
[ci] Fix Trusted Publishing release workflow #266

Merged: EATSTEAK merged 4 commits into main from fix/trusted-publishing, Feb 25, 2026

Conversation

@EATSTEAK
Owner

Summary

Fixes the problems with the Trusted Publishing release workflow introduced in #258.

Changes

Split the Python release workflow (python-release.yml, release.yml)

  • In python-release.yml, rename the release job to publish and add an if: github.event_name != 'workflow_call' condition so that publishing is skipped when the workflow is invoked via workflow_call
  • Add a separate release-python-publish job to release.yml: publish to PyPI directly from the main release workflow (generate an artifact attestation and use pypa/gh-action-pypi-publish)
  • Clean up unnecessary permission-related comments

React Native Trusted Publishing support (react-native-release.yml)

  • Add the contents: read permission
  • Upgrade Node.js from version 22 to 24
  • Remove the unnecessary scope option from setup-node
  • Add an npm install -g npm@latest step to take advantage of Trusted Publishing (OIDC provenance) support in the latest npm

Changed Files

File | Change
.github/workflows/python-release.yml | Split out the publish job; skip publishing when invoked via workflow_call
.github/workflows/react-native-release.yml | Node 24, latest npm, scope option removed, contents permission added
.github/workflows/release.yml | Add the release-python-publish job
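As an added illustration (not the project's own release.yml), this is the shape of a release-python-publish job as described above: download the built distributions, attest them, publish via OIDC. The job-level permissions are tightened to what these steps need (actions: read and contents: read, as the review comments below suggest); the job name release-python-build, the artifact name python-dist, and the environment name pypi are assumed.

```yaml
# Added example: a publish job of the shape the PR describes, not the project's file.
# Assumed names: release-python-build (build job), python-dist (artifact), pypi (environment).
jobs:
  release-python-publish:
    needs: release-python-build
    runs-on: ubuntu-latest
    # Binding the PyPI Trusted Publisher to a named environment scopes the OIDC
    # token exchange to this job (environment name is an assumption).
    environment: pypi
    permissions:
      # Read the wheel/sdist artifact uploaded by the build job
      actions: read
      # Nothing in this job writes to the repository
      contents: read
      # OIDC token, exchanged by pypi-publish for a short-lived PyPI token
      id-token: write
      # Required by actions/attest-build-provenance
      attestations: write
    steps:
      - name: Download distributions
        uses: actions/download-artifact@v4
        with:
          name: python-dist
          path: dist/

      - name: Generate build provenance attestation
        uses: actions/attest-build-provenance@v2
        with:
          subject-path: dist/*

      - name: Publish to PyPI (Trusted Publishing, no stored API token)
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          packages-dir: dist/
```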

@coderabbitai

coderabbitai Bot commented Feb 25, 2026

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.


@codecov

codecov Bot commented Feb 25, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 48.11%. Comparing base (8e688f0) to head (8d27d92).
⚠️ Report is 1 commit behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #266   +/-   ##
=======================================
  Coverage   48.11%   48.11%           
=======================================
  Files          57       57           
  Lines        5102     5102           
=======================================
  Hits         2455     2455           
  Misses       2647     2647           



Copilot AI left a comment


Pull request overview

Fixes issues introduced with Trusted Publishing rollout (#258) by separating Python build vs publish responsibilities and aligning React Native release workflow for OIDC/provenance-based publishing.

Changes:

  • Split Python publishing so the reusable Python workflow can be called without publishing, and move PyPI publish into the main release.yml.
  • Add a dedicated release-python-publish job to generate attestations and publish artifacts to PyPI from the main release workflow.
  • Update React Native release workflow to support Trusted Publishing better (Node upgrade, latest npm install, permissions tweak, remove unused setup-node options).

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

File | Description
.github/workflows/release.yml | Adds a new Python publish job in the main release pipeline (artifact download → attest → PyPI publish).
.github/workflows/python-release.yml | Renames release job to publish and skips publishing when invoked via workflow_call.
.github/workflows/react-native-release.yml | Updates Node/npm setup and permissions to better support npm provenance publishing.


permissions:
id-token: write
contents: write
attestations: write

Copilot AI Feb 25, 2026


release-python-publish sets job-level permissions but omits actions. When job-level permissions are present, missing scopes are reduced and this can prevent actions/download-artifact from reading artifacts. Add actions: read (or drop the job-level permissions override) so the publish job can reliably download artifacts.

Suggested change
-   attestations: write
+   attestations: write
+   actions: read

# Use to sign the release artifacts
id-token: write
# Used to upload release artifacts
contents: write

Copilot AI Feb 25, 2026


This publish job grants contents: write, but the steps shown (download artifacts, generate attestations, publish to PyPI) don't appear to require write access to the repository contents. Reducing this to contents: read would follow least-privilege and lower the blast radius if the token is ever misused.

Suggested change
-   contents: write
+   contents: read

Comment on lines 143 to 147
permissions:
# Use to sign the release artifacts
id-token: write
# Used to upload release artifacts
contents: write
# Used to generate artifact attestation
attestations: write
steps:

Copilot AI Feb 25, 2026


The publish job defines job-level permissions but omits actions. If these permissions override the workflow defaults, actions/download-artifact may not be able to read the uploaded wheel artifacts. Add actions: read to the job permissions (or remove the job-level override) to prevent publish failures.

Comment on lines +123 to +125
- name: Update npm to latest
if: steps.check_version.outputs.should_release == 'true'
run: npm install -g npm@latest

Copilot AI Feb 25, 2026


Installing npm@latest during a release workflow makes the publish environment non-reproducible and can introduce sudden breakages when npm releases a new major/minor. Consider pinning to a known-good minimum version that supports Trusted Publishing (e.g., a specific major) or documenting the required npm version so releases remain stable.

Suggested change
-   - name: Update npm to latest
-     if: steps.check_version.outputs.should_release == 'true'
-     run: npm install -g npm@latest
+   - name: Update npm to v10
+     if: steps.check_version.outputs.should_release == 'true'
+     run: npm install -g npm@10

@EATSTEAK EATSTEAK merged commit ee4be07 into main Feb 25, 2026
29 checks passed
@EATSTEAK EATSTEAK deleted the fix/trusted-publishing branch February 25, 2026 07:31