Add npm provenance publish workflow

[jozefizso]

Summary

• add a release-triggered npm publish workflow
• pack the npm tarball before publishing and attest that exact artifact with GitHub artifact attestations
• publish to npm with provenance enabled and public scoped package access

Verification

• ruby YAML parse for publish workflow
• npm test
• npm audit --audit-level=moderate
• npm ls --omit=dev --all
• npm pack --dry-run

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 31acb07a00

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Gate prerelease publishes or set a non-latest dist-tag

npm publish "$TARBALL" --provenance --access public publishes with npm’s default latest dist-tag, and this workflow is triggered by release: types: [published], which also runs for pre-releases. That means publishing a GitHub pre-release can unintentionally promote that build to latest for all consumers. Add a guard for github.event.release.prerelease == false or pass an explicit prerelease tag (for example --tag next) when release.prerelease is true.

Useful? React with 👍 / 👎.