chore: Migrate publishing to GHA, consolidate CI workflows

.github/workflows/daily_ci.yaml

@@ -7,4 +7,4 @@
 
 jobs:
   daily-ci-js-helpers:
-      uses: ./.github/workflows/ci-unit-tests.yaml
+      uses: ./.github/workflows/shared-ci.yml

.github/workflows/prod-release.yml

@@ -0,0 +1,91 @@
+name: Release
+permissions:
+  contents: read
+  id-token: write
+
+on:
+  workflow_dispatch:
+    inputs:
+      version_bump:
+        required: false
+        description: '[Optional] Override semantic versioning with explict version (allowed values: "patch", "minor", "major", or explicit version)'
+        default: ''
+      dist_tag:
+        description: 'NPM distribution tag'
+        required: false
+        default: 'latest'
+      branch:
+        description: 'The branch to release from'
+        required: false
+        default: 'master'
+
+env:
+  NODE_OPTIONS: "--max-old-space-size=4096"
+  NPM_CONFIG_UNSAFE_PERM: true
+
+jobs:
+  pre-release-ci:
+    uses: ./.github/workflows/shared-ci.yml
+
+  # Once all tests have passed, run semantic versioning
+  version:
+    runs-on: ubuntu-latest
+    needs: [pre-release-ci]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Setup Node.js 20
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci --unsafe-perm
+
+      - name: Configure git
+        env:
+          BRANCH: ${{ github.event.inputs.branch }}
+        run: |
+          git config --global user.name "aws-crypto-tools-ci-bot"
+          git config --global user.email "[email protected]"
+          git checkout $BRANCH
+
+      - name: Version packages and push
+        env:
+          VERSION_BUMP: ${{ github.event.inputs.version_bump }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          # Generate new version and CHANGELOG entry and push it
+          npx lerna version --conventional-commits --git-remote origin --yes ${VERSION_BUMP:+$VERSION_BUMP --force-publish}
+          # Log the commit for posterity
+          git log -n 1
+
+  publish:
+    runs-on: ubuntu-latest
+    needs: [pre-release-ci, version]
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          registry-url: 'https://registry.npmjs.org'
+
+      # Ensure npm 11.5.1 or later is installed
+      - name: Update npm
+        run: npm install -g npm@latest
+      - run: npm ci --unsafe-perm
+      - run: npm run build --if-present
+      - run: npx lerna publish from-package --yes --dist-tag ${{ github.event.inputs.dist_tag }}
+
+  # Once publishing is complete, validate that the published packages are useable
+  validate:
+    uses: ./.github/workflows/shared-ci.yml
+    needs: [publish]
+    with:
+      test-published-packages: true

.github/workflows/pull.yaml

@@ -6,4 +6,4 @@
 
 jobs:
   pr-ci-js-helpers-test:
-    uses: ./.github/workflows/ci-unit-tests.yaml
+    uses: ./.github/workflows/shared-ci.yml

.github/workflows/push.yaml

@@ -8,4 +8,4 @@
 
 jobs:
   push-ci-js-helpers-test:
-    uses: ./.github/workflows/ci-unit-tests.yaml
+    uses: ./.github/workflows/shared-ci.yml

.github/workflows/shared-ci.yml

@@ -0,0 +1,59 @@
+name: Shared CI Tests
+
+on:
+  workflow_call:
+    inputs:
+      test-published-packages:
+        description: 'Test against published packages instead of checked out code'
+        required: false
+        type: boolean
+        default: false
+
+env:
+  NODE_OPTIONS: "--max-old-space-size=4096"
+  NPM_CONFIG_UNSAFE_PERM: true
+
+jobs:
+  test:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, windows-latest, macos-latest]
+        node-version: ['16.x', '18.x', '20.x', 'latest']
+        # Determine test categories based on whether testing published packages or source code:
+        # - Testing published packages: only run vector tests (don't have build artifacts to test coverage)
+        # - Testing source code: run unit tests and vector tests
+        test-category: ${{ fromJSON(inputs['test-published-packages'] && '["vectors"]' || '["unit", "vectors"]') }}
+    name: test-${{ matrix.test-category }}-${{ matrix.os }}-${{ matrix.node-version }}
+    steps:
+      - name: Checkout code
+        # Always need repo for test scripts and configuration, even when testing published packages
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ matrix.node-version }}
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci --unsafe-perm
+
+      - name: Build (for source code testing)
+        if: ${{ !inputs.test-published-packages }}
+        run: npm run build
+
+      - name: Run unit tests
+        if: ${{ matrix.test-category == 'unit' }}
+        run: npm test
+
+      - name: Publish locally for vector tests
+        if: ${{ matrix.test-category == 'vectors' && !inputs.test-published-packages }}
+        run: npm run verdaccio-publish
+
+      - name: Run vector tests
+        if: ${{ matrix.test-category == 'vectors' }}
+        run: npm run verdaccio-verify-publish -- ${{ inputs.test-published-packages && 'public' || 'ci' }}