Merge "Build and Test" and "Publish" release jobs

[nicolo-ribaudo]

Q	A
Fixed Issues?	Fixes #1, Fixes #2
Patch: Bug Fix?
Major: Breaking Change?
Minor: New Feature?
Tests Added + Pass?	Yes
Documentation PR Link
Any Dependency Changes?
License	MIT

This is what @JLHwung suggested in #12810 (comment).

My original response:

The reason I split the jobs is because the "Publish release on npm" job has access to our npm token, so I wanted to run as few things as possible in it.

Currently it's only running yarn release-tool publish --yes, which means that it only runs code bundled ahead of time in this repository.

---

The release action takes 7 mins to upload a 3MB artifact (https://github.com/babel/babel/runs/1928439259?check_suite_focus=true): we can save 50% of the time if we merge those two jobs.

However, I'm not comfortable with running make build with the npm token accessible because it would be easily stolen by a malicious nested dependency. I'm marking this PR as draft until I figure out the security model.

[codesandbox-ci]

This pull request is automatically built and testable in CodeSandbox.

To see build info of the built libraries, click here or the icon next to each commit SHA.

Latest deployment of this branch, based on commit 983f882:

Sandbox	Source
babel-repl-custom-plugin	Configuration
babel-plugin-multi-config	Configuration

[JLHwung]

Yeah the cache action will suffer in IO intensive scenarios: You can generate runtime on the fly. https://github.com/babel/babel/pull/12002/files#r476631461

[nicolo-ribaudo]

I actually think the token probably is safe and this can land as-id, I need to do some tests.

[nicolo-ribaudo]

The secret is not accessible unless we explicitly enable it with

        env:
          YARN_NPM_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

so make prepublish cannot access it.

[babel-bot]

Build successful! You can test your changes in the REPL here: https://babeljs.io/repl/build/40889/