feat(workflows): add smart detection for script names vs commands in provenance workflow

Update setup-script, publish-script, and access-script to accept both:
- Script names (e.g., "ci:validate", "publish:ci") - automatically prefixed with "pnpm run"
- Commands (e.g., "pnpm run build", "npm publish --access public") - run as-is

Detection logic:
- If value contains spaces or shell operators (&&, ||, ;, |) -> run as command
- Otherwise -> treat as script name and prefix with "pnpm run"
- Trim whitespace from all inputs for safety

Benefits:
- Backward compatible with existing usage
- Supports both simple script names and complex commands
- Prevents argument parsing issues with shell operators
- More flexible for different publishing scenarios

Changes:
- Add whitespace trimming using xargs
- Add space/operator detection with regex
- Update input descriptions to document both patterns
- Apply to all three script inputs consistently

Author: jdalton

.github/workflows/provenance.yml

@@ -7,7 +7,7 @@ on:
   workflow_call:
     inputs:
       access-script:
-        description: 'pnpm script to run for access control (e.g., "package-npm-access")'
+        description: 'Package access control script - either a pnpm script name (e.g., "package-npm-access") or a command'
         required: false
         type: string
         default: ''
@@ -47,7 +47,7 @@ on:
         type: string
         default: ''
       publish-script:
-        description: 'pnpm script to run for publishing (e.g., "package-npm-publish")'
+        description: 'Publishing script - either a pnpm script name (e.g., "publish:ci") or a command (e.g., "npm publish --access public")'
         required: false
         type: string
         default: ''
@@ -67,7 +67,7 @@ on:
         type: string
         default: ''
       setup-script:
-        description: 'Setup script before publishing (e.g., "pnpm run build")'
+        description: 'Setup script before publishing - either a pnpm script name (e.g., "ci:validate") or a command (e.g., "pnpm run build")'
         required: false
         type: string
         default: ''
@@ -132,7 +132,18 @@ jobs:
         if: inputs.setup-script != ''
         env:
           SETUP_SCRIPT: ${{ inputs.setup-script }}
-        run: $SETUP_SCRIPT
+        run: |
+          # Trim whitespace
+          SETUP_SCRIPT=$(echo "$SETUP_SCRIPT" | xargs)
+
+          # Detect if it contains spaces or shell operators (command) vs script name
+          if [[ "$SETUP_SCRIPT" =~ ( |&&|\|\||;|\|) ]]; then
+            # Contains space or shell operators - run as command
+            $SETUP_SCRIPT
+          else
+            # Script name only - run as pnpm script
+            pnpm run $SETUP_SCRIPT
+          fi
 
       - name: Publish with custom script
         if: inputs.publish-script != ''
@@ -143,6 +154,9 @@ jobs:
           FORCE_REGISTRY: ${{ inputs.force-registry }}
           SKIP_NPM_PACKAGES: ${{ inputs.skip-npm-packages }}
         run: |
+          # Trim whitespace
+          PUBLISH_SCRIPT=$(echo "$PUBLISH_SCRIPT" | xargs)
+
           FLAGS=""
           if [ "$FORCE_PUBLISH" = "true" ]; then
             FLAGS="$FLAGS --force-publish"
@@ -153,10 +167,18 @@ jobs:
           if [ "$SKIP_NPM_PACKAGES" = "true" ]; then
             FLAGS="$FLAGS --skip-npm-packages"
           fi
-          if [ -n "$FLAGS" ]; then
-            pnpm run $PUBLISH_SCRIPT -- $FLAGS
+
+          # Detect if it contains spaces or shell operators (command) vs script name
+          if [[ "$PUBLISH_SCRIPT" =~ ( |&&|\|\||;|\|) ]]; then
+            # Contains space or shell operators - run as command
+            $PUBLISH_SCRIPT
           else
-            pnpm run $PUBLISH_SCRIPT
+            # Script name only - run as pnpm script
+            if [ -n "$FLAGS" ]; then
+              pnpm run $PUBLISH_SCRIPT -- $FLAGS
+            else
+              pnpm run $PUBLISH_SCRIPT
+            fi
           fi
 
       - name: Publish package
@@ -170,7 +192,18 @@ jobs:
         if: inputs.access-script != ''
         env:
           ACCESS_SCRIPT: ${{ inputs.access-script }}
-        run: pnpm run $ACCESS_SCRIPT
+        run: |
+          # Trim whitespace
+          ACCESS_SCRIPT=$(echo "$ACCESS_SCRIPT" | xargs)
+
+          # Detect if it contains spaces or shell operators (command) vs script name
+          if [[ "$ACCESS_SCRIPT" =~ ( |&&|\|\||;|\|) ]]; then
+            # Contains space or shell operators - run as command
+            $ACCESS_SCRIPT
+          else
+            # Script name only - run as pnpm script
+            pnpm run $ACCESS_SCRIPT
+          fi
 
       - name: Set MFA automation
         if: inputs.access-script == '' && inputs.package-name != ''