github actions workflow to publish to npm and then trigger codepipeline to publish to maven/nuget (#1098)

## Problem
The current publishing process runs everything through CodePipeline with
hourly triggers, using classic npm tokens and mixed authentication
patterns.

Context: npm has changed granular tokens from unlimited expiration to
90-day max limit:
https://github.blog/changelog/2025-09-29-strengthening-npm-security-important-changes-to-authentication-and-token-management/#granular-npm-access-token-lifetime-limits

## Solution
### Implement a hybrid approach

GitHub Actions handles npm publishing:
- Uses OIDC authentication, eliminating token expiration issues
- Triggered only when commits are merged to main, removing the need for
hourly triggers
- Centralizes version management and git operations

CodePipeline continues to handle Maven and NuGet publishing:
- Triggered on-demand by GitHub Actions after npm publishing
- Maintains existing authentication patterns for these package types
- Ensures version consistency across all packages

### Benefits:
- Eliminates npm token rotation burden with OIDC authentication
- Reduces resource waste with on-demand execution instead of hourly runs
- Improves security with modern authentication patterns
- Synchronizes versions across all package managers

## Note
verison is bumped from `1.0.331` --> `1.0.335` as used a few versions
for testing


<!---
    REMINDER:
    - Read CONTRIBUTING.md first.
    - Add test coverage for your changes.
    - Link to related issues/commits.
    - Testing: how did you test your changes?
    - Screenshots if applicable
-->

## License

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.

Author: chungjac

.github/workflows/publish.yml

@@ -0,0 +1,94 @@
+name: Publish packages
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [main]
+
+permissions:
+  id-token: write # Required for OIDC authentication with npm
+  contents: write # Required to push version commits
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '24.x'
+          registry-url: 'https://registry.npmjs.org'
+          scope: '@aws-toolkits'
+
+      - name: Validate release commits
+        run: |
+          VERSION=$(cat version)
+          echo "validating for package version: $VERSION"
+          
+          # Now we check if there are any "interesting" commits to create a release version. These are any
+          # commits that are neither 1. from dependabot or 2. a release commit.
+          AUTHOR_DEPENDABOT="dependabot[bot]"
+          AUTHOR_AUTOMATION="aws-toolkit-automation"
+          
+          SHOULD_RELEASE=false
+          for author in $(git log --pretty=%an)
+          do
+              if [ "$author" = $AUTHOR_DEPENDABOT ]; then
+                  # Ignore dependabot commits, keep searching.
+                  continue
+              elif [ "$author" != $AUTHOR_AUTOMATION ]; then
+                  # Found a commit to release since last release.
+                  SHOULD_RELEASE=true
+                  echo "found at least one commit to release, author: $author"
+              fi
+              
+              # If the commit wasn't from dependabot, then we have enough information.
+              break
+          done
+          
+          if [ $SHOULD_RELEASE != true ]; then
+              echo "no commits detected that are not from '$AUTHOR_DEPENDABOT' or '$AUTHOR_AUTOMATION'. skipping release."
+              exit 1
+          fi
+
+      - name: Increment version and commit
+        run: |
+          git config --global user.name "aws-toolkit-automation"
+          git config --global user.email "<>"
+          
+          # increase the version
+          cat version | (IFS="." ; read a b c && echo $a.$b.$((c + 1)) > version)
+          VERSION=$(cat version)
+          echo "version is now: $VERSION"
+          
+          git add version
+          git commit -m "Release version $VERSION"
+          git push origin main
+
+      - name: Build npm package
+        run: |
+          VERSION=$(cat version)
+          cd telemetry/vscode
+          npm ci
+          npm version "$VERSION"
+          npm pack
+
+      - name: Publish to npm
+        run: |
+          cd telemetry/vscode
+          npm publish $(ls -1 *.tgz) --access public
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::305657142372:role/GitHubActionsCodePipelineRole
+          role-session-name: github-actions-codepipeline
+          aws-region: us-west-2
+
+      - name: Trigger CodePipeline for Maven/NuGet
+        run: |
+          aws codepipeline start-pipeline-execution --name PackagePipeline

version

@@ -1 +1 @@
-1.0.331
+1.0.335