refactor(ui-scripts): fold tagged-release into pr-snapshot workflow

Drops the standalone `tagged-release` workflow_dispatch choice and
reusable workflow. Instead, the existing `pr-snapshot` path accepts two
optional inputs — `custom_version` and `dist_tag` — that, when set,
override the auto-computed snapshot version and dist-tag.

Behavior is identical from the operator's perspective: pick
`pr-snapshot` in the GitHub UI, fill in `custom_version` (e.g.
`11.7.3-SECURITY.0`) and `dist_tag` (e.g. `security`), and the job
publishes that exact prerelease to npmjs under that tag.

The `publishCustomVersion` function is removed; the snapshot path now
takes an optional `customVersion` that, if set, replaces
`calculateNextSnapshotVersion()` and the operator-supplied `distTag`
replaces the default `pr-snapshot` / `snapshot` tag. Validation moves
to a single `validateCustomVersionInputs()` helper that runs before
anything else.

Net diff: -1 workflow file, ~50 fewer lines, same guard rails.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: balzss

.github/workflows/_pr-release-reusable.yml

@@ -1,6 +1,17 @@
 name: PR release to npm (Reusable)
 on:
   workflow_call:
+    inputs:
+      custom_version:
+        description: 'Optional: exact semver prerelease version to publish, overriding the auto-computed snapshot version.'
+        required: false
+        type: string
+        default: ''
+      dist_tag:
+        description: 'Optional: npm dist-tag override. Required when custom_version is set. Cannot be "latest".'
+        required: false
+        type: string
+        default: ''
 
 permissions:
   id-token: write
@@ -11,6 +22,20 @@ jobs:
     runs-on: ubuntu-latest
     name: Release to npm
     steps:
+      - name: Validate custom-version inputs
+        if: inputs.custom_version != ''
+        env:
+          CUSTOM_VERSION: ${{ inputs.custom_version }}
+          DIST_TAG: ${{ inputs.dist_tag }}
+        run: |
+          if [ -z "$DIST_TAG" ]; then
+            echo "::error::dist_tag is required when custom_version is set"
+            exit 1
+          fi
+          if [ "$DIST_TAG" = "latest" ]; then
+            echo "::error::dist_tag cannot be 'latest'"
+            exit 1
+          fi
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
@@ -25,7 +50,15 @@ jobs:
       - name: Set up project
         run: pnpm run bootstrap
       - name: Release to NPM
-        run: pnpm run release --prRelease
+        env:
+          CUSTOM_VERSION: ${{ inputs.custom_version }}
+          DIST_TAG: ${{ inputs.dist_tag }}
+        run: |
+          if [ -n "$CUSTOM_VERSION" ]; then
+            pnpm run release --prRelease --customVersion="$CUSTOM_VERSION" --distTag="$DIST_TAG"
+          else
+            pnpm run release --prRelease
+          fi
       - name: Get commit message
         run: | # puts the first line of the last commit message to the commmit_message env var
           echo "commmit_message=$(git log --format=%B -n 1 ${{ github.event.after }} | head -n 1)" >> $GITHUB_ENV

.github/workflows/_tagged-release-reusable.yml

@@ -13,18 +13,17 @@ on:
         options:
           - manual
           - pr-snapshot
-          - tagged-release
         default: 'manual'
       custom_version:
-        description: 'Exact semver prerelease version to publish (only for "tagged-release"). Example: 11.7.3-SECURITY.0'
+        description: 'Optional: exact semver prerelease version to publish (pr-snapshot only). Overrides the auto-computed snapshot version. Example: 11.7.3-SECURITY.0'
         required: false
         type: string
         default: ''
       dist_tag:
-        description: 'npm dist-tag to publish under (only for "tagged-release"). Cannot be "latest".'
+        description: 'Optional: npm dist-tag override (pr-snapshot only). Required when custom_version is set. Cannot be "latest".'
         required: false
         type: string
-        default: 'security'
+        default: ''
 
 permissions:
   id-token: write    # Required for OIDC token generation
@@ -49,20 +48,12 @@ jobs:
       contents: write
     secrets: inherit
 
-  # PR snapshot release
+  # PR snapshot release. Optionally accepts custom_version + dist_tag to mirror
+  # a previously-published private security release onto the public registry
+  # under a non-latest dist-tag.
   pr-release:
     if: github.event_name == 'workflow_dispatch' && inputs.release_type == 'pr-snapshot'
     uses: ./.github/workflows/_pr-release-reusable.yml
-    permissions:
-      id-token: write
-      contents: write
-    secrets: inherit
-
-  # Tagged release at an operator-supplied prerelease version (e.g. to mirror
-  # a private security release onto the public registry under a non-latest tag).
-  tagged-release:
-    if: github.event_name == 'workflow_dispatch' && inputs.release_type == 'tagged-release'
-    uses: ./.github/workflows/_tagged-release-reusable.yml
     with:
       custom_version: ${{ inputs.custom_version }}
       dist_tag: ${{ inputs.dist_tag }}

