feat: publish to npm or github packages #11

Merged: shavonn merged 1 commit into main from feat/npm-publish, Apr 1, 2026

@shavonn shavonn commented Apr 1, 2026

No description provided.

Copilot AI review requested due to automatic review settings April 1, 2026 01:26
@shavonn shavonn merged commit 1209d57 into main Apr 1, 2026
1 check passed
@shavonn shavonn deleted the feat/npm-publish branch April 1, 2026 01:27
@github-actions github-actions Bot mentioned this pull request Apr 1, 2026

Copilot AI left a comment

Pull request overview

Adds optional npm registry publishing support to the Release Champion GitHub Action, enabling releases to be published either to npmjs.org or GitHub Packages as part of the existing two-phase release flow.

Changes:

  • Introduces new action inputs for publish-npm, npm-token, and npm-registry.
  • Updates Phase 1 to optionally bump package.json version when npm publishing is enabled.
  • Updates Phase 2 to optionally run npm publish, and documents the new behavior and required permissions.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| scripts/finalize-release.sh | Adds optional npm publishing in Phase 2 using registry/token inputs. |
| scripts/create-release-pr.sh | Adds optional package.json version bumping in Phase 1 when npm publishing is enabled. |
| README.md | Documents new inputs, examples for npm + GitHub Packages publishing, and permissions. |
| action.yml | Defines new inputs and wires them into the composite action environment. |


Comment on lines +77 to +79
registry_host=$(echo "$registry" | sed 's|https:||')

echo "${registry_host}:_authToken=${INPUT_NPM_TOKEN}" > .npmrc
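
Review bot: the echo into .npmrc writes the expanded value of INPUT_NPM_TOKEN to a file in the workspace, which is not needed for npm to authenticate. npm expands ${VAR} references in .npmrc when it reads the file, so the line can be written with ${INPUT_NPM_TOKEN} left literal (escape the $ or single-quote that part), provided the variable is exported to the npm process. The secret then never lands in a file that later steps, caches or artifact uploads could pick up.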

Copilot AI Apr 1, 2026

The generated auth line in .npmrc is likely malformed for the default registry (and GitHub Packages). registry_host becomes //registry.npmjs.org and the script writes //registry.npmjs.org:_authToken=..., but npm expects //registry.npmjs.org/:_authToken=... (note the trailing /). Consider normalizing the registry URL/host and ensuring the auth line includes //<host>/:_authToken=... so publishing actually authenticates.

Suggested change
registry_host=$(echo "$registry" | sed 's|https:||')
echo "${registry_host}:_authToken=${INPUT_NPM_TOKEN}" > .npmrc
registry_host="${registry#http://}"
registry_host="${registry_host#https://}"
registry_host="${registry_host%%/*}"
echo "//${registry_host}/:_authToken=${INPUT_NPM_TOKEN}" > .npmrc

Comment on lines +79 to +84
echo "${registry_host}:_authToken=${INPUT_NPM_TOKEN}" > .npmrc
echo "registry=${registry}" >> .npmrc

npm publish

rm -f .npmrc

Copilot AI Apr 1, 2026

This writes credentials to a workspace .npmrc and then deletes it, but (1) rm -f .npmrc won’t run if npm publish fails (leaving the token behind for subsequent steps), and (2) using a fixed .npmrc path can clobber a repo’s existing .npmrc (common in npm projects). Use a temp userconfig (e.g., via NPM_CONFIG_USERCONFIG / npm --userconfig) and a trap to guarantee cleanup, without overwriting/removing any pre-existing .npmrc.

Suggested change
echo "${registry_host}:_authToken=${INPUT_NPM_TOKEN}" > .npmrc
echo "registry=${registry}" >> .npmrc
npm publish
rm -f .npmrc
# Use a temporary npm userconfig to avoid clobbering any existing .npmrc
local npm_userconfig
npm_userconfig="$(mktemp)"
cleanup_npm_userconfig() {
if [[ -n "${npm_userconfig:-}" && -f "$npm_userconfig" ]]; then
rm -f "$npm_userconfig"
fi
}
trap cleanup_npm_userconfig EXIT
{
echo "${registry_host}:_authToken=${INPUT_NPM_TOKEN}"
echo "registry=${registry}"
} > "$npm_userconfig"
NPM_CONFIG_USERCONFIG="$npm_userconfig" npm publish
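
Review bot: the cleanup in this suggestion can silently skip the rm, because trap cleanup_npm_userconfig EXIT is combined with local npm_userconfig. The EXIT trap normally fires after the enclosing function has returned, when the local is out of scope, so the -n guard sees an empty value and the temp file holding the token is left behind. Remove the file directly after npm publish returns (capture its exit status first), or keep the path in a non-local variable. The first echo in the braces also still writes the auth key without the //<host>/ form that the previous comment asks for.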

echo "Bumping package.json to ${new_version}"
npm version "$new_version" --no-git-tag-version
git add package.json
if [[ -f package-lock.json ]] && ! git diff --staged --quiet package-lock.json 2>/dev/null; then
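
Review bot: npm version "$new_version" --no-git-tag-version exits non-zero when package.json is already at that version, so a second run of Phase 1 for the same release would stop at this line if the script aborts on errors. If re-runs are expected, pass --allow-same-version, or compare the current version first and skip the bump when it already matches.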

Copilot AI Apr 1, 2026

The package-lock.json staging condition is checking the staged diff before the file is staged, so it will never be added even if npm version modified it. This can leave package-lock.json updated in the working tree but not committed/pushed on the release branch. Check for an unstaged change (or just git add package-lock.json when the file exists) before committing.

Suggested change
if [[ -f package-lock.json ]] && ! git diff --staged --quiet package-lock.json 2>/dev/null; then
if [[ -f package-lock.json ]]; then

@shavonn shavonn added the enhancement New feature or request label Apr 1, 2026
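
The two .npmrc review comments above (auth-key format and token cleanup), combined into one sketch. This is an added example, not code from the pull request or from the action itself; the function names are hypothetical, and it assumes INPUT_NPM_TOKEN is exported in the environment npm runs in.

```shell
# Added example: function names are hypothetical, not from the action's scripts.

# Turn a registry URL into the key npm looks up for credentials, e.g.
#   https://registry.npmjs.org  ->  //registry.npmjs.org/:_authToken
npmrc_auth_key() {
  local url
  url="$1"
  case "$url" in
    https://*) url="${url#https://}" ;;
    http://*)  url="${url#http://}" ;;
    *) echo "registry must be an http(s) URL: $url" >&2; return 1 ;;
  esac
  # Strip trailing slashes so exactly one is emitted before ":_authToken".
  while :; do
    case "$url" in */) url="${url%/}" ;; *) break ;; esac
  done
  [ -n "$url" ] || { echo "registry URL has no host" >&2; return 1; }
  printf '//%s/:_authToken\n' "$url"
}

# Write a private userconfig that references the token variable by name
# instead of containing its value; npm expands ${VAR} when it reads the file.
write_npm_userconfig() {
  local registry token_var key cfg
  registry="$1"
  token_var="$2"
  key="$(npmrc_auth_key "$registry")" || return 1
  cfg="$(mktemp)" || return 1   # mktemp creates the file readable by owner only
  printf '%s=${%s}\nregistry=%s\n' "$key" "$token_var" "$registry" > "$cfg"
  printf '%s\n' "$cfg"
}

# Publish with the temporary config and remove it on success or failure,
# while the path is still in scope. A repo's own .npmrc is never touched.
publish_with_temp_config() {
  local cfg rc
  rc=0
  cfg="$(write_npm_userconfig "$1" INPUT_NPM_TOKEN)" || return 1
  NPM_CONFIG_USERCONFIG="$cfg" npm publish || rc=$?
  rm -f "$cfg"
  return "$rc"
}
```

Call publish_with_temp_config with the registry URL; the exit status is that of npm publish.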