ci: pin idempotent package publish template #11
Greptile Summary
This PR updates the pinned SHA reference for the shared
Confidence Score: 5/5
Safe to merge — single SHA bump on a pinned reusable workflow with no logic changes. The change is a one-line SHA update that keeps the workflow pinned to an immutable commit, following GitHub Actions security best practices. No permissions, secrets handling, logic, or other configuration is modified. The proof run cited in the PR description confirms the new SHA behaves as intended. No files require special attention.
Important Files Changed
Sequence Diagram
sequenceDiagram
participant GH as GitHub Actions
participant PY as publish.yml
participant CT as ci-templates<br/>(js-bazel-package.yml<br/>@ f23f67b)
participant NPM as npmjs / GitHub Packages
GH->>PY: release published / workflow_dispatch
PY->>CT: call reusable workflow (pinned SHA)
CT->>CT: build, typecheck, test
CT->>NPM: publish (idempotent – skip if version exists)
NPM-->>CT: 200 OK or "already exists" (no error)
CT-->>PY: success
Reviews (1): Last reviewed commit: "ci: pin idempotent package publish templ..."
Pins the shared js-bazel-package workflow to the TIN-713 idempotent publish template.
This keeps existing package publishes from failing when npmjs or GitHub Packages already has the same version.
Proof run: tinyland-inc/tinyland-stores/actions/runs/25092503866.
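The change depends on the reusable workflow being referenced by a full commit SHA rather than a branch or tag. A check for that property, as an added example that is not part of this PR or of the ci-templates repository; the workflow text, the `example-org` owner and the 40-character SHA below are constructed sample values:

```python
import re

# One `uses:` reference per line, as a job-level key or a step list item.
USES_RE = re.compile(r"^[ \t]*(?:-[ \t]*)?uses:[ \t]*['\"]?([^\s'\"#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow (not the repository's real publish.yml).
SAMPLE = """\
name: publish
on:
  release:
    types: [published]
  workflow_dispatch:
jobs:
  package:
    uses: example-org/ci-templates/.github/workflows/js-bazel-package.yml@0123456789abcdef0123456789abcdef01234567
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/ci-templates/.github/actions/setup@main  # constructed
      - uses: ./.github/actions/local
      # - uses: example-org/ignored@main  (commented out, not audited)
"""

def audit_uses(workflow_text):
    """Return (target, ref, verdict) for every `uses:` reference in the text."""
    findings = []
    for match in USES_RE.finditer(workflow_text):
        target = match.group(1)
        if target.startswith("./") or target.startswith("docker://"):
            findings.append((target, None, "local"))  # not a repo ref; out of scope here
            continue
        path, sep, ref = target.rpartition("@")
        if not sep:
            findings.append((target, None, "missing-ref"))
        elif FULL_SHA_RE.match(ref):
            findings.append((path, ref, "pinned"))
        else:
            # Branches, tags and abbreviated hashes are not full-length SHA pins.
            findings.append((path, ref, "not-pinned"))
    return findings

def unpinned(workflow_text):
    """References a CI gate should reject: remote refs without a 40-hex SHA."""
    return [f for f in audit_uses(workflow_text) if f[2] in ("not-pinned", "missing-ref")]

if __name__ == "__main__":
    for target, ref, verdict in audit_uses(SAMPLE):
        print(f"{verdict:11} {target} @ {ref}")
```
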