
fix(ci): enable package publish on tags#5

Merged
Jess Sullivan (Jesssullivan) merged 1 commit into main from jess/tin-713-publish-on-tag on Apr 28, 2026

Conversation

@Jesssullivan

Contributor

Summary

  • pin CI to ci-templates 53f0326 with tag publish support
  • run publish on v* tag pushes and allow manual publish=true workflow dispatch backfills
  • grant package/id-token permissions needed by the reusable publish workflow

Refs TIN-713.

Validation

  • ruby YAML parse for .github/workflows/ci.yml
  • git diff --check
  • actionlint .github/workflows/ci.yml

@greptile-apps

greptile-apps Bot commented Apr 28, 2026


Greptile Summary

This PR wires up package publishing by adding a v* tag trigger, a manual publish dispatch input, and upgraded packages: write / id-token: write permissions, and by bumping the reusable workflow SHA to one with tag-publish support.

  • The dry_run expression evaluates to true on every push event — including v* tag pushes — so publishing on tags depends entirely on whether the reusable workflow treats publish_on_tag: true as an override to a caller-supplied dry_run: true. That contract is not visible here; if dry_run wins, all tag pushes silently dry-run instead of publishing.

Confidence Score: 3/5

The PR's core goal — publishing on tag pushes — may not work because dry_run is true for all push events and the reusable workflow's resolution of dry_run vs publish_on_tag is opaque to this caller.

One P1 finding: the dry_run expression does not set false for tag pushes, leaving the actual publishing behaviour dependent on an undocumented precedence rule inside the reusable workflow. If the reusable workflow does not override dry_run: true when publish_on_tag: true and a tag event is detected, every tag push silently dry-runs instead of publishing.

.github/workflows/ci.yml — specifically lines 38-39 (dry_run / publish_on_tag interaction)

Important Files Changed

Filename: .github/workflows/ci.yml
Overview: Adds v* tag trigger, publish workflow_dispatch input, packages/id-token write permissions, and publish_on_tag; the dry_run expression does not account for tag push events, risking a silent dry-run on tag triggers.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[GitHub Event] --> B{Event type?}
    B -->|push to main| C[dry_run = true\nskip publish]
    B -->|push to v* tag| D{publish_on_tag\nin reusable wf?}
    B -->|pull_request| E[dry_run = true\nskip publish]
    B -->|workflow_dispatch| F{inputs.publish\n== true?}
    F -->|yes| G[dry_run = false\npublish package]
    F -->|no| H[dry_run = true\nskip publish]
    D -->|overrides dry_run| I[publish package ✅]
    D -->|dry_run wins| J[dry_run = true\nsilent dry-run ⚠️]

Reviews (1): Last reviewed commit: "fix(ci): enable package publish on tags"

Comment thread .github/workflows/ci.yml
Comment on lines 38 to 39
npm_access: public
github_package_name: "@tummycrypt/tinyland-security"


P1: dry_run is always true on tag pushes

The expression !(github.event_name == 'workflow_dispatch' && inputs.publish == true) evaluates to true on every push event (including v* tag pushes), so the reusable workflow receives both dry_run: true and publish_on_tag: true simultaneously on a tag trigger. Whether a publish actually occurs depends entirely on whether the reusable workflow at 53f0326 lets publish_on_tag override a caller-supplied dry_run: true — that contract isn't visible here. If dry_run takes precedence, tags will silently produce a dry run instead of a real publish, negating the purpose of this PR.

To make the intent explicit and remove the ambiguity, include the tag-push case in the dry_run expression:

Suggested change
npm_access: public
github_package_name: "@tummycrypt/tinyland-security"
dry_run: ${{ !(github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')) && !(github.event_name == 'workflow_dispatch' && inputs.publish == true) }}
publish_on_tag: true

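As an added illustration that is not the PR's actual ci.yml, here is a caller workflow wired the way the summary and the review comment describe, with the original dry_run expression kept as a comment beside the explicit one; the ORG name and the publish.yml path in `uses:` are assumed placeholders, and 53f0326 is the abbreviated SHA from the PR.

```yaml
# Illustrative caller workflow (constructed example, not the PR's own file).
name: ci

on:
  push:
    branches: [main]
    tags: ['v*']            # tag pushes are the intended publish trigger
  pull_request:
  workflow_dispatch:
    inputs:
      publish:
        description: "Publish for real (manual backfill)"
        type: boolean
        default: false

# Least privilege: keep the workflow-level default read-only and grant the
# extra scopes only to the job that calls the reusable publish workflow.
permissions:
  contents: read

jobs:
  publish:
    permissions:
      contents: read
      packages: write       # needed to push the package
      id-token: write       # needed for the OIDC token the publish step mints
    # Pin the reusable workflow to a commit SHA, not a branch or mutable tag.
    # ORG/publish.yml are placeholders; use the full 40-character SHA in practice.
    uses: ORG/ci-templates/.github/workflows/publish.yml@53f0326
    with:
      npm_access: public
      github_package_name: "@tummycrypt/tinyland-security"
      # Original expression (ambiguous): true on every push event, including
      # v* tag pushes, so a real publish relies on the reusable workflow letting
      # publish_on_tag override a caller-supplied dry_run: true.
      # dry_run: ${{ !(github.event_name == 'workflow_dispatch' && inputs.publish == true) }}
      #
      # Explicit form: false only for a v* tag push or a manual run with
      # publish=true; every other event (main push, pull_request) stays a dry run.
      dry_run: ${{ !(github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')) && !(github.event_name == 'workflow_dispatch' && inputs.publish == true) }}
      publish_on_tag: true
```

Keep the `refs/tags/v` prefix in the expression and the `v*` filter under `on.push.tags` in step with each other, since a tag that matches one but not the other would trigger the job yet still dry-run.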
@Jesssullivan Jess Sullivan (Jesssullivan) merged commit f0199a9 into main Apr 28, 2026
5 checks passed
@Jesssullivan Jess Sullivan (Jesssullivan) deleted the jess/tin-713-publish-on-tag branch April 28, 2026 01:04