[codex] refresh shared workflow pin

[Jesssullivan]

Summary

• refresh the mirror repo's shared JS/Bazel package workflow pin in CI
• refresh the same pin in the downstream publish rehearsal workflow

Why

tinyland-inc/scheduling-kit main is currently red because it still points at tinyland-inc/ci-templates/.github/workflows/js-bazel-package.yml@dde8c378815e47aa027c163278430c0d98ae007b, which is no longer resolvable. The canonical Jesssullivan/scheduling-kit repo is already green on main; this PR is only to stop the downstream mirror from lying about package-lane health.

Validation

• ruby -e 'require "yaml"; YAML.load_file(".github/workflows/ci.yml"); YAML.load_file(".github/workflows/publish.yml")'
• git diff --check

[greptile-apps]

Greptile Summary

This PR updates the broken SHA pin for the shared js-bazel-package reusable workflow (dde8c37 → f2e12c1) in both ci.yml and publish.yml, restoring green CI on the mirror repo. Alongside the pin refresh, both files also quietly change package_check_command from pnpm check:package to pnpm exec publint, which is not mentioned in the PR description and warrants a clarification.

Confidence Score: 5/5

Safe to merge — the SHA pin fix is the primary goal and the command change is a P2 clarification question, not a blocker.

All findings are P2: the package_check_command change is undocumented but both workflows are updated consistently, and pnpm exec publint is a valid, widely-used invocation. No correctness, data-integrity, or security issues were found.

No files require special attention beyond the clarification on package_check_command.

Important Files Changed

Filename	Overview
.github/workflows/ci.yml	Reusable workflow SHA updated from broken dde8c37 to f2e12c1; also silently changes package_check_command from pnpm check:package to pnpm exec publint without mention in the PR description.
.github/workflows/publish.yml	Same SHA pin and package_check_command changes as ci.yml; both changes are applied consistently between the two workflow files.

Sequence Diagram

sequenceDiagram
    participant GH as GitHub Actions
    participant CI as ci.yml / publish.yml
    participant TPL as tinyland-inc/ci-templates js-bazel-package.yml@f2e12c1

    GH->>CI: trigger (push / PR / workflow_dispatch)
    CI->>TPL: uses reusable workflow (new SHA pin)
    TPL->>TPL: prepare (pnpm exec svelte-kit sync)
    TPL->>TPL: lint & typecheck
    TPL->>TPL: unit + integration tests
    TPL->>TPL: build (pnpm build)
    TPL->>TPL: package_check (pnpm exec publint)
    TPL->>TPL: bazel build //:pkg
    TPL-->>CI: workflow result
    CI-->>GH: pass / fail

Loading

_{Reviews (1): Last reviewed commit: "align mirror package validation" | Re-trigger Greptile}

[greptile-apps]

Undocumented command change

The PR description only mentions updating the workflow SHA pin, but both files also change package_check_command from pnpm check:package to pnpm exec publint. pnpm check:package is a package.json script that could wrap publint with additional flags or run extra checks; pnpm exec publint runs the binary directly with no arguments. If check:package included extra options (e.g., --strict, a specific entrypoint, or additional validations), those would be silently dropped. Is this intentional, and is check:package now gone from package.json?

[greptile-apps]

Undocumented command change (same as ci.yml)

Same undocumented package_check_command change from pnpm check:package to pnpm exec publint appears here as well. If the intent is to drop the custom script in favour of running publint directly, that should be noted in the PR description, and the check:package script should be removed from package.json to avoid confusion.