fix(ci): split wasm RC publish into a token-based workflow

[goldmedal]

Summary

npm Trusted Publishing has two constraints that conflict with our reusable-workflow setup:

1. Only one Trusted Publisher per package.
2. Validation matches the calling workflow's filename, not the reusable one that runs npm publish.

That means we have to choose which entrypoint owns the npm TP slot. We're keeping it for release-please.yml (stable releases) and switching rc-release.yml's wasm publish back to a classic NPM_TOKEN flow.

Changes

• New .github/workflows/publish-wren-core-wasm-rc.yml — same build pipeline as the OIDC variant but authenticates with NODE_AUTH_TOKEN from NPM_TOKEN. No environment:, no id-token: write.
• rc-release.yml — the publish-wren-core-wasm job now calls the new RC workflow and forwards NPM_TOKEN. Drops the id-token: write permission since it's no longer needed for that path.
• publish-wren-core-wasm.yml (OIDC) — unchanged. Still used by release-please.yml.
• Python publishes (publish-wren-core-py.yml, publish-wren.yml) — unchanged.

Required repo setup before merging

1. Add an NPM_TOKEN secret (Settings → Secrets and variables → Actions) that has publish access to @wrenai/wren-core-wasm. A granular token scoped to that one package is the safest choice.
2. Update the npm Trusted Publisher config for @wrenai/wren-core-wasm:
   • Workflow filename: rc-release.yml → release-please.yml
   • Everything else (org/repo/environment) stays the same.

After both are in place:

• RC dispatches via rc-release.yml publish with NPM_TOKEN.
• Stable releases triggered by release-please.yml continue to use OIDC Trusted Publishing.

Test plan

• Add NPM_TOKEN secret and update npm TP workflow filename.
• Re-dispatch RC Release with component=wren-core-wasm and confirm publish succeeds.
• Next stable release-please merge for wren-core-wasm should still publish via OIDC.

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Established dedicated RC release workflow for wren-core-wasm npm package featuring integrated automation for WebAssembly compilation, comprehensive testing, and npm publication
  • Enhanced release process with improved authentication mechanisms and streamlined version management
  • RC releases now published with public access and proper tagging

[coderabbitai]

Walkthrough

A new reusable GitHub Actions workflow publishes the wren-core-wasm package to npm as an RC release with explicit NPM_TOKEN authentication. The rc-release workflow is updated to call this new dedicated workflow instead of the general publish workflow.

Changes

RC Publish Workflow & Integration

Layer / File(s)	Summary
Reusable Workflow Definition .github/workflows/publish-wren-core-wasm-rc.yml	New workflow_call workflow accepts version and tag_name inputs, optional npm_tag input (defaults to "rc"), and requires NPM_TOKEN secret with contents: read permissions.
Checkout & Rust Setup .github/workflows/publish-wren-core-wasm-rc.yml	Checks out the specified tag ref; installs Rust toolchain with wasm32-unknown-unknown target; caches Cargo artifacts keyed by core/wren-core-wasm manifest files.
Build Environment Setup .github/workflows/publish-wren-core-wasm-rc.yml	Installs pinned wasm-pack@0.14.0; configures Node.js 24 with npm registry authentication using NODE_AUTH_TOKEN.
Package Build & Test .github/workflows/publish-wren-core-wasm-rc.yml	Installs npm dependencies; sets package version without git tag; builds WebAssembly with wasm-pack --target web --release; runs npm run build:dist and npm test.
npm Publishing .github/workflows/publish-wren-core-wasm-rc.yml	Publishes to npm with --tag set to inputs.npm_tag and --access public using NODE_AUTH_TOKEN secret.
RC Release Workflow Wiring .github/workflows/rc-release.yml	publish-wren-core-wasm job switches from publish-wren-core-wasm.yml to publish-wren-core-wasm-rc.yml; passes secrets.NPM_TOKEN instead of OIDC permissions; retains version, tag_name, and npm_tag: rc inputs.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• Canner/WrenAI#2235: Both PRs modify wren-core-wasm publish workflows and npm authentication setup.
• Canner/WrenAI#2230: Directly related as it updates core/wren-core-wasm package metadata alongside the new publish workflow.
• Canner/WrenAI#2232: Both PRs modify rc-release and wren-core-wasm publish workflow invocation patterns.

Suggested labels

ci, wasm, core

Suggested reviewers

• PaulChen79
• onlyjackfrost

Poem

🐰 A workflow hops into view,
With Rust and WebAssembly too,
Token-based paths, npm tags bright,
RC releases published just right! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely describes the main change: splitting the wasm RC publish workflow from an OIDC-based approach to a token-based approach to resolve npm Trusted Publishing constraints.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/wasm-rc-token-publish

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/publish-wren-core-wasm-rc.yml:
- Around line 71-74: Replace the npm install invocation in the CI step named
"Install npm dependencies" (the step with working-directory: core/wren-core-wasm
and run: npm install) with a lockfile-strict install by using npm ci so the RC
publish uses the exact lockfile and avoids dependency drift.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: cfcc49a1-a737-4741-91b0-a18895e7b14a

📥 Commits

Reviewing files that changed from the base of the PR and between fd1c571 and ac1388d.

📒 Files selected for processing (2)

• .github/workflows/publish-wren-core-wasm-rc.yml
• .github/workflows/rc-release.yml