fix(ci): pass github packages publish token

[Jess Sullivan (Jesssullivan)]

Passes the optional GITHUB_PACKAGES_TOKEN through to the reusable Bazel package Publish workflow and updates the reusable workflow pin to the token-override capable revision.

This is the follow-up to the GitHub Packages scope fix: the mirror package names are now @tinyland-inc/*, but existing granular packages can still reject the repo GITHUB_TOKEN with permission_denied: write_package unless the package-admin token is passed.

Tracking: TIN-713

[greptile-apps]

Greptile Summary

This PR updates the reusable Bazel publish workflow SHA pin and adds a GITHUB_PACKAGES_TOKEN secret passthrough to resolve permission_denied: write_package errors for granular packages.

• The new secret name GITHUB_PACKAGES_TOKEN violates GitHub's naming rules — secrets cannot start with the GITHUB_ prefix and cannot be created in repository or organization settings, so ${{ secrets.GITHUB_PACKAGES_TOKEN }} will always be empty and the fix will silently have no effect. The secret (and its reference here) should be renamed to something like GH_PACKAGES_TOKEN.

Confidence Score: 4/5

Safe to merge structurally, but the core fix is a no-op due to the reserved secret name prefix — the permission issue it targets will remain unfixed.

One P1 finding: the secret name GITHUB_PACKAGES_TOKEN cannot be created in GitHub due to the reserved prefix restriction, meaning the token passthrough silently does nothing. The SHA pin bump and workflow structure are otherwise fine.

.github/workflows/publish.yml — the new secret name and corresponding org/repo secret need to be renamed.

Important Files Changed

Filename	Overview
.github/workflows/publish.yml	Bumps reusable workflow SHA pin and adds GITHUB_PACKAGES_TOKEN secret passthrough, but the secret name violates GitHub's naming restriction (no GITHUB_ prefix allowed), making the token-override a silent no-op.

Sequence Diagram

sequenceDiagram
    participant GH as GitHub Actions
    participant CW as publish.yml (caller)
    participant RW as js-bazel-package.yml (reusable)
    participant GHCR as GitHub Packages (GHCR)
    participant NPM as npm Registry

    GH->>CW: Trigger (release / workflow_dispatch)
    CW->>RW: uses @ c1fbeee (SHA pin)
    Note over CW,RW: secrets: NPM_TOKEN, GITHUB_PACKAGES_TOKEN
    Note over CW,RW: GITHUB_PACKAGES_TOKEN always empty (GITHUB_ prefix is reserved)
    RW->>GHCR: Publish @tinyland-inc/tinyland-event-loader
    Note over RW,GHCR: Falls back to GITHUB_TOKEN, permission_denied
    RW->>NPM: Publish with NPM_TOKEN

Loading

_{Reviews (2): Last reviewed commit: "fix(ci): pass github packages publish to..." | Re-trigger Greptile}

[greptile-apps]

GITHUB_ prefix is reserved — secret can never be set

GitHub enforces that user-created secrets (repository, organization, or enterprise) must not start with the GITHUB_ prefix (docs). This means GITHUB_PACKAGES_TOKEN cannot be stored in GitHub secrets at all; ${{ secrets.GITHUB_PACKAGES_TOKEN }} will always resolve to an empty string, silently leaving the token-override empty and the permission_denied: write_package error unfixed.

Rename the secret to something that doesn't start with GITHUB_, e.g. GH_PACKAGES_TOKEN or PKG_PUBLISH_TOKEN, both here and in the repository/org secrets settings.

Suggested change

	GITHUB_PACKAGES_TOKEN: ${{ secrets.GITHUB_PACKAGES_TOKEN }}
	GITHUB_PACKAGES_TOKEN: ${{ secrets.GH_PACKAGES_TOKEN }}