fix: enforce OIDC-only beta publish path

Author: nicknisi

.github/workflows/release.yml

@@ -1,16 +1,10 @@
 name: Release
 
 on:
-  workflow_dispatch:
-    inputs:
-      tag_name:
-        description: Release tag name (e.g., v1.0.0-beta.1)
-        type: string
-        default: ''
   workflow_call:
     inputs:
       tag_name:
-        description: Release tag name (e.g., v1.0.0-beta.1)
+        description: Release tag name (e.g., v0.12.0-beta.1)
         type: string
         default: ''
 
@@ -32,9 +26,6 @@ jobs:
           registry-url: 'https://registry.npmjs.org'
           cache: pnpm
 
-      - name: Remove token auth from npmrc (use OIDC instead)
-        run: sed -i '/_authToken/d' "$NPM_CONFIG_USERCONFIG"
-
       - name: Install
         run: pnpm install
 
@@ -46,13 +37,20 @@ jobs:
         env:
           TAG_NAME: ${{ inputs.tag_name }}
         run: |
-          if [[ "$TAG_NAME" == *"-"* ]]; then
+          VERSION="${TAG_NAME#v}"
+
+          if [[ -z "$VERSION" ]]; then
+            VERSION="$(node -p "require('./package.json').version")"
+          fi
+
+          if [[ "$VERSION" == *"-"* ]]; then
             echo "tag=beta" >> "$GITHUB_OUTPUT"
           else
             echo "tag=latest" >> "$GITHUB_OUTPUT"
           fi
 
       - name: Publish
         run: |
+          sed -i '/_authToken/d' "$NPM_CONFIG_USERCONFIG"
           unset NODE_AUTH_TOKEN
           pnpm publish --tag ${{ steps.npm-tag.outputs.tag }} --access public --no-git-checks --provenance