fix(ci): use nonreserved github packages token

[Jess Sullivan (Jesssullivan)]

Pins the package Publish workflow to the non-reserved token contract from ci-templates#24 and passes TINYLAND_GITHUB_PACKAGES_TOKEN where the workflow uses explicit secret mapping.

GitHub rejects custom Actions secret names beginning with GITHUB_, so the previous GITHUB_PACKAGES_TOKEN wiring could never be installed as an org secret.

Tracking: TIN-713

[greptile-apps]

Greptile Summary

Renames the secret passed to the reusable publish workflow from GITHUB_PACKAGES_TOKEN to TINYLAND_GITHUB_PACKAGES_TOKEN and bumps the pinned SHA of the reusable workflow to 82308d06, both needed to align with the non-reserved token contract introduced in ci-templates#24. The fix is correct: GitHub Actions silently blocks org secrets whose names begin with GITHUB_, so the old name could never be provisioned at the org level.

Confidence Score: 5/5

Safe to merge — minimal, targeted CI fix with no logic changes.

Both changes are mechanical and correct: the secret rename unblocks org-level provisioning (GitHub's reserved-prefix constraint), and the SHA bump pins to the corresponding ci-templates release. No logic, no new dependencies, and no security concerns introduced.

No files require special attention.

Important Files Changed

Filename	Overview
.github/workflows/publish.yml	Secret renamed from GITHUB_PACKAGES_TOKEN to TINYLAND_GITHUB_PACKAGES_TOKEN and reusable workflow SHA bumped to match ci-templates#24; no issues found.

Sequence Diagram

sequenceDiagram
    participant GH as GitHub Actions
    participant PW as publish.yml
    participant RW as ci-templates/js-bazel-package.yml@82308d06

    GH->>PW: trigger (release / workflow_dispatch)
    PW->>RW: call reusable workflow
    note over PW,RW: secrets: NPM_TOKEN, TINYLAND_GITHUB_PACKAGES_TOKEN
    RW->>GH: publish to npm + GitHub Packages

Loading

_{Reviews (1): Last reviewed commit: "fix(ci): use nonreserved github packages..." | Re-trigger Greptile}