ci: pin idempotent package publish template #7
Greptile Summary
This PR updates the pinned SHA of the shared
Confidence Score: 5/5
Safe to merge — single-line SHA bump to a SHA-pinned reusable workflow with no other changes. The change is limited to updating a pinned SHA reference in a reusable workflow call. SHA-pinning is the correct security practice for third-party or shared Actions, and the PR description links a successful proof run validating the new template behavior. No files require special attention.
Important Files Changed
Sequence Diagram
sequenceDiagram
participant GH as GitHub Release / workflow_dispatch
participant PW as publish.yml (this repo)
participant CT as ci-templates js-bazel-package.yml@f23f67b
participant NPM as npmjs
participant GHP as GitHub Packages
GH->>PW: trigger (release published or manual)
PW->>CT: uses reusable workflow (pinned SHA)
CT->>CT: build, typecheck, test, package check
CT->>NPM: publish (idempotent – skip if version exists)
CT->>GHP: publish (idempotent – skip if version exists)
Reviews (1): Last reviewed commit: "ci: pin idempotent package publish templ..."
Pins the shared js-bazel-package workflow to the TIN-713 idempotent publish template.
This keeps existing package publishes from failing when npmjs or GitHub Packages already has the same version.
Proof run: tinyland-inc/tinyland-stores/actions/runs/25092503866.