Goal
Establish a clear, repository-owned CI/CD publishing policy so release-related automation runs only in approved contexts and uses credentials that are scoped to the owning account.
Outcome
- Publishing actions are enabled only for trusted repository/branch contexts.
- Secret and token usage follows least privilege and avoids long-lived broad-scoped credentials where possible.
- External ecosystem publishing flows (for example package indexes and downstream repository updates) are authenticated through account-owned credentials with explicit ownership boundaries.
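As an added illustration (not a workflow from the project this page describes) of what the three outcomes look like in practice, here is a GitHub Actions workflow that gates a publishing job on the owning repository and a version-tag ref, starts from an empty permission set, and publishes to a package index through a short-lived OIDC-issued token rather than a stored long-lived API key. The repository name, environment name, tag pattern and the choice of PyPI trusted publishing as the package-index flow are assumptions made for the example.

```yaml
# Added example workflow, not the project's own; names below are placeholders.
name: publish

on:
  push:
    tags:
      - "v*"

# Default to no permissions at the workflow level; each job asks only for what it needs.
permissions: {}

jobs:
  publish:
    # Trusted-context gate: never run in a fork, and only for version tags.
    if: github.repository == 'example-org/example-repo' && startsWith(github.ref, 'refs/tags/v')
    runs-on: ubuntu-latest
    # The environment owns the publishing trust relationship and can require reviewers.
    environment: release
    permissions:
      contents: read
      id-token: write   # lets the job mint a short-lived OIDC token for the package index
    steps:
      - uses: actions/checkout@v4
      - name: Build distribution
        run: python -m pip install build && python -m build
      # Trusted publishing: the index verifies the OIDC token's repository/environment
      # claims, so no long-lived API token needs to live in repository secrets.
      - uses: pypa/gh-action-pypi-publish@release/v1
```

The two guards worth checking in any such workflow are the top-level `permissions: {}` (so a job that forgets to declare permissions gets none) and the `if:` condition on the job (so a fork or a non-release ref cannot reach the publishing step even if it can trigger the workflow).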
Why
The project needs a consistent governance model for automated publishing that is secure, predictable, and easy to reason about across all workflows.