.github/workflows/release_to_npm.yml

@@ -92,20 +92,15 @@ async function publish({
 }) {
   const isRegularRelease = isReleaseCommit(version)
 
+  validateCustomVersionInputs({ customVersion, distTag })
+
   checkNpmAuth()
 
   try {
     checkWorkingDirectory()
     const packages = pkgUtils.getPackages().filter((pkg) => !pkg.private)
 
-    if (customVersion) {
-      await publishCustomVersion({
-        packageName,
-        customVersion,
-        distTag,
-        packages
-      })
-    } else if (isRegularRelease) {
+    if (isRegularRelease) {
       // If on legacy branch, and it is a release, its tag should say vx_maintenance
       const tag = isMaintenance
         ? `v${version.split('.')[0]}_maintenance`
@@ -117,14 +112,15 @@ async function publish({
         packages
       })
     } else {
-      const tag = prRelease ? 'pr-snapshot' : 'snapshot'
+      const tag = distTag || (prRelease ? 'pr-snapshot' : 'snapshot')
       info(`📦  Version: ${version}, Tag: ${tag}`)
       await publishSnapshotVersion({
         version,
         packageName,
         packages,
         tag,
-        prRelease
+        prRelease,
+        customVersion
       })
     }
   } finally {
@@ -133,63 +129,53 @@ async function publish({
 }
 
 /**
- * Publishes each package to pnpm.
- */
-async function publishRegularVersion(arg) {
-  const { version, packages, tag } = arg
-  for await (const pkg of publishPackages(packages, version, tag)) {
-    info(`📦  Version ${version} of ${pkg.name} was successfully published!`)
-  }
-}
-
-/**
- * Bumps all packages to an exact, operator-supplied prerelease version
- * (e.g. 11.7.3-SECURITY.0) and publishes them under a non-`latest` dist-tag.
- * Used to mirror a previously-published private security release onto the
- * public registry so open-source consumers can install the same version
- * without needing access to the private registry.
+ * Validates the optional --customVersion / --distTag pair used to mirror a
+ * private security release onto the public registry under a non-latest tag.
+ * Throws if the inputs are inconsistent or unsafe.
  */
-async function publishCustomVersion(arg) {
-  const { packageName, customVersion, distTag, packages } = arg
+function validateCustomVersionInputs({ customVersion, distTag }) {
+  if (!customVersion && !distTag) return
 
-  if (!semver.valid(customVersion)) {
-    throw new Error(
-      `--customVersion must be a valid semver, got: "${customVersion}"`
-    )
-  }
-  if (!semver.prerelease(customVersion)) {
-    throw new Error(
-      `--customVersion must be a prerelease (e.g. 11.7.3-SECURITY.0); got "${customVersion}". Refusing to take over a stable version slot.`
-    )
-  }
-  if (!distTag) {
-    throw new Error('--distTag is required when --customVersion is set.')
+  if (customVersion) {
+    if (!semver.valid(customVersion)) {
+      throw new Error(
+        `--customVersion must be a valid semver, got: "${customVersion}"`
+      )
+    }
+    if (!semver.prerelease(customVersion)) {
+      throw new Error(
+        `--customVersion must be a prerelease (e.g. 11.7.3-SECURITY.0); got "${customVersion}". Refusing to take over a stable version slot.`
+      )
+    }
+    if (!distTag) {
+      throw new Error('--distTag is required when --customVersion is set.')
+    }
   }
+
   if (distTag === 'latest') {
-    throw new Error(
-      '--distTag cannot be "latest" for a custom-version publish.'
-    )
+    throw new Error('--distTag cannot be "latest".')
   }
+}
 
-  info(`📦  Custom version: ${customVersion}, Tag: ${distTag}`)
-
-  await bumpPackages(packageName, customVersion)
-
-  for await (const pkg of publishPackages(packages, customVersion, distTag)) {
-    info(
-      `📦  Version ${customVersion} of ${pkg.name} was successfully published!`
-    )
+/**
+ * Publishes each package to pnpm.
+ */
+async function publishRegularVersion(arg) {
+  const { version, packages, tag } = arg
+  for await (const pkg of publishPackages(packages, version, tag)) {
+    info(`📦  Version ${version} of ${pkg.name} was successfully published!`)
   }
 }
 
 /**
- * Calculates the new snapshot version based on the latest tag
- * and the current commit, then publishes each package to npm
- * with the new snapshot version.
+ * Bumps packages to a snapshot/prerelease version (either operator-supplied
+ * via --customVersion, or auto-computed from the commit history) and
+ * publishes them under the given dist-tag.
  */
 async function publishSnapshotVersion(arg) {
-  const { version, packageName, packages, tag, prRelease } = arg
-  const snapshotVersion = calculateNextSnapshotVersion(version, prRelease)
+  const { version, packageName, packages, tag, prRelease, customVersion } = arg
+  const snapshotVersion =
+    customVersion || calculateNextSnapshotVersion(version, prRelease)
 
   info(`applying new snapshot version (${snapshotVersion}) to each package`)