ci: fix release workflow - git push, split oidc from custom github app

.github/workflows/publish.yml

@@ -0,0 +1,45 @@
+name: Publish
+
+on:
+  push:
+    tags:
+      - v*.*.*
+
+concurrency:
+  group: publish
+  cancel-in-progress: false
+
+# configured as trusted publisher (OIDC)
+# https://docs.npmjs.com/trusted-publishers
+permissions:
+  contents: read
+  id-token: write
+
+env:
+  NX_NON_NATIVE_HASHER: true
+  NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
+
+jobs:
+  publish:
+    name: Publish packages
+    runs-on: ubuntu-latest
+    environment: release
+    steps:
+      - name: Clone the repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Configure Git user
+        # https://github.com/actions/checkout/blob/main/README.md#push-a-commit-using-the-built-in-token
+        run: |
+          git config user.name github-actions[bot]
+          git config user.email 41898282+github-actions[bot]@users.noreply.github.com
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: .node-version
+          cache: npm
+      - name: Install dependencies
+        run: npm ci
+      - name: Publish packages to npm
+        run: npx nx release publish

.github/workflows/release.yml

@@ -11,42 +11,41 @@
 
 jobs:
   release:
-    name: Publish packages
+    name: Version and release
     runs-on: ubuntu-latest
     environment: release
     env:
       NX_NON_NATIVE_HASHER: true
       NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
     steps:
       - name: Authenticate as "Code PushUp Bot" GitHub App
         uses: actions/create-github-app-token@v2
         id: app-token
         with:
           app-id: ${{ vars.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
       - name: Fetch GitHub App's user ID
         id: get-user-id
         run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
         env:
           GH_TOKEN: ${{ steps.app-token.outputs.token }}
       - name: Configure Git user
         run: |
           git config --global user.name '${{ steps.app-token.outputs.app-slug }}[bot]'
           git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com'
       - name: Clone the repository
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
           token: ${{ steps.app-token.outputs.token }}
-          persist-credentials: false
       - name: Set up Node.js
         uses: actions/setup-node@v4
         with:
           node-version-file: .node-version
           cache: npm
       - name: Install dependencies
         run: npm ci
-      - name: Version, release and publish packages
-        run: npx nx release --yes
+      - name: Version, release and generate changelog
+        run: npx nx release --skip-publish
         env:
           GH_TOKEN: ${{ steps.app-token.outputs.token }}

nx.json

@@ -332,7 +332,7 @@
       "push": true,
       "pushRemote": "origin",
       "tag": true,
-      "commitMessage": "release: {version} [skip ci]"
+      "commitMessage": "release: {version}"
     },
     "version": {
       "conventionalCommits": true,