Extract npm publish to reusable build.yaml workflow

This allows both main.yaml and publish-pr.yaml to use npm trusted
publishing through OIDC, as npm only allows one trusted publisher
workflow per package. By naming the reusable workflow build.yaml,
legacy maintenance branches can continue to publish without changes.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: dahlia

.github/workflows/build.yaml

@@ -0,0 +1,50 @@
+name: Publish to npm (reusable)
+
+on:
+  workflow_call:
+    inputs:
+      tag:
+        description: 'npm dist-tag to use (e.g., "latest", "dev", "pr-123")'
+        required: true
+        type: string
+      package_pattern:
+        description: 'Glob pattern for package tarballs to publish'
+        required: false
+        type: string
+        default: 'fedify-*.tgz'
+
+jobs:
+  npm-publish:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+    - uses: actions/download-artifact@v4
+      with:
+        name: npm-packages
+    - run: ls -la
+    - name: Setup Node.js
+      uses: actions/setup-node@v4
+      with:
+        node-version: lts/*
+        registry-url: https://registry.npmjs.org
+    - run: sudo npm install -g npm@latest && npm --version
+    - name: Publish packages
+      run: |
+        set -ex
+        for pkg in ${{ inputs.package_pattern }}; do
+          if [[ "${{ inputs.tag }}" = "latest" ]]; then
+            npm publish --logs-dir=. --provenance --access public "$pkg" \
+              || grep "Cannot publish over previously published version" *.log
+          else
+            npm publish \
+              --logs-dir=. \
+              --provenance \
+              --access public \
+              --tag "${{ inputs.tag }}" \
+              "$pkg" \
+              || grep "Cannot publish over previously published version" *.log
+          fi
+          rm -f *.log
+        done

.github/workflows/main.yaml

@@ -298,7 +298,7 @@ jobs:
   publish-npm:
     if: github.event_name == 'push'
     needs: [publish]
-    uses: ./.github/workflows/npm-publish.yaml
+    uses: ./.github/workflows/build.yaml
     with:
       tag: ${{ github.ref_type == 'tag' && 'latest' || 'dev' }}
 

.github/workflows/publish-pr.yaml

@@ -90,6 +90,10 @@ jobs:
         pnpm install
         pnpm pack --recursive --filter='!./examples/**'
         rm fedify-cli-*.tgz
+    - uses: actions/upload-artifact@v4
+      with:
+        name: npm-packages
+        path: fedify-*.tgz
     - name: Publish to JSR
       run: |
         set -ex
@@ -106,18 +110,6 @@ jobs:
           sleep 30
           ((attempt++))
         done
-    - name: Publish to npm
-      run: |
-        set -ex
-        for pkg in fedify-*.tgz; do
-          npm publish \
-            --logs-dir=. \
-            --provenance \
-            --access public \
-            --tag "pr-${{ inputs.pr_number }}" \
-            "$pkg" \
-            || grep "Cannot publish over previously published version" *.log
-        done
     - name: Generate packages table
       id: packages-table
       run: |
@@ -137,9 +129,16 @@ jobs:
           echo 'EOFLINKS'
         } >> $GITHUB_OUTPUT
 
+  publish-npm:
+    if: inputs.publish_packages
+    needs: [publish-packages]
+    uses: ./.github/workflows/build.yaml
+    with:
+      tag: pr-${{ inputs.pr_number }}
+
   publish-docs:
     if: inputs.publish_docs
-    needs: [get-pr-info]
+    needs: [get-pr-info, publish-packages]
     runs-on: ubuntu-latest
     permissions:
       contents: read
@@ -179,8 +178,8 @@ jobs:
         workingDirectory: ${{ github.workspace }}/docs/
 
   comment-on-pr:
-    needs: [get-pr-info, publish-packages, publish-docs]
-    if: always() && needs.get-pr-info.result == 'success' && (needs.publish-packages.result == 'success' || needs.publish-docs.result == 'success')
+    needs: [get-pr-info, publish-packages, publish-npm, publish-docs]
+    if: always() && needs.get-pr-info.result == 'success' && (needs.publish-npm.result == 'success' || needs.publish-docs.result == 'success')
     runs-on: ubuntu-latest
     permissions:
       pull-requests: write
@@ -199,7 +198,7 @@ jobs:
         message: |
           Pre-release has been published for this pull request:
 
-          ${{ needs.publish-packages.result == 'success' && format('## Packages
+          ${{ needs.publish-npm.result == 'success' && format('## Packages
 
           {0}