Setup OIDC publishing

[RobinMalfait]

This PR merges the release-insiders.yml and release.yml such that we can setup OIDC publishing to npmjs.com.

[coderabbitai]

Walkthrough

The pull request consolidates GitHub Actions release workflows by removing the dedicated insiders release workflow and integrating its functionality into the main release workflow. The release workflow now accepts a required channel input parameter (insiders or release) and handles both release types within a single pipeline. Across all affected workflows, pnpm version management is standardized to use a global environment variable (PNPM_VERSION: 10) instead of hardcoded version strings. The release workflow adds concurrency controls, updates the release metadata resolution logic to compute channel-specific variables, and conditionally executes versioning and build steps based on the selected release kind.

🚥 Pre-merge checks | ✅ 1 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'Setup OIDC publishing' is too vague and does not clearly convey the main change, which is merging two release workflows.	Consider a more descriptive title such as 'Merge release-insiders and release workflows for OIDC publishing' to clearly indicate the primary structural change.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Description check	✅ Passed	The description accurately relates to the changeset by explaining the primary objective of merging workflows to enable OIDC publishing.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

.github/workflows/release.yml (1)

350-360: Consider if Play updates should trigger for insiders releases.

This step now runs unconditionally for both insiders and release channels. If frequent Play updates from insiders releases are undesirable, consider adding a condition:

if: env.RELEASE_KIND == 'release'

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yml around lines 350 - 360, The "Trigger Tailwind
Play update" workflow step currently runs for all release kinds; restrict it to
only run for production releases by adding a conditional that checks the
RELEASE_KIND environment variable (e.g., ensure the step with name "Trigger
Tailwind Play update" or the job invoking actions/github-script@v8 is guarded
with if: env.RELEASE_KIND == 'release') so insiders releases won't trigger the
Play update.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.github/workflows/release.yml:
- Around line 350-360: The "Trigger Tailwind Play update" workflow step
currently runs for all release kinds; restrict it to only run for production
releases by adding a conditional that checks the RELEASE_KIND environment
variable (e.g., ensure the step with name "Trigger Tailwind Play update" or the
job invoking actions/github-script@v8 is guarded with if: env.RELEASE_KIND ==
'release') so insiders releases won't trigger the Play update.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: a83fbf7e-4c15-4a5f-954a-40c9d8358e83

📥 Commits

Reviewing files that changed from the base of the PR and between 998a6be and 1231fee.

📒 Files selected for processing (3)

• .github/workflows/prepare-release.yml
• .github/workflows/release-insiders.yml
• .github/workflows/release.yml

💤 Files with no reviewable changes (1)

• .github/workflows/release-insiders.yml