
ci: route telegram-ts publish + release through buildspace blocks #2

Merged
Ryan Zhu (underthestars-zhy) merged 1 commit into main from chore/buildspace-release-blocks
Jun 8, 2026

Yan Xue (yanxue06) commented Jun 8, 2026


Keeps the existing spec-driven, self-updating release model and only swaps the final two steps to buildspace's shared blocks — so the publish path matches every other photon-hq package without changing how this package versions or triggers.

Unchanged: the spec-change trigger, compute:version (npm version mirrors the Telegram Bot API version), generate/build/typecheck/test, and the cron → auto-merge → publish-on-merge flow.

Swapped:

  • npm publish --provenance → photon-hq/buildspace/.github/blocks/publish-npm@main (OIDC Trusted Publishing + provenance, NPM_TOKEN fallback, post-publish registry verification)
  • git tag + gh release create → photon-hq/buildspace/.github/blocks/create-github-release@main

Also drops the job-level setup-node step — the publish-npm block sets up Node/npm internally.

Supersedes #1 (the full label-driven swap), which would have broken the self-update flow.

🤖 Generated with Claude Code



Summary by CodeRabbit

  • Chores
    • Modernized release workflow with improved security practices, implementing Trusted Publishing (OIDC) for more reliable and secure application deployment.

Keep the spec-driven, self-updating release model intact (cron spec regen ->
auto-merge -> publish on merge; version mirrors the Telegram Bot API version via
scripts/compute-version.ts) and only swap the final two steps to buildspace's
shared blocks:

- npm publish      -> photon-hq/buildspace/.github/blocks/publish-npm
- tag + release    -> photon-hq/buildspace/.github/blocks/create-github-release

This shares the same OIDC Trusted Publishing path and registry-landed
verification as every other photon-hq package without adopting buildspace's
label-driven version/trigger model.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings June 8, 2026 05:26

Copilot AI left a comment


Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.


coderabbitai Bot commented Jun 8, 2026


Caution

Review failed

Pull request was closed or merged during review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b007dc99-92c1-4ce3-8ccd-1db56005b852

📥 Commits

Reviewing files that changed from the base of the PR and between 457af81 and d5c6005.

📒 Files selected for processing (1)
  • .github/workflows/release.yaml
📜 Recent review details
🧰 Additional context used
🪛 zizmor (1.25.2)
.github/workflows/release.yaml

[error] 70-70: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 82-82: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🔇 Additional comments (1)
.github/workflows/release.yaml (1)

70-70: Pin photon-hq/buildspace action blocks to commit SHAs (no @main).

release.yaml uses:

  • photon-hq/buildspace/.github/blocks/publish-npm@main (line 70)
  • photon-hq/buildspace/.github/blocks/create-github-release@main (line 82)

Those run with elevated permissions (contents: write and id-token: write), so moving @main can silently change publish/release behavior (supply-chain/reproducibility risk). Pin both to immutable commit SHAs.

Suggested change
-        uses: photon-hq/buildspace/.github/blocks/publish-npm@main
+        uses: photon-hq/buildspace/.github/blocks/publish-npm@<buildspace-commit-sha>
...
-        uses: photon-hq/buildspace/.github/blocks/create-github-release@main
+        uses: photon-hq/buildspace/.github/blocks/create-github-release@<buildspace-commit-sha>
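
Review bot: both `+` lines carry the placeholder `<buildspace-commit-sha>`, so the suggestion cannot be committed as written. Replace it with the full commit SHA of the photon-hq/buildspace revision that was actually reviewed, use the same SHA on the publish-npm and create-github-release lines so both blocks come from one revision, and keep the source ref in a trailing comment so later bumps are reviewable.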

📝 Walkthrough


The release workflow is updated to use reusable photon-hq/buildspace workflow blocks for npm and GitHub release publishing. Documentation now clarifies OIDC-based Trusted Publishing with optional NPM_TOKEN fallback, explicit Node/npm setup steps are removed, and inline publish/tag steps are replaced with dedicated reusable workflow calls.

Changes

Release Workflow Migration

| Layer / File(s) | Summary |
|---|---|
| Release workflow migration to reusable blocks: .github/workflows/release.yaml | Workflow documentation clarified to describe OIDC Trusted Publishing with NPM_TOKEN fallback; explicit Node and npm setup steps removed; inline npm publish and gh release create steps replaced with photon-hq/buildspace reusable workflow blocks for npm publishing and GitHub release creation. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A workflow once tangled, now clean and bright,
Reusable blocks dance in the CI light!
No setup to fuss, just blocks that align—
Release automation, now truly divine! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main change: routing telegram-ts publish and release steps through buildspace workflow blocks instead of inline commands. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


Comment @coderabbitai help to get the list of available commands and usage tips.
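
The unpinned-uses finding above, as an added example (not code from this PR, zizmor, or CodeRabbit): a small checker that flags `uses:` references not pinned to a full 40-character commit SHA and raises the severity when the workflow grants `contents: write` or `id-token: write`. The sample workflow, the `example-org/example-action` reference and its SHA are constructed; only the two photon-hq/buildspace refs come from the review comment.

```python
import re

# Constructed sample, not the repository's release.yaml; only the two buildspace refs are from the page.
SAMPLE_WORKFLOW = """\
permissions:
  contents: write
  id-token: write
jobs:
  release:
    steps:
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567  # constructed SHA
      - uses: ./.github/actions/local-step
      - name: Publish
        uses: photon-hq/buildspace/.github/blocks/publish-npm@main
      - name: Release
        uses: photon-hq/buildspace/.github/blocks/create-github-release@main
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
# Assumption: any write grant found in the file is treated as applying to every step.
ELEVATED_RE = re.compile(r"^\s*(contents|id-token):\s*write\b", re.M)

def classify(ref):
    """Return 'local', 'pinned' or 'unpinned' for one `uses:` value."""
    if ref.startswith("./"):
        return "local"            # same repository, versioned with the workflow
    if ref.startswith("docker://"):
        return "pinned" if "@sha256:" in ref else "unpinned"
    _, sep, version = ref.rpartition("@")
    if sep and FULL_SHA_RE.fullmatch(version):
        return "pinned"
    return "unpinned"             # branch, tag, short SHA, or no ref at all

def find_unpinned(workflow_text):
    """Return (line_number, ref, severity) for every mutable action reference."""
    elevated = sorted({m.group(1) for m in ELEVATED_RE.finditer(workflow_text)})
    severity = "high: " + ",".join(elevated) + " write" if elevated else "medium"
    findings = []
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match and classify(match.group(1)) == "unpinned":
            findings.append((number, match.group(1), severity))
    return findings

if __name__ == "__main__":
    for number, ref, severity in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {number}: {ref} [{severity}]")
```
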

Ryan Zhu (underthestars-zhy) merged commit b4af4c5 into main Jun 8, 2026
1 check was pending