fix(release): pass --tag next when publishing a pre-release

.github/workflows/release.yml

@@ -386,6 +386,7 @@ jobs:
         if: ${{ ! inputs.dry_run && inputs.publish_package }}
         env:
           INPUT_VERSION: ${{ inputs.version }}
+          INPUT_PRERELEASE: ${{ inputs.prerelease }}
           TARBALL: ${{ steps.pack.outputs.tarball }}
         run: |
           actual="$(node -p "require('./package.json').name + '@' + require('./package.json').version")"
@@ -394,6 +395,15 @@ jobs:
             echo "::error::package.json identity (${actual}) does not match expected (${expected}) — refusing to publish (ADR-0040)" >&2
             exit 1
           fi
+          # Pre-release versions must publish under a non-`latest` dist-tag.
+          # `npm publish` refuses to default a prerelease to `latest` and
+          # exits with "You must specify a tag using --tag when publishing
+          # a prerelease version." `inputs.prerelease == true` → publish
+          # under `next`; stable releases → default `latest` (no `--tag`).
+          publish_args=("--provenance")
+          if [ "${INPUT_PRERELEASE}" = "true" ]; then
+            publish_args+=("--tag" "next")
+          fi
           set +e
           view_output="$(npm view "specorator@${INPUT_VERSION}" version --json 2>&1)"
           view_exit=$?
@@ -405,7 +415,7 @@ jobs:
             # published archive equals the GitHub Release asset uploaded in
             # step 11 (T-V05-013). `--provenance` mints a sigstore provenance
             # statement via the OIDC token (ADR-0044, restoring ADR-0040).
-            npm publish --provenance "${TARBALL}"
+            npm publish "${publish_args[@]}" "${TARBALL}"
           else
             echo "::error::npm view failed with a non-404 error — refusing to publish so EPUBLISHCONFLICT cannot mask a real failure" >&2
             echo "$view_output" >&2