CRAFT- 2018- trusted pub switch

[valoriecarli]

Npm trusted publishing (OIDC) allows only one workflow to be configured as a trusted publisher, however appkit has 3 publishing scenarios spanning 2 workflows:

• Traditional (under new workflow name: publish-release)
• Canary (under new workflow name: publish-release)
• Preview releases (preview-release-on-comment)

Using this blog as an example, we will implement a reusable workflow pattern where release.yml serves as the single entry point (trusted publisher) and routes to separate publishing workflows based on the event type.

outstanding:
verify if permissions are needed on the parent level and/or re-declared
create description for release.yml process

Note that this broke all publishing, but corrected with #3903

other references:
https://docs.npmjs.com/trusted-publishers

[changeset-bot]

⚠️ No Changeset found

Latest commit: 6694d9b

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
mc-app-kit-playground	Ready	Preview	Comment	Dec 4, 2025 9:38pm
merchant-center-application-kit-components-playground	Ready	Preview	Comment	Dec 4, 2025 9:38pm

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 75.10%. Comparing base (964f595) to head (6694d9b).

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #3900   +/-   ##
=======================================
  Coverage   75.10%   75.10%           
=======================================
  Files         259      259           
  Lines        6382     6382           
  Branches     1992     2026   +34     
=======================================
  Hits         4793     4793           
  Misses       1567     1567           
  Partials       22       22           

Components	Coverage Δ
Application Components	81.18% <ø> (ø)
Application Shell	74.53% <ø> (ø)
Application Shell Connectors	77.68% <ø> (ø)

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 964f595...6694d9b. Read the comment docs.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[ByronDWall]

I think this looks good. The only suggestion I have is that it is probably worth adding an explanatory comment at the top of the file outlining what is happening and why it's necessary.