refactor(ci): merge release workflows into single file (#1137)

* refactor(ci): merge release workflows into single file

npm trusted publisher only allows one CI file to be configured.
Merged release-production.yml, release-beta.yml, and release-dry-run.yml
into a single release.yml with a workflow_dispatch type input
(dry-run, beta, production).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat(ci): enable npm trusted publishing with provenance

- Add id-token: write permission for OIDC token exchange
- Enable provenance in @semantic-release/npm config
- Remove manual npm config set from devbox release script

Packages must be configured on npmjs.com to trust the
segmentio/analytics-react-native repo and release.yml workflow.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat(ci): upgrade to @semantic-release/npm v13 for OIDC trusted publishing

Upgrade from v11 to v13 which natively supports OIDC trusted
publishing. This eliminates the need for NPM_TOKEN entirely - npm
auth is handled via short-lived OIDC tokens from the GitHub runner.

Removed all NPM_TOKEN and YARN_NPM_AUTH_TOKEN references from the
release workflow.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: abueide

.github/workflows/release-beta.yml

@@ -0,0 +1,81 @@
+name: Release
+
+on:
+  workflow_dispatch:
+    inputs:
+      type:
+        description: 'Release type'
+        required: true
+        type: choice
+        options:
+          - dry-run
+          - beta
+          - production
+
+concurrency:
+  group: release
+  cancel-in-progress: true
+
+jobs:
+  fast-checks:
+    name: Build + Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: devbox installer
+        uses: jetify-com/devbox-install-action@v0.14.0
+        with:
+          project-path: shells/devbox-fast.json
+          enable-cache: 'false'
+      - name: build
+        run: devbox run --config=shells/devbox-fast.json build
+
+  release:
+    name: Release (${{ inputs.type }})
+    needs: [fast-checks]
+    runs-on: ubuntu-latest
+    environment: ${{ inputs.type != 'dry-run' && 'Publish' || '' }}
+    permissions:
+      contents: write
+      issues: write
+      pull-requests: write
+      id-token: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          token: ${{ inputs.type != 'dry-run' && secrets.GH_TOKEN || github.token }}
+
+      - name: Point beta branch at current commit
+        if: inputs.type == 'beta'
+        run: |
+          git checkout -B beta HEAD
+          git push origin beta --force
+
+      - name: devbox installer
+        uses: jetify-com/devbox-install-action@v0.14.0
+        with:
+          project-path: shells/devbox-fast.json
+          enable-cache: 'false'
+
+      - name: Release (dry-run)
+        if: inputs.type == 'dry-run'
+        run: devbox run --config=shells/devbox-fast.json release-dry-run
+        env:
+          GH_TOKEN: ${{ github.token }}
+
+      - name: Release (beta)
+        if: inputs.type == 'beta'
+        run: devbox run --config=shells/devbox-fast.json release
+        env:
+          GH_TOKEN: ${{ secrets.GH_TOKEN }}
+
+      - name: Release (production)
+        if: inputs.type == 'production'
+        run: devbox run --config=shells/devbox-fast.json release
+        env:
+          GH_TOKEN: ${{ secrets.GH_TOKEN }}
+
+      - name: Update Apps
+        if: inputs.type == 'production'
+        run: devbox run --config=shells/devbox-fast.json update-apps

.github/workflows/release-dry-run.yml

@@ -37,7 +37,7 @@
     "@semantic-release/commit-analyzer": "^11.1.0",
     "@semantic-release/git": "^10.0.1",
     "@semantic-release/github": "^9.2.3",
-    "@semantic-release/npm": "^11.0.1",
+    "@semantic-release/npm": "^13.1.5",
     "@semantic-release/release-notes-generator": "^12.1.0",
     "@types/jest": "^29.5.8",
     "@types/node": "^20.9.1",

.github/workflows/release-production.yml

@@ -10,7 +10,7 @@ module.exports = {
       { preset: 'conventionalcommits' },
     ],
     ['@semantic-release/changelog', { changelogFile }],
-    ['@semantic-release/npm', { npmPublish: true }],
+    ['@semantic-release/npm', { npmPublish: true, provenance: true }],
     ['@semantic-release/github', { successComment: false }],
     ['@semantic-release/git', { assets: [changelogFile, 'package.json'] }],
   ],

.github/workflows/release.yml

@@ -13,7 +13,6 @@
       "build": ["bash $SCRIPTS_DIR/build.sh"],
       "release": [
         "cd \"$PROJECT_ROOT\"",
-        "npm config set //registry.npmjs.org/:_authToken ${NPM_TOKEN}",
         "yarn install --immutable",
         "yarn build",
         "yarn multi-semantic-release"