chore: add npm release workflow + bump to 8.6.6 #3

Merged: 1337mus merged 1 commit into main from raj/add-release-workflow on Jun 21, 2026

Conversation

@1337mus 1337mus commented Jun 21, 2026

Collaborator

What

  • Adds .github/workflows/release.yml that publishes @phantom/react-native-fast-image to public npm on a GitHub Release (or manual workflow_dispatch), authenticated with NPM_PUBLISH_TOKEN_PHANTOM_SECURITY_BOT (the same npm publish token phantom/react-native-webview already uses).
  • Bumps version 8.6.5 → 8.6.6 to ship the maxBufferSize prop merged in feat(ios): expose maxBufferSize to bound the animated-image frame buffer #2.

Why

This repo had no working publish path: the old ci.yml / dv-scripts flow is dormant and is wired for public-npm semantics it never actually runs. The @phantom scope is public on npmjs.org, and the wallet's Artifactory registry proxies it, so publishing to public npm is the established pattern for these standalone RN forks (this mirrors react-native-webview). A Release-triggered workflow is used instead of changesets since this fork is bumped infrequently.

Prerequisite

The repo needs access to the NPM_PUBLISH_TOKEN_PHANTOM_SECURITY_BOT secret (already used by phantom/react-native-webview). Once it's available to this repo:

  1. Merge this PR.
  2. Publish a GitHub Release tagged v8.6.6.
  3. The workflow publishes 8.6.6 to npm.

Then Wallet pins 8.6.6 and sets maxBufferSize on the chat media grid.

Summary by CodeRabbit

  • Chores
    • Bumped package version to 8.6.6
    • Added automated release workflow for npm publishing

Adds a Release-triggered workflow that publishes to public npm via NPM_PUBLISH_TOKEN_PHANTOM_SECURITY_BOT (mirrors react-native-webview). Bumps version to 8.6.6 to ship the maxBufferSize prop from #2.
coderabbitai Bot commented Jun 21, 2026


📝 Walkthrough

A new GitHub Actions workflow .github/workflows/release.yml is added to automate npm publishing on GitHub release events, using a scoped npm configuration and a secret token. The package version in package.json is bumped from 8.6.5 to 8.6.6.

Changes

npm Release Automation

Release workflow: triggers, permissions, and publish job
  • File: .github/workflows/release.yml
  • Summary: Adds a Release workflow triggered by release: published and workflow_dispatch, with contents: read permissions. The publish job checks out the repo, configures Node 20 with npm registry URL and @phantom scope, installs dependencies via yarn install --frozen-lockfile, builds the project, and runs npm publish --access public authenticated with NODE_AUTH_TOKEN from secrets.NPM_PUBLISH_TOKEN_PHANTOM_SECURITY_BOT.

Version bump to 8.6.6
  • File: package.json
  • Summary: Updates the version field from 8.6.5 to 8.6.6.
🚥 Pre-merge checks: ✅ 5 passed
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The PR title 'chore: add npm release workflow + bump to 8.6.6' directly and accurately summarizes both main changes: adding the release workflow and the version bump.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@1337mus 1337mus marked this pull request as ready for review June 21, 2026 18:41

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/release.yml (1)

16-17: 🧹 Nitpick | 🔵 Trivial | 🏗️ Heavy lift

Prefer npm trusted publishing (OIDC) over a long-lived publish token.

Using a repository secret token on Line 41 works, but trusted publishing removes static token exposure and improves release security posture.

Suggested direction
 permissions:
   contents: read
+  id-token: write
...
       - name: Publish
-        run: npm publish --access public
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN_PHANTOM_SECURITY_BOT }}
+        run: npm publish --provenance --access public
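Review bot: the `+        run: npm publish --provenance --access public` line removes the `NODE_AUTH_TOKEN` env with no replacement credential, which only works once a trusted publisher for @phantom/react-native-fast-image has been registered on npmjs.org for this repository and the `.github/workflows/release.yml` filename; until then the publish step fails authentication, so register the publisher and verify one release before deleting the secret. The `+  id-token: write` permission is what lets `--provenance` obtain the OIDC token, so the permissions change and the run-line change have to land together, not as two separate commits.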

Also applies to: 38-41

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 16 - 17, Replace the static npm
repository secret token authentication (referenced around the npm publish
configuration) with npm's OIDC trusted publishing setup. Update the permissions
block to include id-token: write permission to allow GitHub Actions to request
an OIDC token, then configure the npm authentication step to use OIDC instead of
passing the NPM_TOKEN secret. This removes the need for storing and managing
long-lived publish tokens, improving security by using short-lived identity
tokens.

Source: Linters/SAST tools


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9e2c243b-e905-4581-86b5-03accc78be93

📥 Commits

Reviewing files that changed from the base of the PR and between 52bb61e and e8342b4.

📒 Files selected for processing (2)
  • .github/workflows/release.yml
  • package.json

Comment on lines +24 to +26
- uses: actions/checkout@v4

- uses: actions/setup-node@v4


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/release.yml | head -40

Repository: phantom/react-native-fast-image

Length of output: 1426


Harden action references and checkout credential handling.

Lines 24 and 26 use floating action tags (@v4), and line 24 keeps credentials persisted. In a release pipeline, pin actions to immutable commit SHAs and disable persisted checkout credentials to prevent supply chain attacks and limit GITHUB_TOKEN exposure.

Suggested patch
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@<FULL_LENGTH_COMMIT_SHA>
+        with:
+          persist-credentials: false

-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@<FULL_LENGTH_COMMIT_SHA>
         with:
           node-version: 20.x
           registry-url: "https://registry.npmjs.org"
           scope: "`@phantom`"
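Review bot: `<FULL_LENGTH_COMMIT_SHA>` is a placeholder, and the workflow will fail to resolve the ref if the patch is applied as written; pin each action to the 40-hex commit of the v4 release it currently floats on and keep a trailing `# v4` comment on the `uses:` line so Dependabot and Renovate can still track the version. The patch also leaves the zizmor `cache-poisoning` finding on line 26 (setup-node) unaddressed: if the publish job needs no dependency cache, say so in the review so the finding is closed deliberately rather than silently dropped.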
🧰 Tools
🪛 zizmor (1.25.2)
  • [warning] 24-24: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
  • [error] 24-24: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
  • [error] 26-26: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
  • [error] 26-26: runtime artifacts potentially vulnerable to a cache poisoning attack (cache-poisoning): enables caching by default

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 24 - 26, The workflow uses
floating action version tags (`@v4`) which are vulnerable to supply chain attacks,
and the checkout action persists credentials by default which unnecessarily
exposes the GITHUB_TOKEN. Replace the floating tags in both the
actions/checkout@v4 and actions/setup-node@v4 references with immutable commit
SHA versions (e.g., using the full commit hash instead of `@v4`), and add a
persist-credentials: false parameter to the checkout action to disable
credential persistence in the release pipeline.

Source: Linters/SAST tools
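The release workflow the walkthrough describes and the two review findings on it (pin actions to commit SHAs with persist-credentials: false, and OIDC trusted publishing instead of a long-lived token) can be checked mechanically. The following is an added example, not code from phantom/react-native-fast-image or CodeRabbit: a POSIX-shell lint run over two constructed workflow files, the publish job as the PR describes it and the same job with both suggestions applied. The one-line trigger block, the `yarn build` step and the 40-zero commit SHAs are assumptions and placeholders, not values from the PR; the checker validates only the ref format, so a real SHA still has to be taken from the action's release.

```shell
#!/bin/sh
# Added example, not code from phantom/react-native-fast-image: a POSIX-shell lint
# for the release.yml review findings (floating action tags, persisted checkout
# credentials, long-lived npm token instead of OIDC). Both workflows below are
# constructed; the build command and the 40-zero SHAs are placeholders.

write_weak_workflow() {            # constructed: the job as the walkthrough describes it
cat <<'EOF' > "$1"
on: { release: { types: [published] }, workflow_dispatch: {} }
permissions:
  contents: read
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20.x
          registry-url: "https://registry.npmjs.org"
          scope: "@phantom"
      - run: yarn install --frozen-lockfile
      - run: yarn build   # assumed build command, not from the PR
      - name: Publish
        run: npm publish --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN_PHANTOM_SECURITY_BOT }}
EOF
}

write_hardened_workflow() {        # constructed: same job with both review suggestions applied
cat <<'EOF' > "$1"
on: { release: { types: [published] }, workflow_dispatch: {} }
permissions:
  contents: read
  id-token: write   # lets npm publish request an OIDC token for trusted publishing
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # PLACEHOLDER: real v4 commit SHA
        with:
          persist-credentials: false
      - uses: actions/setup-node@0000000000000000000000000000000000000000 # PLACEHOLDER: real v4 commit SHA
        with:
          node-version: 20.x
          registry-url: "https://registry.npmjs.org"
          scope: "@phantom"
      - run: yarn install --frozen-lockfile
      - run: yarn build   # assumed build command, not from the PR
      - name: Publish
        run: npm publish --provenance --access public   # no NODE_AUTH_TOKEN secret
EOF
}

# Number of `uses:` references whose ref after '@' is not a full 40-hex commit SHA.
count_unpinned_uses() {
  grep -E '^[[:space:]]*-?[[:space:]]*uses:' "$1" \
    | sed -E 's/.*uses:[[:space:]]*//; s/[[:space:]]*(#.*)?$//' \
    | grep -Ev '@[0-9a-f]{40}$' | grep -c . || true
}

# Number of actions/checkout steps that do not set persist-credentials: false.
count_checkouts_persisting_credentials() {
  awk '
    /uses:[[:space:]]*actions\/checkout@/ { in_step = 1; found = 0; next }
    in_step && /^[[:space:]]*-[[:space:]]/ { if (!found) bad++; in_step = 0 }
    in_step && /persist-credentials:[[:space:]]*false/ { found = 1 }
    END { if (in_step && !found) bad++; print bad + 0 }' "$1"
}

# Publish steps fed a repository secret through NODE_AUTH_TOKEN (0 when none).
count_static_npm_tokens() { grep -c 'NODE_AUTH_TOKEN:.*secrets\.' "$1" || true; }

# 1 when the workflow grants id-token: write (needed for OIDC and --provenance).
has_id_token_write() { grep -c 'id-token:[[:space:]]*write' "$1" || true; }

# Print each finding for one workflow file; exit status 0 only when there are none.
lint_workflow() {
  f=$1; findings=0
  n=$(count_unpinned_uses "$f")
  [ "$n" -gt 0 ] && { echo "  $n action reference(s) not pinned to a commit SHA"; findings=$((findings + n)); }
  n=$(count_checkouts_persisting_credentials "$f")
  [ "$n" -gt 0 ] && { echo "  $n checkout step(s) leave GITHUB_TOKEN persisted in .git/config"; findings=$((findings + n)); }
  n=$(count_static_npm_tokens "$f")
  [ "$n" -gt 0 ] && { echo "  $n publish step(s) use a long-lived npm token; prefer OIDC trusted publishing"; findings=$((findings + n)); }
  if grep -q 'npm publish' "$f" && [ "$(has_id_token_write "$f")" -eq 0 ]; then
    echo "  publish job lacks id-token: write, so no provenance attestation is possible"
    findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ]
}

weak=$(mktemp); hard=$(mktemp)
write_weak_workflow "$weak"; write_hardened_workflow "$hard"
echo "as-merged shape:"; lint_workflow "$weak" || true
echo "hardened shape:";  lint_workflow "$hard" && echo "  no findings"
rm -f "$weak" "$hard"
```

Run it against the repository's own `.github/workflows/release.yml` by calling `lint_workflow` on that path; the four checks correspond to the zizmor findings and the OIDC nitpick quoted above. The format check is deliberately narrow: a 40-hex placeholder passes it, so the hash itself must be copied from the action's tagged release and reviewed. Trusted publishing additionally needs this repository and workflow filename registered as a trusted publisher for the package on npmjs.org, which no workflow edit can do on its own.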

@1337mus 1337mus merged commit bf595e6 into main Jun 21, 2026
11 checks passed