ci: add npm trusted publisher workflow

Add publish.yml workflow that triggers on version tags and publishes
to npm using OIDC-based trusted publishers. Update release script to
use bumpp --push to trigger the workflow automatically.

Author: justin-schroeder

.github/workflows/publish.yml

@@ -0,0 +1,24 @@
+name: Publish
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: pnpm/action-setup@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: lts/*
+          registry-url: https://registry.npmjs.org
+      - run: npm install -g npm@latest
+      - run: pnpm install
+      - run: pnpm build
+      - run: npm publish --access public

package.json

@@ -38,7 +38,7 @@
     "test": "TZ=\"America/New_York\" vitest",
     "docs-build": "cd ./docs && pnpm run build",
     "publint": "publint",
-    "release": "pnpm build && bumpp && pnpm publish",
+    "release": "pnpm build && bumpp --push",
     "size": "npm run build && size-limit"
   },
   "files": [