
fix: remove redundant auxiliary package bump in publish step to fix SBOM version mismatch MONGOSH-2143#2685

Draft
Copilot wants to merge 3 commits into main from copilot/fix-sbom-versioning-issues

Conversation


Copilot AI commented Mar 2, 2026

During a full release, auxiliary package versions are bumped twice — once in compile_ts (when building compiled-ts.tgz) and again in the publish step — causing SBOMs generated during packaging to reference versions that are never actually published to npm.

Root cause

bumpAuxiliaryPackages() was called in publishMongosh even though compiled-ts.tgz (consumed via install in every downstream task) already contains package.json files at the post-bump version from compile_ts. The second call bumps again, so the SBOM's V1 versions never exist in npm — only V2 does.

Changes

  • publish-mongosh.ts: Remove this.packageBumper.bumpAuxiliaryPackages() from publish(). commitBumpedPackages() still commits the V0→V1 diff captured in compiled-ts.tgz, and publishToNpm() publishes at V1 — matching what the SBOM captured.
  • run-draft.ts: bumpAuxiliaryPackages() is kept in runDraft() as it is still needed to run against the new version during the draft step.
  • Tests: Assert bumpAuxiliaryPackages is not called during publish (to prevent regression) and is called during draft.
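As an added illustration of the double bump described in this comment (example code, not mongosh's own; the version bumper, the tarball snapshot and the package names are modelled or constructed here), this TypeScript snippet simulates the release flow with and without the second bump and runs the SBOM-versus-published consistency check a release pipeline should enforce:

```typescript
// Added example, not mongosh's own code: a model of the release flow described above.
type PackageJson = { name: string; version: string };

// Bump the patch component of a plain "x.y.z" version, e.g. "1.0.0" -> "1.0.1".
function bumpPatch(version: string): string {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version);
  if (!m) throw new Error(`unsupported version string: ${version}`);
  return `${m[1]}.${m[2]}.${Number(m[3]) + 1}`;
}

// Stand-in for bumpAuxiliaryPackages(): returns bumped copies of every package.json.
function bumpAuxiliaryPackages(pkgs: PackageJson[]): PackageJson[] {
  return pkgs.map((p) => ({ ...p, version: bumpPatch(p.version) }));
}

// Every SBOM component must exist at exactly the version that was published.
function diffVersions(sbom: Map<string, string>, published: Map<string, string>): string[] {
  const problems: string[] = [];
  for (const [name, sbomVersion] of sbom) {
    const publishedVersion = published.get(name);
    if (publishedVersion !== sbomVersion) {
      problems.push(`${name}: SBOM records ${sbomVersion}, npm has ${publishedVersion ?? "nothing"}`);
    }
  }
  return problems;
}

// compile_ts bumps once (V0 -> V1) and the SBOM is captured from that tree; every downstream
// task installs compiled-ts.tgz, so publish already starts at V1. A second bump in publish
// pushes the published version to V2 while the SBOM still says V1.
function simulateRelease(checkedIn: PackageJson[], bumpAgainInPublish: boolean) {
  const compiledTs = bumpAuxiliaryPackages(checkedIn); // V1, the content of compiled-ts.tgz
  const sbom = new Map<string, string>(compiledTs.map((p) => [p.name, p.version] as [string, string]));
  const toPublish = bumpAgainInPublish ? bumpAuxiliaryPackages(compiledTs) : compiledTs;
  const published = new Map<string, string>(toPublish.map((p) => [p.name, p.version] as [string, string]));
  return { sbom, published, mismatches: diffVersions(sbom, published) };
}

// Constructed sample packages (not real mongosh package names).
const SAMPLE_PACKAGES: PackageJson[] = [
  { name: "@example/aux-one", version: "1.0.0" },
  { name: "@example/aux-two", version: "2.5.9" },
];

const flowBeforeFix = simulateRelease(SAMPLE_PACKAGES, true);  // redundant bump in publish
const flowAfterFix = simulateRelease(SAMPLE_PACKAGES, false);  // bump only in compile_ts
console.log("before:", flowBeforeFix.mismatches); // two mismatches, V1 in SBOM vs V2 on npm
console.log("after:", flowAfterFix.mismatches);   // []
```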


… SBOM version mismatch

Co-authored-by: gagik <17454623+gagik@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix SBOM versioning discrepancies in mongosh release process fix: remove redundant auxiliary package bump in publish/draft to fix SBOM version mismatch Mar 2, 2026
Copilot finished work on behalf of gagik March 2, 2026 11:28
@gagik
Contributor

gagik commented Mar 2, 2026

@copilot we still need 1 bump to be able to run against the new version

…ishMongosh

Co-authored-by: gagik <17454623+gagik@users.noreply.github.com>
Author

Copilot AI commented Mar 2, 2026

@copilot we still need 1 bump to be able to run against the new version

Restored bumpAuxiliaryPackages() to runDraft in commit 7be03df. The fix now only removes the redundant bump from publishMongosh.publish() — that's the one causing the SBOM mismatch, since it bumps packages a second time after the SBOM has already been captured during compile_artifact.

Copilot AI changed the title fix: remove redundant auxiliary package bump in publish/draft to fix SBOM version mismatch fix: remove redundant auxiliary package bump in publish step to fix SBOM version mismatch Mar 2, 2026
Copilot finished work on behalf of gagik March 2, 2026 11:55
@gagik gagik changed the title fix: remove redundant auxiliary package bump in publish step to fix SBOM version mismatch fix: remove redundant auxiliary package bump in publish step to fix SBOM version mismatch MONGOSH-2143 Mar 2, 2026