fix: unify all npm publish workflows into a single top-level publish-npm.yml

## Problem

npm Trusted Publishing matches the `workflow_ref` OIDC claim, which
is always the top-level workflow filename. npm allows only ONE trusted
publisher per package. The prior migration (#57099) used
`workflow_call` to route all publishes through `publish-npm.yml`,
but `workflow_ref` resolves to the *caller* (e.g. `nightly.yml`),
not the reusable child — so the Trusted Publisher entry for
`publish-npm.yml` never matches.

## Solution

Merge all three publish entry points into `publish-npm.yml` itself,
triggered by all three event types:

  - `push.tags: v0.*` → release mode (was publish-release.yml)
  - `schedule + workflow_dispatch` → nightly mode (was nightly.yml)
  - `push.branches: main, *-stable` → bumped-packages mode
    (was publish-bumped-packages.yml)

A `determine_mode` job inspects the trigger and sets the mode.
Downstream jobs use conditional `if:` expressions to run only
the relevant build/publish steps.

Since `publish-npm.yml` is now always the top-level workflow,
`workflow_ref` always resolves to `publish-npm.yml` ✅.

## Key design points

- **No JS changes** — the publish scripts are unchanged. The build
  and publish still happen in the same job, on the same runner, with
  the same container. No artifact handoff or pack-only mode needed.

- **Reusable workflow_call children are fine** — prebuild-ios-*.yml,
  generate-changelog.yml, etc. remain as `workflow_call` children.
  Only the file that calls `npm publish` must be the top-level
  workflow; child workflows don't affect the OIDC claim.

- **Old workflow files kept as stubs** — publish-release.yml,
  nightly.yml, and publish-bumped-packages.yml are replaced with
  minimal deprecation notices so that external links/dashboards
  don't 404.

- **`always()` + explicit result checks** — publish_react_native
  depends on build_android (nightly-only) and prebuild_* jobs.
  In release mode, build_android is skipped. The `always()`
  prevents cascading skips, while explicit result checks ensure
  we don't publish after a failed build.

## npm Trusted Publisher config (manual step)

For each of the 24 packages, configure on npmjs.com:
  Organization: react
  Repository:   react-native
  Workflow:     publish-npm.yml
  Environment:  npm-publish

Author: robhogan

.github/workflows/nightly.yml

@@ -1,90 +1,19 @@
-name: Nightly
+# Nightly builds are now handled by publish-npm.yml, which triggers on
+# the same cron schedule and supports workflow_dispatch. This file is
+# kept only so that links to "nightly.yml" in docs and dashboards
+# don't break — it does nothing on its own.
+name: Nightly (deprecated → publish-npm.yml)
 
 on:
+  # No triggers — this workflow never runs.
+  # Nightly builds are handled by publish-npm.yml.
   workflow_dispatch:
-  # nightly build @ 2:15 AM UTC
-  schedule:
-    - cron: "15 2 * * *"
-
-permissions:
-  contents: read
 
