Tighten up publishing security

[Andarist]

No description provided.

[Andarist]

This line is the biggest change here. And it's going to get slightly more annoying to publish packages with it.

With this env-based "gate" after merging a Version Packages PR, you will be prompted (through notifications/email) to approve this publishing job. At least when you set up the required reviewers for this env (which you should do).

Why this should be done? To decouple repo write access from publish rights. Without this anyone with write access to the repo can potentially land a malicious Version Packages PR.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 03b1310

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR