   get-version-channel:
     runs-on: ubuntu-latest

.github/workflows/publish-npm.yml

@@ -1,20 +1,6 @@
 name: Publish NPM
 
 on:
-  workflow_dispatch:
-    inputs:
-      isStableRelease:
-        type: boolean
-        description: Is this a stable/prod release?
-        required: true
-        default: false
-      channel:
-        type: choice
-        description: If this is a prerelease, is it alpha or beta?
-        options:
-          - alpha
-          - beta
-        required: false
   workflow_call:
     inputs:
       isStableRelease:
@@ -27,6 +13,10 @@ on:
         description: Release channel for prereleases
         required: false
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   publish-npm:
     # pub-hk-ubuntu-22.04- due to IP allow list issues with public repos: https://salesforce.quip.com/bu6UA0KImOxJ
@@ -38,9 +28,8 @@ jobs:
         with:
           node-version: 22.x
           cache: npm
+          registry-url: 'https://registry.npmjs.org'
       - run: npm ci
-      - name: set NPM auth
-        run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_PUBLISH_KEY }}" > ~/.npmrc
       - name: Publish to NPM
         run: |
           PACKAGE_VERSION=$(node -e "console.log(require('./package.json').version)")

.github/workflows/start-prerelease.yml .github/workflows/release.yml.github/workflows/start-prerelease.yml renamed to .github/workflows/release.yml

@@ -1,13 +1,28 @@
-name: Watch and start pre release
+name: Release
 
 on:
+  release:
+    # This works for both releases and prereleases https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#release
+    types: [published]
   push:
     branches:
       - prerelease/*
+  workflow_dispatch:
+    inputs:
+      isStableCandidate:
+        type: boolean
+        description: Is this a stable/prod candidate?
+        required: true
+        default: false
+
+permissions:
+  contents: write
+  id-token: write
+  pull-requests: read
 
 jobs:
+  # --- Shared: extract version/channel from package.json ---
   get-version-channel:
-    # get the version number and release channel name from the package.json
     runs-on: ubuntu-latest
     outputs:
       channel: ${{ steps.getVersion.outputs.channel }}
@@ -19,21 +34,24 @@ jobs:
         with:
           path: './package.json'
 
+  # --- Prerelease only: validate branch + version constraints ---
   validate-prerelease:
-    # validate that the release is on a pre-release branch, that it is a beta or alpha release, and check if it is already on github
-    needs: [ get-version-channel ]
+    if: github.event_name == 'push'
+    needs: [get-version-channel]
     runs-on: ubuntu-latest
     env:
-        CHANNEL: ${{ needs.get-version-channel.outputs.channel }}
-        VERSION: ${{ needs.get-version-channel.outputs.version }}
-        CURRENT_BRANCH_NAME: ${{ github.ref_name }}
+      CHANNEL: ${{ needs.get-version-channel.outputs.channel }}
+      VERSION: ${{ needs.get-version-channel.outputs.version }}
+      CURRENT_BRANCH_NAME: ${{ github.ref_name }}
     steps:
       - uses: actions/checkout@v6
       - run: npm ci
       - run: ./scripts/release/validate-prerelease
 
+  # --- Prerelease only: publish git tag ---
   publish-github-tag:
-    needs: [ get-version-channel, validate-prerelease ]
+    if: github.event_name == 'push'
+    needs: [get-version-channel, validate-prerelease]
     # pub-hk-ubuntu-22.04- due to IP allow list issues with public repos: https://salesforce.quip.com/bu6UA0KImOxJ
     runs-on: pub-hk-ubuntu-22.04-small
     env:
@@ -53,22 +71,30 @@ jobs:
           git tag "${{ env.TAG_NAME }}" -m "${{ env.TAG_NAME }}"
           git push origin "${{ env.TAG_NAME }}"
 
-  create-prerelease:
-    needs: [ get-version-channel, validate-prerelease ]
+  # --- Both paths: orchestrate the full release pipeline ---
+  create-release:
+    needs: [get-version-channel, validate-prerelease]
+    if: |
+      always() &&
+      (needs.validate-prerelease.result == 'success' || needs.validate-prerelease.result == 'skipped')
     uses: ./.github/workflows/create-cli-release.yml
     secrets: inherit
     with:
-      isStableCandidate: ${{ false }}
+      isStableCandidate: ${{ (github.event_name == 'release' && !contains(github.event.release.tag_name, '-')) || (github.event_name == 'workflow_dispatch' && inputs.isStableCandidate) }}
 
+  # --- Prerelease only: post-release smoke tests ---
   prerelease-smoke-tests:
-    needs: [ get-version-channel, create-prerelease ]
+    if: github.event_name == 'push'
+    needs: [get-version-channel, create-release]
     uses: ./.github/workflows/test-installed-cli.yml
     secrets: inherit
     with:
       version: ${{ needs.get-version-channel.outputs.version }}
 
+  # --- Prerelease only: direwolf integration tests ---
   prerelease-direwolf-tests:
-    needs: [ get-version-channel, create-prerelease ]
+    if: github.event_name == 'push'
+    needs: [get-version-channel, create-release]
     uses: ./.github/workflows/direwolf.yml
     secrets: inherit
     with: