refactor: consolidate npm publishing into single OIDC workflow

Create npm-publish.yml as the single entry-point workflow for npm
trusted publishing. This workflow handles both PR dev publishes and
release publishes, with provenance support.

- Add npm-publish.yml with publish-dev and publish-release jobs
- Add manual-deprecate-versions.yml for version deprecation
- Add manual-manage-versions.yml for dist-tag management
- Remove npm-publisher.yml (replaced by npm-publish.yml)
- Update on-pull-request.yml to remove publish jobs (moved to npm-publish)
- Update on-main-push.yml to remove release jobs (triggered by release event)
- Update on-merged-pull-request.yml to use OIDC directly

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: scolladon

.github/workflows/manual-deprecate-versions.yml

@@ -0,0 +1,38 @@
+---
+name: Deprecate versions
+
+on:
+  workflow_dispatch:
+    inputs:
+      version-expression:
+        description: version number (semver format) or range to deprecate
+        required: true
+        type: string
+      rationale:
+        description: explain why this version is deprecated. No message content will un-deprecate the version
+        type: string
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  deprecate:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout sources
+        uses: actions/checkout@v6
+
+      - name: Setup node
+        uses: actions/setup-node@v6
+        with:
+          node-version: 20
+          registry-url: "https://registry.npmjs.org"
+
+      - run: npm install -g npm@latest
+
+      - name: Deprecate version
+        env:
+          VERSION_EXPR: ${{ github.event.inputs.version-expression }}
+          RATIONALE: ${{ github.event.inputs.rationale }}
+        run: npm deprecate "sf-git-merge-driver@${VERSION_EXPR}" "$RATIONALE"

.github/workflows/manual-manage-versions.yml

@@ -0,0 +1,44 @@
+---
+name: Manage versions
+
+on:
+  workflow_dispatch:
+    inputs:
+      version-alias:
+        description: version alias to map to a version number
+        required: true
+        type: choice
+        options:
+          - stable
+          - latest
+          - latest-rc
+      version-number:
+        description: version number (semver format)
+        required: true
+        default: vX.Y.Z
+        type: string
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  add-tag:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout sources
+        uses: actions/checkout@v6
+
+      - name: Setup node
+        uses: actions/setup-node@v6
+        with:
+          node-version: 20
+          registry-url: "https://registry.npmjs.org"
+
+      - run: npm install -g npm@latest
+
+      - name: Add dist-tag
+        env:
+          VERSION_NUMBER: ${{ github.event.inputs.version-number }}
+          VERSION_ALIAS: ${{ github.event.inputs.version-alias }}
+        run: npm dist-tag add "sf-git-merge-driver@${VERSION_NUMBER}" "$VERSION_ALIAS"

.github/workflows/npm-publish.yml

@@ -0,0 +1,110 @@
+---
+name: NPM Publish
+
+on:
+  release:
+    types: [published]
+  pull_request:
+    branches: [main]
+    types: [opened, synchronize, reopened]
+    paths-ignore:
+      - "**.md"
+
+permissions:
+  contents: read
+  id-token: write
+
+# Manage concurrency to stop running jobs and start new ones in case of new commit pushed
+concurrency:
+  group: ${{ github.ref }}-${{ github.workflow }}
+  cancel-in-progress: true
+
+jobs:
+  # Dev publish on PR
+  publish-dev:
+    if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]'
+    runs-on: ubuntu-latest
+    outputs:
+      channel: ${{ steps.publish.outputs.channel }}
+    permissions:
+      id-token: write
+      contents: read
+      pull-requests: write
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/setup-node@v6
+        with:
+          node-version: 20
+          registry-url: "https://registry.npmjs.org"
+      - run: npm install -g npm@latest
+      - uses: ./.github/actions/install
+      - name: Compute dev version
+        id: version
+        run: |
+          CURRENT_VERSION=$(jq -r '.version' package.json)
+          DEV_CHANNEL="dev-${{ github.event.pull_request.number }}"
+          DEV_VERSION="${CURRENT_VERSION}-${DEV_CHANNEL}.${{ github.run_id }}-${{ github.run_attempt }}"
+          echo "channel=$DEV_CHANNEL" >> "$GITHUB_OUTPUT"
+          echo "version=$DEV_VERSION" >> "$GITHUB_OUTPUT"
+      - name: Set version
+        env:
+          DEV_CHANNEL: ${{ steps.version.outputs.channel }}
+        run: |
+          git config --global user.email "${DEV_CHANNEL}@github.com"
+          git config --global user.name "$DEV_CHANNEL"
+          npm version "${{ steps.version.outputs.version }}" --no-git-tag-version
+      - name: Publish
+        id: publish
+        env:
+          CHANNEL: ${{ steps.version.outputs.channel }}
+        run: |
+          npm publish --provenance --access public --tag "$CHANNEL"
+          echo "channel=$CHANNEL" >> "$GITHUB_OUTPUT"
+      - name: Comment PR
+        uses: thollander/actions-comment-pull-request@v3
+        env:
+          DEV_CHANNEL: ${{ steps.version.outputs.channel }}
+        with:
+          message: |
+            Published under `${{ env.DEV_CHANNEL }}` npm channel.
+            ```sh
+            $ sf plugins install sf-git-merge-driver@${{ env.DEV_CHANNEL }}
+            ```
+          comment-tag: dev-publish
+          mode: recreate
+
+  # Release publish on release event
+  publish-release:
+    if: github.event_name == 'release'
+    runs-on: ubuntu-latest
+    outputs:
+      channel: ${{ github.event.release.tag_name }}
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/setup-node@v6
+        with:
+          node-version: 20
+          registry-url: "https://registry.npmjs.org"
+      - run: npm install -g npm@latest
+      - uses: ./.github/actions/install
+      - name: Publish
+        run: npm publish --provenance --access public --tag latest-rc
+
+  # E2E tests after dev publish
+  e2e-dev:
+    needs: [publish-dev]
+    if: github.event_name == 'pull_request'
+    uses: ./.github/workflows/run-e2e-tests.yml
+    with:
+      channel: ${{ needs.publish-dev.outputs.channel }}
+
+  # E2E tests after release publish
+  e2e-release:
+    needs: [publish-release]
+    if: github.event_name == 'release'
+    uses: ./.github/workflows/run-e2e-tests.yml
+    with:
+      channel: ${{ needs.publish-release.outputs.channel }}