 jobs:
-  set_release_type:
+  redirect:
     runs-on: ubuntu-latest
-    if: github.repository == 'react/react-native'
-    outputs:
-      RELEASE_TYPE: ${{ steps.set_release_type.outputs.RELEASE_TYPE }}
-    env:
-      EVENT_NAME: ${{ github.event_name }}
-      REF: ${{ github.ref }}
     steps:
-      - id: set_release_type
-        run: |
-          echo "Setting release type to nightly"
-          echo "RELEASE_TYPE=nightly" >> $GITHUB_OUTPUT
-
-  prebuild_apple_dependencies:
-    if: github.repository == 'react/react-native'
-    uses: ./.github/workflows/prebuild-ios-dependencies.yml
-    secrets: inherit
-
-  prebuild_react_native_core:
-    uses: ./.github/workflows/prebuild-ios-core.yml
-    with:
-      use-hermes-prebuilt: true
-      version-type: nightly
-    secrets: inherit
-    needs: [prebuild_apple_dependencies]
-
-  build_android:
-    runs-on: ubuntu-latest
-    if: github.repository == 'react/react-native'
-    needs: [set_release_type]
-    container:
-      image: reactnativecommunity/react-native-android:latest
-      env:
-        TERM: "dumb"
-        # Set the encoding to resolve a known character encoding issue with decompressing tar.gz files in containers
-        # via Gradle: https://github.com/gradle/gradle/issues/23391#issuecomment-1878979127
-        LC_ALL: C.UTF8
-        GRADLE_OPTS: "-Dorg.gradle.daemon=false"
-        ORG_GRADLE_PROJECT_SIGNING_PWD: ${{ secrets.ORG_GRADLE_PROJECT_SIGNING_PWD }}
-        ORG_GRADLE_PROJECT_SIGNING_KEY: ${{ secrets.ORG_GRADLE_PROJECT_SIGNING_KEY }}
-        ORG_GRADLE_PROJECT_SONATYPE_USERNAME: ${{ secrets.ORG_GRADLE_PROJECT_SONATYPE_USERNAME }}
-        ORG_GRADLE_PROJECT_SONATYPE_PASSWORD: ${{ secrets.ORG_GRADLE_PROJECT_SONATYPE_PASSWORD }}
-        REACT_NATIVE_DOWNLOADS_DIR: /opt/react-native-downloads
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-      - name: Build Android
-        uses: ./.github/actions/build-android
-        with:
-          release-type: ${{ needs.set_release_type.outputs.RELEASE_TYPE }}
-          gradle-cache-encryption-key: ${{ secrets.GRADLE_CACHE_ENCRYPTION_KEY }}
-
-  # Delegate the actual npm publish to the shared reusable workflow so
-  # every `npm publish` in this repo originates from one workflow file —
-  # required because npm Trusted Publishing only accepts one
-  # (org, repo, workflow_filename) per package.
-  build_npm_package:
-    needs:
-      [
-        set_release_type,
-        build_android,
-        prebuild_apple_dependencies,
-        prebuild_react_native_core,
-      ]
-    # The top-level `permissions: contents: read` is the ceiling for
-    # GITHUB_TOKEN in every job here, including reusable-workflow calls.
-    # Re-grant `id-token: write` at the job level so publish-npm.yml's
-    # `publish-react-native` job can mint the OIDC token that npm
-    # Trusted Publishing exchanges for a publish token.
-    permissions:
-      contents: read
-      id-token: write
-    uses: ./.github/workflows/publish-npm.yml
-    secrets: inherit
-    with:
-      mode: react-native
-      release-type: ${{ needs.set_release_type.outputs.RELEASE_TYPE }}
+      - run: |
+          echo "⚠️ This workflow is deprecated."
+          echo "Nightly builds are now published by publish-npm.yml."
+          echo "See: https://github.com/react/react-native/actions/workflows/publish-npm.yml"

.github/workflows/publish-bumped-packages.yml

@@ -1,19 +1,19 @@
-name: Publish Bumped Packages
+# Bumped-package publishing is now handled by publish-npm.yml, which
+# triggers on pushes to main and *-stable branches. This file is kept
+# only so that links to "publish-bumped-packages.yml" in docs and
+# dashboards don't break — it does nothing on its own.
+name: Publish Bumped Packages (deprecated → publish-npm.yml)
 
 on:
-  push:
-    branches:
-      - "main"
-      - "*-stable"
+  # No triggers — this workflow never runs.
+  # Branch pushes are handled by publish-npm.yml.
+  workflow_dispatch:
 
 jobs:
-  # Delegate to the shared reusable workflow so every `npm publish` in
-  # this repo originates from one workflow file — required because npm
-  # Trusted Publishing only accepts one (org, repo, workflow_filename)
-  # per package.
-  publish_bumped_packages:
-    if: github.repository == 'react/react-native'
-    uses: ./.github/workflows/publish-npm.yml
-    secrets: inherit
-    with:
-      mode: monorepo-packages
+  redirect:
+    runs-on: ubuntu-latest
+    steps:
+      - run: |
+          echo "⚠️ This workflow is deprecated."
+          echo "Bumped packages are now published by publish-npm.yml."
+          echo "See: https://github.com/react/react-native/actions/workflows/publish-npm.yml"