ci: migrate npm publish to GAR via direct WIF (AI-916)#1

Open
braines-blw wants to merge 1 commit into
blue-water-autonomyfrom
ai-916-migrate-npm-publish-to-gar-via-wif
Conversation

@braines-blw braines-blw commented May 18, 2026

Migrates .github/workflows/release.yml (branch blue-water-autonomy) from GitHub Packages (npm.pkg.github.com + secrets.GITHUB_TOKEN) to Google Artifact Registry via direct Workload Identity Federation (no service account). Required so bob's credential broker can pull this package for power-module's e2e (AI-918) — GitHub App tokens are categorically rejected by npm.pkg.github.com.

Two blocking open problems — resolved (decisions confirmed with owner, not unilateral)

Open Problem 2 (WIF ref allowlist) → tag trigger gated to bwa-v*. AI-920's live attribute_condition (verified from the Done ticket / merged infra PR Ocean-Industries-Concept-Lab#227) pins this repo (publisher repository_id 1239120577) to refs/heads/main or refs/tags/*. Origin has no main, so a blue-water-autonomy branch push would fail the OIDC exchange. Trigger changed to tag push gated to the bwa-v* glob — a BWA-distinct prefix matching html-eslint / AI-917 (tags: ['bwa-v*']), chosen so a publish is not triggered by upstream v* tags or by bob run-artifact tags such as agentic/meta/agentic/AI-916/r0XXXX. bwa-v* ⊂ refs/tags/*, so the already-applied WIF condition allows it — no infra change / no AI-920 follow-up needed. The tag name is only the trigger gate; the published version still comes from package.json. workflow_dispatch is retained but only authenticates when dispatched against a tag ref (documented in a workflow comment).

Open Problem 1 (version lineage) → publish 2.0.0-bwa.<run>. This branch's packages/openbridge-webcomponents/package.json is 2.0.0-next.29; the unchanged stamping yields 2.0.0-bwa.${GITHUB_RUN_NUMBER}. No package.json base change. The 0.0.17 lineage is the dead origin-absent local main (out of scope). Cross-repo coordination: power-module's consumer constraint must move ^0.0.17-bwa.X → 2.0.0-bwa.X as part of AI-918 (still Todo); this PR does not touch power-module.

Changes

  • Trigger: tag push gated to bwa-v* + workflow_dispatch; removed branch push.
  • permissions: packages: write → id-token: write.
  • Removed setup-node registry-url/scope and NODE_AUTH_TOKEN: secrets.GITHUB_TOKEN.
  • Added google-github-actions/auth@v2 (WIF provider github-oidc-bwa-npm, no service_account) + setup-gcloud@v2.
  • Publish step writes the GAR .npmrc via an echo brace-block (not a heredoc — heredoc indentation broke the AI-920 smoke) and runs npm publish --tag latest.
  • Package-identity / version-stamping step is byte-identical to the prior file. Modern tooling (checkout@v6, setup-node@v6, node 24, npm ci, cache: npm) preserved. No SA key files anywhere.

Testing

In-worktree: valid YAML; all static acceptance assertions pass; tag glob is bwa-v* (not bare *); no service_account: YAML key (only an explanatory comment); stamping block unchanged vs fork point.

Post-merge verification (out-of-band — needs the live repo + GCP, not executable in CI of this PR):

  • Push a bwa-v* tag (e.g. bwa-v2.0.0) → confirm the workflow authenticates via WIF and publishes. (No bwa-v* tags exist on origin yet; the existing agentic/.../r05009 artifact tag correctly does not match.)
  • gcloud artifacts versions list --repository=bwa-npm --location=us-central1 --project=blue-water-autonomy-operations --package=openbridge-webcomponents shows the new 2.0.0-bwa.<run>.
  • AI-918 updates power-module's constraint and its e2e resolves/installs from GAR.

Linear: AI-916

🤖 Generated with Claude Code
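The two gates the description relies on (the bwa-v* trigger glob and AI-920's WIF attribute_condition), the version stamp, and the echo brace-block that writes the GAR .npmrc, as an added shell example that runs offline. This is not the PR's release.yml and not project code: the scope name is a placeholder, the access token is passed in as a constructed argument rather than coming from google-github-actions/auth, the stamp_version reconstruction (drop the prerelease suffix, append -bwa.<run>) is my assumption about how the unchanged stamping step reaches 2.0.0-bwa.<run>, and the LOCATION-npm.pkg.dev host form is Artifact Registry's npm endpoint with the project, repository and location taken from the gcloud command above.

```shell
#!/bin/sh
# Added example, not the PR's workflow. Models locally the checks the PR body
# relies on: the bwa-v* trigger glob, the WIF attribute_condition
# (refs/heads/main or refs/tags/*), the version stamp, and the .npmrc write.

# Gate 1: the workflow trigger. Only refs under the bwa-v* tag glob start the
# job, so upstream v* tags and agentic/... run-artifact tags never reach auth.
matches_trigger_glob() {
  case "$1" in
    refs/tags/bwa-v*) return 0 ;;
    *)                return 1 ;;
  esac
}

# Gate 2: the WIF attribute_condition quoted in the PR text. The OIDC exchange
# succeeds only for refs/heads/main or any tag; a push to the
# blue-water-autonomy branch is rejected here.
wif_condition_allows() {
  case "$1" in
    refs/heads/main|refs/tags/*) return 0 ;;
    *)                           return 1 ;;
  esac
}

# A ref publishes only if both gates pass.
publish_allowed() {
  matches_trigger_glob "$1" && wif_condition_allows "$1"
}

# Version stamp. The PR states 2.0.0-next.29 becomes 2.0.0-bwa.<run>; this
# reconstruction (an assumption, not the workflow's own step) drops the
# prerelease suffix and appends -bwa.<run>. The tag name is never consulted.
stamp_version() {
  base="${1%%-*}"
  printf '%s-bwa.%s\n' "$base" "$2"
}

# Write the GAR .npmrc with an echo brace-block, as the PR does (no heredoc).
# Arguments: output path, short-lived OAuth access token (constructed here;
# the real job takes it from google-github-actions/auth). Scope is a
# placeholder; project, repository and location come from the PR's gcloud
# command; LOCATION-npm.pkg.dev is Artifact Registry's npm endpoint form.
write_gar_npmrc() {
  out="$1"
  token="$2"
  registry="us-central1-npm.pkg.dev/blue-water-autonomy-operations/bwa-npm"
  (
    umask 077   # the file carries a bearer token; owner-readable only
    {
      echo "@placeholder-scope:registry=https://${registry}/"
      echo "//${registry}/:_authToken=${token}"
    } > "$out"
  )
}

# Returns 0 if the .npmrc carries no service-account key material
# (the PR's "no SA key files anywhere" invariant), 1 otherwise.
npmrc_has_no_sa_key() {
  ! grep -q -e 'private_key' -e 'GOOGLE_APPLICATION_CREDENTIALS' "$1"
}

# Stand-alone demo over constructed refs: only the first one publishes.
for ref in refs/tags/bwa-v2.0.0 refs/tags/v2.0.0 \
           refs/tags/agentic/meta/agentic/AI-916/r05009 \
           refs/heads/blue-water-autonomy; do
  if publish_allowed "$ref"; then echo "publish: $ref"; else echo "skip:    $ref"; fi
done
```

The subshell around the brace-block keeps the restrictive umask local to the write; the rest of the job's file permissions are untouched. Splitting the decision into two functions mirrors the two independent controls in the PR text: the trigger glob is under this repo's control, the attribute_condition is owned by the infra side, and a ref must satisfy both.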

@braines-blw braines-blw changed the title Implement AI-916: openbridge-webcomponents: migrate npm publish to GAR via WIF ci: migrate npm publish to GAR via direct WIF (AI-916) May 18, 2026
@AdamVig AdamVig force-pushed the blue-water-autonomy branch 2 times, most recently from 606c593 to 1bfb1c5 Compare May 18, 2026 18:08
@braines-blw braines-blw force-pushed the ai-916-migrate-npm-publish-to-gar-via-wif branch from 3d54d37 to fdcfbeb Compare May 19, 2026 14:22
…R via WIF

Migrate .github/workflows/release.yml from GitHub Packages
(npm.pkg.github.com + secrets.GITHUB_TOKEN) to Google Artifact
Registry via direct Workload Identity Federation (no service
account). Trigger changed to tag push to satisfy AI-920's applied
WIF attribute_condition. Publishes 2.0.0-bwa.<run>.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@braines-blw braines-blw force-pushed the ai-916-migrate-npm-publish-to-gar-via-wif branch from fdcfbeb to 7d23060 Compare May 19, 2026 14:29