
fix(ci): align publish workflow package scope#8

Merged
Jess Sullivan (Jesssullivan) merged 1 commit into main from fix/tin-713-publish-workflow-scope
Apr 28, 2026

Conversation

@Jesssullivan

Contributor

Summary

  • move the legacy Publish workflow to the package-token capable ci-template revision
  • publish GitHub Packages as @tinyland-inc/tinyland-security instead of @tummycrypt/tinyland-security
  • inherit publish secrets consistently with the newer CI publish workflow

Validation

  • git diff --check
  • Ruby YAML parse for publish workflow
  • actionlint .github/workflows/publish.yml

@greptile-apps

greptile-apps Bot commented Apr 28, 2026


Greptile Summary

This PR updates the publish workflow to use a newer ci-templates SHA, renames the GitHub Packages scope from @tummycrypt/tinyland-security to @tinyland-inc/tinyland-security, and replaces the explicit NPM_TOKEN secret mapping with secrets: inherit. The changes are intentional and well-scoped, but the package rename is a breaking change for any existing consumers of the old scope, and secrets: inherit broadens the secrets surface passed to the reusable workflow.

Confidence Score: 4/5

Safe to merge with awareness that downstream consumers of the old @tummycrypt scope will not receive further updates.

Only P2 findings: broader secrets surface via secrets: inherit (acceptable within same-org pinned workflow) and a breaking package rename for existing consumers. No P0 or P1 issues found.

.github/workflows/publish.yml — confirm ci-templates at new SHA does not forward secrets to third-party steps, and communicate the scope rename to downstream consumers.

Security Review

  • secrets: inherit in .github/workflows/publish.yml (line 38) exposes all repository secrets to tinyland-inc/ci-templates rather than only NPM_TOKEN. The callee is a pinned, same-org workflow, which keeps risk low, but the surface area is wider than before.

Important Files Changed

Filename: .github/workflows/publish.yml
Overview: Updated reusable workflow SHA, renamed package scope from @tummycrypt to Tinyland, Inc (@tinyland-inc), and switched from explicit NPM_TOKEN secret mapping to secrets: inherit — all intentional, with minor breadth concern on secrets and a breaking change for existing consumers of the old scope.

Sequence Diagram

sequenceDiagram
    participant GH as GitHub Event (release / workflow_dispatch)
    participant PW as publish.yml
    participant CT as ci-templates js-bazel-package.yml@0d88ad7
    participant GPR as GitHub Packages

    GH->>PW: Trigger (release published or manual)
    PW->>CT: uses reusable workflow with github_package_name=@tinyland-inc/tinyland-security
    Note over PW,CT: secrets: inherit (all repo secrets forwarded)
    CT->>CT: Build (pnpm build / bazel)
    CT->>CT: Test (pnpm test)
    CT->>CT: Package check
    CT->>GPR: Publish @tinyland-inc/tinyland-security (unless dry_run=true)

Reviews (1): Last reviewed commit: "fix(ci): align publish workflow package ..."

dry_run: ${{ github.event_name == 'workflow_dispatch' && inputs.dry_run || false }}
secrets:
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
secrets: inherit
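Review bot: replacing the explicit `NPM_TOKEN: ${{ secrets.NPM_TOKEN }}` mapping with `secrets: inherit` hands every secret in this repository's context to the reusable workflow, so the job no longer documents which credentials the publish actually needs. If the new ci-templates revision needs a second token for GitHub Packages, as the PR summary's "package-token capable" wording suggests, the least-privilege alternative is to keep the explicit `secrets:` block and add that one secret by name; otherwise confirm that the callee's `on.workflow_call.secrets` declares only what it uses, since nothing in this hunk constrains what the inherited set grows into as secrets are added to the repo.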


P2 (security): secrets: inherit passes all repository secrets

Switching from an explicit NPM_TOKEN: ${{ secrets.NPM_TOKEN }} mapping to secrets: inherit causes the reusable workflow to receive every secret in this repository's context (tokens, credentials, keys), not just NPM_TOKEN. If any future secret added to this repo is sensitive and the reusable workflow (or a step it delegates to) logs or forwards it unexpectedly, the blast radius is larger than before. This is acceptable when the callee is a fully-trusted, pinned workflow within the same org — just worth confirming that tinyland-inc/ci-templates at this SHA does not fan out secrets to third-party steps.
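As an added illustration of the alternative the comment above describes (example configuration written for this page, not the project's publish.yml or ci-templates): the caller maps only the secrets the publish needs, and the reusable workflow declares exactly which names it accepts. The full-length SHA placeholder and the GH_PACKAGES_TOKEN secret name are assumptions; the inputs mirror those visible in this PR.

```yaml
# Added example, not the project's own workflow: explicit least-privilege secret
# mapping for a reusable workflow call, the alternative to `secrets: inherit`.
#
# --- Caller side (shape of .github/workflows/publish.yml) ---
name: Publish
on:
  release:
    types: [published]
  workflow_dispatch:
    inputs:
      dry_run:
        type: boolean
        default: true
jobs:
  publish:
    # Pin the reusable workflow to a full-length commit SHA (placeholder here).
    uses: tinyland-inc/ci-templates/.github/workflows/js-bazel-package.yml@<full-commit-sha>
    with:
      package_dir: ./bazel-bin/pkg
      npm_access: public
      github_package_name: "@tinyland-inc/tinyland-security"
      dry_run: ${{ github.event_name == 'workflow_dispatch' && inputs.dry_run || false }}
    # Pass each secret by name. Secrets not listed here are not visible to the
    # callee, and the names used must match those the callee declares.
    secrets:
      NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
      # Assumed name for the GitHub Packages token the newer template revision needs.
      GH_PACKAGES_TOKEN: ${{ secrets.GH_PACKAGES_TOKEN }}
---
# --- Callee side (shape of a reusable js-bazel-package.yml) ---
on:
  workflow_call:
    inputs:
      package_dir: { type: string, required: true }
      npm_access: { type: string, default: public }
      github_package_name: { type: string, required: true }
      dry_run: { type: boolean, default: false }
    # This list is the callee's contract: it states which secrets it consumes,
    # so a reviewer can see the credential surface without reading every step.
    secrets:
      NPM_TOKEN:
        required: true
      GH_PACKAGES_TOKEN:
        required: false
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - run: echo "publish ${{ inputs.github_package_name }} (dry_run=${{ inputs.dry_run }})"
```

Adding a new secret to the repository later does not widen what the callee receives until someone adds it to the caller's `secrets:` block, which is the review point that `secrets: inherit` removes.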

package_dir: ./bazel-bin/pkg
npm_access: public
github_package_name: "@tummycrypt/tinyland-security"
github_package_name: "@tinyland-inc/tinyland-security"
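Review bot: changing `github_package_name` from `@tummycrypt/tinyland-security` to `@tinyland-inc/tinyland-security` creates a new package under the new scope rather than renaming the existing one, so consumers still resolving the old name keep getting the last old release with no signal that it is abandoned. Consider pairing this with a final release or deprecation message under `@tummycrypt/tinyland-security` that points at the new name, and double-check that the unchanged `npm_access: public` context line is still the intended visibility for the first publish under the new org scope.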


P2: Package scope rename is a breaking change for existing consumers

Renaming github_package_name from @tummycrypt/tinyland-security to @tinyland-inc/tinyland-security means the next publish will create a brand-new package entry in GitHub Packages under the @tinyland-inc scope. Any downstream project currently depending on @tummycrypt/tinyland-security will silently stop receiving updates unless its package.json is updated. Consider publishing a final deprecation notice or stub release under the old scope pointing users to the new name.

@Jesssullivan Jess Sullivan (Jesssullivan) merged commit ab81c5d into main Apr 28, 2026
5 checks passed
@Jesssullivan Jess Sullivan (Jesssullivan) deleted the fix/tin-713-publish-workflow-scope branch April 28, 2026 03:02
