ci: move release automation into account workflow #294

Open
fan-zhang-sv wants to merge 3 commits into master from ci/release-account-workflow

@fan-zhang-sv
Collaborator

Summary

  • Move release-please automation into the npm Trusted Publisher-approved release-account.yml workflow.
  • Keep automated account/account-ui publishing on release-please outputs while adding a manual account publish fallback.
  • Verify manual fallback release state against master package version or account-v<version> tag before publishing.

Test plan

  • git diff --check origin/master...HEAD
  • ruby -e 'require "yaml"; YAML.load_file(".github/workflows/release-account.yml"); puts "yaml ok"'

Made with Cursor

Co-authored-by: Cursor <cursoragent@cursor.com>
@cb-heimdall
Collaborator

cb-heimdall commented May 8, 2026

✅ Heimdall Review Status

Requirement Status More Info
Reviews 1/1
Denominator calculation
1 if user is bot 0
1 if user is external 0
2 if repo is sensitive 0
From .codeflow.yml 1
Additional review requirements
Max 0
0
From CODEOWNERS 0
Global minimum 0
Max 1
1
1 if commit is unverified 0
Sum 1

Comment thread .github/workflows/release-account.yml Outdated
Co-authored-by: Cursor <cursoragent@cursor.com>
Comment thread .github/workflows/release-account.yml Outdated
Co-authored-by: Cursor <cursoragent@cursor.com>
- name: Publish to npm
  run: |
    cd packages/account-ui
    npm publish --tag latest --access public --provenance
Contributor

The @base-org/account-ui npm Trusted Publisher configuration (if one exists) would have been tied to the old workflow filename release-please.yml. Moving this publish job to release-account.yml will break OIDC-based publishing for account-ui unless the Trusted Publisher entry on npm has already been updated to reference the new filename.

Please verify that either:

  1. @base-org/account-ui's npm Trusted Publisher is updated to release-account.yml, or
  2. @base-org/account-ui doesn't use Trusted Publishing (relies on an NPM_TOKEN secret instead)

If (1), this is fine. If neither, automated account-ui publishes will fail with a 403 on the next release.

Collaborator Author

account-ui is low prio for now, will work on it separately

@github-actions
Contributor

github-actions Bot commented May 8, 2026

Review Summary

PR consolidates release-please automation and the existing manual publish workflow into a single release-account.yml file. The change is well-structured — release-please runs on push to master, automated publishes fire when releases are created, and the manual fallback has solid validation logic (semver regex, tag ancestry check, package.json version cross-reference).

Findings

Severity: High
Issue: publish-account-ui moved from release-please.yml to release-account.yml. If @base-org/account-ui has an npm Trusted Publisher entry tied to the old filename, automated UI publishes will 403. Needs verification that the TP config has been updated or doesn't apply.

Previously addressed (no action needed)

Both items from the prior review round are resolved in the current diff:

  • --provenance is now present on all three npm publish commands.
  • ${{ env.PACKAGE_VERSION }} replaced with shell-expanded "$PACKAGE_VERSION" in the Set version step.

Notes

  • The run-name dynamic labeling is a nice touch for distinguishing automated vs manual runs in the Actions UI.
  • CONTRIBUTING.md documentation is thorough and accurately reflects the new workflow structure.
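
Added example, not part of this pull request or the project's workflow: a bash preflight guard that can run as a step before npm publish, so the Trusted Publisher mismatch raised in the review thread above surfaces as an explicit error rather than a 403. It assumes the GitHub Actions default variables GITHUB_WORKFLOW_REF and ACTIONS_ID_TOKEN_REQUEST_URL; the function names and the OWNER/REPO placeholder are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (hypothetical helper names): fail fast before `npm publish`
# when the running workflow cannot match the npm Trusted Publisher entry.

# A GITHUB_WORKFLOW_REF-style value has the shape:
#   <owner>/<repo>/.github/workflows/<file>@<git ref>
repo_from_ref() {
  local path="${1%%@*}"                       # drop "@refs/..."
  case "$path" in
    ?*/.github/workflows/?*) printf '%s\n' "${path%%/.github/workflows/*}" ;;
    *) return 1 ;;
  esac
}

workflow_file_from_ref() {
  local path="${1%%@*}"
  case "$path" in
    ?*/.github/workflows/?*) printf '%s\n' "${path##*/.github/workflows/}" ;;
    *) return 1 ;;
  esac
}

# check_trusted_publisher <workflow_ref> <expected_repo> <expected_file> <oidc_url>
# Returns 0 = consistent, 1 = malformed ref, 2 = no OIDC endpoint,
#         3 = repository mismatch, 4 = workflow filename mismatch.
# Comparisons are exact (case-sensitive), the conservative choice.
check_trusted_publisher() {
  local wf_ref="$1" want_repo="$2" want_file="$3" oidc_url="$4" repo file
  repo="$(repo_from_ref "$wf_ref")" && file="$(workflow_file_from_ref "$wf_ref")" || {
    echo "malformed workflow ref: $wf_ref" >&2; return 1; }
  if [ -z "$oidc_url" ]; then
    echo "no OIDC token endpoint; job needs 'permissions: id-token: write'" >&2
    return 2
  fi
  if [ "$repo" != "$want_repo" ]; then
    echo "repository '$repo' != configured '$want_repo'" >&2; return 3
  fi
  if [ "$file" != "$want_file" ]; then
    echo "workflow '$file' != configured '$want_file'" >&2; return 4
  fi
  return 0
}

# Usage inside the publish job (OWNER/REPO is a placeholder for the values
# entered in the package's Trusted Publisher settings on npm):
#   check_trusted_publisher "$GITHUB_WORKFLOW_REF" "OWNER/REPO" \
#     "release-account.yml" "${ACTIONS_ID_TOKEN_REQUEST_URL:-}"
```

A non-zero exit from the guard stops the job before the registry is contacted, and the message names which of the three conditions failed.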
